
New provisions on cybersecurity certification in Poland

Polish Act on the national cybersecurity certification system

Publication date: August 31, 2025

On August 28, 2025, the Polish Act of June 25, 2025, on the national cybersecurity certification system entered into force, implementing Regulation (EU) 2019/881 of the European Parliament and of the Council of April 17, 2019, on ENISA (the European Union Agency for Cybersecurity) and on cybersecurity certification in information and communication technologies and repealing Regulation (EU) No 526/2013 (the Cybersecurity Act) (OJ L 151, 7.06.2019, p. 15, and OJ L 2025/37, 15.01.2025).

Regulation 2019/881 established a European cybersecurity certification framework, introducing the possibility of creating European certification schemes and common rules for obtaining certificates. Recital 69 of the aforementioned Regulation states: “It is therefore necessary to adopt a common approach and establish a European cybersecurity certification framework, specifying the main horizontal requirements for the European cybersecurity certification schemes to be developed and enabling the recognition and use in all Member States of European cybersecurity certificates and EU statements of conformity for ICT products, ICT services or ICT processes. […] This European cybersecurity certification framework should have a two-fold objective. Firstly, it should help to increase trust in ICT products, services and processes certified under European cybersecurity certification schemes. Secondly, it should help to avoid the proliferation of conflicting or overlapping national cybersecurity schemes, thereby reducing costs for undertakings operating in the digital single market.” Recital 70 further states: “The European cybersecurity certification framework should be established in a harmonised manner across Member States in order to prevent certification shopping practices due to differences in the levels of requirements in different Member States.”

Unification of certificates in the European Union?

Each certificate issued under a specific European cybersecurity certification scheme, as referred to in Article 2, point 9 of Regulation 2019/881, is recognized throughout the European Union. As indicated in the Council of Ministers' justification for the adoption of the Act, Regulation 2019/881 requires every Member State to designate a national cybersecurity certification authority, which supervises the market and monitors the correctness of certification activities. To implement the Regulation, it was also necessary to introduce into the Polish legal system a procedure for the accreditation of entities authorized to issue certificates. The Act also provides for national cybersecurity certification schemes in areas not covered by European cybersecurity certification schemes.

Pursuant to Article 1 of the Act on the National Cybersecurity Certification System, the Act specifies the organisation of the national cybersecurity certification system and the tasks and responsibilities of the entities comprising this system, including the method of supervising the activities of the entities comprising this system, controlling the activities of these entities and coordinating their activities.

The complex relationship between European and national certificates

The relationship between the two models (the European and the Polish certification systems), that is, between the Act on the National Cybersecurity Certification System and Regulation 2019/881, appears in some respects complicated, hard to follow, or even chaotic. The difficulty appears to lie in the parallel operation of the national and European systems, which use closely related terms for concepts of different scope.

Under the Regulation, Poland will issue a European cybersecurity certificate as defined in Article 2, point 11 of Regulation 2019/881, a definition to which the Act on the National Cybersecurity Certification System refers. In addition to the European cybersecurity certification scheme (Article 2, point 9) and the related European cybersecurity certificate (Article 2, point 11), Regulation 2019/881 provides for a national cybersecurity certification scheme (Article 2, point 10).

The Act on the national cybersecurity certification system, specifically in Article 2, point 12, additionally mentions a national certificate defined as:

 a document confirming that a given ICT product, ICT service, ICT process, managed security service, cybersecurity management system or natural person has been assessed for compliance with the detailed requirements specified in a national cybersecurity certification scheme.

The concept of a national cybersecurity certification scheme is interesting because it extends the national concept defined in Article 2, point 10 of Regulation 2019/881. A note on terminology: the English text of the Regulation calls both the European and the national instruments "schemes", whereas the Polish text of the Regulation uses "program" and the Act reserves "scheme" (schemat) for its own broader concept; the two terms are therefore kept apart here. A national cybersecurity certification program within the meaning of the Regulation can only cover ICT products, ICT services, ICT processes and managed security services. That definition gives Member States no basis to issue, under a national program, certificates covering natural persons (e.g. cybersecurity experts) or cybersecurity management systems.

For this reason, the Polish legislator created the concept of a national cybersecurity certification scheme in Article 2, point 13 of the Act, which reads as follows: "national cybersecurity certification scheme – a national cybersecurity certification program referred to in Article 2, point 10 of Regulation 2019/881 and a comprehensive set of rules adopted by the national cybersecurity certification authority, applicable to the certification of cybersecurity management systems or natural persons in the field of cybersecurity."

What is the national cybersecurity certification system?

