The EU Cybersecurity Act should build on Poland’s experience with High-Risk Vendors

Poland’s model for assessing High-Risk Vendors (HRVs) could serve as a valuable inspiration for future European regulations governing ICT supply chain security, according to the Digital Poland Association. In a position paper submitted to Deputy Prime Minister and Minister of Digital Affairs Krzysztof Gawkowski, the organisation also calls for strengthening the role of ENISA and further harmonising European cybersecurity certification schemes.

The association, representing Poland’s digital industry, submitted its recommendations as a contribution to the Polish government’s position in the ongoing revision of the EU Cybersecurity Act (CSA2). According to Digital Poland, this is currently one of the most important regulatory initiatives shaping the future of the European digital market. Industry experts stress that, in the face of growing cyber threats and the accelerating digitalisation of the economy, new regulations should not only strengthen security but also provide greater regulatory consistency and predictability for businesses operating within the Single Market.

“Today, virtually every new regulation has an impact on digital systems and critical infrastructure. That is why cybersecurity considerations should be incorporated already at the legislative design stage. Europe needs solutions that effectively protect its digital economy while preserving market competitiveness and innovation,” said Michał Kanownik, President of the Digital Poland Association.

A European path inspired by Polish experience

In Digital Poland Association’s view, the ongoing reform of the Cybersecurity Act presents an opportunity for solutions developed in Poland to inspire policy across the European Union. This applies particularly to the approach towards High-Risk Vendors (HRVs), which enables governments to effectively safeguard national security without unnecessarily restricting competition in the technology market.

The organisation points out that the Polish model is based on a multi-layered risk assessment process, evaluating specific ICT products, services and processes, while also providing robust appeal mechanisms. This approach makes it possible to mitigate security risks effectively without imposing automatic bans on entire manufacturers or technologies.

“Poland has developed a model that focuses on identifying actual risks associated with specific technological solutions rather than relying on arbitrary decisions targeting entire groups of suppliers. This approach could provide valuable inspiration for future European regulations concerning ICT supply chain security,” emphasised Michał Kanownik.

ENISA should play a greater role in EU rule-making

Another key element of the position paper is the strengthening of the European Union Agency for Cybersecurity (ENISA). According to Digital Poland, the current system does not provide a sufficiently structured mechanism for assessing the cybersecurity impact of new regulations, while expert consultations often take place too late in the legislative process.

For this reason, the organisation proposes expanding ENISA’s mandate and formally integrating the agency into the development, implementation and enforcement of EU legislation. The association also advocates granting ENISA the authority to issue independent opinions and recommendations on the cybersecurity implications of proposed regulations.

The need for a consistent certification framework

The position paper also highlights the importance of European cybersecurity certification frameworks. According to the industry, the current system requires greater harmonisation and standardisation to ensure that certificates issued in different Member States guarantee a comparable level of security.

“European certification should build trust and strengthen the security of the Single Market. Yet there are cases where ICT products or processes obtain certification in one Member State despite not meeting security requirements in others. We need a coherent set of rules that applies across the entire European Union,” said Michał Kanownik.

At the same time, the organisation stresses that new certification schemes should not duplicate obligations already imposed by other legislative frameworks, including NIS2, the Cyber Resilience Act (CRA) and DORA.

Digital Poland Association also underlines the need to adapt certification systems to modern software development practices. According to the organisation, traditional static recertification cycles may create situations in which newer and more secure product versions remain formally uncertified, while older versions continue to hold valid certificates. The association therefore supports a continuous compliance model that takes into account security updates, patches and vulnerability management processes.

Finally, the position paper stresses the importance of ensuring ongoing industry participation in the development of European certification schemes. Digital Poland advocates establishing a permanent consultation mechanism with strong industry representation, increasing transparency in the development of new certification programmes, and allowing experts and stakeholders to submit non-binding opinions and recommendations.