The following chapter featured in TMT 2025 and is awaiting update from the firm.

The most important piece of legislation for the digital economy is the Digital Services Act (DSA). A law implementing the DSA, in the form of an amendment to the Electronic Services Act, is planned to be enacted in Poland in the first half of 2025. This Act designates two regulators responsible for compliance with the DSA, ie, the President of the Office of Electronic Communications and the President of the Office of Competition and Consumer Protection.

Poland has not enacted separate legislation to implement the Digital Market Act (DMA), assuming that its content and the powers of the European Commission as a supervisory authority are sufficient.

In 2024, the Advertising Council adopted an important code of conduct for the Polish online industry: the “Code of Ethical Conduct in the Influencer Marketing Industry.”

In 2025, the Polish government plans to enact separate legislation protecting minors from harmful content on the Internet and legislation combating so-called “patostreaming” (Poland’s iteration of commonly known “trash streams” where broadcasting individuals engage in controversial acts to boost their viewership and/or elicit donations from their viewers). These provisions will apply independently of the DSA.

The provisions of laws implementing EU e-commerce legislation are also relevant to the digital economy (see point 1.4 Consumer Protection).

No content provided in this jurisdiction.

The taxation of digital services and goods in Poland is governed by the Value Added Tax (VAT) Act. The basic principles of taxation are outlined below.

• Place of supply of the service: normally, the place of supply of a digital service is the place where the customer (final consumer) is located. This means that even if the company providing the service is based outside Poland and the customer is in Poland, the service is subject to Polish VAT.
• VAT rate: in principle, the basic VAT rate of 23% applies, but in some cases (eg, ebooks), reduced rates may apply.
• Moment of tax liability: tax liability usually arises when a supply of digital goods or a service is made.
• VAT payer: the VAT payer is normally the trader supplying the service or digital goods.
• VAT registration: a trader providing digital services in Poland must be registered for VAT. 

Revenues from digital advertising are subject to personal income tax (PIT) or corporate income tax (CIT)

Taxation of digital advertising revenues in Poland depends on several factors, such as:

• the form of business activity – whether it is a business activity or whether the revenue is earned as supplementary income;
• type of advertising: whether these advertisements are displayed on the entity’s own website or on external platforms; and
• the entity’s status: whether it is an individual or a company.

Digital advertising revenue generated as an additional income (eg, from blogging) is also subject to PIT. According to the Tax Coordination Act, in case of doubts in Poland, one may turn to the Office of  National Fiscal Information for a so-called binding tax interpretation. The tax authorities are bound by such interpretations.

Poland has implemented the provisions of the Omnibus Directive No 2019/2161 and the Digital Directive No 2019/770, which have been in force since 1 January 2023. Since 2024, Poland has been implementing provisions from the European Union’s DAC-7 Directive and the General Product Safety Regulation (GPRS). Additionally, the Accessibility Act, which enforces the EU Directive No 2019/882 on accessibility requirements for products and services, will take effect on 28 June 2025. These regulations will also apply to e-commerce.

The President of the Office of Competition and Consumer Protection is responsible for overseeing consumer affairs in the digital economy. This authority provides guidelines to assist entrepreneurs in fulfilling their statutory obligations.

In Poland, most major sectors have established a system of out-of-court settlement of consumer disputes. If an entity authorised to conduct proceedings for out-of-court settlement of consumer disputes has not been established in a sector, a horizontal entity, ie, the State Trade Inspection, will be competent to do so.

Due to the wide application of blockchain technology, which can, inter alia, be used in the energy sector, finance or health care, there are currently no plans for comprehensive legal regulation of its use in Poland. Currently, blockchain is not recognised as a separate legal institution; rather, it is considered a technology. Its application in specific contexts or sectors may lead to the enforcement of particular legal regulations. A prime example is the legal regulation of crypto-assets, one of the most significant applications of blockchain technology within the financial sector. In this respect, the provisions of EU Regulation 2023/1114 of 31 May 2023 on crypto-asset markets, known as the MiCA Regulation, apply (some of these provisions became applicable as of 30 June 2024 and others as of 30 December 2024).

The development of blockchain technology in the financial sector is also significantly influenced by the EU Regulation 2022/2554 on the Digital Operational Resilience of the Financial Sector (DORA), the provisions of which became effective on 17 January 2025, as it is assumed that the requirements set out in the DORA provide an opportunity to build a more stable and secure financial ecosystem based on this technology.

As of 2018, the trading of cryptocurrencies is regulated by the AML/CFT (Anti-Money Laundering and Countering the Financing of Terrorism) Act, which treats digital coins as assets subject to the same rules as other funds deposited in accounts. In addition to the AML/CFT law, cryptocurrencies are also defined by personal income tax (PIT) and corporate income tax (CIT) regulations.

