Date: 5 June 2026

In May 2026, Poland’s Internal Security Agency (ABW) publicly disclosed a series of cyber incidents involving five water-treatment facilities that had been compromised during 2025. The affected facilities were located in Jabłonna Lacka, Szczytno, Małdyty, Tolkmicko, and Sierakowo. 

While authorities reported no confirmed impact on water quality or public safety, the incident attracted significant international attention because attackers reportedly gained access to operational technology (OT) environments responsible for managing water-treatment processes.

In some cases, operational settings associated with water-treatment activities were reportedly modified. This demonstrated that attackers had moved beyond traditional IT systems and reached industrial-control environments supporting critical public infrastructure.

The incident serves as a powerful reminder that cyber attacks against critical infrastructure do not always begin with sophisticated malware or advanced nation-state capabilities. In many cases, weaknesses such as weak credentials and poorly secured remote-access pathways can provide attackers with a route into operational environments that support essential public services.

For organisations operating under NIS2, DORA, or broader cyber resilience frameworks, the Poland water-sector breaches offer important lessons about incident response readiness, operational resilience, and governance.

To know more about this incident, the weaknesses that the criminals exploited and key lessons, don’t forget to download our CMA Cyber Insights on the Polish Water Facilities’ Cyber Attacks.  

What Happened in the Polish Water Facilities’ Attack?

According to Polish authorities, attackers gained unauthorised access to industrial-control-system environments connected to five water-treatment facilities.

Although no specific threat actor was publicly attributed to the incidents, Polish officials highlighted an increase in hostile cyber activity linked to Russian and Belarusian interests. They warned that attacks targeting critical infrastructure were becoming increasingly aggressive and strategically focused.

Investigators reportedly found that some affected environments were exposed through weak or default credentials and internet-accessible operational technology systems.

Importantly, officials stated that there was no confirmed contamination of water supplies and no verified impact on public safety. However, the fact that attackers were able to access and reportedly modify operational settings demonstrated a concerning level of access into systems supporting critical infrastructure.

Why This Incident Matters

The significance of the Polish attacks extends far beyond the water sector. These incidents highlight a growing trend in which cyber criminals and/or nation-state actors increasingly target operational technology environments that control physical processes and essential public services.

Modern critical infrastructure organisations are becoming more connected than ever before. Water utilities, energy providers, transportation operators, healthcare organisations, and manufacturing facilities increasingly rely on remote access, cloud-connected systems, third-party vendors, and interconnected industrial networks. While these technologies improve efficiency, they also expand the attack surface.

The Poland breaches demonstrate how attackers can exploit relatively simple weaknesses to reach environments capable of affecting physical operations.

Perhaps most importantly, the incidents show that attackers do not necessarily need to cause immediate disruption to create significant strategic risk. In many cases, the greatest danger arises when threat actors establish long-term visibility and access within operational environments without triggering alarms.

The Growing Convergence of Cybersecurity and National Security

Historically, many organisations viewed cybersecurity as primarily an IT issue. That perspective is rapidly changing. Critical infrastructure attacks increasingly have implications for public safety and geopolitical security.

Water-treatment facilities represent particularly attractive targets because they support essential services relied upon by entire populations. Any disruption, contamination concern, or operational failure could have significant societal consequences.

The Polish incidents illustrate how operational technology environments have become strategic assets requiring the same level of attention traditionally reserved for national-security infrastructure.

What NIS2 Organisations Should Learn from the Polish Water-Sector Breaches?

The NIS2 Directive was specifically designed to strengthen cyber resilience across essential and important entities operating throughout the European Union. The Poland incidents demonstrate why NIS2 places such strong emphasis on risk management measures, incident response capabilities, supply-chain security and business continuity.

Several themes from the incident align directly with NIS2 expectations.

• Risk-Based Security Controls

Reports suggest that some of the affected facilities were exposed through weak credentials and internet-accessible systems. NIS2 requires organisations to implement appropriate technical and organisational measures to manage cybersecurity risks.

This includes access control management, identity security and secure remote-access controls amongst others. The Poland breaches demonstrate how failures in these areas can create pathways into critical infrastructure environments.

• Incident Response Preparedness

The incident also highlights the importance of having documented and tested incident response plans and procedures. NIS2 places considerable emphasis on an organisation’s ability to detect incidents quickly, assess their impact, escalate incidents and contain threats effectively.

Without mature incident response capabilities, organisations may struggle to respond effectively when attackers reach operational environments. Rapid recovery of essential services also becomes increasingly difficult.

One of the most significant changes introduced by NIS2 is increased accountability for senior management. Boards and executives are expected to oversee cyber risk management and ensure that resilience measures are implemented and maintained.

The Poland incidents provide a clear example of why cybersecurity must be considered a leadership issue rather than simply an operational responsibility.

