
DOMAIN WARNING LIST, DOMAIN ALERT LIST AND DOMAIN BLOCKING – Polish cybersecurity authorities and legal basis

Publication date: September 01, 2025

The development and spread of technology expose internet users to a growing number of threats and give those seeking to deceive others a growing number of opportunities to do so. Counteracting these threats, particularly personal data theft and the misuse of property, is the task of CERT Polska, a computer security incident response team operating within the Scientific and Academic Computer Network – National Research Institute (NASK PIB). This is primarily achieved through the CERT Warning List. In 2024 alone, 92,600 malicious domains were added to the Warning List, compared to 79,300 the previous year. Approximately one in three reports submitted to CERT results in the website being added to the Warning List (in 2024, the CERT team analyzed over 300,000 reports). In 2024, the listed websites primarily offered fraudulent investments or imitated popular portals to trick potential victims into providing login credentials. According to CERT data, the estimated number of visits to websites blocked by the Warning List reached nearly 72 million in 2024 [1], demonstrating that CERT, together with the Warning List, plays an important role in protecting Polish internet users. This article outlines the procedure for adding websites to the Warning List and, consequently, blocking them.

List of Warnings against Dangerous Sites

Pursuant to Article 20, Section 1 of the Act of July 28, 2023, on Combating Abuse in Electronic Communications, in order to protect internet users from websites that extort data, including personal data, and lead internet users to dispose of their property in an unfavorable manner, an agreement may be concluded between the President of the Office of Electronic Communications (UKE), the minister responsible for digitalization, NASK, and a telecommunications company or companies concerning the maintenance of a list of warnings and the prevention of access to these websites. Article 20, Section 2 of the same Act states that the entity responsible for maintaining the list is the NASK CSIRT.

What entities are included on the list

Two types of activity can lead to a domain being added to the warning list: the list covers domains whose primary purpose is to mislead internet users and thereby lead to the theft of their data or to the unfavorable disposal of their property (Article 20, Section 3 of the Act on Combating Abuse in Electronic Communications). It is hard not to notice that these criteria are defined quite broadly. Misleading users can mean a website impersonating another, well-known internet domain that users trust, by using a similar address, page layout, graphics, etc., but other types of abuse that confuse users can also be included, for example those matching the abuses listed in the open catalog of prohibited abuses in electronic communications in Article 3 of the Act on Combating Abuse in Electronic Communications (smishing, spoofing, phishing). Data theft, in turn, may involve persuading the user to provide sensitive information (login, PESEL number, password, payment card number, mother’s maiden name), which the user does in the belief that they are dealing with a genuine, familiar website and that providing the data will have no negative consequences. The website may also enable, sometimes fraudulently (hence the phrase “unfavorable disposal of property”), the transfer of funds to a false account, the purchase of goods that will never be delivered, a donation to a fraudulent fundraiser, etc. Such a general framework of criteria for placing a domain on the Warning List therefore seems necessary. Otherwise, it would be difficult to ensure the effectiveness of the NASK CSIRT in this regard.

Who and where can report domains that mislead users

As stipulated in Article 20, Section 4 of the Act on Combating Abuse in Electronic Communications, anyone can report an internet domain of the kind described above, that is, one whose primary activity is aimed at deceiving users in any way, leading to data theft or unfavorable property disposal. Under the Act, the report may include a justification, although the cooperation agreement [2] referred to in Article 20, Section 1 of the Act on Combating Abuse in Electronic Communications states that the report must include a justification for each reported domain. Reports of internet domains can be submitted at https://incydent.cert.pl or by email to cert@cert.pl. CSIRT NASK may also act on its own initiative to include internet domains on the warning list.

