Publication date: October 23, 2025
The Polish Ministry of Digital Affairs is establishing a new sectoral cybersecurity incident response team – CSIRT Cyfra. The formal establishment of CSIRT Cyfra is planned for April 2026, with full operational readiness for June 2026. The unit will be responsible for protecting digital infrastructure, and its tasks will include monitoring threats, rapidly responding to attacks, and providing technical support to institutions using digital services.
The CSIRT Cyfra project has received PLN 10 million in funding from the National Recovery and Resilience Plan. These funds will be used to create a new organizational structure, purchase equipment, and develop the competencies of experts who will ensure the security of state digital systems.
The new unit will become part of the national incident response system and will cooperate with the already existing teams: CSIRT GOV, CSIRT MON and CSIRT NASK.
What are national Computer Security Incident Response Teams (CSIRTs)? The Act on the National Cybersecurity System of July 5, 2018, established several entities that influence the level of IT security in Poland. CSIRT stands for Computer Security Incident Response Team. Three such teams have been established: CSIRT NASK, CSIRT GOV, and CSIRT MON. These teams collaborate with each other and with similar teams around the world to ensure the security of internal networks and detect threats on public networks.
The main tasks of the CSIRT Cyfra team will include not only incident response but also training and hiring experts, developing modern security tools, and improving cooperation between state institutions. This will strengthen the entire system for securing data and digital services. Like CSIRT NASK, the new team will be overseen by the minister responsible for computerization.
Pursuant to Article 20 of the Act of 28 July 2023 on Combating Abuse in Electronic Communications, CSIRT NASK is the entity responsible for maintaining the Warning List. The list includes internet domains whose primary purpose is to mislead internet users and lead to data theft or the unfavorable disposal of property. The Warning List is used by telecommunications operators, companies, organizations, and users themselves to automatically block access to malicious websites, thus limiting the effects of phishing attacks and other campaigns targeting Polish citizens. To protect its users, a telecommunications company may enter into an agreement with the President of the Office of Electronic Communications (UKE), the minister responsible for computerization, and the Scientific and Academic Computer Network – National Research Institute. A telecommunications company that is a party to the agreement may prevent internet users from accessing websites using domain names included in the Warning List. Pursuant to Article Under Article 21 of the Act on Combating Abuse in Electronic Communications, an entity holding legal title to an internet domain included in the warning list may file an objection to the inclusion of the internet domain in the warning list with the President of the Office of Electronic Communications (UKE). CSIRT Cyfra will likely take over some of the responsibilities of CSIRT NASK, including the ability to create and maintain registers of warnings about dangerous domains.
The creation of CSIRT Cyfra is a response to the growing number of cyberattacks targeting key sectors – from healthcare, through transportation and energy, to public administration. The new unit aims to relieve existing teams and increase the effectiveness of the entire cybersecurity system. With CSIRT Cyfra, Poland gains another tool in the fight against cybercrime, as well as stronger protection for citizen data and the continuity of state operations in the digital age.