National Security and Cyber Resilience – How will PLN 20 billion from the KPO change Polish defense and implement NIS2?


Poland is at a strategic turning point. In response to growing geopolitical aggression and escalating, paralyzing hybrid warfare in cyberspace, the Council of Ministers has approved a bill launching the Security and Defense Fund (FBiO). This is an instrument worth nearly 20 billion zlotys, financed by the National Reconstruction Plan (KPO), which fundamentally changes the architecture of state security financing.

Although the headlines focus on building shelters and modernizing the defense industry, the real, hidden purpose of this unprecedented fund is to finance a revolution that no one has wanted so far, but that everyone urgently needs: the costly implementation of the EU’s NIS2 directive. The 20 billion zlotys is not just a physical shield. It is first and foremost capital for building the digital foundation of a new, resilient Poland. We explain how organizations – from local governments to strategic companies – can turn this painful new obligation into a strategic investment.

A fund that changes the rules of the game

What is the Security and Defense Fund and why is the PLN 20 billion from the KPO a strategic breakthrough?

The Security and Defense Fund (FBiO) is formally an A2.7.1 investment under the National Reconstruction Plan. However, it is not a simple handout of grants. The breakthrough is that Poland has decided to finance it with funds from the loan portion of the Reconstruction and Resilience Facility.

This means that the state, instead of spending money from the budget, creates a revolving (working) fund. These funds will not be “eaten up” in the form of grants, but will “work” as revolving instruments: loans, taking shares in companies or purchasing investment certificates.

This is a brilliant financial and political move for two reasons. First, it allows for the mobilization of gigantic defense funds outside the national budget and public debt limit. Second, the fund is designed to last much longer than the KPO itself. While the KPO must be settled by 2026, the FBiO will be able to use the funds raised in subsequent years, and the final repayment of Poland’s loan for this purpose will not be made until 2057. The government is not “spending” the 20 billion – it is “investing” them in a sustainable security financing vehicle.

Why is Poland the first country in the EU to take such a step right now?

Poland’s decision to be the first EU country to carve out a dedicated defense fund from the KPO is a response to the “polycrisis.” “Now” marks the convergence of two existential threats that require an immediate, coordinated response.

The first threat is kinetic warfare. The aggression against Ukraine brutally exposed decades of neglect in civilian defense, dual-use infrastructure (such as military mobility) and the real production capabilities of the Polish defense industry.

The second threat is a silent digital and regulatory war. Cyber attacks on critical infrastructure have become a daily occurrence. At the same time, the European Union, seeing this threat, is forcing member states to take a leap in resilience through the NIS2 Directive and the related amendment to the National Cyber Security System Act (UKSC).

FBiO is the first such large-scale, practical implementation of the concept of total defense and the resilience of the entire society. The fund brings together in one place the three pillars of state resilience: physical (shelters), digital (cyber security) and industrial (defense industry). Poland is taking advantage here of a paradigm shift within Brussels itself, which, after years of treating defense as a taboo subject, is now encouraging investment in dual-use technologies and military mobility. We are redirecting post-pandemic recovery funds toward resilience.

What support will local governments receive for shelter construction and civil protection?

Local government units (LGUs) are identified as a key beneficiary of the Fund. For 30 years, civil defense was a sham in Poland. Now the state is providing real funds for its reconstruction by delegating tasks to local governments. One of the main goals of the FBiO is the development of protective construction and civil protection infrastructure.

Promises appearing in the public space speak of subsidies for LGUs reaching up to 100% of investment costs. But how can the promise of a “100% subsidy” be reconciled with the nature of the FBiO, which is a loan fund?

The key lies in the legal details of the bill. The fund, managed in this part by Bank Gospodarstwa Krajowego, will provide loans to local governments. However, these will be loans on preferential terms, including interest-free loans. Most importantly, the bill explicitly includes a mechanism for forgiving these loans.

In practice, this model will most likely operate as a 100% forgivable loan. The local government will submit an application to the BGK, receive the loan, implement the investment (e.g., building a shelter or upgrading a basement into an “emergency shelter site”), and when it is properly accounted for, the loan will be fully forgiven. This is legally complicated, but financially ingenious – it allows the transfer of KPO funds for de facto grant purposes.

