CRA compliance for Polish manufacturers: NASK, KSC and PCA

Country brief for Polish manufacturers under the CRA: CSIRT NASK routing, PCA accreditation, KSC overlap, Polish-language duties, and FENG/KPO funding.

CRA Evidence Team. Published January 7, 2026. Updated May 31, 2026.

Polish manufacturers face the same CRA obligations as every other EU manufacturer, plus one wrinkle the other Member States do not have at the same depth: a parallel national cybersecurity law (the amended KSC Act) that came into force on 3 April 2026 and overlaps with the CRA in some places but not all. This page is a country brief for Poland: how vulnerability and incident reports route through CSIRT NASK, where PCA fits as the accreditation body, where the KSC framework sits next to the CRA, what the Polish-language obligations require under the 1999 Act, and which of the FENG, KPO and dedicated cybersecurity programmes are realistic for compliance investment. For the full manufacturer obligation set, see the manufacturer cluster guide.

Summary

  • The CRA is an EU Regulation with direct effect. There are no Polish-specific exemptions for product manufacturers.
  • CSIRT NASK (operated by NASK as the civilian-sector national CSIRT) is the Polish CRA route for vulnerability and incident reports when your main establishment is in Poland. CSIRT MON and CSIRT GOV are out of scope for commercial product manufacturers.
  • PCA (Polskie Centrum Akredytacji) is the sole Polish accreditation body and is developing the CRA accreditation and notification scheme. The formal Polish notifying authority for CRA notified bodies has not yet been confirmed in the Dziennik Ustaw. Ministerstwo Cyfryzacji is leading the implementing-instrument consultation.
  • KSC and CRA overlap, but only partially. The amended Act on the National Cybersecurity System (Ustawa o KSC), published in Dziennik Ustaw on 2 March 2026 and in force since 3 April 2026, covers your organisation as a key or important entity. The CRA covers your products. A Polish manufacturer in scope of both regimes carries separate registry filings, separate reporting streams, and separate fines (KSC up to 100 million PLN, CRA up to EUR 15 million or 2.5% of global turnover).
  • Polish (język polski) is required for user-facing product information on the Polish market under Articles 7 and 7a of the 1999 Polish Language Act. The CRA obligation aligns with this national rule.
  • FENG (Fundusze Europejskie dla Nowoczesnej Gospodarki) is the main EU-funded SME investment programme through 2027, with Priority 5, introduced in 2025 through the FENG/STEP change, covering cybersecurity directly. KPO (Krajowy Plan Odbudowy) is in its closing NextGenerationEU window (31 August 2026 deadline) and not viable for 2027 obligations.

When this guide applies to you

You are the target reader if your "main establishment in the Union" as a manufacturer is in Poland. That means the place where decisions related to the cybersecurity of your products with digital elements are predominantly taken. A Polish-registered sales subsidiary with engineering offshore is not the main establishment. If your engineering team, your SDLC governance, and the people approving security-update releases sit in Poland, this guide is for you.

If your main establishment is elsewhere in the EU and you only ship into Poland, your CRA reports route through the CSIRT of your main-establishment Member State, not CSIRT NASK. The Polish-language obligation for user-facing information still applies for any product placed on the Polish market.

NASK and CSIRT NASK: the Polish CSIRT route

CRA notifications route through the CSIRT designated as coordinator of the Member State where the manufacturer has its main establishment in the Union. For a manufacturer whose main establishment is in Poland, that CSIRT is CSIRT NASK, the national CSIRT operated within NASK (Naukowa i Akademicka Sieć Komputerowa), the country's national research and education network operator and the long-standing host of CERT Polska.

Poland runs three national-level CSIRTs under the KSC framework: CSIRT NASK for the civilian sector (including commercial manufacturers, local government, and most public entities), CSIRT MON for the military sector, and CSIRT GOV for the central government administration. For a commercial manufacturer placing a product with digital elements on the EU market, the route is CSIRT NASK. The other two are out of scope.

The technical channel for the 24 hours / 72 hours / 14 days reporting cadence is the ENISA single reporting platform, which goes operational on 11 September 2026. A Polish manufacturer files via that platform with CSIRT NASK as the receiving coordinator. The CSIRT designation is the routing. The platform is the transport.

