Cyberattacks on Poland in 2025: what the year showed
2025 was a record year for Poland: attacks on hospitals, DDoS on infrastructure and disinformation. We summarise the threats and lessons for businesses.
2025 cemented something that until recently sounded abstract: Poland is one of the most intensively cyber-attacked countries in Europe. State institutions reported a record number of incidents, attacks hit critical infrastructure — from hospitals to water utilities — and in the background the constant pressure of Russia-linked groups continued: DDoS, sabotage and disinformation. For Polish companies this isn’t a distant geopolitical problem; it’s a changed risk landscape in which you have to operate. We summarise what the year brought and what follows from it.
The scale: a record year
Response teams (CERT Polska) and the services responsible for cybersecurity said repeatedly in 2025 that they had handled a record number of incidents and that Poland remains among the top targets in Europe. There are several reasons: its position on NATO’s eastern flank, support for Ukraine, and the strong digitalisation of public services and the economy. The result: attacks that are sporadic elsewhere have become the everyday backdrop in Poland.
Three main fronts
Critical infrastructure and healthcare. A continuation of the trend of previous years: attacks (including ransomware) on hospitals, laboratories and medical service providers, plus incidents in the water/sewage and energy sectors. It’s the most dangerous category, because the consequences go beyond the screen — they touch people’s health and safety. We covered this in the context of ransomware in hospitals and attacks on the energy sector.
DDoS and politically motivated sabotage. Pro-Russian hacktivist groups regularly ran DDoS campaigns aimed at the websites of public institutions, transport and media. On their own they rarely cause lasting damage, but they are cheap and loud, and they serve as psychological pressure and as a distraction from more serious operations.
Scams against citizens and companies. In parallel, a wave of social engineering targeted ordinary people and employees: fake texts, BLIK spoofing, vishing by callers posing as bank employees, and phishing that impersonates tax and government portals. This is the most common source of real financial losses for Polish companies and citizens.
Elections and disinformation
An election year meant heightened activity of information operations: attempts to influence public debate, fake content (increasingly aided by deepfakes), attacks on the infrastructure of campaign committees and media. For businesses, one conclusion matters: disinformation and cyberattacks increasingly go together — a technical incident is often amplified by a narrative campaign, and a brand can be dragged into a dispute it never started.
What follows for Polish companies
You’re in a heightened-risk zone — plan for it. Regardless of size, a Polish company operates in an environment where attacks are more frequent than the European average. It’s an argument for treating security as an ongoing process, not a one-off project — from the SMB basics to a mature programme.
Regulation is catching up with reality. The implementation of NIS2 extends obligations to thousands of new entities, and the financial sector faces DORA. This isn’t bureaucracy for its own sake — it’s the state’s response to a real, rising threat level.
The basics still win. Despite the geopolitical framing, the entry routes remain the same familiar weaknesses: no MFA, unpatched internet-facing services, susceptibility to phishing, a weak password reset process. An advanced adversary doesn’t need a 0-day if there’s open RDP.
Business continuity is the new priority. Since the goal is often sabotage and disruption, not just data theft, the importance of backups, response plans and operational resilience grows. The question “how fast can we recover” is as important as “how do we avoid being attacked”.
Frequently asked questions (FAQ)
We’re a small company, not critical infrastructure. Does this apply to us? Yes, though differently. The greatest danger for SMEs isn’t state attacks on infrastructure but automated crime and social engineering, which are exceptionally intense in Poland. The protection is the same basics: MFA, updates, backups, team awareness, the second-channel rule for transfers.
Should we fear DDoS? DDoS is disruptive but rarely causes lasting damage, and effective protection services exist (CDN, scrubbing). More dangerous is what DDoS is sometimes a cover for — so during a volumetric attack it’s worth heightening vigilance for other, quieter activity.
How do we prepare for a sabotage scenario, not just theft? The keys are tested backups (resistant to overwriting), an incident response plan and operational resilience — the ability to keep working despite losing some systems. It’s a shift of emphasis from confidentiality alone to availability and integrity.
Will NIS2 cover my company because of these threats? It depends on sector and size — NIS2 extends the scope to many mid-sized companies and indirectly to the suppliers of regulated entities. Even if you’re not covered directly, clients from critical sectors may require an appropriate security level from you.
Where do we start to genuinely raise resilience? With a diagnosis: what’s exposed to the internet, where MFA is missing, how the backup and response process looks. A security audit or penetration test gives a gap map tailored to your risk — instead of guessing, you get a priority list.
Summary
2025 confirmed that Poland is on the front line of cyber threats — from attacks on critical infrastructure, through DDoS and disinformation, to mass social engineering aimed at companies and citizens. For organisations it means one thing: security has stopped being optional. The good news is that the overwhelming majority of real attacks are still stopped by the basics — MFA, patching, backups, awareness and a rehearsed response plan. If you want to know where you stand on this map, let’s start with a conversation.
Sources and further reading: CERT Polska, NASK.