In Poland, cryptocurrencies are, therefore, legal and can be used both as a means of payment and as an investment. However, they are not recognised as the country’s official currency or regulated by the central bank of the Republic of Poland (Narodowy Bank Polski). Therefore, using cryptocurrencies involves certain risks and a lack of guarantees from the state.

In Poland, no single piece of legislation is dedicated to cloud computing. In practice, the legal provisions concerning the processing of personal data and cyber security are of the greatest importance in projects of this type.

For some sectors, regulators have issued guidelines for the implementation of public or hybrid cloud in entities belonging to these sectors. Such guidelines have been issued for the following sectors: financial, public, life science and energy. Failure to comply with these guidelines may result in the imposition of penalties by the supervisory authority responsible for such sector, irrespective of any liability arising from general legislation, eg, GDPR.

The Polish Office for Personal Data Protection has not issued separate guidelines on the processing of personal data in cloud computing. In practice, the biggest controversy is the assessment of the legality of transferring personal data to a third country, including the US. The DPA does not currently question the reliance of such a transfer on standard contractual clauses approved by the European Commission.

Legislative work is currently underway in Poland on an Artificial Intelligence Systems Act, which will implement the EU AI Act regulation. On the basis of this Act, an AI regulator is to operate, which is to be a newly established office – the AI Development and Safety Commission. The law is planned to be enacted in the first half of 2025.

Currently, no codes of ethics for the creation and use of artificial intelligence have been enacted in Poland. There is no separate regulation on the creation and use of deepfakes in the Polish legal system. In court cases concerning deepfakes, the courts have so far ruled on the basis of the provisions of the Civil Code on the protection of personal rights and personal data.

In 2024, the Polish government drafted laws that regulate the use and/or testing of autonomous cars and drones. These laws are expected to be enacted in 2025. These laws focus on procedural matters of the use of these innovations and do not regulate the use of AI components as part of them.

In Poland, no separate legislation on the use of the Internet of Things has been enacted or planned. No codes of ethics have been adopted in this area either. The following provisions apply to such projects: cyber security, GDPR, e-Privacy, IPR and civil law.

Electronic communications, including those connected to the Internet of Things, are governed by the provisions of the Electronic Communications Law, which implemented the provisions of the European Electronic Communications Code. In practice, the most relevant provision is Article 399 of the Electronic Communications Law, according to which the installation of any application or the recording and transmission of information from the user’s networked devices (Internet, Bluetooth, etc) requires the user’s consent.

The main challenge in IoT projects, especially in the realm of “consumer IoT,” is to ensure compliance with the requirements of the General Data Protection Regulation (GDPR). Additionally, it is crucial to adhere to the cybersecurity principles outlined in Polish law that implement the NIS-1 and NIS-2 directives.

Poland lacks specific legislation regarding data sharing in relation to the Internet of Things (IoT), albeit this will change on 12 September 2025, when the Data Act comes into effect in Poland. This Act will include provisions aimed at strengthening the rights of IoT users, particularly in Article 3 and the subsequent articles.

A law is currently being drafted in Poland to implement the Data Act, which, among other things, establishes a regulator responsible for compliance with these provisions.

In general, television broadcasting in Poland requires a licence from the National Broadcasting Council (KRRiT). The fee for a television broadcasting licence depends on several factors, some of which are outlined below.

• The type of broadcasting – is it terrestrial, satellite, cable or telecommunications network broadcasting?
• The range of broadcasting – is the programme local, regional or nationwide?
• The technology of broadcasting – is it analogue or digital?

The Broadcasting Act specifies the maximum amounts that licence fees may not exceed. The KRRiT sets the fee amount independently. An exception to the obligation to obtain a licence is the distribution of television programmes exclusively in ICT systems (eg, on a streaming platform). Although they do not require a licence, streaming platforms must be notified to the National Broadcasting Council (KRRiT) of the list of providers of video-sharing platforms.

The Polish government has begun preparations for the enactment of a law implementing the provisions of European Union Regulation 2024/1083 Freedom Media Act (planned for 2025).

Electronic Communication Law regulates services such as:

• telephone services (voice calls, both landline and mobile);
• internet access services (broadband, mobile internet);
• data services (email, file transfer, etc);
• value-added services (voice mail, telephone conferencing, SMS services);
• services related to traffic in communications networks (billing, settlement, traffic management, etc);
• services provided over telecommunications networks (internet television services, on-demand audio radio services); and
• services related to network security (such as firewalls and anti-virus systems).

In some cases, a licence for providing telecommunications services may be required. The specific requirements depend on the type of service and scope of operation. Even if a concession is not required, other notifications to the relevant authority – the Office of Electronic Communications (UKE) – may be necessary.

