Industrial Security Clearance Decisions in Poland

Open table of contents Close table of contents close categories

Post navigation

Chapter navigation:
Article navigation:
Michał Puk
Contact our expert
Write an inquiry: [email protected]

Last updated: 23.10.2025

Industrial Security Clearance in Poland (2025/2026): Requirements, Levels & Certification Process

Getting involved in the defense and security sector in Poland often requires more than just a concession to manufacture or trade. When a project, tender, or contract involves access to classified information, a company must demonstrate its ability to protect that information. This is confirmed by an industrial security clearance.

The requirements and procedures are regulated by the Act of August 5, 2010, on the protection of classified information.

What Is an Industrial Security Certificate and Who Needs It?

An industrial security certificate is an official document confirming a company’s ability (in terms of personnel, organization, and technology) to protect classified information. It is a prerequisite for any entrepreneur who wants to:

  • Execute a contract that involves access to information classified as “confidential” or higher.
  • Participate in a tender in which classified documents are made available.
  • Act as a subcontractor in a project requiring such access.

The certificate is issued by the Internal Security Agency (ABW) or the Military Counterintelligence Service (SKW), depending on the nature of the contract and the ordering party.

An exception is an entrepreneur who runs a sole proprietorship and acts personally. In this case, the ability to protect information classified as “confidential” or higher is confirmed by a personal security clearance and a certificate of training.

Definition of classified information and four levels of secrecy

Classified information is any information whose unauthorized disclosure would or could cause damage to the Republic of Poland, regardless of its form and manner of expression. The key concept here is potential damage to the state. It is the scale and nature of this potential damage that determines the classification of the information. This system is based on the principle of “presumption of secrecy” – if the information meets the statutory criteria, it is classified by law, even before it is formally classified.

Poland’s law distinguishes four secrecy classifications, forming a hierarchy of protection depending on the importance of the information being protected:

  • Top secret

Reserved for information whose unauthorized disclosure would cause exceptionally serious damage to the Republic of Poland. Such damage may consist of a threat to the independence, sovereignty, territorial integrity, constitutional order of the state, or its internal and international security.

  • Secret

Assigned to information whose unauthorized disclosure would cause serious damage to the state. Examples of such damage include preventing the performance of tasks related to the protection of sovereignty, deterioration of relations with other states, disruption of the state’s defense preparations or the functioning of the Armed Forces, or significant disruption of the functioning of law enforcement agencies.

  • Confidential

Used for information whose unauthorized disclosure would cause damage to the Republic of Poland. This damage, although severe, is less serious than in the case of higher classifications. It may, for example, be a hindrance to the conduct of the state’s current foreign policy or a hindrance to the performance of tasks by services responsible for the protection of security or public order.

  • Restricted

This is the basic and most commonly used classification. It is assigned to classified information that has not been assigned a higher classification and whose unauthorized disclosure may have a negative impact on the performance of tasks by public authorities or other organizational units in the field of defense, foreign policy, or public security.

International equivalents of Polish confidentiality clauses

Poland Confidentiality Clause Description of Potential Damage NATO Equivalent EU Equivalent ESA Equivalent
Top Secret Exceptionally serious damage (threat to independence, sovereignty) COSMIC TOP SECRET TRÈS SECRET UE / EU TOP SECRET ESA TOP SECRET
Secret Serious damage (disruption of defense preparations, deterioration of international relations) NATO SECRET SECRET UE / EU SECRET ESA SECRET
Confidential Damage (hindrance to foreign policy) NATO CONFIDENTIAL CONFIDENTIEL UE / EU CONFIDENTIAL ESA CONFIDENTIAL
Restricted Negative impact on the performance of tasks by public authorities NATO RESTRICTED RESTREINT UE / EU RESTRICTED ESA RESTRICTED

Levels and types of industrial security certificates in Poland

The certificate specifies the highest level of classified information to which your company has access. There are three levels of certification, corresponding to national and international classification levels:

  • Third level certificate: for information classified as CONFIDENTIAL.
  • Second-level certificate: for information classified as SECRET.
  • First-level certificate: for information classified as TOP SECRET.

