Publication date: January 15, 2026
The draft act amending the Act on the Provision of Electronic Services and certain other acts represents a significant step in adapting Polish legal regulations to the rapidly evolving digital landscape. The growing number of entities operating online, new methods of electronic communication, and the vast scale of data processing mean that the current regulations are increasingly imprecise or inadequate for the current times. In response to these challenges, the legislator proposed changes aimed at both increasing the protection of network users and clarifying the obligations of entities providing electronic services.
The Act of 18 July 2002 on the Provision of Electronic Services has been the fundamental act regulating electronic services in Poland since the beginning of the digital era. Its provisions included, among other things, the obligations of service providers related to the provision of electronic services, the principles for excluding service providers’ liability in connection with the service provided, and the principles for protecting the personal data of individuals using electronic services.
The 2025 amendment aimed to adapt national law to the requirements of Regulation (EU) 2022/2065 (Digital Services Act – DSA). This regulation has been directly applicable in the European Union since February 17, 2024, but member states – including Poland – were required to introduce provisions into their national legal systems to enable its practical application (e.g., by designating responsible national authorities and enforcement procedures). The implementation of EU regulations also aimed to enhance the protection of service users and their fundamental rights, combat illegal content, and enable state authorities to effectively enforce the law and introduce mechanisms for legal interference online where unnecessary – particularly through administrative decisions by state authorities rather than solely voluntary actions by platforms.
The Act amending the Act changes the so-called reference in the Act’s title, adding that the Act not only implements Directive 2000/31/EC, the Electronic Commerce Directive, but also serves to apply EU Regulation 20222/2065 (Digital Services Act). Before the amendment, the Act referred exclusively to modern content liability rules, which are regulated in the EU by the Digital Services Act (DSA). However, the Act now formally recognizes that it serves to apply the DSA – which is significant because the DSA is a directly applicable regulation but requires national organizational regulations.
A significant element of the amendment is the addition of a new Article 11a et seq. to the Act – within a completely new Chapter 2a titled: “Orders to take action against illegal content, orders to remove restrictions imposed by a hosting service provider, and orders to provide information”. This procedural solution creates a national system of “administrative orders” against service providers and platforms, representing a level and scope of regulation that was absent from the 2002 Act and implicitly provided for in the DSA. Chapter 2a establishes a detailed administrative procedure enabling state authorities to issue binding decisions in cases concerning illegal content and to verify moderation efforts undertaken by platforms. In particular, it introduces:
Such regulations were absent from the 2002 Act, which was based primarily on general principles of service user liability and voluntary content moderation mechanisms employed by platforms. The amendment created a formal prescriptive procedure, which in practice grants state authorities the actual authority to decide – through administrative decisions – to block specific content or restore access to it, significantly changing the current model for regulating services provided electronically.
Competent authorities
The newly introduced Article 3a of the Act, which is titled “Competent authorities, the coordinator for digital services and the National Council for Digital Services”, lists the competent state authorities and their competences:
In matters not regulated, the Code of Administrative Procedure applies. With respect to certain decisions, the possibility of challenging a decision under the extraordinary procedures of the Code of Administrative Procedure (renewal, invalidation, amendment, or repeal) is excluded.
The Polish President of the Office of Electronic Communications (UKE) has been appointed as the Digital Services Coordinator, serving as the central point of contact for national and EU relations. His responsibilities include representing Poland in the European Digital Services Council (EDSC), whose meetings are also attended by the President of the Office of Competition and Consumer Protection (UOKiK) or the Chairman of the National Broadcasting Council (KRRiT), depending on when matters within their jurisdiction are discussed. He collaborates with the President of the UOKiK and the Chairman of the National Broadcasting Council (KRRiT) in fulfilling obligations arising from the Act and the Digital Services Directive (DSA), and ensures the consistency of the national application of DSA provisions. The Coordinator is also responsible for preparing a single, consolidated report covering the activities of all relevant authorities, with these authorities required to submit annual reports by 31 March each year.
National Council for Digital Services
The National Digital Services Council operates under the Digital Services Coordinator, serving as an advisory and consultative body on matters related to the functioning of the digital services market. The Council’s mission is to support the creation of a safe, predictable, and trustworthy digital environment, in particular by providing opinions on the implementation of intermediary service providers’ obligations under the Digital Services Act (DSA), the functioning of trusted whistleblowers, and alternative dispute resolution systems, as well as by formulating proposals regarding data access for verified researchers. The Council consists of a Chairperson, a Deputy Chairperson, and ten members appointed by the President of the Office of Electronic Communications (UKE) from among representatives of the scientific community, social and economic organizations, and entities operating in the digital services market. The Council’s term of office is four years, and its administrative support and funding are provided by the office serving the UKE.
The system is complemented by the possibility of financial support for entities playing a significant role in implementing the mechanisms provided for in the DSA. The Act provides for the awarding of targeted subsidies to both out-of-court dispute resolution bodies and trusted entities reporting illegal content, through open and non-discriminatory recruitment. This solution aims to strengthen the practical effectiveness of the user protection system and the enforcement of obligations imposed on digital service providers.