What DORA-Regulated Organisations Can Learn

Although DORA primarily applies to the financial sector, the principles underpinning the regulation are highly relevant. DORA focuses on operational resilience rather than cybersecurity alone.

The objective is not simply to prevent incidents but to ensure organisations can continue delivering critical services when incidents occur. The Poland attacks reinforce several DORA themes:

Organisations must understand which systems support critical business services. If attackers gain access to operational environments, leaders need immediate visibility into the potential impact on service delivery.

DORA emphasises regular testing of resilience capabilities. Many organisations have incident response plans but rarely test them under realistic conditions. The Poland incidents demonstrate why assumptions about preparedness can be dangerous. And testing with regular cyber resilience drills is non-negotiable today.

Operational environments frequently depend on external vendors, contractors, and technology providers. DORA requires organisations to understand and manage these dependencies.

As critical infrastructure becomes increasingly interconnected, third-party risk management becomes essential.

Mapping the Lessons to CIPR Outcomes

Cyber Management Alliance’s Cyber Incident Planning and Response (CIPR) course was designed to help organisations develop practical incident response capabilities that extend beyond theoretical knowledge. Several key CIPR outcomes align directly with the lessons emerging from the Poland incident.

• Incident Identification and Classification: Teams must be able to recognise suspicious activity affecting operational environments and determine whether incidents require escalation.

• Effective Escalation Procedures: The Poland incidents demonstrate the importance of clearly defined escalation pathways involving operational teams, cybersecurity teams, leadership, and external stakeholders.

• Incident Response Playbooks: Scenario-specific playbooks can help organisations respond consistently when incidents affect critical infrastructure environments.

• Crisis Communications: Cyber incidents affecting essential services require careful communication with customers, regulators, media, and government agencies.

• Recovery and Lessons Learned: Recovery is not simply about restoring systems. It is about understanding root causes, strengthening controls, and improving resilience for future incidents.

Building Resilience Beyond Compliance

The Poland water-treatment breaches illustrate an important reality about modern cybersecurity. Compliance alone is not enough. Organisations may satisfy regulatory requirements on paper while still struggling to respond effectively when a real-world incident occurs. 

True cyber resilience requires organisations to combine Governance, Risk management and Incident response planning. The organisations that succeed will be those that treat cybersecurity as a resilience capability rather than a compliance obligation.

It’s also important to remember that you can have solid incident response plans. But it’s critical to know whether those plans will actually work during a crisis. 

The Poland attacks highlight the importance of validating:

• Escalation pathways
• Decision-making processes
• Communications procedures
• Recovery strategies
• OT-specific response activities
• Executive coordination

Without regular testing with tabletop exercises, even well-written plans can fail when confronted with a real-world incident. This is particularly true when operational technology environments are involved. OT incidents often require coordination between cybersecurity teams, engineering teams, operations personnel, senior executives, regulators, and external stakeholders.

How Cyber Management Alliance Can Help

The lessons from the Poland water-sector breaches reinforce the need for organisations to move beyond static policies and develop practical, tested cyber resilience capabilities.

Cyber Management Alliance helps organisations move beyond compliance-driven cybersecurity to build practical, measurable cyber resilience capabilities. Through our NCSC-Assured Cyber Incident Planning & Response (CIPR) Training and incident response playbooks development and review services, we help organisations prepare for the types of incidents increasingly affecting critical infrastructure, operational technology environments, and essential services.

We also support organisations in meeting evolving regulatory and resilience requirements. Our executive cybersecurity training, business continuity and disaster recovery audits, NIS2 readiness assessments, DORA-aligned cyber resilience exercises, and operational resilience consulting help you comprehensively achieve your cyber resilience and regulatory compliance requirements.

By combining governance, incident response, resilience testing, and recovery planning, we help organisations identify weaknesses before attackers do. Through realistic simulations, we help you validate your preparedness and develop the capabilities needed to maintain critical services during cyber crises.

Having delivered thousands of cybersecurity training engagements, hundreds of cyber crisis exercises, and resilience assessments across government, financial services, healthcare, critical infrastructure, and multinational enterprises, Cyber Management Alliance helps organisations transform regulatory requirements into measurable cyber resilience outcomes.

Conclusion

The Poland water-treatment facility breaches were not simply another critical infrastructure cyber incident. They were a warning that operational technology environments supporting essential services remain attractive targets for attackers seeking visibility, access, and influence over critical systems.

For organisations operating under NIS2, DORA, and other resilience-focused frameworks, the incident highlights the importance of governance, incident response preparedness, resilience testing, and executive accountability.

The question is no longer whether critical infrastructure will be targeted. The question is whether organisations have the plans, playbooks, training, and resilience capabilities needed to respond effectively when it happens.