<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>cybersecurity certification - KIELTYKA GLADKOWSKI LEGAL | CROSS BORDER POLISH LAW FIRM RANKED IN THE LEGAL 500 EMEA SINCE 2019</title>
	<atom:link href="https://www.kg-legal.eu/info/tag/cybersecurity-certification/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.kg-legal.eu/info/tag/cybersecurity-certification/</link>
	<description>KIELTYKA GLADKOWSKI LEGAL &#124; CROSS BORDER POLISH LAW FIRM RANKED IN THE LEGAL 500 EMEA SINCE 2019</description>
	<lastBuildDate>Tue, 16 Sep 2025 13:05:49 +0000</lastBuildDate>
	<language>en-GB</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
	<item>
		<title>Act on the national cybersecurity certification system – for whom cybersecurity certificates will be needed.</title>
		<link>https://www.kg-legal.eu/info/it-new-technologies-media-and-communication-technology-law/act-on-the-national-cybersecurity-certification-system-for-whom-cybersecurity-certificates-will-be-needed/</link>
					<comments>https://www.kg-legal.eu/info/it-new-technologies-media-and-communication-technology-law/act-on-the-national-cybersecurity-certification-system-for-whom-cybersecurity-certificates-will-be-needed/#respond</comments>
		
		<dc:creator><![CDATA[jakub]]></dc:creator>
		<pubDate>Tue, 16 Sep 2025 13:05:49 +0000</pubDate>
				<category><![CDATA[IT, NEW TECHNOLOGIES, MEDIA AND COMMUNICATION TECHNOLOGY LAW]]></category>
		<category><![CDATA[cybersecurity certificates]]></category>
		<category><![CDATA[cybersecurity certification]]></category>
		<guid isPermaLink="false">https://www.kg-legal.eu/?p=8328</guid>

					<description><![CDATA[<p>Publication date: September 16, 2025 Cybersecurity certifications are designed for IT professionals, including system and network administrators, security specialists, engineers, and those aspiring to these roles, to validate their knowledge and practical skills in protecting against digital threats. The certification also covers ICT products, services, and processes, and aims to inform consumers about the level [&#8230;]</p>
<p>The article <a href="https://www.kg-legal.eu/info/it-new-technologies-media-and-communication-technology-law/act-on-the-national-cybersecurity-certification-system-for-whom-cybersecurity-certificates-will-be-needed/">Act on the national cybersecurity certification system – for whom cybersecurity certificates will be needed.</a> comes from <a href="https://www.kg-legal.eu">KIELTYKA GLADKOWSKI LEGAL | CROSS BORDER POLISH LAW FIRM RANKED IN THE LEGAL 500 EMEA SINCE 2019</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p><strong><mark style="background-color:rgba(0, 0, 0, 0)" class="has-inline-color has-vivid-cyan-blue-color">Publication date: September 16, 2025</mark></strong></p>



<p class="has-luminous-vivid-amber-background-color has-background">Cybersecurity certifications are designed for IT professionals, including system and network administrators, security specialists, engineers, and those aspiring to these roles, to validate their knowledge and practical skills in protecting against digital threats. The certification also covers ICT products, services, and processes, and aims to inform consumers about the level of digital security and support Polish companies in European markets.</p>






<p>On August 28, 2025, the Act of June 25, 2025, on the national cybersecurity certification scheme entered into force, implementing Regulation (EU) 2019/881 of the European Parliament and of the Council of April 17, 2019, on ENISA (the European Union Agency for Cybersecurity) and cybersecurity certification in information and communication technologies, and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) (OJ L 151, 7.06.2019, p. 15 and OJ L 2025/37, 15.01.2025).</p>



<p>The Act defines the organization of the national cybersecurity certification scheme and the tasks and responsibilities of the entities participating in it. The new regulations allow for the issuance of European and national security certificates for products, services, systems, and processes related to information and communication technologies (ICT). This will confirm that a given product, service, or process meets specific data protection and cyberattack resistance standards.</p>