What is the procedure

Each report is verified. The cooperation agreement provides only a brief instruction that the verification process should be as short as possible to ensure the agreement’s objectives are met. Following verification, the domain that “passed the verification process” is immediately added to the Warning List. As mentioned earlier, the agreement is also concluded with telecommunications companies, including the largest operators operating in Poland (from the outset, the following have participated: Orange Polska SA, Polkomtel Sp. z o. o. – the operator of the Plus network, P4 Sp. z o. o. – the operator of the Play network, and T-Mobile SA). Telecommunications companies’ participation in the agreement means that, after the Alert List is made available, they are obligated to prevent access to websites using domain names published on the Alert List by removing them from their IT systems used to convert domain names to IP addresses as soon as possible after receiving information about the new domain being added to the Alert List. They are also obligated to redirect connections using domain names published on the Alert List to a website operated by NASK-PIB containing a message addressed to internet users or to another website with a similar message using tools available on the operators’ side, as stipulated in the aforementioned cooperation agreement and Article 20, Sections 8 and 9 of the Act on Combating Abuse in Electronic Communications. The Alert List is used to automatically block access to malicious websites. Additionally, operators themselves are obliged to provide information about websites that extort data, including personal data, and lead Internet users to unfavorable disposal of their financial resources, in connection with reports received from their subscribers.

Filing an objection and its consideration

Given the broad criteria for including an internet domain on the Warning List, and the significance of the decision to exclude a domain from access as a result of being included on the list and the potential financial losses associated with it, it is essential that there be an appeal process against such a far-reaching decision. Operators undertake to restore access to websites if a domain name has been removed from the Warning List after receiving notification from NASK of its removal. Pursuant to Article 21 of the Act on Combating Abuse in Electronic Communications, an entity holding legal title to an internet domain included on the Warning List may file an objection to the inclusion of an internet domain on the Warning List with the President of the Office of Electronic Communications. The objection in question must meet the minimum formal requirements: specify the internet domain to which the objection relates, provide a justification explaining why the inclusion of the internet domain on the warning list is unjustified, and provide identifying information about the entity holding the legal title to the internet domain, including the first and last name, residential address (in the case of natural persons), the entity’s business name, registered office address, and the relevant registry number (in the case of legal entities and organizational units without legal personality), the first and last name of the person authorized to represent the entity holding the legal title to the internet domain, along with authorization. Such an objection should be submitted to the electronic delivery address of the President of the Office of Electronic Communications (UKE). Failure to meet the formal requirements will result in the objection being left unprocessed.

The President of the UKE will review the objection within 14 days of its receipt. The President of the UKE will uphold the objection if the internet domain is not used for data fraud or for the detrimental disposal of internet users’ property. However, it will not be upheld if the internet domain is used for data fraud or for the detrimental disposal of internet users’ property. If the objection is upheld, the next step taken by the President of the Office of Electronic Communications (UKE) is to order CSIRT NASK to remove the domain from the warning list immediately, no later than three days from the date the objection is upheld (Article 22 of the Act on Combating Abuse in Electronic Communications). According to Article 22, Section 4 of the Act on Combating Abuse in Electronic Communications, dismissing the objection constitutes another act of public administration, subject to appeal to the administrative court. To increase the chances of the objection being upheld, the entity holding the legal title to the domain should present in its justification arguments that the domain is not intended to mislead users, to obtain personal data, or to lead to the unfavorable disposal of property, and should support these arguments with appropriate evidence.

Examples of argumentation directions

Such arguments will, of course, depend on the reason the domain was deemed misleading to internet users and whether the consequences of this misrepresentation would involve theft of personal data or the unfavorable disposal of property. For example, if the misrepresentation were to result from domain similarity, one could point out that the domain has existed for a long time (including longer than the website with which it is confused), that it serves different purposes, gathers independent internet users, is recognizable in certain groups, or that its graphic design is dissimilar to the website with which it is supposedly confused. It would also be useful to demonstrate that the website uses various security measures to protect users, such as SSL/TLS certificates, and that the domain owner has responded to any reports in the past that might raise concerns about the website misleading users, for example, by displaying information on the website that internet users sometimes confuse one website with another. Additionally, server statistics confirming the number of users and the information collected by the website would certainly be useful (this could demonstrate that the website was not phishing). Considering the criteria set out in Article 20, Section 3 of the Act on Combating Abuse in Electronic Communications, an effective argument may be that an internet user or users were indeed misled, perhaps with even more far-reaching consequences, but this was not intentional and resulted, for example, from changes made to the website, a hacker attack, or other reasons that do not allow for the conclusion that the primary purpose of the website was to mislead internet users. The misrepresentation would then be merely incidental and accidental, for example, resulting from human error, and was not intentional.

