
Draft Cybersecurity Strategy – Comments of the President of the Personal Data Protection Office
The President of the Personal Data Protection Office forwarded the comments on the draft Cybersecurity Strategy of the Republic of Poland for the years 2025-2029 to the Minister of Digital Affairs. This document will also have an impact on the sphere of human rights and freedoms. Therefore, it is important that legal solutions in the field of cybersecurity are refined to the highest degree and respond to challenges.
The President of the Personal Data Protection Office positively assesses the presentation of the draft Strategy. He likewise welcomes the idea of strengthening the resilience of cyberspace by increasing the level of information protection in the public, military and private sectors. It is also important that the document focuses on promoting knowledge and good practices in the protection of our data and information.
The President of the Personal Data Protection Office makes the following comments:
1. Legal basis
Cybersecurity solutions can only be enacted on an explicit legal basis. Therefore, it is necessary to update provisions so that they are adapted to fast-changing technological solutions. It is also necessary to analyse the provisions already in force that introduce legal arrangements which are flawed from the data protection perspective and which, in the opinion of the supervisory authority, may negatively affect the preservation of State cybersecurity.
Particular attention should be drawn here to public registers in which personal data, including the personal identification number (PESEL number), are publicly available (e.g. the land and mortgage register), as well as to electronic signatures in which the PESEL number is used as an identifier.
A PESEL number can be used to identify a specific person. Therefore, the possibility of its unauthorised use should be considered a cyber threat to the rights and freedoms of citizens. This issue is also relevant in relation to the EU Digital Identity Wallet and the notion of a certificate for electronic signatures provided for in the eIDAS2 Regulation – the legislator should consider amending the law in order to bring Polish legislation in line with the requirements of that Regulation.
The draft strategy (point 2) states that ‘it is essential that the right to privacy does not hinder the identification and prosecution of cybercriminals and bring about their impunity’. This is an important and socially expected action. However, the application of the provisions of Regulation 2016/679 may be restricted only in accordance with the rules laid down in Article 23 of that Regulation.
2. Risk analysis
The legislative amendment should be preceded by a risk analysis for the data processed. Cybersecurity involves the use of new technologies, which are likely to result in a high risk to the rights and freedoms of individuals. The data protection impact assessment (DPIA) should therefore be conducted already at the stage of creating legal regulations, before adopting assumptions for specific IT projects. The legislator should follow a risk-based approach when drafting legislation.
In particular, this should be the case for public registers and data integration.
3. Technological solutions
The draft strategy does not address the issue of the processing of biometric data, the use of which for identification purposes is increasingly common. The President of the Personal Data Protection Office also drew attention to the risks associated with the use of artificial intelligence in the context of cybersecurity. The legislator should adopt solutions to prevent identity theft, tracking technologies or impersonation using artificial intelligence tools.
The draft strategy does not explain its exact scope. It is unclear, first of all, whether the draft strategy is limited only to the executive sphere of NIS2 and the Act on the National Cybersecurity System (as indicated by the fragment of point 3: ‘However, the Cybersecurity Strategy of the Republic of Poland for the years 2025-2029 does not cover these issues as going beyond the statutory framework defining the National Cyber Security System’) or is broader, including the issue of data protection and security set out in Regulation 2016/679 and Directive 2016/680[1] (the broader scope of the strategy is indicated, for example, by ‘Specific objective 4. Building awareness, knowledge and competences of staff of entities of the national cybersecurity system and citizens’).
The President of the Personal Data Protection Office also sent comments on specific provisions of the draft Strategy (available below in Polish).
These comments, as emphasised by the President of the Personal Data Protection Office, are intended to draw the attention of the Ministry of Digital Affairs to many issues that are important from the perspective of the supervisory authority and have a significant impact on preserving the security of the State.
DPNT.401.18.2025