
Poland’s CYBERSEC 2026: AI deepfakes, 15-year-old hackers, and a €3bn gigafactory bet define the firewall moment

At Katowice’s CYBERSEC Expo & Forum, experts painted a picture of a country tech-savvy yet vulnerable, grappling with surging attacks, a rushed NIS2 overhaul, and a €3 billion AI gigafactory race.

The threat escalates, and people are the weak link

Just under a year after a record spike in security incidents, the mood at CYBERSEC Expo & Forum 2026 was blunt. Deputy Digitisation Minister Dariusz Standerski reported over 272,000 incidents registered in 2025, a 44% jump from the year before. Daily, between 2,000 and 4,000 cyberattacks hit Polish systems; 99% are repelled, but the volume alone is staggering. Marcin Dudek, head of CERT Polska, said his team handles several ransomware cases every week, with attackers increasingly tailoring ransom demands to a victim’s financial reality. Business Email Compromise (BEC), ransomware, and data breaches remain the triad of corporate pain. Maciej Jan Broniarz, an incident response expert, noted that data stolen years ago is still being recycled for fresh schemes, while Agata Ślusarek, a CTI specialist, pointed to a brazen trend: some cybercrime groups are led by teenagers as young as 15.

Today we no longer have a technology problem. Technologies are available. The problem becomes whether someone knows how to use them, whether they understand the threats and whether the organization can react appropriately.

AI: both shield and spear, but often ungoverned

A report by ESET and DAGMA IT Security revealed that 62% of Polish employees already use AI-based tools at work, yet only 27% of organisations have a formal policy governing that use. That gap is widening the attack surface. Marcin Kowalski, AI research lead at the Military University of Technology, warned of increasingly convincing deepfakes, personalised phishing, and automated scams. “Very soon it will be extremely difficult to distinguish real content from generated,” he said. The panel agreed that AI must drive business value, not just buzz. But Prof. Dariusz Szostek, a Constitutional Tribunal judge, stressed sequencing: “First cybersecurity of the company, then AI. We have a Himalaya of problems with the security of ordinary algorithms, supply chains, and IT systems.”

NIS2 overhaul: 20,000 entities under pressure

The implementation of the EU’s NIS2 directive through Poland’s KSC law was described as the biggest cybersecurity reform in decades. About 20,000 entities (energy firms, hospitals, transport operators, public bodies) will fall directly under the new rules, with supply-chain cascades affecting tens of thousands more. Post-attack scrutiny will shift from the fact of a breach to whether proper procedures and risk management were in place. A heated debate centred on high-risk supplier provisions, which some panellists said could force costly infrastructure replacement for up to 42,000 entities. Mirosław Wróblewski, head of the data protection authority UODO, noted a doubling of personal data breach notifications to over 22,000 per year, underlining the regulatory stakes.

The sovereignty debate: national or European?

The opening panel on technological sovereignty exposed a divide. Vice-minister Standerski argued that no 40-million-person country can build an entire digital supply chain alone and that sovereignty now means diversifying at the European level. Tomasz Zdzikot, deputy chair of the presidential Security and Defence Council, pushed back, calling talk of “EU sovereignty” dangerous: “Capital has its nationality and its interests, and allies’ interests sometimes diverge. Let’s talk about Poland’s digital sovereignty first.” The session, framed by this year’s motto “We are the firewall,” made clear that technology choices are now geopolitical.

As a society we are unprepared. How many times do we click: accept, proceed, enter password—and have no idea what is happening?

A gigafactory bid and the 2028 horizon

Amid the security talk, Krzysztof Szubert from the Institute of Communications unveiled Poland’s ambition to host one of the European Commission’s planned AI gigafactories. The project envisions 100,000 GPUs, a €3 billion private investment, and 200–300 MW of power, an energy draw comparable to a large town. The host country would underwrite 17% of capacity for five years, the Commission another 17%, guaranteeing demand for one-third of output. A joint procurement tender is expected in the coming weeks, a decision three months later, and then 18 months to build, putting a June 2028 launch in Poland within reach.

Poland's AI Gigafactory Roadmap
  1. CYBERSEC 2026 panel discusses Poland's gigafactory bid; EU Joint Procurement Agreement tender expected in coming weeks
  2. Decision on host country, three months after tender conclusion
  3. Target launch date for the gigafactory in Poland, 18 months after decision

We are fighting for this project to succeed. We are talking about infrastructure of 100,000 GPUs and an investment on the order of €3 billion, and a power demand of 200-300 MW, which is what a fairly large city needs. We are in the game.