The amendment also introduces chapters 4a-4f which regulate the certification of out-of-court dispute resolution bodies, the status of a trusted whistleblower, the status of a verified researcher, the liability of intermediary service providers, civil liability and fines.
Certification of alternative dispute resolution bodies is provided by the Digital Services Coordinator for a five-year period, in accordance with the DSA rules. The entity seeking certification submits an electronic application, signed with a qualified, trusted, or personal signature, containing, among other things, its name, address, the scope of its expertise, and the languages in which it can resolve disputes. The application must be accompanied by documents confirming compliance with certification requirements.
Before issuing a certificate, the coordinator consults with public administration authorities to confirm competence in matters related to illegal content or the application and enforcement of terms of service. The application is reviewed within two months; if any deficiencies are found, the coordinator requests supplementation within seven days.
After a positive assessment, the coordinator issues a certificate that includes the name of the authority, validity period, certificate number, and the coordinator’s signature. During the certificate’s validity period, the authority must meet the certification requirements. The certificate may be extended for another five years upon request by the authority, submitted no later than 30 days before its expiry, along with a declaration of compliance.
The Coordinator maintains a list of certified bodies, published in the Public Information Bulletin. A certificate is refused or revoked by decision if the body fails to meet the requirements. The decision is immediately enforceable and subject to appeal to the administrative court.
The coordinator may conduct verification activities to ensure compliance with certification requirements, including access to the body’s premises, reviewing documents, and requesting clarification. A report is prepared for the activities, signed by the coordinator and the body. Certified bodies submit annual reports to the coordinator by March 31 of the following year, with the possibility of requesting supplementation.
Trusted Signaling entity status is granted by the Digital Services Coordinator in accordance with the DSA rules. Applicants submit an electronic application with the required information: name, address, email address, areas of expertise, and documents confirming compliance with the requirements of the EU regulation.
Before granting the status, the coordinator will seek the opinion of the President of the Personal Data Protection Office regarding the data protection measures applied by the entities, as well as the opinion of other public administration bodies regarding their expertise in illegal content or the application of the terms and conditions of use of online platforms. These bodies have 30 days to submit their opinion; failure to respond within this period will be deemed to have met the requirement.
The coordinator reviews the application within two months and requests supplementation if any deficiencies are found. Upon positive evaluation, the coordinator issues a certificate that includes the entity’s name, number and date of issue, the scope of expertise, and the coordinator’s signature. The status and information about trusted entities are published in the Public Information Bulletin.
The coordinator may refuse to grant status if the entity does not meet the requirements, and the decision is final. To verify the conditions, they may conduct inspections, suspending the status for the duration of the inspection. The status may be revoked if the entity no longer meets the requirements, and the decision is immediately enforceable. A complaint may be filed against a decision refusing or revoking status to the administrative court.
Trusted flaggers are obliged to submit annual reports to the coordinator on reports made in accordance with Article 16 of the EU Regulation, by 31 March of the following year.
Verified researcher status, which allows access to data for research purposes (Article 40, paragraph 4 of the DSA), is granted by the Digital Services Coordinator, i.e., the President of the Office of Electronic Communications. An entity or individual applying for this status submits an application containing: name, first name and last name, registered office or place of residence address, email address, information confirming compliance with the requirements of Article 40, paragraph 8 of the Regulation, and a description of appropriate technical and organizational security measures, along with supporting documents.
Before issuing a decision, the coordinator will seek the opinion of the President of the Personal Data Protection Office (UODO) and other public administration bodies, assessing whether the planned research contributes to the detection and understanding of systemic risk and whether the scope and conditions of data access are adequate and proportionate. The bodies have 30 days to submit their opinion; failure to respond will be deemed to have met the requirement.
The coordinator reviews the application within two months, requesting that any missing information be provided within seven days; otherwise, the application will not be considered. Upon positive evaluation, the coordinator issues a certificate confirming the status of a verified researcher. Applications are submitted to providers of very large online platforms or search engines (VLOP and VLOSE) via a single point of contact.
At the request of a platform or search engine, the coordinator may approve or deny an application’s amendment, and this decision is immediately enforceable. The coordinator refuses to grant status if the applicant does not meet the requirements, and the decision is final. To verify the conditions, the coordinator may conduct verification activities with the applicant and the entity to which the status was granted.
Access to data may be revoked if requirements are not met or regulations are violated, and the decision is immediately enforceable. The coordinator then informs the platform or search engine provider and withdraws the access request. An appeal against the coordinator’s decision may be filed with the administrative court.
A service recipient or other authorized entity may submit a complaint against an indirect service provider to the Digital Services Coordinator. The complaint should include the provider’s details, the service, a description of the violation, the legal basis, and evidence (documents, screenshots, recordings). The Coordinator will inform the complainant about the complaint’s handling and possible transfer to an authority in another EU country, and, if necessary, request translation of documents.
Proceedings before the competent authority may be explanatory (to determine whether there are grounds for further proceedings) or concerning a breach of duty. The authority may initiate them ex officio, and the explanatory proceedings are concluded within 4-5 months.