<p>Regulation 2019/881 aims to harmonize the issuance of cybersecurity certificates by introducing the possibility of creating European certification programs and common procedures for obtaining a certificate. This will allow <strong>cybersecurity certificates to be automatically recognized throughout the European Union</strong>. This is stipulated in Article 2, point 9 of Regulation 2019/881.</p>



<p>The European certification system is complemented by so-called national cybersecurity certification schemes in areas not covered by European cybersecurity certification programs. Regulation 2019/881 requires all European Union Member States to establish a national cybersecurity certification authority to oversee the market and monitor the correctness of certification activities. It is worth noting that the entire certification system will continue to be based on market mechanisms, meaning that private entities will be able to issue certificates under a national cybersecurity certification scheme. The Polish Council of Ministers&#8217; justification for the adopted law states that the solutions based on market opening were adopted, and no single national conformity assessment body was designated to issue certificates with a &#8216;high&#8217; assurance level. Adopting an alternative solution could constitute a barrier to the development of private conformity assessment bodies.</p>



<p>The change therefore involves placing the certificate issuing process under an umbrella and creating mechanisms for its oversight. More information about the European and national cybersecurity certification system, the relationship between European and national certificates, the framework of the national cybersecurity certification system, accreditation, conformity assessment, and the role of the minister as the national cybersecurity certification authority can be found here: <a href="https://www.kg-legal.eu/info/it-new-technologies-media-and-communication-technology-law/new-provisions-on-cybersecurity-certification-in-poland/">https://www.kg-legal.eu/info/it-new-technologies-media-and-communication-technology-law/new-provisions-on-cybersecurity-certification-in-poland/</a></p>



<p><strong>Are cybersecurity certificates mandatory and for whom?</strong></p>



<p>Regulation 2019/881 stipulates that cybersecurity certification is voluntary, unless EU or Member State law provides otherwise (Article 56, paragraph 2). By adopting the Act on the National Cybersecurity Certification System, the <strong>Polish legislator decided to maintain the voluntary nature of certification</strong>. The Council of Ministers&#8217; justification for the adopted Act states that cybersecurity certification will be a completely voluntary process conducted on market principles, and that customers will be able to choose freely among the entities operating on the market. The Act creates a framework for certification without imposing any obligations on market entities. Anyone interested will therefore be able both to start a business in this field and to obtain certification of their ICT product, ICT service, ICT process, or managed security service, without being obliged to do so.</p>



<p>The same justification repeatedly mentions the voluntary nature of certification, which is crucial for two categories of entities. It should be emphasized that private entities will not be forced to join this system in any way; the obligations arising from it will therefore apply only to those who voluntarily submit to it. This applies both to conformity assessment bodies and to entities undergoing the certification process.</p>



<p>At the EU level, there is currently no regulation introducing a direct certification obligation, although in practice the picture is somewhat more complicated. Article 21 of Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 (NIS2 Directive) introduces numerous requirements for cybersecurity risk management measures, which Member States must impose on so-called essential and important entities. Paragraph 5 of this article refers to Commission implementing acts specifying technical requirements for, among others, DNS service providers, TLD name registries, cloud service providers, and the other entities listed there. Pursuant to Article 24 of NIS2, Member States may require essential and important entities to use specific ICT products, processes, and services certified in accordance with European cybersecurity certification schemes adopted pursuant to Article 49 of Regulation 2019/881.</p>



<p>The Act of 5 July 2018 on the National Cybersecurity System is responsible for implementing the provisions of the NIS1 and NIS2 Directives. Chapter 3 of the Act is devoted to the obligations of essential service operators, which include, among others, the obligation to implement security measures, report incidents, and conduct system security audits. Digital service providers must fulfill similar obligations, as regulated in Chapter 4 of the Act. These obligations do not include the requirement to hold a European cybersecurity certificate, although such a requirement could theoretically exist under the NIS2 regulations. At the same time, obtaining an appropriate cybersecurity certificate by essential service operators in particular, but also by digital service providers, may prove necessary or at least useful. The numerous and costly requirements placed on operators of essential services could be reduced by obtaining a cybersecurity certificate, for example by shortening the mandatory audit period.</p>



