Introduction – Legislative and regulatory trends in new technologies law (2026)

New technologies law can be divided into two main areas:
(a) Internet law, and
(b) law of disruptive technologies.

Internet law covers legal acts and guidance issued by supervisory authorities (regulators) concerning issues such as: (a) rules for providing electronic services, (b) e-commerce, (c) electronic marketing, and (d) data governance on the Internet (implementation of the European Data Strategy).

Disruptive technologies law consists of legal acts and regulatory guidance concerning issues such as cloud computing, artificial intelligence (AI), the Internet of Things (IoT), blockchain, cryptocurrencies, autonomous vehicles, drones and industrial robots, and the gig economy (on-demand economy).

Most new legal sources are EU legal acts, adopted primarily in the form of regulations, and only to a lesser extent as directives. To emphasise importance, newly adopted regulations are often given the label Act (e.g. the Digital Services Act, the Data Act, the AI Act); however, this has no legal significance.

EU legal acts also apply to entities established outside the EU, provided that they offer services to users located within the EU (The Long Arm of European Tech Regulation).

Many newly adopted instruments in new technologies law observe the principle of proportionality, under which the scope of obligations is linked to the size and nature of the services provided; micro- and small enterprises (within the meaning of Commission Recommendation 2003/361) are also exempt from a number of obligations.

In 2025–2026, for the first time Internet regulators are being established and equipped with powers to impose high administrative fines (up to several tens of millions of euros, or even 20% of a provider’s worldwide annual turnover in the preceding financial year). This significantly increases the legal risk connected with operating online. The granting of new powers occurs through expanding the competences of existing bodies (in Poland, in particular the UKE, UOKiK, the UODO), and a new authority, the Committee for the Development and Security of Artificial Intelligence, is also planned.

Another new development is that, in some cases, compliance with a given legal act is supervised not by one but by several regulators (risk of regulatory overlap); an example is the DSA, with which compliance is to be supervised by two regulators: the President of the UKE and the President of UOKiK.

Individual legal acts also introduce mechanisms enabling natural persons to submit individual complaints to authorities regarding the activities of online service providers, as well as to bring civil law claims (independently of any administrative proceedings before supervisory authorities).

Below, current law with regard to specific areas of new technologies law is described, with particular emphasis on legal acts adopted in 2025, as well as those that are to come into force in 2026 or for which legislative work is to be conducted in 2026 in the EU and/or Poland.

Table od contents:

  1. Autonomous vehicles
  2. Blockchain
  3. Cloud computing
  4. Cybersecurity
  5. Data Act
  6. e-Service (e-Doręczenia)
  7. Freedom Media Act
  8. Gig economy
  9. E-commerce
  10. Influencer marketing
  11. Internet of Things (IoT)
  12. Crypto-assets
  13. Aviation law (drones)
  14. Digital media
  15. EU digital regulatory overhaul (Digital Omnibus)
  16. Protection of minors online
  17. Patostreaming
  18. Political advertising online
  19. Artificial intelligence
  20. Trust services in electronic transactions (eIDAS)
  21. Intellectual property online (copyright)
  22. Freedom of speech online (anti-SLAPP directive)
  23. Data governance (Data Governance Act)

Autonomous vehicles

An autonomous vehicle is a car equipped with advanced technological systems enabling it to move with no human input. According to the standard vehicle automation scale developed by the Society of Automotive Engineers (SAE), there are six levels of vehicle autonomy, numbered from 0 to 5. Levels 0–2 are treated as driver assistance systems (the driver is responsible for driving), and levels 3–5 as actual driving automation (the system performs all or nearly all of the dynamic driving task).

The key EU legal act on autonomous vehicles is Commission Implementing Regulation (EU) 2022/1426 of 5 August 2022 laying down rules for the application of Regulation (EU) 2019/2144 as regards uniform procedures and technical specifications for the type-approval of the automated driving system (ADS) of fully automated vehicles (OJ EU L 221). This Regulation sets detailed technical and procedural requirements that ADS must meet in order for vehicles equipped with such systems to obtain type-approval and thus be allowed on roads.

Regulation 2022/1426 is an important step towards enabling autonomous vehicles to operate, but it is not the only regulation relevant to such vehicles. Other rules also need to be amended, in particular road traffic legislation. Some EU Member States have therefore introduced rules on testing and, to a limited extent, the use of autonomous cars (e.g. Czechia, the Netherlands, Germany, Sweden).

Accordingly, in Poland, the amendment to the Road Traffic Law of 7 November, 2025 (Journal of Laws 2025, item 1734) introduced provisions concerning autonomous vehicles in the chapter on research work (Articles 65k–65n), providing a legal definition and a framework for testing them on public roads. As a rule, the classic assumption still applies: road traffic requires a driver meeting statutory requirements, and driving assistance systems are treated as vehicle equipment rather than a “driver”. During tests, the legislator requires that a licensed person capable of taking control at any moment—especially in the event of a road safety risk—be present in the driver’s seat. Testing on public roads is allowed only after obtaining an administrative permit specifying the area, time, number of vehicles, and meeting safety requirements.