How will the Fund strengthen critical infrastructure operators – from energy to water utilities?

Critical infrastructure operators are the lifeblood of the modern state. The fund is intended to support them in securing energy, gas or water supply systems. This protection has two dimensions: physical (e.g., protecting water intakes) and digital.

And here we come to the point. The sectors mentioned in the FBiO’s objectives – power, gas, water, transportation – are exactly the same sectors that the NIS2 directive classifies as essential entities.

The real challenge for CIOs today is not office (IT) security, but Operational Technology (OT) security. This refers to SCADA and ICS systems that physically control industrial processes – opening valves on a gas pipeline, controlling turbines in a power plant or the water treatment process. These systems are often outdated, designed decades ago with no thought for cyber security. Implementing NIS2 requirements in these areas is extremely complicated and expensive.

The Security and Defense Fund becomes the first-ever dedicated source of funding for this giant technology debt in Polish industry. It’s a fund for cyber security of OT systems.

What opportunities for modernization and R&D development does the Fund open up for the Polish defense industry?

The third pillar of the FBiO is to support defense industry enterprises by financing production modernization and research and development (R&D). This realizes the strategic goal of increasing domestic production capacity and becoming independent of foreign supplies, which is in line with Defense Ministry plans and EU trends.

Again, the key is the mechanism. FBiO will not (primarily) hand out R&D grants. It will act like a state private equity or venture capital fund. The bill explicitly talks about taking up equity rights in companies and acquiring investment certificates.

This is a fundamental change in philosophy. The state will no longer be just a customer for armaments that generates demand. It will become an investor that builds supply. A dedicated special-purpose vehicle (SPV) will be able to take equity stakes in private and state-owned companies to finance risky research or upgrade production lines in exchange for shares. This is an attempt to strategically steer the defense sector using modern financial tools.

Hidden target – How the Fund will finance the NIS2 revolution

What is the key link between the Fund and the delayed implementation of the NIS2 Directive in Poland?

The key evidence of the link between FBiO and NIS2 is timing. The deadline for implementing the NIS2 directive into national law was October 17, 2024. Poland is well behind schedule. The European Commission already sent Poland a “reasoned opinion” in May 2025, which is the second stage of the infringement procedure. We face real financial penalties.

The government is up against the wall. It must implement NIS2 immediately. And suddenly, at the end of 2025, we are seeing two parallel, coordinated movements:

  1. The painful, costly and delayed amendment to the National Cyber Security System Act (UKSC) is finally making its way through the government and into parliament.
  2. At the same time, the government approves the FBiO bill, a 20 billion zloty fund.

This is no accident. The government could not impose the gigantic mandatory costs of implementing NIS2 on thousands of companies, hospitals and local governments without identifying any source of funding.

The FBiO is the political and financial lubricant that enables the quick and conflict-free adoption of the UKSC amendment. It’s a bundled deal: “We’re giving you expensive new responsibilities (KSC/NIS2), but at the same time we’re giving you a 20 billion zloty fund (FBiO) to implement them.”

What is the amendment to the KSC Law and what new costly obligations does it impose on companies and administrations?

The amendment to the KSC Law, implementing NIS2, is a real revolution. First of all, it radically expands the number of regulated entities. It replaces the old category of Key Service Operators with new categories: key entities and important entities. In practice, this means bringing hundreds of new companies from previously unregulated sectors, such as manufacturing, the food industry and waste management, under supervision.

The new responsibilities are systemic and very costly:

  • Risk management: The law requires systemic risk analysis, not just incident response.
  • Supply chain security: Companies become responsible for the cyber security of their suppliers and subcontractors.
  • Management responsibility: The directive places personal responsibility on executives, who must approve policies and undergo mandatory training.
  • Severe penalties: Non-compliance is punishable by penalties of up to €10 million or 2% of total global turnover for key entities.

Awareness of these changes is catastrophically low. A survey found that as many as 36% of cybersecurity experts do not know if their company falls under NIS2. The biggest costs are not the purchase of software, but human resources (hiring experts) and implementing supply chain audit processes.