Article 3, paragraph 1 provides: "The national cybersecurity certification system is a set of entities referred to in paragraph 2 and procedures related to certification […] under European cybersecurity certification schemes or national cybersecurity certification schemes, and procedures for the certification of cybersecurity management systems or natural persons under national cybersecurity certification schemes […]". Paragraph 2 lists those entities: "The national cybersecurity certification system includes:

1) the minister responsible for digitalization;

2) the Polish Centre for Accreditation;

3) conformity assessment bodies;

4) suppliers who subject their ICT products, ICT services, ICT processes or managed security services to a conformity assessment under a given European cybersecurity certification scheme or a given national cybersecurity certification scheme;

5) natural persons who subject their knowledge and practical skills to a conformity assessment under a given national cybersecurity certification scheme;

6) entities that subject the cybersecurity management systems they use to a conformity assessment under a given national cybersecurity certification scheme."

The relationship between national cybersecurity certification schemes and European cybersecurity certification schemes is also governed by Article 57(1) of Regulation 2019/881. It states that: “national cybersecurity certification schemes and related procedures for ICT products, ICT services, ICT processes and managed security services that are covered by a European cybersecurity certification scheme shall cease to have effect on the date specified in the implementing act adopted pursuant to Article 49(7). National cybersecurity certification schemes and related procedures for ICT products, ICT services, ICT processes and managed security services that are not covered by a European cybersecurity certification scheme shall continue to exist.”

The distinction between a national certificate issued for a product, service, process, managed security service or management system and one issued to a natural person was outlined in the Council of Ministers' justification for the Act as follows: a national certificate will be issued for an ICT product, ICT service, ICT process, managed security service or cybersecurity management system that ensures the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data, or of the functions or services provided, at a level appropriate to the potential cyberthreats, and that minimizes known risks related to cyberthreats.

Possession of such a certificate is therefore meant to attest that the certified subject reaches an adequate level of protection against the threats considered by the scheme. In turn, a national certificate may be issued to a natural person who possesses the knowledge and practical skills necessary to perform cybersecurity tasks effectively. Its holders will be able to stand out in the job market, and potential employers, including public institutions, will have evidence of their competence.

Framework for the national cybersecurity certification system

Article 6 of the Act on the National Cybersecurity Certification System specifies that an ICT product, ICT service, ICT process, managed security service, cybersecurity management system, or a natural person's cybersecurity knowledge and practical skills may be subject to a conformity assessment under a given national cybersecurity certification scheme. Article 7 of the same Act specifies the requirements for issuing a national certificate.

These requirements include ensuring the availability, authenticity, integrity or confidentiality of processed data, or of the functions or services provided, at a level appropriate to the potential cyberthreats, and minimizing known risks related to cyberthreats. In the case of natural persons, a national certificate may be issued to someone who possesses the knowledge and practical skills necessary to perform cybersecurity tasks.

The methods used to verify that these requirements are met under a given national cybersecurity certification scheme include examination of technical documentation, audits, testing of specific properties, and performance analyses. In the case of natural persons, competence is verified through a test of knowledge and practical skills (Article 8 of the Act on the National Cybersecurity Certification System). A national certificate is issued for a period of no less than two years and no more than five years. According to the justification for the Act, this is because cybersecurity evolves rapidly, so a certificate issued some time ago may no longer reflect the level of competence currently required; at the same time, validity must be long enough for the certificate to remain useful and relevant in the market. The certificate's validity can be extended (Article 10 of the Act on the National Cybersecurity Certification System).

Obtaining a national certificate also entails certain obligations on the part of its holder, including reporting obligations to the conformity assessment body, as further specified in Article 12 of the Act on the National Cybersecurity Certification System. The act stipulates that technical documentation regarding the subject of certification must be retained for a period of 10 years following the certificate’s expiry. This is necessary for monitoring and, if necessary, auditing the proper functioning of conformity assessment bodies (Article 14 of the Act on the National Cybersecurity Certification System).

Creating national cybersecurity certification schemes

Pursuant to Art. 15 of the Act on the national cybersecurity certification system: The minister responsible for digitalization may specify, by regulation, a national cybersecurity certification scheme for selected ICT products, ICT services, ICT processes, managed security services, cybersecurity management systems or individuals, containing:

1) detailed requirements for ICT products, ICT services, ICT processes, managed security services, cybersecurity management systems subject to conformity assessment or individuals whose knowledge and practical skills in the field of cybersecurity are subject to conformity assessment;

2) detailed methods used to demonstrate that an ICT product, ICT service, ICT process, managed security service, cybersecurity management system or individual meets the requirements referred to in point 1;

3) detailed conditions for issuing, maintaining and extending the validity of national certificates;

4) detailed method of monitoring the compliance of ICT products, ICT services, ICT processes, managed security services, cybersecurity management systems or individuals with the requirements referred to in point 1, including mechanisms for demonstrating compliance with these requirements;

5) the detailed scope of technical documentation relating to certification and the method of storing and destroying this documentation;

6) the period of storing technical documentation relating to certification;

7) the period for which the national certificate is issued;

8) the template of the national certificate.