Entities providing telecommunications services must ensure adequate technical conditions, such as:

• technical infrastructure;
• quality of services;
• compliance with applicable standards; and
• network and user data security.

The Electronic Communications Law provides security requirements in addition to the GDPR. Providers of electronic communication services are obliged to ensure an adequate level of security in the processing of their users’ personal data. Pursuant to Article 401 of Electronic Communications Law, providers must implement appropriate technical and organisational measures to ensure the security of such data.

The Electronic Communications Law guarantees the principle of net neutrality. According to it, the following principles apply:

• equal traffic treatment – ISPs must treat all internet traffic equally, without discriminating against certain types of data or services;
• prohibition of blocking – providers may not block access to lawful content and services;
• prohibition of bandwidth limitation – providers must not limit data speeds for certain services or content; and
• transparency – providers must inform users of any limitations and conditions of service.

The provision of IoT and AI solutions is not regulated under the Electronic Communications Law. When integrating with telecommunications services, the most significant attention should be paid to network and service security and user privacy regulations.

The biggest challenge for technology contracts in Poland is the need to comply with a number of guidelines issued for specific sectors, particularly the public, financial, life science, and energy sectors. Examples are the guidelines for implementing public and hybrid cloud computing projects in these sectors.

For certain sectors, certain legal restrictions have also been introduced regarding so-called chain outsourcing, including foreign outsourcing (banking and insurance sectors). The same applies to the prohibition to exclude the outsourcer’s liability for damages caused to the bank’s clients. The banking law also introduced a provision according to which the Financial Supervision Authority may, in certain cases, require the amendment or termination of an outsourcing contract (Article 6(c)(5)).

The contract for the provision of telecommunications services should include, inter alia, elements such as:

• type of service – a detailed description of the services provided (eg, internet access, mobile telephony, television);
• technical parameters – information about the speed of the connection, available functions, data limits, etc;
• duration of the service;
• the level of charges – a detailed breakdown of all charges (subscription, additional charges, connection costs, etc);
• operator’s obligations – to provide services in accordance with the contract, ensure availability of services, provide information on changes to the offer;
• obligations of the subscriber – paying for services on time, complying with the regulations, reporting faults;
• subscriber rights – right to withdraw from a contract, right to complain, right to information about services;
• method and time limit for making a complaint:
1. definition of how a subscriber may make a complaint;
2. time limit for filing a complaint; and
3. maximum time limit within which an operator should handle a complaint; and
• protection of personal data and information covered by telecommunications secrecy.

Key areas to look out for during telecommunications contract negotiations are the following:

• total cost – not only the monthly charges but also additional costs such as charges for international calls, SMS or out-of-country internet usage; and
• contract terms:
1. notice period;
2. contractual penalties;
3. technical terms;
4. customer service (including availability of technical support, response time and forms of contact);
5. additional services (possibility to include additional services such as IP address, dedicated line or VPN services);
6. flexibility (possibility to change the contract); and
7. scalability (the contract allows for easy increase or decrease of services).

Key provisions of telecommunications interconnection agreements are the following:

• precise definition of services – the agreement should clearly specify what services will be provided (eg, data, voice, video), including technical parameters (capacity, latency, availability level);
• interconnection points – the exact points of physical or logical connection between the two operators’ networks should be defined;
• quality of service – the contract should contain detailed provisions on the quality of service provided, including the level of network availability, response time to failures and complaint procedures;
• technical conditions and standards – the contract should specify the technical standards to be used for the interconnection of the network (eg, protocols, data formats);
• security – the contract should contain provisions on network security, including protection against cyberattacks;
• financial terms (including, but not limited to, price indexation);
• liability for non-performance or improper performance of the contract, including determination of force majeure; and
• termination of the contract.

The form in which legal transactions (including contracts) should be concluded is specified in the Civil Code. The effective use of online forms is possible only if the provisions of the law do not provide for a specific form of a legal transaction or a written form. If a written form is required, the electronic form provides the possibility to comply with it.

Submitting a declaration of intent in electronic form and affixing a qualified electronic signature is sufficient to maintain the electronic form of a legal transaction. Qualified electronic signatures can only be purchased from authorised trust service providers entered in the Minister of Information Technology register kept by the National Certification Centre. These providers must first pass an assessment of compliance with EU Regulation No 910/2014 (eiDAS) requirements.

In the Polish legal system, gaming is not regulated separately, and the same applies to codes of ethics. Conversely, under the Sports Act, the particular form of gaming that is considered an electronic sport has been recognised as a sport in the legal sense. This provides some additional opportunities, such as sponsorship for eSports entities and players.