Is the Security and Defense Fund the de facto fund for NIS2 implementation?

Yes. This is a key thesis, which is confirmed by an analysis of the goals of both initiatives. The convergence of beneficiaries and objectives is 100 percent. FBiO is an implementing tool for the cyber security policy that NIS2 enforces.

FBiO has an explicitly written objective: cyber security. The beneficiaries of FBiO, i.e. local governments and critical infrastructure operators (power, water, gas), are the same entities that NIS2 calls key entities and public administration entities. The government created the problem (by implementing the directive) and immediately created the solution (a fund to cover the costs).

The table below visualizes this synergy, mapping NIS2 responsibilities to FBiO financial goals.

Table 1: Synergy of FBiO and NIS2 – Who Pays for What?

| Obligation (KSC Amendment / NIS2 Directive) | Obligated Entity (according to NIS2) | Financial Solution (FBiO Target) |
| --- | --- | --- |
| ISMS implementation, risk management, protection of OT/SCADA systems | Critical infrastructure operators (energy, water, gas, transportation) | Support for critical infrastructure operators (securing energy, gas pipelines, water supply systems) |
| Securing IT systems, protecting data, responding to incidents | Local Governments / Public Administration Entities | Support of local governments in the area of cyber security |
| Supply chain security, R&D in cyber-resilient technologies | Companies (e.g., industry, manufacturing, defense sector) | Support to enterprises for modernization and research and development |
| Building a resilient dual-use infrastructure | Transportation Sector, Digital Infrastructure | Construction and modernization of dual-use infrastructure |

How will the new measures help fund the toughest challenges, such as the cyber security of OT/SCADA systems?

As mentioned, protecting Operational Technology (OT) and Industrial Control Systems (ICS/SCADA) is the most difficult and expensive NIS2 challenge. Traditional IT security is useless here. You can’t “reboot” a turbine in a power plant to upload an update. Specialized, expensive solutions for industrial network monitoring, vulnerability management and strict access control are required.

Implementing these systems is a large initial investment (CapEx). This poses an insurmountable barrier for many companies, especially municipal water and wastewater treatment plants, for example.

And this is where FBiO’s financing model – i.e., loans and equity investment – is ideally suited to the CapEx problem. The CFO of a critical infrastructure operator can now go to the BGK for a low-interest loan for the project “Modernization of SCADA systems for NIS2 compliance and increased resilience.” FBiO de-risks this mandatory investment and makes it financeable.

Mechanisms and operation in practice

How will the Fund operate – who manages the funds and what forms of support will there be (loans, capital, grants)?

The FBiO bill describes a complex but flexible structure. The fund will not be a centralized “bag of money” in the ministry. Its sole shareholder will be Bank Gospodarstwa Krajowego, but management will be two-tiered:

  1. Dedicated Special Purpose Vehicle (SPV): BGK will establish a new joint stock company (SPV) to make equity investments: taking up shares, acquiring mutual fund certificates, etc…
  2. Bank Gospodarstwa Krajowego (BGK): It will be the operator of the lending part. The bill explicitly directs the SPV to entrust the lending tasks precisely to BGK.

This SPV is a financial vehicle for special tasks. To give it maximum speed and flexibility, the bill exempts it from a number of onerous regulations. Among other things, the SPV will not be subject to the provisions of the Investment Funds Law [Art. 3], parts of the Accounting Law [Art. 3], will be exempt from CIT [Art. 15] and civil law transaction tax (PCC) [Art. 16], and will even be partially exempt from the Public Procurement Law [Art. 20].

The government is creating a “financial special unit” to operate at the speed of a venture capital fund, rather than an office.

Who will decide on the Fund’s investment priorities – the role of the Steering Committee?

The entire operation will be overseen by the “brain” of the Fund, the Steering Committee. An analysis of its composition allows one to understand the FBiO’s actual priorities. It is not a group of technocrats, but a political supervisory board of Polish security. It will include:

  • Co-Chairman: Minister of Defense
  • Co-chairman: Minister of Regional Development (controlling KPO).
  • Members: the Minister of State Assets, the Minister of Digitization, the Minister of the Interior, the Minister of the Economy and the Minister of Transportation.