Depending on the level of ability to protect classified information marked as “confidential” or higher, an appropriate certificate is issued:

  1. first level – confirming the entrepreneur’s full ability to protect this information;
  2. second degree – confirming the entrepreneur’s ability to protect this information, excluding the possibility of processing it in their own ICT systems;
  3. third degree – confirming the entrepreneur’s ability to protect this information, excluding the possibility of processing it in the facilities used by them.

A certificate confirming the ability to protect classified information with the following classification:

  1. “top secret” confirms the ability to protect classified information with the following classification:
    1. “top secret” – for a period of 5 years from the date of issue,
    2. ‘secret’ – for a period of 7 years from the date of issue,
    3. “confidential” – for a period of 10 years from the date of issue;
  2. “secret” confirms the ability to protect classified information with the following classification:
    1. “secret” – for a period of 7 years from the date of issue,
    2. ‘confidential’ – for a period of 10 years from the date of issue;
    3. “confidential” confirms the ability to protect classified information with this classification for a period of 10 years from the date of issue.

The table below summarizes the key differences in the authorizations and requirements for each level of ŚBP, which may be a helpful tool in making strategic decisions.

Capability/Activity Level I industrial security certificates: Level II industrial security certificates: Level III industrial security certificates:
Staff access to classified information Yes Yes Yes
Storage of classified documents at own premises Yes Yes No
Processing of classified information in own IT systems Yes No No

Example activities

 Main contractor in R&D projects, systems integration, production Subcontractor performing analyses on paper materials, physical maintenance of equipment Advisory and consulting services, secondment of experts to work at the client’s premises

Key requirements for obtaining certification in Poland: practical checklist

The process of obtaining an Industrial Security Certificate is a formalized, two-track procedure in which the state conducts an in-depth assessment of both the company itself and key individuals within its structure.

The first step is to identify the appropriate authority to submit the application to. The division of competences is clear:

  • The Military Counterintelligence Service (SKW) is competent in matters concerning organizational units subordinate to or supervised by the Minister of National Defense, including the Polish Armed Forces, as well as entrepreneurs performing contracts on their behalf.
  • The Internal Security Agency (ABW) is competent in all other cases, covering a wide range of civilian entities, government and local government administration.

In practice, during the proceedings, both services may cooperate and exchange information, especially if the entrepreneur performs contracts for entities from both areas.

To obtain industrial security certificate, a company must establish a comprehensive internal system for the protection of classified information. It comprises three basic pillars:

Classified Information Protection Officer (Protection Officer)

Every company dealing with classified information must appoint an officer. This person, who reports directly to the company’s management, is responsible for the entire information protection system.

The key tasks of the Protection Officer include:

  • Developing and updating the company’s classified information protection plan.
  • Overseeing the implementation of physical and IT security measures.
  • Conducting internal audits and document flow controls.
  • Organizing and providing mandatory training for all employees with access to classified information.
  • Managing the process of checking the personal security of employees.

The representative must have a valid personal security clearance and complete specialized training conducted by the Internal Security Agency (ABW) or the Military Counterintelligence Service (SKW).

The Classified Information Protection Plan must include, among other things:

  • Analysis and assessment of the risks associated with unauthorized access to information.
  • Characteristics of the facility and indication of rooms where classified information is processed.
  • Description of physical security measures (physical protection, technical security).
  • Designation and description of security zone boundaries.
  • Procedures for managing keys and passwords to rooms and safes.
  • Access control rules for employees and outsiders.
  • Emergency procedures, including evacuation plans and plans for the destruction of classified materials.

Secret Office

A secret office is a secure, physically protected area designated for the registration, storage, circulation, and dispatch of documents marked “SECRET” or “TOP SECRET.” If your company will only be processing information with a confidentiality level of “CONFIDENTIAL,” a full office may not be required, but you must still provide a secure system for registering and circulating documents.

Key requirements for a secret office:

  • Physical security. The room must meet specific standards, including certified burglar-proof doors, barred windows, and certified safes or metal cabinets for document storage.
  • Access control. Access is strictly limited to authorized personnel, typically the office manager and his or her staff. An access control system is required.
  • Alarm and monitoring systems. The area must be protected by certified alarm systems and, in some cases, video surveillance of the entrance.
  • Personnel. The head of the secret office must have personal security clearance appropriate for the highest level of information processed and undergo specialized training.

