BOSWAU + KNAUER

Critical Infrastructure in Poland: NASK, RDC, and Eastern Flank Reality

NASK, RDC critical infrastructure register, NATO eastern-flank context. A frontier market reshaping its physical security.

Dr. Raphael Nagel

July 3, 2025

Poland is not a peripheral market for critical infrastructure protection. It is the operational frontier where European security policy is tested against actual threat traffic, and where the gap between regulation on paper and protection on the ground is closing faster than in any other member state of the Union.

The reason is simple. A country that shares a land border with Kaliningrad, Belarus and Ukraine, that hosts the logistical spine for allied support eastward, and that has absorbed several million people across its eastern checkpoints in the past three years, does not have the luxury of treating physical security as a procurement category. It treats it as a doctrine. Operators in Warsaw, Gdańsk, Katowice and Rzeszów have moved past the question of whether their substations, fiber landing points, rail nodes and water plants are targets. They are. The question is what holds when the next probe lands, and what the register says about who is responsible.

The shape of the Polish framework

Polish critical infrastructure protection is built on two pillars that operators outside the country often confuse. The first is the National Critical Infrastructure Protection Programme, administered through the Rządowe Centrum Bezpieczeństwa, abbreviated RCB, the Government Centre for Security. The Programme maintains a non-public register of designated critical infrastructure across eleven systems, ranging from energy and fuel supply through transport, communications, financial services and food supply, to systems supporting the continuity of public administration. Designation is not symbolic. It triggers obligations on the operator, including the appointment of a critical infrastructure protection officer, the preparation and maintenance of a protection plan, and the willingness to be audited against that plan by the responsible ministry and by RCB itself.

The second pillar is the cybersecurity regime under the National Cybersecurity System Act, which transposes the original NIS directive and is being adjusted, with friction, to the requirements of NIS2. Within that regime, NASK, the Naukowa i Akademicka Sieć Komputerowa, sits as a state research institute under the supervision of the Ministry of Digital Affairs and acts as the operational arm for cyber incident response in the civilian sector through its CSIRT NASK function. NASK does what an honest CSIRT does. It collects, correlates, warns, coordinates, and where necessary, leans on operators that have stopped responding to their own telemetry.

What complicates the picture for international observers is that the two pillars overlap in practice but not in statute. A power transmission operator is on the RCB register as critical infrastructure and is simultaneously an operator of essential services under the cyber framework. The two obligations are not consolidated. The protection plan filed with RCB does not automatically satisfy the security documentation required under the cyber regime, and the incident reported to CSIRT NASK does not automatically reach the desk that handles the physical protection officer. Operators that mature past the early phase build internal bridges between the two functions, because the regulators have not built them yet. This is the operational reality, regardless of what the official guidance says.

The framework is solid where it matters. It is bureaucratically uneven where it touches the seams between cyber and physical. Any serious security architecture in Poland is built with that asymmetry in mind, not against it.

NASK as an operational actor, not a logo

NASK is frequently described in foreign coverage as the Polish equivalent of a national cybersecurity authority. That description undersells what NASK actually does and overstates the regulatory weight it carries. NASK is a research institute, not a ministry. Its authority is technical and reputational, derived from competence rather than statute. In a country where bureaucratic authority is often contested, that distinction is a feature. Operators take NASK calls seriously because the calls are usually right, not because they are required by law.

The CSIRT NASK function handles incident coordination for non-governmental operators of essential services and for the broader civilian internet. It runs honeypots, monitors traffic, publishes advisories, and increasingly engages directly with operators whose perimeters show signs of reconnaissance. In the period since February 2022, the volume and sophistication of activity have not declined. NASK publications and parallel reporting from Polish military cyber commands describe a sustained operational tempo in which probing, defacement attempts, distributed denial-of-service campaigns against logistics and government targets, and more targeted operations against energy and transport have become the steady state rather than the exception.

What this means for a physical security architecture is that the cyber-physical seam is no longer theoretical. A reconnaissance pattern observed in the network logs of a substation precedes, in many documented cases, a physical reconnaissance of the same site within weeks. Operators that read both their cyber telemetry and their perimeter telemetry as one feed, rather than two, are the ones that catch the pattern in time. Those that hold the two feeds in separate rooms, with separate vendors and separate reporting lines, catch the pattern after the second event. The architecture has to be unified or the unification will be done for the operator by the adversary.