The presence of the Minister of Digitization (Minister of Information Technology) in this group is hard evidence and a guarantee that cyber security goals and KSC/NIS2 implementation will be prioritized. The operating model is simple: the political Steering Committee sets strategic priorities (e.g., “this year we are financing the cyber security of the power plant”), and a flexible financial vehicle (SPV/BGK) is tasked with executing this goal using the best market tools.

When will the first calls start and what steps should be taken now to prepare to apply?

The draft law is dated July 31, 2025, and involves express action. The law is to take effect 14 days after promulgation. The BGK is then to receive the first tranche of funds within 14 days and apply for registration of the SPV in another 14 days.

The key date is July 31, 2026. By that date, all of the KPO funds (nearly PLN 20 billion) must be transferred to BGK. This means that the Fund will be under tremendous pressure to distribute this money as quickly as possible.

This creates a gigantic opportunity for the prepared. Do not wait for the official announcement of the calls. First come, first served. Steps that company boards, local government officials and CIOs must take immediately:

  1. Map the needs: Conduct an immediate audit and gap analysis, especially for compliance with the upcoming KSC / NIS2 law.
  2. Prepare a project: develop a ready-made investment project, such as “Implementation of an OT monitoring system at a wastewater treatment plant” or “Modernization of a production line for ‘dual-use’ standards.”
  3. Justify the request: The project must be described in the language of the FBiO objectives. Not “we want to buy servers,” but “we are making an investment in critical infrastructure cyber resilience to implement NIS2 requirements.”
  4. Prepare a financial model: Remember that it is (mainly) loans and investments. You need to have a business plan and financial analysis, not just a cost estimate.

Strategic Summary

How can organizations turn an obligation (NIS2) into an investment (KPO) and gain a strategic advantage?

We are faced with a classic choice: see change as a threat or as an opportunity. On the one hand, we have a costly legal obligation (NIS2/UKSC) that introduces severe penalties and new costs. On the other, a funding opportunity (FBiO, financed from the KPO).

Laggard organizations will treat NIS2 as another “compliance tax.” They will do the bare minimum to avoid penalties, fund it out of ongoing operating costs, and complain about regulation.

Leader organizations will see this as a strategic moment. They will use cheap capital from the FBiO to finance mandatory upgrades. The obvious benefit is to free up their own capital for commercial operations and development.

But the real long-term strategic advantage lies elsewhere. The NIS2 directive enforces supply chain security. A company (e.g., in the manufacturing sector) that reliably implements NIS2, using FBiO resources, becomes a more resilient and reliable partner. It will be able to prove to its European customers – such as German automotive or French industry – that it is a secure link in their value chain.

Thus, its cyber resilience, funded by the KPO, becomes its unique competitive advantage (USP). The Security and Defense Fund is a rare moment when government money makes it possible to solve a real regulatory problem. It’s not a “grant,” it’s “transformational capital.” Organizations that treat NIS2 as an audit and the FBiO as a source of investment funding will not only ensure their compliance with the law, but will build the foundation for a more secure and competitive future.

About the author:
Marcin Godula

Marcin is a seasoned IT professional with over 20 years of experience. He focuses on market trend analysis, strategic planning, and developing innovative technology solutions. His expertise is backed by numerous technical and sales certifications from leading IT vendors, providing him with a deep understanding of both technological and business aspects.

In his work, Marcin is guided by values such as partnership, honesty, and agility. His approach to technology development is based on practical experience and continuous process improvement. He is known for his enthusiastic application of the kaizen philosophy, resulting in constant improvements and delivering increasing value in IT projects.

Marcin is particularly interested in automation and the implementation of GenAI in business. Additionally, he delves into cybersecurity, focusing on innovative methods of protecting IT infrastructure from threats. In the infrastructure area, he explores opportunities to optimize data centers, increase energy efficiency, and implement advanced networking solutions.

He actively engages in the analysis of new technologies, sharing his knowledge through publications and industry presentations. He believes that the key to success in IT is combining technological innovation with practical business needs, while maintaining the highest standards of security and infrastructure performance.