Poland (PL)

Poland's Ministry of Digital Affairs presented the country's latest cybersecurity strategy in 2019: Cybersecurity Strategy of the Republic of Poland for 2019-2024 (English). It is the third national strategy, with the first coming out in 2013 and the second in 2017 as an extensive update of the former.

The new strategy emphasises increasing the country's resilience to cyber-attacks and improving data protection in the public, military and private sectors, pledging to develop the national cybersecurity system, expand the information exchange on cyber threats and enhance coordination between law enforcement agencies. The national research institute, NASK, plays a key role in implementing the strategy from a research and educational perspective.

It builds on the 2017 strategy, which covered the following strategic goals in the ENISA self-assessment classification: Cybercrime, citizen awareness, critical information infrastructure protection, national cyber contingency plans, international cooperation, public-private partnership, incident response capability, institutionalised form of cooperation between public agencies, baseline security requirements, incident reporting mechanisms, R&D, cyber security exercises, training and educational programmes. 

 

EDUCATION AND TRAINING IN NATIONAL CYBERSECURITY STRATEGY

Education & Citizen Awareness

Citizen Awareness: The strategy sets out measures for creating conditions for the safe use of cyberspace by citizens as a top priority. As a national institute, NASK - Cybersecurity is tasked with supporting education and awareness-raising about cyber threats. Its centre for strategic analysis assesses various strategic, regulatory and organisational aspects of cybersecurity, as well as education and awareness about cyberspace security. To this end, it runs its own social projects and training programmes for businesses and institutions with a special focus on IT security.

NASK has been taking part in the EC's Safer Internet Programme (Safer Internet) for many years, promoting the safe use of new technologies and the Internet by children and young people, providing materials and best practices for educating society on cybersecurity (Stój. Pomyśl. Połącz, Bezpieczne Wybory).

Primary and secondary education: The strategy highlights the importance of: 

  • Making cybersecurity education available as early as possible to children and young people to protect them when accessing digital services. 
  • Supporting teachers in executing educational programmes and ensuring they are based on knowledge about the safe use of modern technologies. 
  • Ensuring continuous professional development of teachers on modern technologies and cybersecurity, taking on board specific needs of educational institutions. 
  • Encouraging higher education institutions to develop interdisciplinary specialisations covering inter alia information security management, assessment and evaluation of ICT system safeguards, protection of personal data, protection of intellectual property on the internet and issues related to new technologies and new challenges. 

Research

Poland has been conducting research on cybersecurity since 2013 under NASK - Cybersecurity with the aim of developing new security technologies. NASK R&D facilities support research and analyses on new technology applications and implementations. Its cybersecurity-related R&D activities are centred around developing new, effective methods and techniques of identifying, analysing and responding to network and IT system security threats. These activities also lead to practical applications for the new solutions through NASK's own innovative products, including products that make it possible to detect and counteract threats.

Commercially oriented achievements include ARAKIS Enterprise, a cybersecurity early warning system for businesses, and BotSense systems, offering real-time detection of account theft attempts and unauthorised transactions for the financial sector. BotSense won the Portfiel WPROST 2017 award in the security category.

The strategy sets out several measures to build on this national legacy aimed at stimulating research and development on cybersecurity, such as: 

  • Intensified research, development and manufacturing activities in the face of a dynamically growing IT market, including the shift towards the IPv6 communication protocol, the development of the Internet of Things (IoT), smart cities, Industry 4.0, cloud computing, broadband mobile communication networks (5G and future generations) and big data. 
  • Research programmes focusing on the development and implementation of new methods of protection against cyber threats in cooperation with the National Centre for Research and Development (NASK). 
  • Special attention to ensuring product, service and process security in the early design phase (e.g. Security-by-Design) and data protection and privacy (e.g. Privacy-by-Design), especially for the future development of IoT technologies.