During the proceedings, the authority may conduct an inspection of the inspected entity and other individuals with information related to the violation. The inspection includes access to the premises, review of documents and systems, requesting clarification, making copies, and securing materials. The inspector may be supported by the Police and NASK-PIB.
The inspected entity is obligated to provide information, ensure the conditions for the inspection, allow access to documents, systems, and premises, and confirm the conformity of copies with the originals. Evidence may be secured at the entity’s premises or at an office. If necessary, the competent authority may issue a decision to seize documents or items for the period necessary for the inspection (max. 7 days).
Once a report of seized items is prepared, they can be collected or transferred to a trusted person, with the obligation to present them to the authority upon request. Inspection and seizure reports document, among other things, the case details, the list of items, the course of action, and the signatures of the inspector and the inspected party. The inspected party may submit objections to the report, which the authority analyzes and, if necessary, supplements or amends the report in the form of an annex. Inspections can be conducted remotely, and all information obtained during the inspection, including trade secrets, is protected. Legally protected materials, such as correspondence with a lawyer, remain at the inspection site, and in case of doubt, they are forwarded to the Competition and Consumer Protection Court.
The competent authority may conduct inspections of providers of large platforms and search engines, and in the event of violations of the DSA Regulation, it issues decisions ordering cessation of the infringement, publication of the decision, warnings, or restrictions on access to services, while maintaining the proportionality of the measures. If the provider ceases the infringement, the decision establishes this fact, and the burden of proof rests with the provider. The authority may impose remedial obligations, monitor their implementation, and issue interim measures if there is a risk of serious harm.
Suppliers are obligated to provide information and documents upon request by the authority, while respecting the right of individuals to refuse in certain situations. The authority’s decision may be appealed to the Court of Competition and Consumer Protection, which the authority forwards along with the case file, retaining the option of prior revocation or amendment of the decision. Regarding evidence and service, the provisions of the Code of Civil Procedure and regulations on electronic service apply accordingly.
In matters concerning claims by service recipients for breach of obligations arising from the DSA, the provisions of the Civil Code and the Code of Civil Procedure apply to matters not regulated by the regulation. The competent court for resolving claims by service recipients is the district court. The court notifies the competent authority of the filing of a lawsuit and the final judgment, and the authority informs the court of pending or concluded proceedings concerning the violation. The court suspends the proceedings if the authority upholding the claim discontinues the legal proceedings in this regard. The authority’s findings regarding the breach of obligations are binding on the court when assessing liability for damages. The competent authority or trusted whistleblower, with the service recipient’s consent, may bring legal proceedings on their behalf and participate in the proceedings at any stage, with the provisions of the Code of Civil Procedure applying accordingly. The authority may also submit opinions to the court on matters of public interest related to the claim arising from the violation of the regulation.
Providers of intermediary services, internet platform hosting, and internet search engines who fail to comply with the obligations set out in the DSA are subject to administrative fines imposed by the competent authority. Fines can amount to up to 6% of the global turnover of the supplier in the year preceding the imposition of the fine. In the event of improper provision of information to the authority or obstruction of an inspection, the fine can amount to up to 1% of annual income or turnover, and an additional periodic penalty of up to 5% of average daily turnover can be imposed for each day of delay or obstruction in fulfilling the obligations. Fines may be imposed even after the infringement has ceased, if the duration, scope, or effects of the infringement warrant.
The turnover amount required to establish the fine is calculated based on the profit and loss account, financial statement, or other revenue documents, also taking into account the turnover of the merged entities or the average turnover in recent years. In the absence of revenue, the maximum fine is the equivalent of EUR 6,000. The euro is converted to PLN at the NBP exchange rate on the last day of the year preceding the penalty.
When determining the amount of fines, the authority is guided by the public interest and the principles of effectiveness, proportionality, and deterrence, taking into account the nature and gravity of the violation, the type of business activity, and the economic capacity of the entity. Proceeds from fines constitute state budget revenue. Fines are enforced pursuant to the provisions on administrative enforcement proceedings, and payment is due within 14 days of the decision becoming final. In unregulated matters, the provisions of the Tax Ordinance apply accordingly. Fine decisions may be appealed to the Court of Competition and Consumer Protection.
In January 2026 the implementation of the EU Digital Services Act (DSA) in Poland was blocked by a presidential veto of a key amendment to the act that was to implement provisions on blocking illegal content by the administration (the President of the Office of Electronic Communications), raising concerns about leaving internet users without full protection and shifting responsibility to the European Commission; the president justified the veto with concerns about “administrative censorship” and “overregulation.”
The bill, as submitted for the President’s signature, included amendments resulting from a broad public discussion on the need to increase control over digital platforms.
The adopted amendments, among other things, increased judicial oversight of the procedure for blocking illegal content by limiting the automatic immediate enforceability of decisions against which an appeal has been filed.
They also expanded the list of entities that may apply for an injunction to take action against illegal content to include copyright and related rights holders (even if they are not users of the platform in question).
They also clarified that the injunction to unblock content applies to situations in which the provider has made an erroneous decision (often using automated moderation tools), not to situations where standard terms of service have been applied.