Changes to Regulations Concerning the National Cybersecurity System - New Obligations Related to .pl Domain Names
Jun 17, 2026, 1:23:22 PM
On April 3, 2026, an amendment to the Act of July 5, 2018, on the National Cybersecurity System (“UKSC”) entered into force, implementing the provisions of the EU’s NIS2 Directive. These regulations aim to enhance cybersecurity, combat online abuse, and ensure the security of the state and users of digital services. The regulations impose an obligation on entities operating in strategic sectors of the economy to implement appropriate technical and organizational measures. This also applies to the internet domain name ecosystem, including the accuracy and completeness of Subscriber data.
With regard to names in the .pl domain, the new requirements primarily include:
- mandatory verification of Subscriber data,
- providing a contact phone number if one has not been provided previously,
- mandatory publication in the Whois/RDAP database of the contact details of those Subscribers who do not avail themselves of the personal data protection provided for under the GDPR.
1. .pl domain names are maintained for designated entities, and the basis for verification activities has thus far been the authority to identify the Subscriber as a party to the contract. The existing practice essentially aligns with the new requirements; therefore, the new regulations do not affect the Subscriber’s current status. However, Subscribers will be required to participate in verification procedures conducted by .pl domain name registrars, as the UKSC has made such participation mandatory. Failure to participate in these procedures may prevent compliance with the obligations imposed by the regulations and result in further consequences.
2. With regard to .pl domain name Subscribers, the following data must be collected: the Subscriber’s name or first and last name, contact address including the country, telephone number, and contact email address. Phone numbers were previously optional information, but this is now changing; therefore, Registrars will ask Subscribers to provide any missing data in this regard.
3. Under the new regulations, contact information - including email addresses and phone numbers - will also be subject to publication in the Whois/RDAP database. At the same time, data pertaining to Subscribers with the status of “natural person” will continue to be protected under the General Data Protection Regulation (GDPR) and will not be published.
The legislature has established a transition period that will last until April 2, 2027. During this period, the Registry will publish the Policy and Procedure on data verification required by law, and each Registrar will be required to develop its own corresponding documentation in this regard. During this time, Registrars will also contact Subscribers to verify, supplement, or update their data, in accordance with their own procedures.
The new regulations pose a challenge for all parties involved; therefore, we ask for your understanding and cooperation, particularly during the specified transition period. The Registry will provide ongoing updates on new information relevant to Subscribers. We also invite you to follow the website of the Ministry of Digital Affairs.