6. Poland 87.01

6th National Cyber Security Index
29th Global Cybersecurity Index
49th ICT Development Index
42nd Networked Readiness Index
Population 38.4 million
Area (km2) 312.7 thousand
GDP per capita ($) 31.4 thousand
NCSI Update Data source
21 Dec 2020 Government officials
17 Jul 2018 Government officials

Version 21 Dec 2020

GENERAL CYBER SECURITY INDICATORS
  • 1. Cyber security policy development 7/7 100%
    • 1.1. Cyber security policy unit 3/3
      Requirements
      Criteria

      A central government entity (ministry or equivalent) has a specialised official or unit responsible for national cyber security policy development.

      Accepted references

      Official website or legal act

      Evidence

      In accordance with art. 12a and art. 19 item 1a of the Act of 4 September 1997 on division of government administration (amended by the Act of 5 July 2018 on national cybersecurity system), cybersecurity in Poland is divided into civilian and military spheres. The Minister of National Defence is responsible for the military sphere (art. 19 item 1a), and the minister competent for digitalization (currently the Minister of Digital Affairs) is responsible for the civilian sphere (art. 12a).

      Moreover, a Government Plenipotentiary for Cybersecurity was appointed by the Prime Minister. https://cyberpolicy.nask.pl/aktualnosci/pelnomocnik-rzadu-ds-cyberbezpieczenstwa-i-pelnomocnik-mon-ds-bezpieczenstwa-cyberprzestrzeni/

      The new Plenipotentiary is also, at the same time, the Minister of Digital Affairs. The Plenipotentiary is responsible for coordination of cybersecurity policy of the Council of Ministers of Poland.

      A Cybersecurity Department is in place at the Ministry of Digital Affairs. The Department provides substantive, organizational and legal input for the Minister of Digital Affairs in the field of cybersecurity.

      Decision of the Minister of National Defence on establishing the National Cybersecurity Center, which conducts cybersecurity activities within the military sphere. CSIRT MON, one of the CSIRTs at national level, operates within the NCSC.

      Moreover, a Plenipotentiary of the Minister of National Defence for Cybersecurity was appointed: http://www.dz.urz.mon.gov.pl/zasoby/dziennik/pozycje/tresc-aktow/pdf/2020/04/Poz._74_dec._Nr_58-sig.pdf

    • 1.2. Cyber security policy coordination format 2/2
      Requirements
      Criteria

      The central government has a committee, council, working group, etc. for national-level cyber security policy coordination.

      Accepted references

      Official website or legal act

      Evidence

      Art 64-66

      National cybersecurity policy coordination is achieved through the role of Government Plenipotentiary for Cybersecurity and the Advisory Committee for Cyber Security.

      The Plenipotentiary ensures, inter alia, a coherent and comprehensive risk management system at the national level, carries out tasks to counteract cyber security threats of a cross-sectoral and cross-border nature, and ensures the coordination of handling reported incidents.

      The Advisory Committee for Cyber Security operates at the Council of Ministers, in the capacity of a consultative and advisory body in matters of cyber security and relevant activities of CSIRT MON, CSIRT NASK, CSIRT GOV, sectoral cyber security teams and the competent authorities for cyber security, e.g. taking opinions on policy, draft legal acts and recommendations of the Plenipotentiary.

    • 1.3. Cyber security strategy 1/1
      Requirements
      Criteria

      The central government has established a national-level cyber security strategy or other equivalent document.

      Accepted references

      Valid official document

      Evidence

      The Cybersecurity Strategy of the Republic of Poland for 2019-2024 (Strategia Cyberbezpieczeństwa RP) was adopted on 30th of October 2019. The Strategy sets out a specific objective: the development of the National Cybersecurity System (KSC).

      The Strategy replaced the previous strategic document, the National Framework of Cybersecurity Policy of the Republic of Poland for 2017-2022, and fully meets the requirements of the NIS Directive.

      The National Security Strategy of the Republic of Poland (Strategia Bezpieczeństwa Narodowego - SBN) was adopted on 12th of May 2020; cybersecurity is one of its important elements.

      The National Security Strategy is the most important national security strategy document. Acts and detailed sector strategies may be developed on the basis of the areas of action indicated in it. One such sector strategy is the Cyber Security Strategy for 2019-2024 (Web link 1) adopted by the government last year.

