Last review date: 10 January 2025

☒ omnibus – all personal data

☒ sector-specific — e.g., financial institutions, governmental bodies

☒ constitutional

Last review date: 10 January 2025

Please refer to the EU Chapter for detailed information regarding EU-wide legislation.

• EU General Data Protection Regulation
• Act of 10 May 2018 on Personal Data Protection
• Act of 14 December 2018 on the Protection of Personal Data Processed in Connection with the Prevention and Combating of Crime
• Act of 21 February 2019 amending certain laws to ensure the application of the EU General Data Protection Regulation (Aligning Act)

Last review date: 10 January 2025

• Act of 5 July 2018 on the National Cybersecurity System (implementing NIS Directive)
• Act of 16 July 2014 on Telecommunication Law
• Regulation of the Council of Ministers of 11 September 2018, on the list of key services and the thresholds for the materiality of the disruptive effect of an incident on the provision of key services
• Regulation of the Council of Ministers of 31 October 2018 on the thresholds for considering an incident as serious
• Regulation of the Council of Ministers of 16 October 2018 on types of cybersecurity documentation for the information system used to provide a key service
• Regulation of the Minister of Digital Affairs of 12 October 2018 on the list of certificates authorizing audits
• Regulation of the Council of Ministers of 2 October 2018 on the scope of activities and procedures of the College for Cyber Security Affairs
• Regulation of the Minister of Digital Affairs of 4 December 2019 on organizational and technical conditions for entities providing cyber security services and internal organizational structures of key service operators responsible for cyber security
• Regulation of the Minister of Digital Affairs of 20 September, 2018 on a model form for transmitting information on a breach of security or integrity of telecommunications networks or services that has had a significant impact on the operation of networks or services
• Regulation of the Minister of Digital Affairs of 20 September 2018 on the criteria for recognizing a breach of security or integrity of telecommunications networks or services as a breach with a significant impact on the operation of networks or services
• Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on the European Union Agency for Cybersecurity ("ENISA")  and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 ("Cybersecurity Act")
• Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 establishing the European Electronic Communications Code ("European Electronic Communications Code")

Proceedings to implement Directive (EU) 2022/2555 ("NIS 2") to the Polish legal system have been yet initiated, but the draft is still under discussion.

Last review date: 10 January 2025

Please refer to the EU Chapter for detailed information regarding EU-wide legislation.

• Regulation (EU) 2023/2854 of the European Parliament and of the Council of 13 December 2023 on harmonized rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act)
• Regulation (EU) 2018/1807 of the European Parliament and of the Council of 14 November 2018 on a framework for the free flow of non-personal data in the European Union;
• Act of 11 August 2021 on open data and reuse of public sector information;
• Act of 6 September 2001 on access to public information.

Last review date: 10 January 2025

Please refer to the EU Chapter for detailed information regarding EU-wide legislation.

• Act of 5 July 2018 on the National Cybersecurity Systemis now in the process of being amended to conform to the Directive (EU) 2022/2555 of the European Parliament and of The Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive).
• Additionally, the “Act on amending certain laws in connection with ensuring the digital operational resilience of the financial sector and the issuance of European green bonds” is in a legislative process with aim of implementing certain rules in relation to DORA in Poland (among others Act of 5 July 2018 on the National Cybersecurity System will be amended)
• Simultaneously, Polish lawmakers are working on the National Cybersecurity Certification Act, which is intended to ensure proper functioning of the Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on the European Union Agency for Cybersecurity ("ENISA") and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 ("Cybersecurity Act").
• The new Electronic Communications Law, which implements the Directive of the European Parliament and of the Council (EU) 2018/1972 of 11 December 2018 establishing the European Electronic Communications Code, has been adopted on 12 July 2024 and became applicable (with exceptions) on 10 November 2024.
• The new Act of Artificial Intelligence Systems is being worked on by the Polish government. The Act will complement the EU AI Act and will introduce to Polish law some obligations related to the EU AI Act. In particular, the subject-matter of the draft Act are issues regarding the national supervisory authority, proceedings before that body, control proceedings, notifying the notification authority, certification, judicial protection of citizens' rights, as well as initiating proceedings and imposing administrative financial penalties for violating the provisions of Art. 5 of Regulation 2024/1689. The Act has not yet been submitted to the Polish parliament. Currently a new version of the draft is being prepared after public consultations that took place in 2024.