Personal security clearances

Employees who will have direct access to classified information as part of their duties must have a personal security clearance. This is based on the “need-to-know” principle.

The company’s representative manages the verification process, which is carried out by the Internal Security Agency (ABW) or the Military Counterintelligence Service (SKW) and includes a detailed background check of the employee.

How to Apply: Step-by-Step Industrial Security Clearance Process in Poland

  1. Preparation: The company implements all necessary organizational and technical measures (appoints a representative, drafts a secret office, develops internal security procedures).
  2. Application: The entrepreneur submits a formal application to the Internal Security Agency (ABW) or Military Counterintelligence Service (SKW) to initiate an industrial security screening procedure.
    • The level of certification and the highest classification to which the company is to be entitled must be specified.
    • The application must be accompanied by a completed Industrial Security Questionnaire.
  3. Vetting process: The services conduct a thorough audit of the company. This includes:
    • Verification of the data provided in the security questionnaire.
    • Inspection of physical security measures (e.g., classified office).
    • Audit of IT systems designed to process classified information.
    • Security verification of key personnel (company manager, representative for classified information protection and his/her deputy, security department employees, ICT system administrator, other persons indicated in the questionnaire who are to have access to classified information).
  4. Issuance of a certificate: If the audit is successful and the company is deemed capable of protecting classified information, the competent authority issues an industrial security certificate. The certificate is valid for a specified period (e.g., 5 years for a “SECRET” certificate, 7 years for a “CONFIDENTIAL” certificate).

What Is Checked During the Clearance Procedure in Poland?

The scope of verification is very broad and depends on the classification level. The procedure aims to rule out any doubts regarding:

  • Participation or cooperation in espionage, terrorist, or other activities directed against the Republic of Poland.
  • Loyalty to the constitutional order of the Republic of Poland.
  • Susceptibility to blackmail or pressure.
  • Proper handling of classified information in the past.

In the case of proceedings for access to “secret” and “top secret” classifications (so-called extended and special proceedings), the verification additionally covers:

  • Financial situation (whether the standard of living does not grossly exceed income).
  • Any mental illnesses or disorders that may affect the ability to protect secrets.
  • Addiction to alcohol or intoxicants.

This procedure requires the written consent of the person being vetted and the submission of a detailed Personal Security Questionnaire. Refusal to issue a security clearance to the manager of the enterprise or security representative results in the mandatory refusal to issue an ISS for the entire company.

Schedule, costs, and results of the procedure

The statutory deadline for completing the industrial security procedure is six months from the date of submission of the complete documentation.

The procedure is subject to a fee. The entrepreneur bears the flat-rate costs of the activities carried out by the Internal Security Agency (ABW) or the Military Counterintelligence Service (SKW), which are specified in the regulation of the Prime Minister. The fees are non-refundable, regardless of the outcome of the procedure.

The proceedings may end with one of three outcomes:

  • Issuance of an Industrial Security Certificate in accordance with the application.
  • Issuance of a decision refusing to issue a certificate.
  • Issuance of a decision to discontinue the proceedings (e.g., at the request of the entrepreneur or in the event of its liquidation).

When can the issuance of an industrial security certificate be refused in Poland?

The Internal Security Agency refuses to issue a security certificate (by issuing an appropriate decision) if, during the proceedings:

  1. it turns out that the person undergoing verification knowingly provided false or incomplete information in the personal security questionnaire,
  2. doubts regarding confidentiality guarantees have not been dispelled,
  3. the findings indicate that the person undergoing verification has been convicted of an intentional crime prosecuted by public indictment, including crimes committed abroad, as well as fiscal crimes (until the conviction is expunged).

Refusal to issue a certificate does not mean a lifetime ban on performing duties related to access to classified information. However, the verification procedure for a person who has not obtained a security certificate may be carried out at the earliest one year after the date of such a decision.

An entrepreneur has the right to appeal to the Prime Minister against a decision by the Internal Security Agency or the Military Counterintelligence Service to refuse to issue or to revoke a certificate. The Prime Minister’s decision may then be appealed to an administrative court.

