- Regulation of the Minister of Digital Affairs of 29.5.2025 on the granting of de minimis aid to support entities active in the field of collective water supply covered by the national cybersecurity system, as part of the National Recovery and Resilience Plan (Journal of Laws of 2025 item 729; hereinafter: DeMinimisWaterCyberbezpR) entered into force on 30.5.2025.
- The Regulation implements the Act of 6.12.2006 on the Principles of Conducting Development Policy (Journal of Laws of 2025 item 198).
- The Regulation pursues the objectives and obligations resulting from Union legislation, in particular Regulation (EU) 2023/2831 of 13.12.2023 on the application of Articles 107 and 108 of the Treaty on the Functioning of the European Union to de minimis aid (OJ L 2023, p. …) and Regulation (EU) 2019/881 of the European Parliament and of the Council of 17.4.2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (the Cybersecurity Act) (OJ L 151, p. 15).
In the face of a growing number of cyberattacks (according to the Ministry of Digital Affairs, more than 627 000 incident reports were filed in 2024, 60% more than a year earlier), the water supply sector, which is vital to critical infrastructure, has become the subject of protective measures financed under component C of the KPO.
In accordance with § 1 of the DeMinimisWaterCyberbezpR, the Regulation sets out the detailed purpose, conditions and procedure for granting de minimis aid to entities active in collective water supply that are covered by the national cybersecurity system, under investment C3.1.1 "Cybersecurity – CyberPL, data-processing infrastructure for the optimisation of the safety infrastructure of public services" indicated in component C "Digital Transformation" of the National Recovery and Resilience Plan. According to § 17 DeMinimisWaterCyberbezpR, de minimis aid may be granted until 30.6.2026.
Addressees and scope of eligibility
According to § 4 DeMinimisWaterCyberbezpR, de minimis aid may be granted to entities active in the field of collective water supply that use operational technologies in industrial control systems. These include:
- water and sewage companies, operators of key services within the meaning of Article 5 of the Act of 5.7.2018 on the National Cybersecurity System (consolidated text: Journal of Laws of 2024 item 1077),
- commercial law companies carrying out public service tasks within the meaning of the provisions of the Act of 20.12.1996 on the Municipal Economy (consolidated text: Journal of Laws of 2021 item 679),
- public finance sector entities within the meaning of Article 9(2) to (4) of the Act of 27.8.2009 on public finances (consolidated text: Journal of Laws of 2024 item 1530).
Support for a grant task may be provided on condition that the eligible entity pursues at least 1 of the following cybersecurity objectives:
- implementation of organisational measures to guarantee cybersecurity,
- the acquisition or modernisation of technical measures to guarantee cybersecurity,
- developing the competence of cybersecurity personnel.
Financing conditions
The aid is non-refundable (§ 9 of the DeMinimisWaterCyberbezpR) and may cover up to 100% of the eligible costs of the grant task (§ 7(1) of the DeMinimisWaterCyberbezpR), which include in particular the costs incurred for:
- reviewing, developing and implementing the information security management system, or updating it;
- the introduction of measures covering, inter alia: risk analysis and ICT security policy, incident handling, continuity and crisis management, cryptography and encryption, access control and multi-factor authentication;
- an audit of the security management system carried out by a qualified auditor, demonstrating the implementation and application of that system in the organisation or institution;
- the acquisition and implementation of ICT systems, including equipment, software and services to prevent, detect and respond to cybersecurity threats;
- equipment and software deployment and configuration services and cybersecurity expert support;
- the acquisition and implementation of systems or services for security operations centres;
- the acquisition or improvement of systems or services for managing vulnerabilities, and of vulnerability scanners;
- cybersecurity training for the entity's personnel relevant to the implemented cybersecurity policy or information security management system, including in particular the measures implemented under the grant project;
- cybersecurity training for: cybersecurity IT professionals, managers and other personnel of the entity, including simulated cyberattacks on network users and information systems in the organisation;
- cybersecurity advisory services.
According to § 8(2) of DeMinimisWaterCyberbezpR, de minimis aid may be granted to cover costs incurred from 1.1.2025.
Application procedure
The application shall be submitted electronically in the Digital Projects Centre (CPPC) system (§ 10 DeMinimisWaterCyberbezpR); the information to be provided in the application and its annexes is specified in § 10(2) to (3) DeMinimisWaterCyberbezpR. In the event of formal deficiencies, the applicant may be called upon to complete the application (§ 10(6) DeMinimisWaterCyberbezpR). 1 entity may submit only 1 application per call (§ 11(7) of the DeMinimisWaterCyberbezpR). If the entity referred to in § 4 of the DeMinimisWaterCyberbezpR has submitted more than 1 application, the CPPC shall consider only the first one, leaving the remaining applications unexamined.
The CPPC conducts calls for applications in competition mode, posting an announcement on its website (§ 11(3)–(5) DeMinimisWaterCyberbezpR). The Regulation specifies the minimum time limit for submission of applications: 30 calendar days from the date of publication of the call (§ 11(6) DeMinimisWaterCyberbezpR).
Applications shall be assessed in accordance with the competition rules (§ 13(1) DeMinimisWaterCyberbezpR) and the evaluation shall include, inter alia, the objectives of the project, the reasonableness of costs and the sustainability of results (§ 13(3) DeMinimisWaterCyberbezpR).
The aid is granted on the basis of a contract concluded with the CPPC (§ 14 DeMinimisWaterCyberbezpR), after which the beneficiary is obliged to submit periodic reports on the implementation of the task (§ 16 DeMinimisWaterCyberbezpR).
With precise support rules, the water supply sector can effectively increase its cybersecurity. The Regulation responds to increasing digital threats and allows public funding to be channelled to a sector where interruption of the continuity of services could have serious social impacts. The water supply sector, which uses OT (Operational Technology) systems widely, requires support not only for hardware but also for competence. The new rules offer a real chance to professionalise and secure this infrastructure.