The amendment to the Road Traffic Law concerning testing of autonomous vehicles enters into force on 24 June, 2026.

Blockchain

Due to the broad use of blockchain technology in areas such as energy, finance, and healthcare—there are currently no plans in the EU or Poland to adopt comprehensive legislation specifically governing blockchain.

Under the current legal framework, blockchain as such is not a separate legal institution; it is a technology which, when used in a particular way or sector, may trigger the application of specific legal rules. An example is the regulation of crypto-assets, which are one of the most important blockchain applications in the financial sector. Distributed Ledger Technology (DLT), of which blockchain is the most common type, serves to record ownership of assets. In this respect, Regulation (EU) 2023/1114 of 31 May 2023 on markets in crypto-assets and amending Directive (EU) 2019/1937 (OJ EU L 150/1), known as MiCA, applies. Some provisions came into force on 30 June, 2024 (Article 149(1)), and the remainder on 30 December, 2024 (Article 149(2)). MiCA is to be transposed into national provisions; in Poland—by the Crypto-assets Act (see item 12 below).

Other legislation with a significant impact on the development of blockchain in the financial sector is Regulation (EU) 2022/2554 of 14 December 2022 on digital operational resilience for the financial sector (DORA), which came into force on 17 January, 2025 (OJ EU L 333/1). It is assumed that DORA’s requirements create an opportunity to build a more stable and secure financial ecosystem based on this technology.

Certain sector-specific Polish rules also touch on blockchain. For example, Articles 30031 § 3 and 3281 § 3 of the Commercial Companies Code allow joint-stock companies and simple joint-stock companies to maintain a shareholder register in the form of a distributed and decentralised database, i.e. using blockchain. Apart from the planned Crypto-assets Act, no new legal acts applicable to blockchain are expected to stake effect in 2026.

Cloud computing

ZarNeither the EU nor Poland plans to adopt a single act comprehensively regulating the provision and use of cloud computing services. Legislative work is, however, ongoing on regulating the use of cloud computing in selected sectors (e.g. public administration—see below).

In practice, laws governing cloud computing projects include:

  • the Act on the National Cybersecurity System (KSC),
  • personal data protection rules (GDPR),
  • sector-specific regulations (including financial services, life sciences, public sector),
  • intellectual property rules (copyright, Database Protection Act),
  • civil law rules (including liability for performance of cloud computing services contracts).

New legal acts and regulatory initiatives concerning cloud computing that are to come into effect or on which work is to be continued in 2026 are:

  • Regulation (EU) 2023/2854 (Data Act), in particular provisions on switching data processing service providers, including cloud computing services (see item 5 below);
  • amendment of the Act on the Provision of Electronic Services, establishing supervisory authorities responsible for enforcing Regulation (EU) 2022/2065 ( DSA). Cloud computing constitutes a hosting service under this act; therefore, cloud computing service providers must meet DSA requirements, and failure to do so will trigger liability under the amended national act, including the possibility of administrative fines imposed by the President of the UKE as the supervisory authority (see item 14 below).

Guidelines issued by supervisory authorities or executive bodies are also important. In this context, on 23 October, 2024, the Council of Ministers adopted Resolution No. 127 amending the resolution of 11 September, 2019 on the Common State IT Infrastructure initiative (Journal of Laws 2024, item 908). The amended resolution has been in force since 29 October, 2024 and is of key importance for cloud computing projects in the public sector. Linked to the initiative and the government cloud are the Cloud Computing Cybersecurity Standards (SCCO) issued by the Ministry of Digital Affairs, setting legal, organisational, and technical requirements for government administration’s use of cloud computing services, defining minimum security levels depending on system category and cloud model. They are published as a separate document on the chmura.gov.pl portal.

Currently, the Ministry of Digital Affairs is also preparing a legislative proposal on cloud computing processing services for public administration, known as the Cloud Act. This is intended to regulate areas including the operation of the Government Cloud, the use of public clouds by administration, and the Cloud Services Assurance System (ZUCH). The act is to cover all public administration bodies—central and local—as cloud users. It is intended to regulate the Government Cloud (RChO) as a community cloud for administration, rules for using public clouds (PChO), and the operation of ZUCH as a procurement platform. The purpose is to ensure easy, standardised access to scalable cloud computing services in various models (IaaS, PaaS, SaaS), while ensuring a high level of security and compliance with SCCO 2025 and the National Interoperability Framework (KRI). The bill is therefore intended to codify and elevate content currently dispersed across WIIP and SCCO to statutory level.

Finally, in 2025, the European Commission announced that work would begin on a Cloud and AI Development Act, aiming to at least triple EU data-centre capacity over five to seven years and fully meet the needs of the economy and administration by 2035. The proposal is expected in Q1 2026.

The Commission is also drafting the EU Cloud Rulebook, a set of common requirements for cloud computing services in the EU market, covering, areas including security, interoperability, data portability, and contractual reversibility. These efforts form part of the Rolling Plan for ICT Standardisation and aim, among other things, to create pan-European marketplaces for cloud computing services meeting EU standards and rules.