    • 1.4. Cyber security strategy implementation plan 1/1
      Requirements
      Criteria

      The central government has established an implementation plan to the national-level cyber security strategy or other equivalent document.

      Accepted references

      Valid official document or its enforcement act

      Evidence

      According to point 9 of the National Framework of Cybersecurity Policy, within six months of the adoption of the National Framework of Cybersecurity Policy, the coordinator, in cooperation with members of the Council of Ministers, heads of central offices and the Director of the Government Centre for Security, will develop an Action Plan for the implementation of the National Framework of Cybersecurity Policy. When developing the Plan, the above-mentioned bodies shall take into account in their activities the issues of cybersecurity in accordance with their statutory competence. The action plan has been adopted.

  • 2. Cyber threat analysis and information 5/5 100%
    • 2.1. Cyber threats analysis unit 3/3
      Requirements
      Criteria

      A central government entity has a national-level unit that is specialised in national strategic cyber threat situation analysis.

      Accepted references

      Official website or legal act

      Evidence

      According to the adopted Act of 5 July 2018 on the National Cyber Security System, the national strategic cyber threat situations analysis is done by the Plenipotentiary and 3 CSIRTs.

      CSIRTs are involved in risk assessment; they monitor threats and incidents, conduct advanced analyses and develop tools to perform and prevent the cyber threats.

      The Act on National Cybersecurity System creates a coherent incident response system based on the leading role of three Computer Security Incident Response Teams at national level (MON; NASK; GOV) conducted by:

      1. the Minister of National Defence - CSIRT MON;
      2. the Minister of Digital Affairs (through NASK - The Research and Academic Computer Network - a National Research Institute subordinated to the Minister of Digital Affairs) - CSIRT NASK;
      3. the Head of the Internal Security Agency, one of the intelligence services - CSIRT GOV.

      The scope of their responsibilities is varied: CSIRT MON is responsible for specific entities subordinated to or supervised by the Ministry of National Defence; CSIRT NASK is responsible for, inter alia, local government units, research institutions, businesses, citizens etc.; and CSIRT GOV is mainly responsible for government administration and critical infrastructure and for incidents related to terrorist events.

      The Government Plenipotentiary for Cybersecurity is competent for ensuring a coherent and comprehensive risk management system at the national level, carrying out tasks to counteract cyber security threats of a cross-sectoral and cross-border nature, and ensuring the coordination of reported incidents.

    • 2.2. Public cyber threat reports are published annually 1/1
      Requirements
      Criteria

      The public part of the national cyber threat situation analysis is published at least once a year.

      Accepted references

      Official public report

      Evidence

      Reports are published by CSIRT GOV and CSIRT NASK annually.

    • 2.3. Cyber safety and security website 1/1
      Requirements
      Criteria

      Public authorities provide at least one cyber safety and security website for cyber security and ICT professionals, and regular users.

      Accepted references

      Website

      Evidence

      Official portal of the government of Poland - dedicated cybersecurity knowledge base whose main aim is enhancing public cyber awareness (best practices, recommendations etc.) - https://www.gov.pl/web/baza-wiedzy/cyberbezpieczenstwo

      Ministry of Digital Affairs – cybersecurity: https://www.gov.pl/web/cyfryzacja/cyberbezpieczenstwo

      CSIRT GOV:

      https://csirt.gov.pl/

      https://csirt.gov.pl/cer/publikacje

      National Cyber security Centre (Narodowe Centrum Bezpieczeństwa Cyberprzestrzeni): https://ncbc.wp.mil.pl/pl/

      CSIRT NASK:

      https://www.nask.pl/

      https://cyberpolicy.nask.pl/

      https://www.cert.pl/

  • 3. Education and professional development 7/9 78%
    • 3.1. Cyber safety competencies in primary or secondary education 1/1
      Requirements
      Criteria

      Primary or secondary education curricula include cyber safety / computer safety competences.