Research programmes will be based on cooperation between the academic and scientific community with a view to: 

  • Assessing the effectiveness of protections and resilience to cyber threats. 
  • Evaluating the effectiveness of responding to incidents.
  • Developing methods for detecting and analysing new types of cybercrime, cyberterrorism and cyberespionage.
  • Studying methods of attacks (including attacks of a hybrid nature) and measures to counteract these attacks and mitigate their effects.
  • Protecting democratic processes against disruption by cyber threats.

Research and development activities will be carried out also in the area of international cooperation within the EU and NATO. Important tasks for ensuring cybersecurity are performed by non-governmental organisations, which are very efficient organisers of educational activities for society and providers of analyses coupled with viewpoints on public administration. It is also possible to acquire experts with unique skills through analytical centres for the purposes of solving complex cybersecurity issues. In this regard, Poland will create its own innovative products, including products that make it possible to detect and counteract threats.

Professional Training

The strategy defines a wide-ranging professional training programme across public administration, education and entrepreneurs. 

Local government and public administration

  • Developing and implementing a systematic support mechanism for increasing employee competences in local government administration. Managerial staff in local government will define responsibilities and authorisation of staff with important roles in cybersecurity management and communicate decisions to stakeholders. 

Higher Education and Research:

 

  • Increasing the cybersecurity competences of research and higher education institutions using legal instruments to incentivise higher education institutions to provide teaching aimed at attracting cybersecurity specialists, for example, as part of first and second-cycle studies, doctoral schools and post-graduate programmes. 
  • Setting up educational and professional development programmes that give employees the required qualifications for cybersecurity, such as counteracting cybercrime, enhancing law enforcement and the judiciary. Training should be both theoretical and practical, tackling real-world cyber threats.

Entrepreneurs

  • Supporting the development of digital competences within the Polish business community with the aim of imparting knowledge and training for adopting cybersecurity technologies, including AI-based autonomous systems, production and service provision processes. 
  • Giving entrepreneurs opportunities on the global market by supporting the development of digital competences and by helping them apply for funding of innovative solutions, obtain consultancy on accessing new markets and establish cooperation with other businesses. 

Capacity building and standards

Prioritising the capacity to prevent and respond to incidents is key to increasing resilience in public and private organisations. To this end, the national strategy underscores the importance of developing and implementing national cybersecurity standards and disseminating good practices and recommendations.

  • Cooperation between research centres, academic and research institutes, public and private organisations: Focus on either developing new national standards or translating existing norms and standards into recommendations for their implementation based on the technical expertise of the Polish Committee for Standardisation. 
  • Resilience of public administration information systems: National Cybersecurity Standards must be developed as a set of organisational and technical requirements for the security of applications, mobile devices, workstations, servers and networks and cloud computing models. To ensure the secure and cost-effective functioning of IT systems in public administration, recommendations and good practices that increase resilience must be implemented for the use of new types of processing and information storage, including cloud computing. The execution of public tasks related to cybersecurity will be underpinned by Polish standards based on European and/or international standards. 
  • References to standards should also be widely used over the entire life cycle of ICT systems. It is also important to support the execution of recommendations made by market regulators.

Supply chain security:

  • Ensuring organisational and technical protections are in place over the entire lifecycle of IT systems, such as secure supply chains and the secure design, development, deployment and operation of systems.
  • Supply chain quality assurance calls for the assessment and certification of software, hardware and services, establishing also a national cybersecurity evaluation and certification scheme.
  • Accredited conformity assessment bodies will enable Poland to achieve full and internationally recognised status as an Authorising Member country for the provision of cybersecurity solutions. To this end, Poland will take part in work on establishing European cybersecurity certification schemes under the new mandate for ENISA, including responsibility for the European Cybersecurity Certification Framework (Reference: Regulation (EU) No. 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA, the European Union Agency for Cybersecurity, and on information and communications technology cybersecurity certification and repealing Regulation (EU) No. 526/2013 (Cybersecurity Act)).