Cybersecurity

The core cybersecurity act in Poland is the Act on the National Cybersecurity System of 5 July, 2018 (consolidated text: Journal of Laws of 10 July 2024, item 1077). It was modelled on Directive (EU) 2016/1148 (NIS 1). NIS 1 was replaced by Directive (EU) 2022/2555 (NIS 2), which was to be transposed by 17 October, 2024. The Polish legislator did not meet this deadline.

Under NIS 2, the previous distinction between operators of essential services and digital service providers has been replaced by a distinction between essential entities and important entities, with a number of new obligations imposed on them. Additional sectors have also been placed in scope (e.g. ICT service management, food production/processing/distribution).

NIS 2 is to be transposed in Poland via an amendment to the National Cybersecurity System Act, also reflecting the EU 5G Toolbox recommendations. Legislative work is nearing completion, and it is assumed that the amendment will be adopted in early 2026. It is estimated that the number of entities covered will increase from several hundred to approximately 40,000.

This amendment is not the only cybersecurity instrument that took effect in 2025 or will apply in 2026. The following will also take effect:

  • Regulation (EU) 2024/2847 (Cyber Resilience Act – CRA) introducing horizontal cybersecurity requirements for products with digital elements (hardware and software) placed on the EU market, aiming to reduce vulnerabilities and ensure security throughout the lifecycle. The CRA covers products intended or reasonably expected to be connected logically or physically (directly or indirectly) to a device or network. Products must meet essential cybersecurity requirements laid down in Annex I. Provisions will come into force gradually in 2026–2027. From 11 September, 2026, reporting obligations (Article 14) will apply, requiring notification to the competent CSIRT and ENISA of actively exploited vulnerabilities contained in products with digital elements. Although the main obligations will apply from 11 December, 2027, preparation should begin in 2026.wne obowiązki określone w CRA zaczną obowiązywać dopiero od dnia 11 grudnia 2027 r., to warto już w tym roku przygotować się do ich wdrożenia.
  • Regulation (EU) 2022/2554 (DORA) on digital operational resilience in the financial sector—aiming to increase resilience to cyberattacks and other technology threats and introducing stricter digital security requirements for financial institutions and their IT providers;
  • Directive (EU) 2022/2557 (CER Directive) on the resilience of critical entities—requiring transposition by 17 October, 2024 (deadline missed), with work ongoing in Poland on amending the Crisis Management Act;

Data Act

The Data Act is an EU regulation intended to create a single European data market. Its full title is Regulation (EU) 2023/2854 of 13 December 2023 on harmonised rules on fair access to and use of data.

It covers both personal and non-personal data. The Data Act is horizontal and governs data sharing in B2B, B2C and B2G relationships.

The Data Act reinforces the rights of users (consumers and businesses) to access and use data generated by IoT devices. It gives users greater control over data generated by products they own. This means users should have the ability to transfer their data more easily to other service providers and decide who may access it. Previously, such data was often accessible only to device manufacturers, preventing users from using competing after-sales or repair services (e.g. servicing by an entity other than the manufacturer). Accordingly, the Regulation requires smart devices to be designed and manufactured so that data generated by their use is, by default, easily and securely accessible to the user and to other entities designated by the user—and, where necessary, directly from the device.

In B2B contexts, it also introduces a list of unfair contractual terms concerning access to and use of data, with particular protection for SMEs.

Independently, the Data Act also enables the switching of cloud computing providers (including providers outside the EU if they offer services in the EU), including requirements for clear contractual terms, interoperability standards, and, ultimately, a prohibition on switching fees from 12 January 2027.

Separate provisions allow public authorities to access private sector data only in exceptional situations (e.g. disaster response), where data cannot be obtained otherwise in time.

Most of the provisions in the Data Act took effect on 12 September, 2025. From 12 September, 2026, the access by design requirement will apply to new IoT products and services, which must be designed to enable users to access data directly. In practice, this requires embedding data access mechanisms (interfaces, APIs, etc.) for products placed on the market after that date.

In the first half of 2026, Poland is also expected to adopt an implementing act—an act on fair access to data—setting out supervision and enforcement mechanisms, including the competent authority (intended to be the President of the UKE) and sanctions for breaches. Adoption of this act will help to enforce the Data Act more effectively.

e-Service (e-Doręczenia)

The essence of e-Service is that this is registered electronic service—serving letters and documents online in a way that provides proof of dispatch and receipt and protects the content against unauthorised alteration, thus having evidential value similar to registered mail with acknowledgement of receipt. In practice, e-Service is based on an electronic delivery address (ADE) and a delivery mailbox through which authorities communicate with citizens or businesses in official matters.

The key legal act is the Act of 18 November, 2020 on Electronic Service (consolidated text of 21 June 2024, Journal of Laws 2024, item 1045). Under these provisions, from 1 January, 2026 e-Service will become the primary channel for service of documents electronically in relations between a public entity and a citizen or business (non-public entity), unless specific provisions provide otherwise. In practice, this means moving away from ePUAP as the standard, limiting its use to cases specified by law.

Service of correspondence in the e-Service system has legal effect equivalent to registered mail with acknowledgement of receipt, together with proof of dispatch and receipt. In professional practice, activating and monitoring the ADE becomes a component of due diligence, because failure to collect correspondence may result in service being deemed effective after the statutory period and the risk of missing deadlines (e.g. for businesses, attorneys-at-law).