      Accepted references

      Official curriculum or official report

      Evidence

      In 2017, issues within the field of cybersecurity education were introduced to the Polish education system.
      1. Changes were introduced to the Act of 14 December 2016 on Educational Law (Journal of Laws of 11 January 2017). New provisions were introduced in Art. 1 (items 21 and 22) on the dissemination of knowledge about threats, including those in cyberspace, and the development of ICT skills. These provisions are as follows:
      Art. 1. The education system ensures in particular:
      21) dissemination of knowledge about safety among children and adolescents and shaping appropriate attitudes towards threats, including those related to the use of information and communication technologies, and emergency situations;
      22) developing students' skills in efficient use of information and communication technologies;
      These provisions must be taken into account in the planning and implementation of activities by all entities operating under the education system in Poland.
      2. In addition, issues related to education in the area of the use of new technologies, critical understanding and security in cyberspace have been formulated in the new core curriculum of general education for both primary and secondary schools.
      The new core curriculum of IT education and IT extends safety and compliance provisions. They refer to respecting the privacy of information, data protection, intellectual property rights and safe movement in cyberspace.
      The implementation of the core curriculum is the responsibility of every teacher.
      The new core curriculum for primary schools is in force from the school year 2017/2018. For secondary schools, however, it will apply from the school year 2018/2019.
      The Minister of National Education, defining the directions of the implementation of the state's education policy in the 2017/2018 school year, identified security on the internet and responsible use of social media as one of the priorities. It is also planned to prepare tutorials for teachers on the implementation of the content of the new core curriculum of IT classes and computer science, including in the field of information security. Materials will be developed by the Center for Education Development in 2018.
      At the request of the Ministry of National Education, recommendations were also prepared: "Safe school, threats and recommended preventive actions in the field of physical and digital security". The material was provided to educational institutions and published on the website https://bezpiecznaszkola.men.gov.pl/bezpieczna-szkola-zagrozenia-i-zalecane-dzialania-profilaktyczne-w-zakresie-bezpieczenstwa-fizycznego-i-cyfrowego-uczniow/ (Link 2) in September 2017.


    • 3.2. Bachelor’s level cyber security programme 2/2
      Requirements
      Criteria

      There is at least one cyber security / electronic information security focused programme at Bachelor’s or equivalent level.

      Accepted references

      Accredited study programme

      Evidence

      MoDA, in close cooperation with the NASK Institute, Warsaw University of Technology and the Cybersecurity Foundation, set out the very first accredited study programme at bachelor's level. The programme is a reference point for other universities deciding to introduce new cybersecurity studies.

    • 3.3. Master’s level cyber security programme 2/2
      Requirements
      Criteria

      There is at least one cyber security / electronic information security focused programme at Master’s or equivalent level.

      Accepted references

      Accredited study programme

      Evidence

      There are a few MA programmes offering cybersecurity studies. The programmes are available at public and private universities.

      https://www.nask.pl/pl/aktualnosci/2276,Cyberbezpieczenstwo-nowe-studia-podyplomowe-NASK-i-Politechniki-Bialostockiej.html

      http://www.wat.edu.pl/?portfolio=kryptologia-i-cyber-bezpieczenstwo

      http://www.elka.pw.edu.pl/Studia/Informacje-dla-kandydatow/Opis-kierunkow-studiow/Cyberbezpieczenstwo

      http://weka.pwr.edu.pl/kandydaci/cyberbezpieczenstwo

      https://eti.pg.edu.pl/katedra-teleinformatyki

      https://www.wsb.pl/gdansk/studia-i-szkolenia/studia-ii-stopnia

       

    • 3.4. PhD level cyber security programme 0/2
      Requirements
      Criteria

      There is at least one cyber security / electronic information security focused programme at PhD or equivalent level.

      Accepted references

      Accredited study programme

      Evidence
    • 3.5. Cyber security professional association 2/2
      Requirements
      Criteria

      There is a professional association of cyber/electronic information security specialists, managers or auditors.

      Accepted references

      Website

      Evidence
  • 4. Contribution to global cyber security 2/6 33%
    • 4.1. Convention on Cybercrime 1/1
      Requirements
      Criteria

      The country has ratified the Convention on Cybercrime.

      Accepted references

      Official website of the convention

    • 4.2. Representation in international cooperation formats 1/1
      Requirements
      Criteria

      The government is regularly represented in a cooperation format that is dedicated to international cyber security (e.g. FIRST).

      Accepted references

      Official website of the cooperation format

      Evidence

      Poland is part of the CSIRTs network at EU level, which was created as a result of the entry into force of the NIS Directive.