<p>The only currently adopted European cybersecurity certification scheme is based on the Common Criteria (ISO/IEC 15408). The requirements imposed by European and Polish legislation on essential service operators are largely based on widely used standards such as the aforementioned ISO/IEC 15408, ISO/IEC 27001, and ISO/IEC 27002. This means that building a sufficiently secure infrastructure in accordance with the most commonly used standards requires very similar, or even identical, measures to those needed to obtain a European cybersecurity certificate. Obtaining such a certificate, in turn, may bring benefits in the form of shortened procedures, such as security audits. The situation is similar for the previously mentioned requirements under the NIS2 Directive, such as those for DNS service providers<a href="#_ftn1" id="_ftnref1">[1]</a>, which are largely based on the commonly used ISO/IEC standards.</p>



<p>Other EU legal acts also impose or enable the imposition of further cybersecurity requirements on various economic sectors. Such regulations include Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on the digital operational resilience of the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (DORA Regulation), which aims to increase the digital operational resilience of financial entities and regulate the provision of ICT services in the financial market. As a result of the noticeable trend of introducing further reporting requirements, resilience testing, risk management, etc., European cybersecurity certificates may prove to be a very useful way to meet all these requirements significantly more easily, although it is worth noting that there is no mechanism for automatic compliance upon obtaining a certificate.</p>



<p>It is worth emphasizing that obtaining cybersecurity certificates is not currently mandatory, but may prove necessary in the future in public procurement. The contracting authority has the right to require a specific certificate in the tender specifications (Terms of Reference). Since, in theory, such requirements should be proportionate and based on non-discrimination and equal treatment, an equivalent method of demonstrating compliance should be sufficient in most cases. Obtaining a certificate can therefore be useful when participating in tenders, both when the tender specifications name a specific cybersecurity certificate and when only standards such as ISO/IEC are referenced. As mentioned earlier, cybersecurity certificates are largely based on these standards, allowing for an equivalent method of demonstrating compliance with the requirements.</p>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p><a href="#_ftnref1" id="_ftn1">[1]</a> Detailed requirements in this respect result, among others, from Commission Implementing Regulation (EU) 2024/2690 of 17 October 2024 laying down rules for the application of Directive (EU) 2022/2555 with regard to technical and methodological requirements for cybersecurity risk management measures and specifying the cases in which an incident is considered serious in relation to DNS service providers, TLD name registries, cloud service providers, data center service providers, content delivery network providers, managed service providers, managed security service providers, providers of online marketplaces, online search engines and social networking platforms, and trust service providers.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.kg-legal.eu/info/it-new-technologies-media-and-communication-technology-law/act-on-the-national-cybersecurity-certification-system-for-whom-cybersecurity-certificates-will-be-needed/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>New provisions on cybersecurity certification in Poland</title>
		<link>https://www.kg-legal.eu/info/it-new-technologies-media-and-communication-technology-law/new-provisions-on-cybersecurity-certification-in-poland/</link>
					<comments>https://www.kg-legal.eu/info/it-new-technologies-media-and-communication-technology-law/new-provisions-on-cybersecurity-certification-in-poland/#respond</comments>
		
		<dc:creator><![CDATA[jakub]]></dc:creator>
		<pubDate>Sun, 31 Aug 2025 18:37:41 +0000</pubDate>
				<category><![CDATA[IT, NEW TECHNOLOGIES, MEDIA AND COMMUNICATION TECHNOLOGY LAW]]></category>
		<category><![CDATA[cross border cases]]></category>
		<category><![CDATA[cybersecurity certification]]></category>
		<category><![CDATA[cybersecurity certification system]]></category>
		<category><![CDATA[ENISA]]></category>
		<category><![CDATA[Poland]]></category>
		<category><![CDATA[Regulation 2019/881]]></category>
		<guid isPermaLink="false">https://www.kg-legal.eu/?p=8222</guid>