Freedom Media Act (European Media Freedom Act)

W dniu 17 kwietnia 2024 r. opublikowane zostało rozporządzenie Parlamentu EOn 17 April, 2024, Regulation (EU) 2024/1083 of 11 April 2024 establishing a common framework for media services in the internal market and amending Directive 2010/13/EU (the European Media Freedom Act) was published. Most of the provisions in this act came into force on 8 August, 2025.

The main purpose of the Regulation is to protect media pluralism and editorial independence, for both private and public media. It aims, in particular, to protect media service providers from political interference in editorial decisions and to protect journalists and their sources. Member States are also obliged to allocate public funds for advertising or other media services based on objective, non-discriminatory criteria. The Regulation also establishes the European Board for Media Services.

The EMFA requires national implementing provisions. In Poland, this work is supervised by the Ministry of Culture and National Heritage. According to the premises of the new media act, for which public consultations were held consulted publicly, the act is to regulate:

  • financing of public media,
  • reform of the National Broadcasting Council (KRRiT),
  • appointment of public media authorities,
  • media pluralism.

Adoption of the new media act is planned for 2026.

Gig economy

The gig economy is an economic and labour market model based on short-term assignments, known as gigs, projects, and on-demand work instead of permanent employment with one employer. It is most often associated with digital platforms (e.g. ride-hailing apps, delivery apps, freelancing platforms) matching clients with workers.

Of particular importance is Directive (EU) 2024/2831 of 13 September 2024 on improving working conditions in platform work and amending Directives 2019/1152 and 2019/1158 (the platform work directive).

The directive aims to strengthen protection for people working via digital platforms, mainly by facilitating correct classification of employment status and regulating algorithmic management. It introduces a rebuttable presumption of an employment relationship between the platform and the worker where the facts indicate direction and control by the platform—shifting the burden of proof to the platform if it wants to maintain an independent contractor model. The directive also restricts the use of automated monitoring and decision-making that exerts excessive pressure or endangers workers’ mental or physical health.

It also strengthens personal data protection for platform workers, especially regarding monitoring, profiling, and the use of data for work management.

The directive came into force in the EU on 1 December, 2024, and Member States must transpose it by 2 December, 2026.

Currently, Poland’s Ministry of Family, Labour and Social Policy is working on legislation on platform work.

E-commerce

Poland’s e-commerce legal framework consists of long-standing instruments, including:

General rules on electronic services (B2B and B2C)

  • Act on Providing Services by Electronic Means (the UŚUDE)

Rules on electronic transactions (B2B and B2C)

  • online contract formation (Civil Code)
  • form of legal acts (Civil Code, eIDAS Regulation)
  • EU regulation on online intermediation services

Consumer protection (B2C)

  • Consumer Rights Act
  • Act on Competition and Consumer Protection
  • Act on Providing Information  about Prices of Goods and Services
  • Act on Counteracting Unfair Market Practices
  • Civil Code provisions on unfair terms

Protection of businesses in contracts with platforms (B2B)

  • specific rules protecting businesses in platform relationships

Specific rules for certain categories of persons
In particular, the Act of 26 April, 2024 on Ensuring Accessibility Requirements for Certain Products and Services by Economic Operators (Journal of Laws 2024, item 731). It aims to remove barriers preventing or hindering persons with disabilities from using products and services. This act applies for instance to e-commerce services (Article 3(2)(6)). Businesses providing such services must ensure accessibility of websites and mobile apps, as well as documents, and provide alternative communication methods (e.g. text-based contact). The regulator for e-commerce and digital services is the Minister of Digital Affairs.

In 2026, Poland is expected to transpose two important directives relevant also for e-commerce: the EU Right to Repair directive and the new defective products liability directive.

Right to Repair Directive

Directive (EU) 2024/1799 of 13 June 2024 on common rules promoting the repair of goods (Right to Repair) is of key importance for e-commerce, electronics manufacturing, and consumer protection.

It establishes rules to promote repair rather than replacement, supporting environmental objectives. It covers measures within the statutory seller liability regime for lack of conformity and also beyond that regime.

During the seller’s liability period, if a consumer chooses repair instead of replacement, the seller must conduct repairs, and the liability period is extended by at least an additional 12 months—creating a regulatory incentive to repair.

A major development is that after the seller’s liability period, consumers gain a direct right to request repair from the manufacturer for goods listed in Annex II (technically repairable categories such as smartphones, tablets, data storage products). The manufacturer must offer repair within a reasonable time and at a reasonable price or free of charge (unless repair is impossible), and cannot refuse repair solely because a third party previously repaired the product.

Member States must transpose the directive by 31 July, 2026. Work in Poland is being led by UOKiK (on behalf of the Chancellery of the Prime Minister), with analyses and pre-consultations. Transposition is likely via amendments to the Consumer Rights Act and the Civil Code.

New Product Liability Directive

Directive (EU) 2024/2853 on liability for defective products replaces Directive 85/374/EEC and adapts product liability to the digital economy and AI. It introduces fully harmonised strict liability rules (no-fault) for economic operators for damage suffered by natural persons due to defective products.