Accreditation and conformity assessment

Conformity assessment is performed by a conformity assessment body accredited for a given European cybersecurity certification scheme or national cybersecurity certification scheme. To assess the conformity of ICT products, services and processes, managed security services, cybersecurity management systems and natural persons, interested entities must obtain accreditation from the Polish Centre for Accreditation (PCA). The PCA informs the minister responsible for digitalization of the granting of accreditation for a given European or national cybersecurity certification scheme no later than 14 days from the date of accreditation, and of any refusal, suspension or limitation of the scope of a conformity assessment body's accreditation no later than 14 days from the date of the relevant decision. Within the scope of the accreditation granted, the PCA supervises conformity assessment bodies in the area covered by a given European or national cybersecurity certification scheme, taking into account the requirements referred to in Article 22(4) of the Act of 13 April 2016 on conformity assessment and market surveillance systems and the requirements specified in: 1) the Annex to Regulation 2019/881; 2) European cybersecurity certification schemes; 3) national cybersecurity certification schemes (Articles 16 and 17 of the Act on the National Cybersecurity Certification System).

Assessment of compliance with the requirements of a European cybersecurity certification scheme

An ICT product, ICT service, ICT process or managed security service (a narrower range of subjects than under the national schemes, which also cover management systems and natural persons) may be subject to a conformity assessment under a given European cybersecurity certification scheme on the basis of an agreement between the provider and the conformity assessment body. The assessment refers to one of the assurance levels specified in Article 52 of Regulation 2019/881 ("basic", "substantial" or "high"). The agreement specifies, in particular: the ICT product, ICT service, ICT process or managed security service to be assessed; the scope of certification; the European cybersecurity certification scheme under which the European certificate is to be issued; the assurance level to which the certificate is to refer; the parties' obligations related to certification; and the obligations related to the protection of information provided to the conformity assessment body, in particular the method of protecting trade secrets and other confidential information and of protecting intellectual property rights (Article 5 of the Act on the National Cybersecurity Certification System).

Article 49(7) of Regulation 2019/881 provides that the Commission, on the basis of a candidate scheme prepared by ENISA, may adopt implementing acts establishing a European cybersecurity certification scheme for ICT products, ICT services, ICT processes and managed security services that meets the relevant requirements set out in Articles 51, 51a, 52 and 54; those implementing acts are adopted in accordance with the examination procedure referred to in Article 66(1). Article 49(8) adds: "ENISA shall evaluate each adopted European cybersecurity certification scheme at least every 5 years, taking into account feedback received from stakeholders. Where necessary, the Commission or the ECCG may request ENISA to initiate the process of developing a revised scheme proposal in accordance with Article 48 and this Article."

To date, one European cybersecurity certification scheme has been adopted: the European Common Criteria-based cybersecurity certification scheme (EUCC), established by Commission Implementing Regulation (EU) 2024/482 and applicable from February 2025. It covers ICT products (hardware, software and components) and is based on the Common Criteria standard (ISO/IEC 15408) and its evaluation methodology (ISO/IEC 18045). An EUCC certificate issued in Poland is recognized throughout the EU. Other schemes are in preparation, including the European Cybersecurity Certification Scheme for Cloud Services (EUCS).

The role of the minister

The national cybersecurity certification authority referred to in Article 58 of Regulation 2019/881 is the minister responsible for digitalization (Article 4 of the Act on the National Cybersecurity Certification System). Among the tasks imposed on it as the national authority, the minister conducts a number of administrative proceedings, including:

1) granting consent to the issuance of European certificates referring to the "high" assurance level;

2) issuing authorizations to conduct conformity assessments where the certification scheme specifies particular requirements for conformity assessment bodies;

3) withdrawing or limiting such authorizations;

4) withdrawing a certificate referring to the "high" assurance level that was issued in contravention of Regulation 2019/881, the Act or the certification scheme;

5) imposing fines.

The certification schemes being developed by the European Union Agency for Cybersecurity (ENISA) provide for a procedure for changing the assessment methodology used by a conformity assessment body. Such a departure from the standard certification procedure requires the consent of the national cybersecurity certification authority, so a corresponding procedure had to be established in national law. Article 21, paragraph 1 of the Act on the National Cybersecurity Certification System states: "If a given European cybersecurity certification scheme provides for the possibility of introducing changes to the assessment methodology to be used by a conformity assessment body, that body may submit a request to the minister responsible for digitalization to introduce changes to that methodology. The request shall include the proposed changes to the assessment methodology to be used by the conformity assessment body, along with a justification."