					<description><![CDATA[<p>Polish Act on the national cybersecurity certification system Publication date: August 31, 2025 On August 28, 2025, the Polish Act of June 25, 2025, on the national cybersecurity certification scheme, entered into force, implementing Regulation (EU) 2019/881 of the European Parliament and of the Council of April 17, 2019, on ENISA (the European Union Agency [&#8230;]</p>
<p>The article <a href="https://www.kg-legal.eu/info/it-new-technologies-media-and-communication-technology-law/new-provisions-on-cybersecurity-certification-in-poland/">New provisions on cybersecurity certification in Poland</a> comes from <a href="https://www.kg-legal.eu">KIELTYKA GLADKOWSKI LEGAL | CROSS BORDER POLISH LAW FIRM RANKED IN THE LEGAL 500 EMEA SINCE 2019</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<h3 class="wp-block-heading"><strong>Polish Act on the national cybersecurity certification system</strong></h3>



<p><mark style="background-color:rgba(0, 0, 0, 0)" class="has-inline-color has-vivid-cyan-blue-color"><strong>Publication date: August 31, 2025</strong></mark></p>



<p>On August 28, 2025, the Polish Act of June 25, 2025, on the national cybersecurity certification scheme, entered into force, implementing Regulation (EU) 2019/881 of the European Parliament and of the Council of April 17, 2019, on ENISA (the European Union Agency for Cybersecurity) and cybersecurity certification in information and communication technologies and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) (OJ L 151, 7.06.2019, p. 15 and OJ L 2025/37, 15.01.2025).</p>






<p>Regulation 2019/881 established a European cybersecurity certification framework, introducing the possibility of creating European certification schemes and common rules for obtaining certificates. Recital 69 of the aforementioned Regulation states: &#8220;It is therefore necessary to adopt a common approach and establish a European cybersecurity certification framework, specifying the main horizontal requirements for the European cybersecurity certification schemes to be developed and enabling the recognition and use in all Member States of European cybersecurity certificates and EU statements of conformity for ICT products, ICT services or ICT processes. [&#8230;] This European cybersecurity certification framework should have a two-fold objective. Firstly, it should help to increase trust in ICT products, services and processes certified under European cybersecurity certification schemes. Secondly, it should help to avoid the proliferation of conflicting or overlapping national cybersecurity schemes, thereby reducing costs for undertakings operating in the digital single market.&#8221; Recital 70 further states: &#8220;The European cybersecurity certification framework should be established in a harmonised manner across Member States in order to prevent certification shopping practices due to differences in the levels of requirements in different Member States.&#8221;</p>



<h2 class="wp-block-heading"><strong>Unification of certificates in the European Union?</strong></h2>



<p>Each certificate issued under a specific European cybersecurity program, as referred to in Article 2, point 9 of Regulation 2019/881, <strong><u>will be automatically recognized</u></strong> throughout the European Union. As indicated in the Council of Ministers&#8217; justification for the adoption of the Act, Regulation 2019/881 requires all EU Member States to establish a national cybersecurity certification authority, which will oversee the market and monitor the correctness of certification activities. To implement the Regulation&#8217;s provisions, it was also necessary to introduce a procedure for the accreditation of entities authorized to issue certificates into the Polish legal system. The Act also provides for the introduction of a national cybersecurity certification scheme in areas not covered by European cybersecurity certification programs.</p>



<p>Pursuant to Article 1 of the Act on the National Cybersecurity Certification System, the Act specifies the organisation of the national cybersecurity certification system and the tasks and responsibilities of the entities comprising this system, including the method of supervising the activities of the entities comprising this system, controlling the activities of these entities and coordinating their activities.</p>



<h2 class="wp-block-heading"><strong>The complex relationship between European and national certificates</strong></h2>



<p>The relationship between these models (the European and Polish certification systems), or between the Act on the National Cybersecurity Certification System and Regulation 2019/881, appears in some respects rather complicated, incomprehensible, or even chaotic. The problem with this provision appears to lie in the parallel operation of the national and European systems.</p>



<p>Under the Regulation, Poland will issue a European cybersecurity certificate as defined in Article 2, point 11 of Regulation 2019/881, a definition to which the Act on the National Cybersecurity Certification System refers. In addition to the European cybersecurity certification scheme (Article 2, point 9) and the related European cybersecurity certificate (Article 2, point 11), Regulation 2019/881 provides for a national cybersecurity certification scheme (Article 2, point 10).</p>



<p>The Act on the national cybersecurity certification system, specifically in Article 2, point 12, additionally mentions a national certificate defined as:</p>