NASK is also one of the few institutions in the region that has actively shaped the discussion on resilience standards for operational technology environments. Its alignment with IEC 62443 for industrial systems and with the NIST Cybersecurity Framework 2.0 for governance is more than ornamental. Polish operators that have mapped their controls against both frameworks in parallel report a measurable improvement in audit outcomes and in their ability to participate in cross-border exercises with allied operators. The framework discipline matters because it makes the conversation portable. A protection plan that reads only against Polish statute is unusable in a coalition incident. A plan that reads against IEC 62443 and ISO 27001 is the language allies actually speak.

The register and what it changes for operators

The RCB register is the document that turns abstract national security policy into an operator obligation. Inclusion on the register triggers a sequence of duties. The operator appoints a critical infrastructure protection officer, prepares a protection plan covering physical, technical, personnel, legal and ICT protection, integrates that plan with regional crisis management procedures, and submits to periodic verification.

The register itself is non-public. This creates a tension that international observers misread. The fact that the list of designated facilities is not disclosed does not mean that the designations are arbitrary or that the population is unknown to the market. Operators know if they are on the register, because they receive the designation. Insurers know with reasonable accuracy who is on the register, because the protection plan is a precondition for certain coverage. Vendors of physical security technology learn the population through the procurement language. The non-public character of the register protects the targets, not the framework.

For an operator newly designated, the practical question is not whether to comply but how to translate the protection plan from a document into an architecture. The plan typically requires layered physical protection, redundancy of critical functions, vetted personnel, controlled access, and demonstrated ability to detect and respond to intrusion within defined time windows. The detection and response windows are where most plans fail in audit, because operators document what they would like to achieve rather than what their current sensors and response chains can actually deliver. RCB auditors, in the experience of operators that have been through the cycle, are not interested in aspirational language. They want to see the camera coverage, the analytics that classify intrusion versus environmental noise, the alarm path from sensor to operator console, the dispatch chain to physical response, and the documentation that the chain has been exercised under conditions resembling the threat profile.

This is where the European discussion about resilience meets the Polish reality. ASIS International guidance, BSI publications on KRITIS, NICB data on cargo and equipment theft patterns, and the operational standards used by major German operators all describe similar architectures. The Polish version is harder because the threat profile includes state-linked actors operating from across a contested border, and because the response window assumed in the plan has to be short enough to matter against a determined adversary, not only against opportunistic theft.

The eastern flank as operational context

NATO doctrine since 2022 treats the eastern flank as the area where conventional deterrence, hybrid response and infrastructure resilience converge. Poland is the operational centre of that flank. The Rzeszów-Jasionka logistical hub, the rail corridors running east from Lublin and Przemyśl, the pipeline infrastructure feeding the region, the fiber routes that carry both civilian and allied military traffic, and the power infrastructure that supports all of the above, form a single integrated target system from the perspective of any actor seeking to disrupt allied support to Ukraine.

This has shifted the procurement language for physical security in measurable ways. Operators that five years ago specified perimeter intrusion detection in commercial terms now specify it in terms that include resilience under jamming, autonomy under loss of central command, redundant communications, and protection against drone surveillance and drone-delivered payloads. The technologies required are not exotic: mobile video towers with autonomous power, AI-supported video analytics that distinguish a person from environmental motion in low light, sensor fusion across optical, thermal and acoustic channels, and security robots that extend patrol reach without expanding headcount. The exotic part is the integration into a doctrine that assumes the operator will, at some point, operate degraded.

The book BOSWAU + KNAUER. From Building to Security Technology develops a framework for this kind of integration that begins from construction-site realities rather than from a cybersecurity reading of the problem. The argument applies in Poland with particular force, because the construction logic of robustness, fast deployment, low maintenance and operator-readable interfaces is the same logic that an eastern-flank operator needs when the next incident lands at three in the morning and the central command channel is not available.

Polish operators have, in many cases, internalised this faster than their counterparts in western Europe. The reason is proximity. A facility manager in Lublin reads the morning briefing differently from one in Düsseldorf. The Lublin manager is not theorising about hybrid threats. He is reading the second drone overflight report of the week.

Sectors where the growth is real

Four sectors in Poland are absorbing physical security investment at a rate that exceeds the regional average. Energy is the first. The Polish power transmission and distribution network, combined with the LNG infrastructure at Świnoujście and the expanding nuclear programme, represents the most heavily monitored set of physical assets in the country outside the military estate. Operators are layering perimeter detection, video analytics, autonomous patrol and access control into architectures that aim for sub-minute detection-to-response cycles at substation level. The investment is sustained, not opportunistic.

Logistics and rail are the second. The corridors from the Baltic ports inland, and the eastern rail routes that have absorbed both commercial and aid traffic, are now equipped with mobile video towers, sensor arrays at marshalling yards, and analytics platforms that monitor cargo movement against expected patterns. The NICB pattern for cargo theft is recognisable in the Polish data, with the additional layer that some of the activity tracks state-linked rather than purely criminal motivation. Operators have adjusted their architectures accordingly.