The key change for tech law is expanding the concept of a product beyond tangible goods to include software, AI systems, and digital services. In the last case, this concerns services integrated with a product such that the product cannot function without them (e.g. navigation in an autonomous car), which are treated as a component of the product.

A product is defective if it does not ensure the safety that can reasonably be expected or required by law; risks can relate to digital elements and after-sales aspects (e.g. software updates). Potentially liable entities include not only the manufacturer but also component manufacturers, providers of related digital services, and in certain cases distributors.

In online sales models, some internet platforms may also be held liable. The directive introduces evidentiary tools, including disclosure mechanisms and presumptions of defectiveness and/or causation in typical scenarios.

The deadline for transposition is 9 December, 2026.

Influencer marketing

Currently, neither the European Union nor Poland have enacted legislation that directly regulate influencers’ activities.

In practice, the acts applied are the Act on Counteracting Unfair Market Practices, the Act on Combating Unfair Competition, and the Act on Competition and Consumer Protection (competences of the President of UOKiK).

A frequent allegation against influencers is the failure to properly label advertising content on social media (transparency). This may result in their activity being classified as:

  • surreptitious advertising within the meaning of article 7(1)(11) of the Act on Counteracting Unfair Market Practices —using editorial content in mass media to promote a product where the trader has paid for the promotion, and this is not made clear from the content or from images or sounds clearly identifiable by the consumer, is surreptitious advertising, and an unfair market practice;
  • an act of unfair competition within the meaning of article 16(1)(4) of the Act on Combating Unfair Competition —in particular, a statement which, encouraging the purchase of goods or services, creates the impression of neutral information, is an act of unfair competition in the field of advertising.

Two notable initiatives have been implemented in Poland in this context. First, in 2022, the President of UOKiK issued recommendations on how influencers should label advertising content on social media (https://uokik.gov.pl/influencer-marketing). Industry organizations (IAB Polska, SAR and the Advertising Council) and academic institutions (the University of Warsaw and Adam Mickiewicz University in Poznań) were consulted on these recommendations. Second, on 17 December, 2024, the Advertising Council adopted the Code of Ethical Conduct in the Influencer Marketing Industry.

With regard to influencer activity, there is also a statement issued by the National Broadcasting Council (KRRiT) of 12 January, 2022, according to which influencers’ commercial publication of materials on video-sharing platforms (e.g., YouTube) constitutes an audiovisual media service within the meaning of the Broadcasting Act, thus triggering an obligation to register the service with the Chair of the KRRiT, as well as other obligations set out in that act.

There are no plans to adopt legislation specifically addressing influencer activity in 2026.

Internet rzeczy (IoT)

Neither in the European Union nor in Poland is it envisaged that a single legal act will be adopted to comprehensively regulate the provision of services and the use of cloud computing.

In practice, cloud computing projects are governed by the following in particular:

  • the Act on the National Cybersecurity System (KSC),
  • personal data protection regulations (GDPR),
  • sector-specific regulations (including financial services, life sciences, public sector),
  • intellectual property law (copyright law, the Act on the Protection of Databases),
  • civil law provisions (including liability with regard to performance of cloud service agreements).

Guidelines issued by various authorities are also important. One notable case in this context is the European Data Protection Board (EDPB) Guidelines 1/2020 on the processing of personal data in the context of connected vehicles and mobility-related applications (connected cars), as well as the ENISA’ Guidelines for securing the Internet of Things (2020).

As regards legal acts, the following EU legislation came into effect in 2025, or will do so in 2026–2027. These have major implications for the IoT market:

  • EU Regulation 2023/2854 (Data Act), in particular as regards strengthening the rights of users of IoT devices (see item 6 above),
  • EU Regulation 2024/1689 (AI Act) (see item 20 below),
  • EU Regulation 2024/2847 (Cyber Resilience Act) (see item 5 above).

Crypto-assets

Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto-assets and amending Regulations (EU) No 1093/2010 and (EU) No 1095/2010 and Directives 2013/36/EU and (EU) 2019/1937 (MiCA), is the first comprehensive legal framework for issuing crypto-assets and providing related services across the EU. Its aim is to harmonize the market, enhance investor protection, and reduce systemic risks associated with crypto-assets.

MiCA is to be implemented through national laws, in particular by designating the competent authority, and regulating licensing procedures, supervisory mechanisms, and the catalogue of administrative and criminal sanctions. In Poland, a bill drawn up by the Ministry of Finance in cooperation with the Polish Financial Supervision Authority (KNF), adopted by Parliament to implement MiCA and the regulation on transfers of funds in crypto-assets, was vetoed by the President of the Republic of Poland on 1 December, 2025. A governmental proposal on crypto-assets (version 2.0) was adopted again by the Council of Ministers in December 2025 and is currently being processed in Parliament. It is planned to be adopted in early 2026.

The bill designates the KNF as the competent authority, including for licensing crypto-asset service providers (CASPs), carrying out inspections, and imposing administrative sanctions. It also provides for a register of domains and IP addresses of entities illegally offering crypto services, the possibility to block accounts and wallets, and a broad catalogue of financial and criminal penalties.

