KG LEGAL \ INFO
Who are cybersecurity certificates for? – The Act on the National Cybersecurity Certification System – What’s Worth Knowing

Publication date: February 6, 2026

Cybersecurity certifications are designed for IT professionals, including system and network administrators, security specialists, engineers, and those aspiring to these roles, to validate their knowledge and practical skills in protecting against digital threats. The certification also covers ICT products, services, and processes, and aims to inform consumers about the level of digital security and support Polish companies in European markets.

On August 28, 2025, the Act of June 25, 2025, on the national cybersecurity certification scheme entered into force, implementing Regulation (EU) 2019/881 of the European Parliament and of the Council of April 17, 2019, on ENISA (the European Union Agency for Cybersecurity) and cybersecurity certification in information and communication technologies, and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) (OJ L 151, 7.06.2019, p. 15 and OJ L 2025/37, 15.01.2025).

The Act defines the organization of the national cybersecurity certification scheme and the tasks and responsibilities of the entities participating in it. The new regulations allow for the issuance of European and national security certificates for products, services, systems, and processes related to information and communication technologies (ICT). This will confirm that a given product, service or process meets certain standards of data protection and resistance to cyberattacks.

Regulation 2019/881 aims to harmonize the issuance of cybersecurity certificates by introducing the possibility of creating European certification programs and common procedures for obtaining a certificate. This will allow cybersecurity certificates to be automatically recognized throughout the European Union. This is stipulated in Article 2, point 9 of Regulation 2019/881. The European certification system is complemented by so-called national cybersecurity certification schemes in areas not covered by European cybersecurity certification programs.

Regulation 2019/881 requires all European Union Member States to establish a national cybersecurity certification authority to oversee the market and monitor the correctness of certification activities. It’s worth noting that the entire certification system will continue to be based on market mechanisms, meaning private entities will be able to issue certificates under the national cybersecurity certification scheme. The Council of Ministers’ justification for the adopted law indicates that solutions based on market opening have been adopted and that no single national conformity assessment body has been designated to issue certificates with a “high” assurance level. Adopting an alternative solution could pose a barrier to the development of private conformity assessment bodies. The change, therefore, involves placing an “umbrella” over the certificate issuing process and creating mechanisms for its oversight.

More information about the European and national cybersecurity certification system, the relationship between European and national certificates, the framework of the national cybersecurity certification system, accreditation, conformity assessment and the role of the minister as the national cybersecurity certification authority can be found here: https://www.infor.pl/prawo/nowosci-prawne/7039425,trzeba-bedzie-miec-certyfikat-cyberbezpieczenstwa-zeby-wykazac-cyberodpornosc-nowe-przepisy-od-28-sierpnia-2025-r.html

Are cybersecurity certificates mandatory and for whom?

Regulation 2019/881 stipulates that cybersecurity certification is voluntary, unless EU or Member State law provides otherwise (Article 56, paragraph 2). By adopting the Act on the National Cybersecurity Certification System, the Polish legislator decided to maintain the voluntary nature of certification. The Council of Ministers’ justification for the adopted Act includes the following information: “Cybersecurity certification will be a completely voluntary process and will be conducted on a market-based basis, with customers free to choose from among market operators. The Act creates a framework for certification without imposing any obligations on market operators. Anyone interested will therefore be able to both begin business in this area and obtain certification of their ICT product, ICT service, ICT process, or managed security service, without being obligated to do so.” The same justification repeatedly mentions the voluntary nature of certification, which is crucial for two categories of entities: “It should be emphasized that private entities will not be forced to join this system in any way. The obligations arising from it will therefore apply only to those who voluntarily submit to them. This applies to both conformity assessment bodies and entities undergoing the certification process.”

At the EU level, there is currently no regulation introducing a direct certification obligation, although in practice the picture is somewhat more complicated. Article 21 of Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 (NIS2 Directive) introduces numerous requirements regarding cybersecurity risk management measures that Member States must impose on entities known as essential (key) and important entities. Paragraph 5 of this Article refers to Commission implementing acts specifying technical requirements for, among others, DNS service providers, TLD name registries, cloud service providers, and the other entities listed therein. Pursuant to Article 24 of NIS2, Member States may require essential and important entities to use specific ICT products, processes, or services that are certified in accordance with European cybersecurity certification schemes adopted pursuant to Article 49 of Regulation 2019/881.

The Act of 5 July 2018 on the National Cybersecurity System implements, in particular, the provisions of the NIS1 and NIS2 Directives. Chapter 3 of the Act is devoted to the obligations of essential service operators, which include, among others, the obligation to implement security measures, report incidents, and conduct system security audits. Digital service providers must fulfill similar obligations, as regulated in Chapter 4 of the Act. These obligations do not include the obligation to hold a European cybersecurity certificate, although theoretically, under the NIS2 regulations, such an obligation could exist. At the same time, obtaining an appropriate cybersecurity certificate may prove necessary, or at least useful, for essential service operators in particular, but also for digital service providers. The numerous and costly requirements for essential service operators could be reduced by obtaining a cybersecurity certificate, for example, by shortening the mandatory audit period.

The only currently adopted European cybersecurity certification program is based on the Common Criteria (ISO/IEC 15408). The requirements imposed by European and Polish legislation on essential service operators are largely based on widely used standards such as the aforementioned ISO/IEC 15408, ISO/IEC 27001, and ISO/IEC 27002. This means that developing a sufficiently secure infrastructure in accordance with the requirements of the most commonly used standards requires very similar, or even identical, measures to those needed to obtain a European cybersecurity certificate. Obtaining such a certificate, in turn, may entail benefits in the form of shortened procedures, such as security audits. The situation is similar with the previously mentioned requirements set under the NIS2 directive, e.g., for DNS service providers [1], which are largely based on the commonly used ISO/IEC standards.

Other EU legal acts also impose or enable the imposition of further cybersecurity requirements on various sectors of the economy. Such regulations include Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on the digital operational resilience of the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (the DORA Regulation), which aims to increase the operational digital resilience of financial entities and regulate the provision of ICT services in the financial market. As a result of the noticeable trend of introducing further requirements for reporting, resilience testing, risk management, etc., European cybersecurity certificates may prove to be a very useful way to meet all the requirements in a significantly easier way, although it is worth noting that there is no mechanism for automatic compliance with the requirements upon obtaining the certificate.

It’s worth emphasizing that obtaining cybersecurity certificates is not currently mandatory, but may prove necessary in the future in public procurement. The contracting authority has the right to specify a requirement for a specific certificate in the tender specifications (Terms of Reference). Since such requirements should, in principle, be proportionate and based on non-discrimination and equal treatment, an equivalent method of demonstrating compliance should be sufficient in most cases. Obtaining a certificate can therefore be useful when participating in tenders, whether the tender specifications specify a specific cybersecurity certificate or refer only to standards such as ISO/IEC. As mentioned earlier, cybersecurity certificates are largely based on these standards, allowing for an equivalent method of demonstrating compliance with the requirements.


[1] Detailed requirements in this regard result, among others, from Commission Implementing Regulation (EU) 2024/2690 of 17 October 2024 laying down rules for the application of Directive (EU) 2022/2555 with regard to technical and methodological requirements for cybersecurity risk management measures and specifying the cases in which an incident is considered serious in relation to DNS service providers, TLD name registries, cloud service providers, data center service providers, content delivery network providers, managed service providers, managed security service providers, providers of online marketplaces, online search engines and social networking platforms, and trust service providers.