Data centres and fiber infrastructure are the third. Poland has emerged as a significant hub for European data infrastructure, partly because of geography and partly because operators have priced sovereignty into their decisions. The physical protection of data centres in Warsaw, Kraków and the secondary hubs is at a standard that compares favourably with Frankfurt and Amsterdam, with the difference that the threat model includes physical sabotage of fiber routes as a credible scenario rather than a theoretical one.

Water and food supply are the fourth. Less visible, less discussed, and increasingly the target of designation under the RCB register. Operators in this segment are at an earlier stage of architectural maturity, but the regulatory pressure and the insurance economics are pulling them forward.

Across all four sectors, the pattern is the same. The operators that move first are the ones that have stopped treating physical security as a guarding cost and started treating it as an infrastructure investment with measurable returns in reduced loss, lower insurance premiums, and better positioning for the next round of regulatory verification.

What holds

Poland is the European market where critical infrastructure protection has the shortest distance between doctrine and operation. The RCB register translates national security policy into operator obligations that are audited in practice. NASK operates as a technical authority whose calls are taken seriously because they are usually correct. The eastern-flank context removes the ambiguity that allows operators in calmer markets to defer investment.

For an operator looking at the Polish market, whether as a foreign investor with assets in country or as a domestic operator preparing for the next audit cycle, the question is not whether the framework will tighten. It will. The question is whether the architecture in place today reads against IEC 62443, ISO 27001, NIST CSF 2.0 and the Polish protection plan template, in a way that an external auditor can verify in days rather than weeks. If it does not, the gap is the work programme.

A confidential sixty-minute conversation, Path I in the framework set out in the book, is the appropriate first step for an operator that wants a second reading of the gap before committing to a structured audit. The audit, Path II, runs three to five days on site and delivers a written assessment that is usable independently of any vendor relationship. The two paths are designed to be useful even if no further engagement follows.

Frequently asked questions

What is NASK?

NASK, the Naukowa i Akademicka Sieć Komputerowa, is a Polish state research institute under the Ministry of Digital Affairs. It operates CSIRT NASK, one of the national-level computer security incident response teams responsible for the civilian sector. NASK coordinates incident response for operators of essential services, publishes threat advisories, maintains technical capabilities for monitoring and analysis, and contributes to the development of Polish cybersecurity standards. Its authority is primarily technical and reputational rather than regulatory, but its calls carry weight with operators because the analysis is consistently accurate and aligned with international frameworks including NIST CSF 2.0 and IEC 62443.

What is the RDC?

The reference is to the Rządowe Centrum Bezpieczeństwa, RCB in standard abbreviation, the Government Centre for Security. RCB administers the National Critical Infrastructure Protection Programme and maintains the non-public register of designated critical infrastructure across eleven systems including energy, transport, communications, finance and food supply. Designation triggers operator obligations including the appointment of a protection officer, the preparation of a protection plan covering physical, technical, personnel, legal and ICT protection, and periodic verification by the responsible ministry and RCB. The register itself is not disclosed publicly to protect designated facilities.

How does NATO context apply?

Poland sits on NATO's eastern flank and hosts the logistical infrastructure that supports allied operations in the region. This shifts the threat model for critical infrastructure operators from commercial risk to a profile that includes state-linked actors, hybrid operations and sustained reconnaissance activity. NATO doctrine treats infrastructure resilience as part of deterrence, which means that protection plans for designated facilities are read against an assumption of sophisticated adversaries operating with intent rather than opportunistic criminals. Operators specify resilience against jamming, autonomy under degraded communications, and protection against drone surveillance as standard rather than exceptional requirements.

Which sectors are growing?

Four sectors absorb the majority of physical security investment in Poland at present. Energy, covering transmission, distribution, LNG infrastructure and the nuclear programme, leads in volume and sophistication. Logistics and rail, particularly the corridors handling commercial and aid traffic eastward, follow closely with mobile video towers, sensor arrays and analytics platforms. Data centres and fiber infrastructure are growing rapidly as Poland establishes itself as a European data hub with sovereignty considerations priced in. Water and food supply are at an earlier stage of architectural maturity but moving forward under regulatory and insurance pressure tied to the RCB designation cycle.

About the author

Dr. Raphael Nagel (LL.M.) is founding partner of Tactical Management. He acquires and restructures industrial businesses in demanding market environments and writes on capital, geopolitics, and technological transformation. raphaelnagel.com