Legislative and institutional environment

The first European cybersecurity regulation is Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the European Union, known as the Network and Information System Directive (NIS). The directive imposes numerous obligations on Member States, primarily involving the establishment of appropriate institutions, the adoption of a national strategy for the security of network and information systems, and the introduction of cooperation mechanisms. This directive established a network of computer security incident response teams (CSIRTs). The Act on the National Cybersecurity System, adopted by the Polish legislator on 28 August 2018, serves to achieve the objectives set out in the NIS Directive.

Pursuant to Article 1 of the Act on the National Cybersecurity System, the act specifies: the organization of the national cybersecurity system and the tasks and responsibilities of the entities comprising this system, the method of exercising supervision and control over the application of the provisions of the act, as well as the scope of the Cybersecurity Strategy of the Republic of Poland. The legislator, in principle, decided to create three teams: CSIRT GOV – Computer Security Incident Response Team operating at the national level, led by the Head of the Internal Security Agency; CSIRT MON – Computer Security Incident Response Team operating at the national level, led by the Minister of National Defence; and CSIRT NASK – Computer Security Incident Response Team operating at the national level, led by the Scientific and Academic Computer Network – National Research Institute (Article 2 of the Act on the National Cybersecurity System). The competence of CSIRT GOV and CSIRT MON is defined in Article 27 of the Act on the National Cybersecurity System as follows: “CSIRT GOV is competent in the scope of incidents related to events of a terrorist nature, referred to in Article 2 point 7 of the Act of June 10, 2016 on counter-terrorist activities (Journal of Laws of 2024, item 92); CSIRT MON is competent in the scope of incidents related to events of a terrorist nature, referred to in Article 5 paragraph 1 point 2a of the Act of June 9, 2006 on the Military Counterintelligence Service and the Military Intelligence Service (Journal of Laws of 2023, items 81, 1834 and 1860); If it is found that an incident, the handling of which is coordinated by the competent CSIRT MON, CSIRT NASK or CSIRT GOV, is related to the events referred to in paragraph 1 or 2, the coordination of incident handling is taken over by the relevant CSIRT MON or CSIRT GOV.” Therefore, for other incidents of a “civilian” nature, CSIRT NASK is responsible.

The entity that carries out CSIRT NASK’s tasks is CERT Polska, historically the first incident response team in Poland, operating since 1996 within the structure of NASK – the National Research Institute. CERT is a team responsible for handling security incidents and cooperating with similar units around the world, both in operational activities and in research and implementation. Pursuant to Article 26 of the Act on the National Cybersecurity System, CERT Polska, entrusted with the responsibilities of CSIRT NASK, is responsible for, among other things: monitoring cybersecurity threats and incidents at the national level, responding to reported incidents, coordinating incident handling, conducting advanced malware analyses and vulnerability analyses, developing tools and methods for detecting and combating cybersecurity threats, and conducting awareness-raising activities in the area of cybersecurity.

The second act, very important from the perspective of the topic under discussion, is the Act of July 28, 2023, on Combating Abuse in Electronic Communications. It defines the rights and obligations of telecommunications companies related to preventing and combating abuse in electronic communications, the powers of the President of the Office of Electronic Communications related to preventing and combating abuse in electronic communications, the rules for filing an objection by the sender of a short text message (SMS) if the content of such a message is deemed to constitute abuse in electronic communications, the rules for providing services related to sending short text messages (SMS) containing overrides to public entities, the rules for filing an objection by an entity holding legal title to an internet domain against the inclusion of that domain on a warning list, the obligations of email providers and public entities related to the provision and use of email to prevent abuse in electronic communications, and specific rules for processing information covered by electronic communications confidentiality related to preventing and combating abuse in electronic communications.


[1] https://cert.pl/uploads/docs/Raport_CP_2024.pdf

[2] Consolidated text of the agreement on cooperation in protecting internet users from websites that extort data, including personal data, and lead internet users to the unfavorable disposal of their financial resources during states of emergency, epidemics, or epidemic threat in the Republic of Poland. Source: https://www.gov.pl/web/baza-wiedzy/porozumienie-ws-listy-ostrzezen