      The Polish Minister of Digital Affairs is responsible for supervision of NASK as the research institute and operator of the data transmission network under which CSIRT NASK functions.

      CSIRT NASK is the first Computer Emergency Response Team established in Poland. Thanks to its dynamic activity since 1996 in the community of response teams, it has become a recognizable and experienced entity in the field of computer security. From the beginning of the team's existence, its core business has been the handling of security incidents and cooperation with similar units around the world, both in operational activities and in research and implementation activities.

      Since 1998, CSIRT NASK has been a member of the international forum of response teams, FIRST, and since 2000 it has belonged to the working group of European response teams, TERENA TF-CSIRT, and the Trusted Introducer operating under it.

      In 2005, at the initiative of CSIRT NASK, the forum of Polish abuse teams - Abuse FORUM - was established, while in 2010 CSIRT NASK joined the Anti-Phishing Working Group, an association gathering companies and institutions actively fighting cybercrime.


      FIRST


      TF-CSIRT Trusted Introducer

    • 4.3. International cyber security organisation hosted by the country 0/3
      Requirements
      Criteria

      A regional or international cyber security organisation is hosted by the country.

      Accepted references

      Organisation’s official website

      Evidence
    • 4.4. Cyber security capacity building for other countries 0/1
      Requirements
      Criteria

      The country has (co-)financed or (co-)organised at least one capacity building project for another country in the last 3 years.

      Accepted references

      Official website or project document

      Evidence
BASELINE CYBER SECURITY INDICATORS
  • 5. Protection of digital services 5/5 100%
    • 5.1. Cyber security responsibility for digital service providers 1/1
      Requirements
      Criteria

      According to legislation, digital service providers (except micro and small enterprises): (1) must manage cyber/ICT risks or (2) must implement established cyber/information security requirements.

      Accepted references

      Legal act

      Evidence

      Cybersecurity responsibilities for digital service providers are defined in the Act on the National Cybersecurity System adopted on the 5th of July 2018.

      Chapter 4 outlines responsibilities of digital service providers.

      Digital service providers are required to apply security measures proportionate to the risk, taking into account in particular:

      • security of information systems and facilities - information systems include ICT systems together with data processed in electronic form.
      • the procedure in the case of incident handling, i.e. activities enabling the detection, recording, analysis, classification, prioritization, taking corrective actions and limiting the effects of the incident.
      • managing the continuity of the provider's activity in order to provide digital service. Pursuant to Article 17(3) of the Act on the National Cyber Security System, the digital service provider shall take measures to prevent and minimize the impact of incidents on the digital service in order to ensure continuity of the service provision.
      • compliance with international standards as referred to in EU Regulation 2018/151 of 30 January 2018. This Regulation further specifies the elements to be taken into account by digital service providers for managing the risks posed to the security of network and information systems and the parameters for determining whether an incident has a substantial impact. When an incident occurs, the digital service provider should ensure that threat detection processes are maintained, that the incident reporting system is in place, that it reacts in accordance with procedures, and that the severity of the incident is assessed, with full documentation. The Regulation also defines how an incident is assessed and qualified as significant.
      • monitoring, audit and testing.

      In addition to the appropriate risk management of the information systems used to provide the digital service, DSPs shall be required to perform activities to detect, record, analyse and classify incidents.

      DSPs are supervised by the competent authorities, which have the power to conduct inspections and impose fines.

    • 5.2. Cyber security standard for the public sector 1/1
      Requirements
      Criteria

      Public sector digital service providers must implement (1) cyber/ICT security requirements (defined by legislation) or (2) a widely recognised security standard.

      Accepted references

      Legal act

      Evidence

      The Regulation of the Council of Ministers of 12 April 2012 on the National Interoperability Framework sets minimum requirements for public registers and electronic information exchange and minimum requirements for information and communication systems.

      §20


      The Act on the National Cybersecurity System adopted on the 5th of July 2018 defines in Chapter 5 obligations of public entities.

      Article 21

    • 5.3. Competent supervisory authority 3/3
      Requirements
      Criteria

      The government has a competent authority in the field of cyber/information security that has the power to supervise public and private digital service providers regarding the implementation of cyber/information security requirements.

      Accepted references

      Official website or legal act

      Evidence
  • 6. Protection of essential services 3/6 50%
    • 6.1. Operators of essential services are identified 1/1
      Requirements
      Criteria

      There is a legal act that allows operators of essential services to be identified.