<p>a document confirming that a given ICT product, a given ICT service, a given ICT process, a given managed security service, a given cybersecurity management system or a given natural person has been assessed for compliance with the detailed requirements specified in <strong>the national cybersecurity certification scheme.</strong></p>



<p>The concept of a national cybersecurity certification scheme is interesting because it is a way to expand the national cybersecurity certification program defined in Regulation 2019/881. A national cybersecurity certification program can only apply to ICT products, services, and processes, as well as managed security services. However, this definition leaves Member States without the basis to issue certificates covering individuals (e.g., cybersecurity experts) or security management systems under national certification programs.</p>



<p>For this reason, the Polish legislator created the concept of a national cybersecurity certification scheme in Article 2, point 13, which reads as follows: &#8220;national cybersecurity certification scheme &#8211; a national cybersecurity certification program referred to in Article 2, point 10 of Regulation 2019/881 and a comprehensive set of regulations adopted by a national cybersecurity certification authority, applicable to the certification of cybersecurity management systems or natural persons in the field of cybersecurity.&#8221;</p>



<h2 class="wp-block-heading"><strong>What is the national cybersecurity certification system?</strong></h2>



<p>As indicated in Art. 3, paragraph 1: &#8220;The national cybersecurity certification system is a set of entities referred to in paragraph 2 and procedures related to certification […] under European cybersecurity certification schemes or national cybersecurity certification schemes and procedures for the certification of cybersecurity management systems or natural persons under national cybersecurity certification schemes […]&#8221;, and also in paragraph 2: &#8220;The national cybersecurity certification system includes: 1) the minister responsible for digitalization; 2) the Polish Centre for Accreditation; 3) conformity assessment bodies; 4) suppliers who subject their ICT products, ICT services, ICT processes or managed security services to a conformity assessment under a given European cybersecurity certification scheme or a given national cybersecurity certification scheme; 5) natural persons who subject their knowledge and practical skills to a conformity assessment under a given national cybersecurity certification scheme; 6) entities that subject the cybersecurity management systems they use to a conformity assessment under a given national cybersecurity certification scheme.&#8221;</p>



<p>The relationship between national cybersecurity certification schemes and European cybersecurity certification schemes is also governed by Article 57(1) of Regulation 2019/881. It states that: &#8220;national cybersecurity certification schemes and related procedures for ICT products, ICT services, ICT processes and managed security services that are covered by a European cybersecurity certification scheme shall cease to have effect on the date specified in the implementing act adopted pursuant to Article 49(7). National cybersecurity certification schemes and related procedures for ICT products, ICT services, ICT processes and managed security services that are not covered by a European cybersecurity certification scheme shall continue to exist.&#8221;</p>



<p>The distinction between <strong><u>a national certificate</u></strong> and <strong><u>a national cybersecurity certificate</u></strong> was outlined in the Council of Ministers&#8217; justification for the act as follows: a national certificate will be issued for a product, service, ICT process, or managed security service, a security management system that ensures the availability, authenticity, integrity, or confidentiality of stored, transmitted, or processed data, or provided functions or services, at a level appropriate to potential cyberthreats, and minimizes known risks related to cyberthreats.</p>



<p>Therefore, possession of such a certificate will guarantee an adequate level of protection. In turn, a national cybersecurity certificate may be issued to an individual who possesses the knowledge and practical skills necessary to effectively perform cybersecurity tasks. Its holders will be able to stand out in the job market, and potential employers, including public institutions, will have proof of their competence.</p>



<h2 class="wp-block-heading"><strong>Framework for the national cybersecurity certification system</strong></h2>



<p>Article 6 of the Act on the National Cybersecurity Certification System specifies that an ICT product, service or process, a managed security service, a cybersecurity management system, or an individual&#8217;s cybersecurity knowledge and practical skills may be subject to a conformity assessment in accordance with a given national cybersecurity certification scheme. Article 7 of the same Act specifies the requirements for issuing a national certificate.</p>