The crypto-assets bill is particularly important for entities in the crypto sector (e.g., exchanges, crypto exchange offices, brokers, token issuers, etc.), but also for financial and payment institutions (e.g., banks, brokerage houses), as well as entities outside the crypto sector (e.g., e-commerce companies accepting crypto payments).

Aviation law (drones)

Under the current legal framework, the use of drones is regulated by both EU law and Polish law.

From the perspective of EU law, the following acts are key:

  • Commission Implementing Regulation (EU) 2019/947 — mainly on rules for conducting drone operations,
  • Commission Delegated Regulation (EU) 2019/945 — mainly on classes of unmanned aircraft systems (UAS),
  • the Easy Access Rules for UAS document (guidance and explanations for applying the rules under Regulations 945 and 947),
  • Guidelines for UAS operations in the open and specific category – Ref to Regulation (EU) 2019/947.

However, these EU documents do not regulate all issues related to drone operations, and individual EU Member States must adopt appropriate national legislation.

Accordingly, Poland adopted an amendment to the Aviation Law of 24 January, 2025 (Journal of Laws 2025, item 179). This amendment comprehensively closes the implementation of EASA regulations for UAS and introduces new obligations for operators.

The amendment specifies three categories of UAS operations:

  • open operations,
  • specific operations,
  • certified operations.

Guidelines issued by the President of the Civil Aviation Authority (ULC), issued under article 23(2)(2) of the Aviation Law and other legal provisions, are also important as a way to implement and clarify EU provisions (e.g., Regulation 2019/947).

Digital media

In 2026, two legal acts concerning digital media are expected to be adopted:

  • a new media act implementing the European Media Freedom Act (see item 9 above),
  • an amendment to the Act on Providing Services by Electronic Means, implementing the EU regulation known as the Digital Services Act (DSA).

As an EU regulation, the DSA is directly applicable, and each Member State must ensure that it is enacted effectively in its legal system by adopting appropriate internal rules. At national level, the requirements under the DSA include designation of the Digital Services Coordinator — the regulator responsible for enforcement in Poland — and granting it appropriate powers.

According to the governmental bill amending the Act on Providing Services by Electronic Means submitted to the Sejm on 29 September, 2025 (Sejm docket no. 1757), the competent authorities under the DSA in Poland are to be:

  • the President of UOKiK — with respect to provisions concerning providers of online platforms enabling consumers to conclude distance contracts with traders and other consumer protection matters set out in the DSA,
  • the President of the Office of Electronic Communications (UKE) — in the remaining, predominant scope.

At the same time, the President of the UKE is to be designated as the Digital Services Coordinator in Poland (article 49(1) DSA). A National Council for Digital Services is to be established to operate as an arm of the President of UKE.

The amendment also addresses matters such as:

  • orders to act against illegal content, orders to remove restrictions imposed by hosting providers, and orders to provide information,
  • rules for certification of out-of-court dispute settlement bodies,
  • rules for granting the status of trusted flagger and verified researcher,
  • rules on policies enabling complaints against intermediary service providers,
  • rules of civil liability of intermediary service providers and court proceedings,
  • rules for imposing fines under the DSA,
  • provisions amending other acts.

The adoption of the amendment was planned for early 2026, but the bill was vetoed by the President on 9 January, 2026. and thus this timeline no longer applies. As in the case of the vetoed crypto-assets act —the government can be expected to draft version 2.0 of the amendment in Q1 2026. In 2026, the European Commission also intends to announce proposed changes to the EU Audiovisual Media Services Directive (AVMSD), on which the Polish Broadcasting Act is modeled.

EU digital regulatory overhaul (Digital Omnibus)

On 19 November, 2025, the European Commission announced the initiative known as the Digital Omnibus (COM(2025) 837 final). Its main objective is to simplify the current digital regulations and reduce the cost of compliance. Under the adopted approach, a single EU regulation is planned, to amend a number of legal acts including the GDPR, the e-Privacy Directive, Directive NIS2, the Data Act, and the Data Governance Act. The package includes a separate proposal — distinct from the general Digital Omnibus regulation — titled the Digital Omnibus on AI, amending certain provisions of the AI Act (COM(2025) 836 final). This regulation will be crucial, among other things, for determining the applicability of AI Act provisions on high-risk systems (see item 19 below).

The Digital Omnibus package will be of major importance to the digital market. It is envisaged to be adopted by the end of 2026, with the Digital Omnibus on AI expected to be processed faster.

Protection of minors online

The Ministry of Digital Affairs is currently working on a bill protecting minors from pornographic content online (UD179).

The bill is currently at the governmental and parliamentary stages and has been substantially revised in relation to the original concept — the scope has been narrowed from harmful content to pornographic content.

The bill provides for instance for obligations for service providers to apply effective age verification and appropriate provisions in online service terms and conditions. The main premise of the bill is to limit minors’ access to pornographic content online through mandatory age verification, a register of websites that disregard these requirements, and internet access providers blocking access to such domains.

The act is to protect all persons under 18, and focuses on making access to pornographic content more difficult and preventing accidental exposure of children to such material.