Notified bodies: PCA accredits, notifying authority designation pending

Important Class I products need a notified body (Module B+C or Module H) only where harmonised standards, common specifications, or a certification scheme do not fully cover them. Important Class II products use a notified body (Module B+C or Module H) or an available and applicable certification scheme. Critical products (Annex IV) follow Article 32(4): the Article 8(1) certification route where the Commission has triggered it, otherwise the same Article 32(3) routes.

The Polish institutional chain is:

  • PCA (Polskie Centrum Akredytacji) is the sole national accreditation body in Poland, with the status of a state legal entity supervised by the minister responsible for the economy. PCA is the only institution authorised to grant accreditation to conformity-assessment bodies and is actively developing the accreditation and notification scheme for CRA conformity-assessment bodies. Accreditation under ISO/IEC 17065:2012 is the technical step before notification.
  • The notifying authority that formally designates Polish CRA notified bodies to the European Commission has not yet been confirmed in the Dziennik Ustaw. The Ministerstwo Cyfryzacji is the leading candidate based on its consultation role, but the formal designation will land in the Polish implementing instrument.

The CRA framework for notified bodies applies from 11 June 2026, after which designated bodies can begin issuing CRA conformity-assessment certificates. As of mid-2026, the Polish chain is being stood up alongside the implementing instrument. A Polish manufacturer can use any EU-notified body, not only Polish-designated ones. Choosing a Polish-designated body is a procurement preference and not a CRA requirement. Final CRA designations are published in the European Commission NANDO database.

KSC and CRA: where they overlap, where they do not

The amended Ustawa o krajowym systemie cyberbezpieczeństwa (KSC Act) is Poland's NIS2 transposition. It was published in Dziennik Ustaw on 2 March 2026, entered into force on 3 April 2026 after a one-month vacatio legis, gives in-scope entities until 3 April 2027 to comply, and requires self-identification plus registration in the KSC registry by 3 October 2026. Maximum fines reach 100 million PLN.

The two regimes overlap, but they do not substitute for one another:

  • KSC covers the entity. It applies to your organisation as a "key entity" (podmiot kluczowy) or "important entity" (podmiot ważny) if you fall in one of the sectors named in the Act. Governance, risk-management, incident-reporting, and supply-chain-security obligations attach to the organisation.
  • CRA covers the product. It applies to every product with digital elements you place on the EU market, regardless of whether your organisation is in scope of KSC. Essential cybersecurity requirements, vulnerability-handling, technical documentation, and CE marking attach to the product.

A Polish manufacturer that is both a KSC-scope entity and a CRA product manufacturer carries both regimes. Incident reports go to CSIRT NASK in both cases, but the underlying obligations differ: KSC tracks operational incidents at the organisation level, CRA tracks actively exploited vulnerabilities and severe incidents at the product level. Treat the KSC self-identification deadline of 3 October 2026 as an organisation-level task separate from your CRA product readiness. The KSC registry is not the CRA reporting platform.

Polish-language requirements in practice

The CRA requires user-facing product information to be in a language easily understood by users and the local market-surveillance authority. For products placed on the Polish market, that is Polish. Articles 7 and 7a of the 1999 Polish Language Act (Ustawa z dnia 7 października 1999 r. o języku polskim) independently require Polish in consumer-product naming, warranty terms, invoices, receipts, warnings, instructions for use, and product-property information. The CRA obligation aligns with this long-standing national rule.

Must be in Polish:

  • The user instructions and product information shipping with the product.
  • The manufacturer contact details, wherever they appear.
  • The end-of-support date disclosure shown at the point of purchase.
  • Warranty terms and consumer-rights information that ships with the product.

Can be multilingual:

  • The product label and CE marking.
  • Packaging text.
  • Online documentation, provided a Polish version is reachable.

English is normally accepted for:

  • Internal technical documentation. The Polish market-surveillance authority can request a Polish translation by reasoned request, so plan for that contingency.