Control procedure

If the Internal Security Agency receives a signal that a person holding a security clearance may not guarantee confidentiality, a verification procedure is initiated.

The procedure may only be initiated if new facts are revealed about the person to whom the security clearance was issued, indicating that they should not have access to classified information.

Until the procedure is completed, such a person may have limited or completely excluded access to classified information. The control procedure is analogous to the procedure carried out before the certificate is issued, but the consent of the person being controlled is not required to carry it out. The control procedure is carried out ex officio and there is no specific deadline for its completion. However, the Internal Security Agency is required to remain impartial and objective and to conduct the procedure without undue delay.

The reasons for initiating a control procedure may include:

  1. improper handling of classified information
  2. conviction by a final judgment for an intentional crime prosecuted by public indictment
  3. allegations of committing a crime (but only if they raise doubts as to the guarantee of confidentiality)
  4. providing false information when applying for security clearance.

As a result of the control procedure, the validity of the certificate may be confirmed or a decision may be made to revoke the security clearance (in which case the person may reapply for the certificate no earlier than one year after the date of the revocation decision).

Grounds for revocation of a industrial security certificates:

The loss of a security clearance certificate may result from its revocation by the authority that issued it. The Act distinguishes between mandatory grounds (when the authority must revoke the certificate) and optional grounds (when the authority may do so).

Grounds for mandatory revocation of a industrial security certificates:

  • Refusal to issue or revocation of a security clearance for the Head of the Entrepreneur.
  • Inability to determine the capital structure or sources of financing of the company.
  • Loss of functionality of the classified information protection system (e.g., liquidation of a secret office).
  • Finding that false information was provided in the questionnaire.

Grounds for optional (discretionary) revocation of a industrial security certificates::

  • The emergence of unresolvable doubts regarding persons from management or control bodies.
  • Failure to comply with the obligation to report changes in data within the prescribed time limit.
  • Failure to obtain accreditation for the ICT system.
  • The certificate also expires automatically after its expiry date, in the event of the liquidation of the entrepreneur or if he renounces his rights.

Criminal liability

The most serious consequence of violating the provisions on the protection of classified information is criminal liability, regulated in the Criminal Code.

  • Article 265 of the Criminal Code

“Whoever discloses or, contrary to the provisions, uses information classified as ‘secret’ or ‘top secret’ shall be subject to imprisonment for a term of between 3 months and 5 years.”

If the disclosure was made to a person acting on behalf of a foreign entity (which is a qualified form of industrial espionage), the penalty is much more severe, ranging from 6 months to 8 years of imprisonment.

Even unintentional disclosure of such information by a person who has become familiar with it in connection with their duties is punishable by up to one year of imprisonment.

  • Article 266 of the Criminal Code

A public official who discloses classified information marked “restricted” or “confidential” to

FAQ: Industrial Security Clearance Decisions in Poland

Who needs an industrial security clearance in Poland?

Any entrepreneur, company, or subcontractor that intends to execute contracts involving access to classified information—classified as “confidential,” “secret,” or “top secret” – must obtain an industrial security certificate. This includes participation in public tenders and subcontracted defense-related projects.

What are the three levels of industrial security certificates and how long are they valid?

There are three levels:

  • Level I – for “Top Secret” information (valid for 5 years),
  • Level II – for “Secret” information (valid for 7 years),
  • Level III – for “Confidential” information (valid for 10 years).

Each level confirms the organization’s capacity to protect classified data within that classification range.

How long does it take to obtain an industrial security certificate and what is the cost?

The procedure must be completed within 6 months from the date the complete documentation is submitted. The process is paid – costs are fixed and non-refundable, regardless of the outcome. The certificate is issued by ABW or SKW depending on the contract’s nature.

Expert team leader D&P Legal Michał Puk
Contact our expert
Write an inquiry: [email protected]
check full info of team member: Michał Puk
Expert team leader D&P Legal Ignacy Heckert
Contact our expert
Write an inquiry: [email protected]
check full info of team member: Michał Puk
Expert team leader D&P Legal Daria Piwecka / Dudkowiak & Putyra Business Law Firm
Contact our expert
Write an inquiry: [email protected]
check full info of team member: Michał Puk