The possibility of winning virtual objects in computer games, located, eg, in loot boxes, is not treated under Polish law as a gambling activity and is not subject to the Act on Gambling and Betting.

In the current state of the law, there are no separate legal regulations in Poland imposing age limits on players. Regarding content accessible to minors, general regulations on illegal content on the internet apply.

In Poland, no separate supervisory authority supervises gaming activities.

In practice, supervision is exercised by two authorities – the President of the Office of Protection and Consumers and the President of the Office for Personal Data Protection.

IP and Gaming Issues

The key problems concerning gaming and IP in Poland are the following:

• Lack of comprehensive legal regulation – Poland, like many other countries, lacks a law dedicated exclusively to video games.
• Complexity of computer games – video games are complex works that consist of many elements, such as graphics, sound, source code, etc. Protecting each of these elements requires the application of different laws, which can be complicated.
• Agreements with partners – working with publishers, distributors and others often involves complex licensing agreements.
• International nature of the industry – many games are distributed worldwide, which means that developers have to contend with different legal systems (eg, copyright).
• Piracy – illegal copying and distribution of games is a serious problem that affects the profits of game developers, publishers and distributors.

IP Mechanisms

The key laws and mechanisms protecting IP in the digital world are the following.

• Copyright – this is the basis of protection for most game elements, such as source code, graphics, music, scripts, and character designs.
• Trade marks – these protect game names, logos, slogans or other graphic signs that identify a product or service. Registering a trade mark gives the creator the exclusive right to use it.
• Industrial designs – this protection applies to an original utility model or industrial design, such as a unique user interface design.
• Licence agreements – this is a key tool for regulating the use of works by others. Through licence agreements, creators can determine to what extent and under what conditions others can use their intellectual property.

Copyright

The key copyright issues for digital and virtual content are the following.

• Authorship: in the case of games created by teams, who is the author?
• Object of protection: what exactly are the protected elements of the game? Is it just the graphics and sound, or also the gameplay mechanics or the game idea itself?
• Fixation: when is a work considered to be fixed? Is saving it on a hard drive sufficient, or is a more formal form of fixation required?

Trade marks

Examples of virtual goods and services that a trade mark can protect include:

• virtual currencies – names of cryptocurrencies are often protected as trade marks;
• game characters – names and images of video game characters can be protected as trade marks;
• virtual worlds – names and logos of virtual platforms (eg, metaverse) may be subject to trade mark protection;
• virtual objects – unique objects in games (eg, skins, weapons) may be trade marked; and
• virtual services – services provided in a virtual environment, such as virtual concerts or exhibitions, can be identified by trade marks.

User-Generated Content (UGC)

UGC is any material created by users of online platforms, such as comments, posts, videos, or graphics. It presents a number of challenges related to the protection of intellectual property rights, with the most important consequences outlined below.

• Copyright infringement – unconscious copying, where users often unknowingly copy parts of copyrighted works, eg, quoting long passages of text or using parts of music or graphics.
• Unauthorised use of trade marks: Users may use the trade marks of others in a way that misleads consumers about the origin of the goods or services.
• Violation of the right to privacy – publishing the image of others without their consent may constitute a violation of the right to privacy.

In Poland, there are no separate regulations for social networking sites, and no codes of ethics have been adopted in this respect either. Therefore, the provisions of the Digital Services Act apply primarily to the administrators of such sites.

Under Polish civil law, a contract for the use of social networking sites may be concluded by a person who is at least 13 years old. A similar age limit has been adopted in the Data Protection Act, supplementing the GDPR.

The largest number of court cases involve claims related to violations of personal rights (such as defamation on online websites) and copyright law (copyright infringements through the distribution of content without the consent of the entitled entities).

At present, the activities of social networks are supervised by two regulators – the President of the Office for Personal Data Protection and the President of the Office for Competition and Consumer Protection. After the enactment of the amendment to the Act on Providing Services by Electronic Means (1st half of 2025), their activities will also be regulated by the President of the Office of Electronic Communications, who is to be responsible for supervising compliance with the DSA regulations.

All of the above offices can impose administrative sanctions, including fines.

The most well-known case taken against social networking sites this past year was the decision of the President of the Office for Personal Data Protection, issued on 8 August 2024. In a widely reported case, the Polish DPA obliged Meta Platforms Ireland Limited to stop displaying false advertisements using real data and the image of journalist and presenter Ms Omena Mensah on Facebook and Instagram in the territory of the Republic of Poland for three months. The order, in this case, was issued on the basis of Article 60(1) of the GDPR and Article 70(1) and (2) of the Personal Data Protection Act.

No content provided in this jurisdiction.

No content provided in this jurisdiction.