      Accepted references

      Legal act

      Evidence

      The Act on National Cybersecurity System defines operators of essential services as companies and institutions providing services of vital importance for maintaining critical social or economic activity. There are 6 essential sectors of the economy in Poland: energy, transport, banking and financial market infrastructure, health care, drinking water supply (including distribution) and digital infrastructure.

      Under the Act on National Cybersecurity System, an operator of essential services is an entity which has an organisational unit on the territory of the Republic of Poland, in relation to which a competent authority (the Ministry regulating a given sector of the economy) has issued a decision on recognition as an operator of essential services. Sectors, sub-sectors and types of entities are specified in Annex No. 1 to the Act.

      By the Ordinance of 11 September 2018 on the list of essential services and the thresholds of significance of the disruptive effect of an incident on the provision of essential services (Journal of Laws, item 1806), the Council of Ministers defined:

      • the list of essential services, based on the assignment of an essential service to a given sector, subsector and type of entity listed in the aforementioned Annex No. 1 to the Act and the significance of the service for maintaining critical social or economic activity;
      • thresholds of significance of the disruptive effect of an incident on the provision of essential services included in the list of essential services.
    • 6.2. Cyber security requirements for operators of essential services 1/1
      Requirements
      Criteria

      According to the legislation, operators of essential services must manage cyber/ICT risks.

      Accepted references

      Legal act

      Evidence

      Cybersecurity requirements for operators of essential services are identified in the Act on National Cybersecurity System adopted on the 5th of July 2018. The most important responsibilities of operators of essential services according to the Act on National Cybersecurity System include:

      • risk management (including risk evaluation);
      • implementation of appropriate and proportionate technical and organisational measures (including maintenance and safe operation of the information system; physical and environmental security; security and continuity of supply; implementation, documentation and maintenance of action plans);
      • collecting information on cyber threats and vulnerabilities;
      • reporting a serious incident to the relevant CSIRT team;
      • incident handling and cooperation with the relevant CSIRT;
      • appointing a contact person for the national cyber security system.

      The operator of essential services should provide information on a significant incident that causes or is likely to cause a significant deterioration or interruption in the performance of the essential service provided.

      The operator should report the incident immediately, no later than within 24 hours of detection, to the relevant CSIRT MON, CSIRT NASK or CSIRT GOV.

      The operator shall cooperate during the handling of a significant incident and a critical incident with the relevant CSIRT MON, CSIRT NASK or CSIRT GOV, providing the necessary data.

      The operator shall remove the indicated vulnerabilities and inform the competent authority of their removal.

      The Act sets out in detail the classification of incidents and the scope of competence of CSIRT MON, CSIRT NASK, CSIRT GOV.

      When an incident occurs, the operator of essential services, upon notification of the incident, starts handling it according to the following scheme of action: detection, registration, analysis, classification, prioritization, taking corrective action and limiting the effects of the incident.

      Ordinance of the Minister of Digitization of 4 December 2019 on organisational and technical conditions for entities providing services in the field of cybersecurity and internal organisational structures of operators of essential services responsible for cybersecurity

    • 6.3. Competent supervisory authority 0/3
      Requirements
      Criteria

      The government has a competent authority in the field of cyber/information security that has the power to supervise operators of essential services, regarding cyber/information security requirements.

      Accepted references

      Official website or legal act

      Evidence
    • 6.4. Regular monitoring of security measures 1/1
      Requirements
      Criteria

      Operators of essential services must regularly (at least once every 3 years) provide evidence of the effective implementation of cyber/information security policies (e.g. audit result, documentation, specific report).

      Accepted references

      Legal act

  • 7. E-identification and trust services 8/9 89%
  • 8. Protection of personal data 4/4 100%
INCIDENT AND CRISIS MANAGEMENT INDICATORS
Information Disclaimer

The information provided on the NCSI website is based on publicly available evidence materials. The appearance in the index and subsequent ranking is commensurate to the existence and public availability of such information. The NCSI links to third party websites and information. The NCSI and eGA are not responsible for the accuracy or completeness of third party website information.

CONTRIBUTORS

Joanna Świątkowska
The Kosciuszko Institute
Jarosław Łuba
Ministry of Digital Affairs