The 1999 Act's Article 7a section 1 lets you ship a technically clear visual or symbol when the type of information allows. Article 11 exempts proper names, trademarks, indications of product origin, and customarily used scientific or technical terminology from the Polish-language requirement. The EU declaration of conformity must be made available in the languages required by the Member State where the product is placed or made available.

Selling cross-border from Poland

Polish manufacturers selling into Germany, the Czech Republic, France, or any other EU Member State carry the same single-routing rule: your reports still go to CSIRT NASK, because routing follows main establishment, not per-shipment destination. You do not file with the German, Czech, or French CSIRT.

The language obligation does fan out per market. A product shipped into the German market needs German user-facing content. A product shipped into the French market needs French content. The single Polish-language pack does not cover those markets.

Each receiving Member State's market-surveillance authority can also request your technical documentation in a language easily understood by that authority. If your supply runs broadly across the EU, expect requests in at least one widely-used working language, and treat early translation of the most-requested technical-documentation sections as a practical hedge.

National funding programmes

The Polish funding picture for CRA investment in 2026 has one live multi-year programme, one closing programme, and a handful of dedicated cybersecurity lines.

  • FENG (Fundusze Europejskie dla Nowoczesnej Gospodarki) is the main EU-funded innovation and SME programme for 2021-2027, administered by PARP. In May 2025, the Commission accepted a FENG change introducing Priority 5 for STEP-aligned defence technologies and dual-use investments, including cybersecurity. A separate Digital Transformation and Environment-Friendly Fund inside FENG opens SME loan applications in Q3 2026. CRA-driven SBOM tooling, vulnerability-handling platforms, and security-by-design infrastructure fit where the work is genuine innovation or production-process digitalisation.
  • KPO (Krajowy Plan Odbudowy) is Poland's Recovery and Resilience Plan, total envelope around EUR 54.7 billion (EUR 25.3 billion grants, EUR 29.4 billion preferential loans). KPO investments must be executed by 31 August 2026 under the NextGenerationEU sunset, with final payment requests due 30 September 2026. KPO is therefore not a viable planning vehicle for the 11 December 2027 CRA deadline.
  • Regional SME cybersecurity grants through PARP and the regional operational programmes typically sit in the 20,000 to 200,000 PLN range and cover diagnostic audits, secure-development training, and tooling pilots. Useful for an initial diagnosis, not for the full CRA programme.

For compliance investment dated against the 11 December 2027 deadline, the realistic public funding picture in Poland is FENG (Priority 5 and the Digital Transformation Fund) plus regional SME programmes.

Frequently asked questions

Which Polish CSIRT receives my CRA vulnerability notifications?

CSIRT NASK, the national CSIRT for the civilian sector, when the manufacturer's main establishment is in Poland. CSIRT MON (military) and CSIRT GOV (central government) are out of scope for commercial product manufacturers. Reports are submitted through the ENISA single reporting platform from 11 September 2026, with CSIRT NASK as the receiving coordinator. CERT Polska is the long-standing operational brand inside NASK and publishes Polish-language advisories.

Who designates Polish notified bodies, PCA or the Ministry?

PCA (Polskie Centrum Akredytacji) is the sole Polish national accreditation body and is developing the CRA accreditation and notification scheme. PCA accredits the candidate bodies under ISO/IEC 17065:2012. The notifying authority that will formally designate Polish CRA notified bodies to the European Commission has not yet been confirmed in the Dziennik Ustaw. The Ministerstwo Cyfryzacji is the leading candidate based on its consultation role, and the formal designation will land in the Polish implementing instrument. A Polish manufacturer can still use any EU-notified body for CRA conformity assessment.

Does the CRA replace my KSC obligations, or do I need both?

Both. The amended KSC Act (in force since 3 April 2026) covers your organisation as a key or important entity. The CRA covers every product with digital elements you place on the EU market. They overlap on CSIRT routing (CSIRT NASK receives both) and on the underlying security disciplines, but they do not substitute for one another. A Polish manufacturer that is also a KSC-scope entity carries both regimes, with separate registry filings, separate reporting streams, and separate fines (KSC up to 100 million PLN, CRA up to EUR 15 million or 2.5% of global turnover).

Which Polish authority is the CRA market-surveillance authority?

