Poland’s New Cybersecurity Law Could Cost at Least PLN 14 Billion

By introducing the high-risk supplier category (DWR), the legislation would require replacing IT equipment from such manufacturers. According to calculations by the telecommunications sector, this would entail at least PLN 14.4 billion in additional expenditure over five years, while extending it to the entire economy could raise the bill several times. Professional associations are calling for a review of the law, citing constitutional concerns, while the government justifies the strict rules by the need to strengthen national security.

Poland is preparing to transpose the EU’s 2022 NIS2 directive into national law through a comprehensive amendment of the Cybersecurity Act (KSC). One of the most controversial elements of the proposal is the introduction of the “high-risk supplier” (DWR) category, which would empower the Minister for Digital Affairs to classify certain IT suppliers as risky. New procurement of equipment from such manufacturers would be prohibited, and existing devices would have to be replaced within 4-7 years, without state compensation. Although the law does not name specific companies, it is widely understood to target Chinese telecommunications giants primarily.

The amendment would also significantly expand the scope of cybersecurity obligations: instead of the previous roughly 400 entities, approximately 42,000 organisations across 18 sectors would be affected. This includes not only telecommunications, but also the energy sector, utilities, transport, healthcare, finance, and even the food industry.

Billion-Zloty Burdens in the Telecommunications Sector

The government’s draft legislation did not quantify the financial burden imposed on companies by the new rules – this was later assessed by the Krajowa Izba Komunikacji Ethernetowej (KIKE), which represents telecommunications firms. Based on an analysis of 152 companies, replacing hardware and software from high-risk suppliers would cost an average telecom operator approximately PLN 4.3 million over five years. At the national level, projected across approximately 3,332 regulated service providers, this would amount to a total cost of PLN 14.4 billion for the sector. Until now, the government had not accounted for this additional burden.

KIKE experts warn that withdrawing capital on this scale from the sector could have serious consequences. New developments – such as the rollout of 5G networks or the expansion of fibre-optic broadband networks – could slow, while many smaller service providers could become financially unstable. Numerous local internet service providers already operate with low profit margins. They are still servicing loans taken out for network construction, meaning they could barely absorb multi-million-zloty additional costs without external assistance or price increases. Ultimately, consumers may end up paying the price, as providers will likely be forced to pass these extra costs on through higher subscription fees.

Service Disruptions and Network Risks

From a network security perspective, the proposal also presents serious challenges. Poland’s telecommunications infrastructure currently relies heavily on technology of Chinese origin: for most surveyed providers, more than half of the network equipment comes from such suppliers. According to KIKE estimates, some level of disruption is expected at 85% of companies if mass replacement occurs. Moreover, equipment from different manufacturers is not always interoperable, which means replacing a single component may require redesigning the entire system. If all this must be implemented within a few years, the risk of service outages becomes very real. KIKE warns that in some rural areas, complete “white spots” could emerge on the digital map if small internet providers are unable to deploy suitable new equipment in time to replace the old.

Even Higher Costs at the Level of the Entire Economy

The PLN 14.4 billion estimated by KIKE applies only to the telecommunications sector. However, the new regulation, following NIS2, extends to nearly all critical sectors, increasing the number of affected organisations from 400 to approximately 42,000. As a result, the forced replacement of Chinese-origin technology could also occur across other sectors, including energy, utilities, finance, and public administration. According to industry expert Piotr Mieczkowski, if the DWR mechanism were applied in its broadest form, replacement costs would have to be calculated in the hundreds of billions of zlotys. No official estimate has been prepared in this regard – at present, it is impossible to foresee the burden the new law could place on the entire economy.

Debate and Constitutional Concerns

A fierce debatehas emerged around the new KSC law. A group of business organisations has asked the president in a letter to refer the legislation to the Constitutional Tribunal for review. They argue that the DWR mechanism amounts to expropriation without compensation, which contradicts the property protection principles of the Polish Constitution. They also criticise the limited legal remedies available, and the fact that the government failed to notify the EU in advance about the law – an omission they believe constitutes a procedural errorthat could later lead to legal chaos and compensation lawsuits. Meanwhile, the Senate’s legal committee has also issued sharp criticism: according to its report, the draft is riddled with errors and contradictions and should therefore undergo a thorough review.

At the same time, other industry players are urging the law to take effect immediately. The Cyfrowa Polska technology association notes that Poland is facing cyberattacks of unprecedented intensity, leaving no time to delay improvements to its defences. They argue that the law is crucial for protecting critical infrastructure and does not constitute an automatic ban on any specific company; it merely provides a framework for filtering out risky elements. The final decision rests with the head of state: either sign the highly controversial law or acknowledge the concerns and delay its entry into force. Either way, the debate over how to guarantee cybersecurity without imposing excessive burdens on economic actors is far from over.

• business
• technology
• poland
• law
• economy
• EU
• central and eastern europe