<p>These requirements include ensuring the availability, authenticity, integrity, or confidentiality of processed data or provided functions or services at a level appropriate to potential cyberthreats, and minimizing known risks related to cyberthreats. In the case of individuals, a national certificate may be issued to an individual who possesses the knowledge and practical skills necessary to perform cybersecurity tasks.</p>



<p>The methods for verifying compliance with the requirements of a given national cybersecurity certification scheme include examination of technical documentation, audits, testing of specific properties, and performance analyses. In the case of individuals, competence will be verified through a knowledge and practical skills test (Article 8 of the Act on the National Cybersecurity Certification System). A national certificate may be issued <strong>for a period of no less than two years and no longer than five years</strong>. According to the justification for the Act, this is because cybersecurity is a rapidly evolving field, so a certificate issued in the past may not necessarily correspond to the level of competence currently required. At the same time, its validity must be long enough for the certificate to remain useful and relevant in the market. The certificate&#8217;s validity can be extended (Article 10 of the Act on the National Cybersecurity Certification System).</p>



<p>Obtaining a national certificate also entails certain obligations on the part of its holder, including reporting obligations to the conformity assessment body, as further specified in Article 12 of the Act on the National Cybersecurity Certification System. The act stipulates that technical documentation regarding the subject of certification must be retained for a period of 10 years following the certificate&#8217;s expiry. This is necessary for monitoring and, if necessary, auditing the proper functioning of conformity assessment bodies (Article 14 of the Act on the National Cybersecurity Certification System).</p>



<h4 class="wp-block-heading"><strong>Creating national cybersecurity certification schemes</strong></h4>



<p>Pursuant to Art. 15 of the Act on the national cybersecurity certification system: The minister responsible for digitalization may specify, by regulation, a national cybersecurity certification scheme for selected ICT products, ICT services, ICT processes, managed security services, cybersecurity management systems or individuals, containing:</p>



<p>1) detailed requirements for ICT products, ICT services, ICT processes, managed security services, cybersecurity management systems subject to conformity assessment or individuals whose knowledge and practical skills in the field of cybersecurity are subject to conformity assessment;</p>



<p>2) detailed methods used to demonstrate that an ICT product, ICT service, ICT process, managed security service, cybersecurity management system or individual meets the requirements referred to in point 1;</p>



<p>3) detailed conditions for issuing, maintaining and extending the validity of national certificates;</p>



<p>4) detailed method of monitoring the compliance of ICT products, ICT services, ICT processes, managed security services, cybersecurity management systems or individuals with the requirements referred to in point 1, including mechanisms for demonstrating compliance with these requirements;</p>



<p>5) the detailed scope of technical documentation relating to certification and the method of storing and destroying this documentation;</p>



<p>6) the period of storing technical documentation relating to certification;</p>



<p>7) the period for which the national certificate is issued;</p>



<p>8) the template of the national certificate.</p>



<p><strong>Accreditation and conformity assessment</strong></p>



<p>Conformity assessment is performed by a conformity assessment body accredited for a given European cybersecurity certification scheme or national cybersecurity certification scheme. To assess the conformity of ICT products, services and processes, managed security services, cybersecurity management systems, and individuals, interested entities will need to obtain accreditation from the Polish Centre for Accreditation (PCA). The PCA will inform the minister responsible for digitalization, no later than 14 days from the date of accreditation, of the granting of accreditation for a given European cybersecurity certification scheme or national cybersecurity certification scheme, and, no later than 14 days from the date of the relevant decision, of any refusal, suspension, or limitation of the scope of a conformity assessment body&#8217;s accreditation. <strong>The Polish Centre for Accreditation</strong> supervises, within the scope of the accreditation granted, conformity assessment bodies in the area covered by a given European cybersecurity certification scheme or a given national cybersecurity certification scheme, taking into account the requirements referred to in Art. 22 sec. 4 of the Act of 13 April 2016 on conformity assessment and market surveillance systems and the requirements specified in: 1) the annex to Regulation 2019/881, 2) European cybersecurity certification schemes, 3) national cybersecurity certification schemes (Art. 16 and 17 of the Act on the national cybersecurity certification system).</p>



<p><strong>Assessment of compliance with the requirements of the European cybersecurity certification program</strong></p>