Service providers that make pornographic content available (websites, platforms) will be required to implement effective mechanisms for verifying users’ age before granting access. If a provider fails to implement age verification, the President of UKE will be able to place the domain on a special register maintained by NASK, and telecom operators will be required to block access to domains on the list for users in Poland.

NASK is to maintain a register of domains that fail to meet age verification requirements or circumvent the system, and the President of UKE is to receive powers to issue decisions placing domains on the register and to supervise compliance by internet access providers with the obligation to block access, including by way of imposing sanctions.

The planned date for adoption by the Council of Ministers is Q2 2026, and enactment is expected in Q4 2026.

Patostreaming

In 2025, there was substantial public debate in Poland about issues classified as patostreaming, i.e., publicly streaming and disseminating online audiovisual content presenting violence, aggression, and pathological behavior, which poses danger of a serious social and moral nature.

Currently, Poland has no separate provision that expressly defines patostreaming as an independent criminal offence, but advanced work is underway to criminalize it. As a result, patostreaming is currently prosecuted under existing Criminal Code provisions regulating offences such as those that endanger life and health, the offence of insult, defamation, making of criminal threats, incitement to hatred, and public praising of an offence.

At the same time, consultations are underway on introducing a new provision to the Criminal Code (new article 255b § 1), aimed at combating this problem. The proposed provisions define patostreaming as dissemination online of content showing the commission or simulated commission of an offence, often with further stipulations where the perpetrator acts for financial gain.

Further consultations can be expected in 2026 on introducing a separate Criminal Code provision penalizing patostreaming.

Political advertising online

On 10 October, 2025, the main provisions of Regulation (EU) 2024/900 of the European Parliament and of the Council of 13 March 2024 on the transparency and targeting of political advertising (OJ EU L 2024/900) took effect.

The main goal of the Regulation is to ensure transparency and fairness in the electoral process and protect citizens from information manipulation, including disinformation.

The Regulation introduces a number of rules that significantly affect online activity, particularly in the context of election campaigns and public debate.

Key mechanisms include:

  • transparency of funding,
  • clear labelling of political ads,
  • restrictions on targeting based on sensitive personal data,
  • measures to combat disinformation.

The obligations under the Regulation apply to:

  • political advertisers,
  • advertising service providers,
  • sponsors.

There is a catalogue of sanctions for non-compliance, including removal orders, blocking access to a platform used to publish an unlawful ad, and restrictions on conducting political advertising activity for a certain time.  There are administrative fines of up to 6% of annual income/budget or 6% of global annual turnover.

Each EU Member State is obliged to implement the above rules in its national legal system, including by designating the authority/authorities responsible for enforcement. In Poland, the competent authority supervising compliance with targeting rules and data processing in online political advertising is the President of the Personal Data Protection Office (PUODO), based on article 22 of the Regulation. Other aspects (such as ad labelling and publishers’ obligations) are to be entrusted to another authority; so far, no comprehensive national rules have been adopted, and the Ministry of Digital Affairs is working on a legislative proposal.

A supplementary (implementing) act is due to be adopted in 2026.

Artificial intelligence

The key legal act regulating the development and use of AI systems is the EU AI Act.

The main date from which the AI Act will apply is 2 August, 2026. An intertemporal rule was adopted under which the act will apply to systems placed on the market or put into service before that date unless, after that date, substantial changes are made to their design (article 111(2)). An exception to the general start date applies to provisions on prohibited AI practices, which have been in force since 2 February, 2025. Some provisions on high-risk systems and on general-purpose AI models came into force on 2 August, 2025.

The main objective is to ensure safety in developing and using AI systems. The regulation applies to systems that process personal and non-personal data. The AI Act applies not only to providers but also to deployers, and also to entities outside the EU where outputs produced by an AI system are used in the EU (article 2(1)(c)).

Article 5 lists practices that are prohibited after 2 February, 2025, for example placing on the market, putting into service, or using an AI system that uses subliminal techniques beyond a person’s consciousness in order to materially distort a person’s behavior in a manner that causes or is likely to cause physical or psychological harm (article 5(1)(a)).

Most of the AI Act concerns high-risk AI systems (chapter III), i.e., systems meeting conditions in article 6(1) and listed in annex III as posing significant risks. The regulation sets out obligations separately for providers (mainly article 16 et seq.) and for deployers (articles 26–27). Providers must also undergo conformity assessment procedures.

While the AI Act generally does not regulate low-risk systems article 50 introduces certain transparency obligations, e.g., informing users they are interacting with an AI system, machine-readable labelling of synthetic content, and disclosure obligations for deepfakes.

There are also specific rules for providers of general-purpose AI models (e.g., GPT). Under article 53, special obligations apply regarding the use of copyright-protected works and related rights as training data.

The AI Act provides for the establishment of an independent supervisory authority with powers including imposing high administrative fines (up to 7% of total worldwide annual turnover). In a new development, the European Data Protection Supervisor will be able to impose fines for breaches of the prohibited AI practices, up to EUR 1,500,000.