The formal designation has not yet been published in the Dziennik Ustaw as of mid-2026. The Ministerstwo Cyfryzacji is leading the implementing-instrument consultation and is the most likely candidate, with PCA and a sectoral authority (UKE or UOKiK) potentially supporting depending on product category. Verify the final designation in the Polish implementing instrument before any formal filing. The CRA reporting flow through CSIRT NASK operates regardless of how market-surveillance roles are divided.

When will Poland publish its national CRA implementing law in the Dziennik Ustaw?

The CRA is an EU Regulation with direct effect, so Poland does not need to transpose it into national law for the substantive obligations to apply on 11 December 2027. What Poland does need to publish before 11 June 2026 is an implementing instrument (likely an ustawa or rozporządzenie) that formally designates the CRA market-surveillance authority, the notifying authority for conformity-assessment bodies, and the national single point of contact, and sets the Polish fines scale within the CRA's EU-level ceilings. The Ministerstwo Cyfryzacji has been running the consultation. As of mid-2026, no CRA-specific instrument has appeared in the Dziennik Ustaw. Watch around the 11 June 2026 framework deadline, and treat any earlier industry attribution of authorities as provisional until that text lands.

Do I need to translate everything into Polish for B2B sales?

For products placed on the Polish market with end users in Poland, yes. The CRA requires user information in Polish. Articles 7 and 7a of the 1999 Polish Language Act independently require Polish in consumer-product naming, warranty terms, instructions for use, and product-property information. B2B sales between professionals have some flexibility on contract language, but the CRA obligation does not distinguish on this basis once the product is placed on the Polish market. Plan to deliver Polish user information, Polish support-period disclosure, and Polish manufacturer contact details across both consumer and professional channels. Trademarks, scientific terminology, and customary technical terms are explicitly exempt from the Polish-language requirement.

Can FENG or KPO funds pay for my CRA compliance tooling?

FENG yes, where the work is genuine innovation or production-process digitalisation. Priority 5 was introduced through the 2025 FENG/STEP change and covers cybersecurity, and the Digital Transformation and Environment-Friendly Fund inside FENG opens SME loan applications in Q3 2026. Pure compliance work (audits, conformity-assessment fees) is harder to fit. KPO is in its closing NextGenerationEU window with project execution due 31 August 2026 and final payment requests due 30 September 2026, so it is not a viable planning vehicle for the 11 December 2027 deadline.

I ship from Poland into other EU Member States. Where do I report incidents?

Through CSIRT NASK, regardless of which Member States you ship into. The CRA ties notification routing to main establishment, not to per-shipment destination. The language obligation does fan out per market: German-language product information for products shipped to Germany, Czech-language for products shipped to the Czech Republic, and so on. Pre-stage at least the most-requested technical-documentation sections in a widely-used working language to absorb cross-border reasoned requests from other Member States' market-surveillance authorities.

For Polish manufacturers preparing for 11 December 2027

  1. Confirm your manufacturer obligations using the manufacturer cluster guide.
  2. Verify your main establishment is in Poland and document the rationale. The location of cybersecurity decision-making, not the registered office, is what matters.
  3. Map your CRA reporting flow to CSIRT NASK, with a tested submission to the ENISA single reporting platform once it goes live on 11 September 2026.
  4. Run a KSC self-identification check by 3 October 2026 if you are also a key or important entity. Treat KSC and CRA as two separate compliance streams that share the CSIRT NASK routing but not the obligations.
  5. If your conformity-assessment route needs a notified body, scope PCA-accredited bodies as the home option, plus a cross-border alternative. Watch the Dziennik Ustaw for the Polish notifying-authority designation.
  6. Translate user instructions into Polish under the 1999 Act. Add per-market translations for any other EU Member States you ship into.
  7. Scope FENG Priority 5 and the Digital Transformation Fund against any cybersecurity-tooling investment. Do not plan against KPO for 2027 obligations.
  8. Read the supplier due diligence questionnaire for the manufacturer-side component-due-diligence framework.

This article is for informational purposes only and does not constitute legal advice. Consult qualified legal counsel for specific CRA compliance guidance.