<p>An ICT product, service, process, or managed security service (which therefore has a narrower scope) <strong>may be subject to a conformity assessment in accordance with a given European cybersecurity certification scheme</strong> based on an agreement between the provider and the conformity assessment body. The conformity assessment in question refers to one of the assurance levels specified in Article 52 of Regulation 2019/881. This agreement specifies, in particular, the ICT product, ICT service, ICT process, or managed security service to be subject to a conformity assessment, the scope of certification, the European cybersecurity certification scheme under which the European certificate is to be issued, the assurance level to which the certificate is to refer, the obligations of the parties related to certification, and the obligations related to the protection of information provided to the conformity assessment body, in particular the method of protecting trade secrets and other confidential information, including trade secrets, as well as the protection of intellectual property rights (Article 5 of the Act on the National Cybersecurity Certification System).</p>



<p>Article 49(7) of Regulation 2019/881 states that the Commission, on the basis of a scheme proposal prepared by ENISA, may adopt implementing acts establishing a European cybersecurity certification scheme for ICT products, ICT services, ICT processes and managed security services that meets the relevant requirements set out in Articles 51, 51a, 52 and 54. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 66(1) and in paragraph 8 that &#8220;ENISA shall evaluate each adopted European cybersecurity certification scheme at least every 5 years, taking into account feedback received from stakeholders. Where necessary, the Commission or the ECCG may request ENISA to initiate the process of developing a revised scheme proposal in accordance with Article 48 and this Article.</p>



<p><strong>Currently, one European cybersecurity certification scheme has been adopted</strong>, i.e. the <strong>European Cybersecurity Certification &#8211; the Scheme on Common Criteria (EUCC)</strong>, effective from February 2025, <strong>applies to ICT products (hardware, software, components) and is based on the Common Criteria standard (ISO/IEC 15408)</strong>. Such a certificate issued in Poland will be recognized throughout the EU. Other programs are in the preparation phase, including the European Cybersecurity program. Certification Scheme for Cloud Services (EUCS) for cloud services.</p>



<p><strong>The role of the minister</strong></p>



<p>The national cybersecurity certification authority, referred to in Article 58 of Regulation 2019/881, is the Minister responsible for computerization (Article 4 of the Act on the National Cybersecurity System). As part of the responsibilities imposed on the national government administration authority responsible for cybersecurity, the minister will conduct a number of administrative proceedings, including: granting consent to the issuance of European certificates referring to the “high” level; issuing authorizations to conduct conformity assessments where the certification program specifies specific requirements for assessment bodies; 3) withdrawing and limiting authorizations to conduct conformity assessments where the certification program specifies specific requirements for conformity assessment bodies; withdrawing a certificate referring to the “high” assurance level issued in contravention of the provisions of Regulation 2019/88 or the Act or in contravention of the provisions of the certification program; and imposing fines.</p>



<p>As part of the certification programs being developed by the European Cybersecurity Agency (ENISA), a procedure for introducing changes to the assessment methodology used by a conformity assessment body has emerged. Such an exception to the standard certification procedure requires the consent of the competent authority for cybersecurity. Therefore, it was necessary to establish an appropriate procedure in national legislation. Article 21, Section 1 of the Act on the National Cybersecurity Certification Scheme states: &#8220;If a given European cybersecurity certification program provides for the possibility of introducing changes to the assessment methodology to be used by a conformity assessment body, that body may submit a request to the minister responsible for digitalization to introduce changes to that methodology. The request shall include proposed changes to the assessment methodology to be used by the conformity assessment body, along with a justification.&#8221;</p>
<p>Artykuł <a href="https://www.kg-legal.eu/info/it-new-technologies-media-and-communication-technology-law/new-provisions-on-cybersecurity-certification-in-poland/">New provisions on cybersecurity certification in Poland</a> pochodzi z serwisu <a href="https://www.kg-legal.eu">KIELTYKA GLADKOWSKI LEGAL | CROSS BORDER POLISH LAW FIRM RANKED IN THE LEGAL 500 EMEA SINCE 2019</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.kg-legal.eu/info/it-new-technologies-media-and-communication-technology-law/new-provisions-on-cybersecurity-certification-in-poland/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