The date of 2 August, 2026 for the high-risk regime may be postponed: the European Commission proposed this on 19 November, 2025 in the AI Omnibus proposal (COM(2025) 836 final) as part of the Digital Omnibus package. Under that proposal, provisions on high-risk systems and on synthetic content may come into force later, in 2027, due, among other things, to delays in Member States in designating supervisory bodies, conformity assessment bodies, and issuing guidance.

In Poland, work is also underway on an implementing act. A proposal on AI systems prepared by the Ministry of Digital Affairs and submitted for consultation assumes that the supervisory authority will be a new body — the Commission for the Development and Security of Artificial Intelligence — headed by a chair appointed by the Prime Minister. Adoption is planned in 2026.

Although the AI Act is the main regulation, other laws also apply, in particular: copyright law (including text and data mining), GDPR, civil law (liability), unfair competition law (trade secrets), and consumer law (e.g., information on personalized pricing based on automated decision-making).

Trust services in electronic transactions (eIDAS)

The existing eIDAS Regulation (EU) No 910/2014 provided the legal basis for electronic signatures and other trust services. It established standards for e-signatures, seals, time stamps and electronic registered delivery services, and ensured cross-border recognition of eID and certificates across the EU.

On 11 April, 2024, eIDAS was amended by Regulation (EU) 2024/1183 (eIDAS 2.0), introducing the European Digital Identity framework. Its objectives include improving authentication and authorization, interoperability, and  security. Transitional provisions apply: secure signature creation devices recognized under the old directive will continue to be recognized as qualified until 21 May, 2027; qualified certificates issued under the old directive will continue to be recognized until 21 May, 2026. In practice, existing qualified signatures and certificates can still be used. The list of qualified trust service providers in Poland is available on the website of the National Certification Centre.

eIDAS 2.0 introduces new requirements also for non-qualified trust service providers, and stricter security and certification. A key new service is the EU Digital Identity Wallet, a smartphone app enabling storage and use of digital documents across the EU.

The amendment entered into force on 20 May, 2024, but many implementing acts and transition periods apply. For example, Member States must ensure that at least one EU Digital Identity Wallet is created within 24 months from the entry into force of implementing acts defining standards and requirements.

Poland is implementing eIDAS 2.0 primarily through an amendment to the Act on Trust Services and Electronic Identification (draft UC122) and related changes, including to the Act on Computerization and the mObywatel app. Adoption is planned in 2026.

Intellectual property online (copyright)

For online business in 2026, the key legislative development is the 2024 amendment to the Polish Copyright Act. At the same time, the increasing use of generative AI raises practical challenges in applying existing IP paradigms.

An amendment of 26 July, 2024 implemented Directive (EU) 2019/790 (DSM Directive). Most provisions took effect on 20 September, 2024, with article 86¹ taking effect on 20 February, 2025.

Key areas include:

  • Text and data mining (TDM) — defined as automated analysis of texts and data to generate information such as patterns, trends and correlations. The amendment introduced a new exception allowing TDM unless the rightholder reserves rights; for online works, the reservation must be machine-readable with metadata.
  • Remuneration rights for creators and performers for making available online — creators and performers are granted an inalienable right to remuneration where their works/performance are made available online, especially on streaming/VOD platforms.
  • Remuneration for audiovisual works online — new provisions introduce a right to collect royalties for online use of audiovisual works.
  • New neighboring right for press publishers online — press publishers gain an exclusive right to use their publications online, enabling additional remuneration from online service providers; authors receive 50% of the remuneration due to publishers.
  • New liability regime for online content-sharing service providers — platforms are generally liable for unauthorized public communication unless they demonstrate compliance with statutory conditions (e.g., due diligence to obtain authorization).

In 2026, no further copyright amendments are planned.

Freedom of speech online (anti-SLAPP directive)

On 11 April, 2024, Directive (EU) 2024/1069 was adopted to protect people engaging in public debate from manifestly unfounded claims and abusive lawsuits (SLAPP). It enables early dismissal of manifestly unfounded claims and shifts the burden to the claimant; courts may order costs and impose penalties in cases of abuse. The directive applies only to cross-border civil matters. Member States must implement it by 7 May, 2026.

In Poland, a governmental draft of the implementing act is expected to be adopted by the Council of Ministers in early 2026 and then processed in the Sejm. It is to take the form of a separate act.

Data governance (Data Governance Act)

Regulation (EU) 2022/868 (Data Governance Act) came into effect on 24 September, 2023. It is to be supplemented in Poland by an implementing act, which is undergoing legislative work.

The act establishes frameworks to increase trust and support data sharing, including re-use of public sector information, data intermediation services, and data altruism (voluntary data sharing for the common good). It applies to both public and private entities.

Each Member State must establish an independent supervisory authority. Under the Polish legislative proposal, the authority would be the PUODO, with certain tasks also assigned to the President of Statistics Poland (GUS). A sanctions regime is planned, with fines up to EUR 500,000.

The Polish legislative proposal was adopted by the Council of Ministers on 21 October, 2025 and submitted to Parliament, but its future is uncertain because the draft EU Digital Omnibus proposes repealing the Data Governance Act and incorporating its content into an amended Data Act.

Contact us to help prepare your organization for changes in 2026.

Send an enquiry