  • Actions at the national level will include the designation of the national cybersecurity certification authority issuing European cybersecurity certificates, supervising national conformity assessment bodies for the compliance of products, services and processes with the requirements set in the European cybersecurity certification schemes and cooperating with the national accreditation body – the Polish Centre for Accreditation to monitor and supervise activities of accredited national conformity assessment bodies. The overarching goal is to enable Polish producers to compete more effectively in the Digital Single Market.

Security tests and audits

  • Periodic audits are among measures that assess the effectiveness of implemented information security management systems and the adequacy of the safeguards introduced. Audit methodologies should take into account applicable standards, good practices and the specifics of diverse sectors. The aim is to achieve comparability of audit outcomes. Another measure is periodic testing, including penetration testing, enabling a real assessment of the system’s resilience to threats. Outcomes of these tests are the basis for verifying the safeguards in place. 

Increasing the national capacity in the area of cybersecurity technology:

  • According to the national strategy, the Polish government will invest in the development of industrial and technological resources for cybersecurity with levers for SMEs and start-ups and the involvement of research institutes that develop new solutions. Priorities include enhanced capabilities for designing and producing software, hardware and services in all branches of Polish industry to improve its competitiveness. 
  • Participation in international initiatives will also be a route for the acquisition of new technology developments at the national level, emphasising innovation and cooperation, both bilateral and within international organisations, including the planned European Cybersecurity Industrial, Technology and Research Competence Centre.
Public-private partnerships

The Polish government has made a commitment to ensuring security in cyberspace is part of a joint effort between the private sector, the public sector and citizens based on trust and shared responsibility for cybersecurity. 

EU Cyber Professional Register for national stakeholders

The CYBERWISER.eu CyPR is all about boosting opportunities in the cybersecurity marketplace. 

This European Cybersecurity Professional Register is the place where professionals, junior or senior, can promote their specific skill sets and experiences in cybersecurity, courses taken and qualifications.

Organisations of any size or sector from SMEs to large companies and public institutions can find and contact the right skills and experiences they need to improve their IT security posture.

Latest Update & Disclaimer

January 2021.

The information contained here is based on desk research carried out by CYBERWISER.eu, including the ENISA interactive maps on national strategies and educational courses. 

 

Cybersecurity Response Teams: GDPR and NIS Directive Compliance and Notification

CSIRT - Computer Security Incident Response Team

The NASK CSIRT operates in accordance with the Act on the national security system, which implements the EU Directive on the security of network and information systems (NIS Directive) in the Polish legal system. The act appoints three institutions to serve as response teams – the Internal Security Agency (GOV CSIRT), NASK – National Research Institute (NASK CSIRT) and the Ministry of National Defence (MON CSIRT), which work with one another and with other organs responsible for cybersecurity. Together, they constitute a coherent and complete national risk management system, combating cybersecurity threats, both sector-specific and cross-border, as well as coordinating the handling of all reported incidents. The institutions making up the national cybersecurity system form a cohesive whole, which makes it possible to take a wide range of effective actions to counteract threats and successfully respond to hazards.

NASK has organised a series of events related to EU regulations and international co-operation:

Reporting a cyber incident  

Every public institution performing public obligations specified in the Act on the national cybersecurity system, depending on the information system utilised, as well as key service operators, must appoint a person responsible for staying in contact with national cybersecurity system institutions. The NASK CSIRT must be informed about appointing or changing a contact person within 14 days. In order to register a contact person responsible for staying in touch with the national cybersecurity system institutions, please fill out the form available here or contact:

  • via email at: ksc@cert.pl or
  • via traditional mail at: NASK – Państwowy Instytut Badawczy ul. Kolska 12 01-045 Warsaw

Please include the following information:

  • Subject/organisation name
  • Your sector (public administration, financial, energy etc.)
  • Full name of the contact person, including their mobile phone number and business email address.

A paper version must be signed by a person authorised to make cybersecurity-related decisions in your institution.

Languages: Polish and English