Poland Bans Signal for Officials, Rolls Out State‑Built mSzyfr Messenger
#Security

Privacy Reporter
4 min read

Poland’s cyber‑security agency has ordered government staff to stop using Signal, citing APT‑linked phishing campaigns that could expose confidential communications. The state‑developed mSzyfr messenger is presented as a GDPR‑compliant alternative, but its reliance on authenticator apps from U.S. vendors for multi‑factor authentication raises questions about how complete that data sovereignty really is.


Polish authorities announced on 18 May 2026 that all public officials and entities that belong to the National Cybersecurity System must abandon the Signal app and migrate to a home‑grown encrypted messenger called mSzyfr. The directive follows a series of intelligence briefings that linked recent social‑engineering attacks to advanced persistent threat (APT) groups allegedly backed by hostile states.


What happened

The Ministry of Digital Affairs cited several incidents in which attackers posed as Signal support staff, sent urgent‑tone messages about “blocked accounts,” and used malicious links to harvest verification codes and QR‑based Linked Devices tokens. Neither trick breaks Signal’s encryption: a harvested verification code lets the attacker re‑register the number, and a captured linking token adds the attacker’s device to the account as a legitimate endpoint that receives every message delivered from then on. A successful compromise therefore exposes phone numbers, metadata and the content of messages exchanged between senior officials – a breach that could jeopardise national security.

Poland’s Computer Security Incident Response Teams (CSIRTs) warned that the campaigns mirror tactics previously reported in Russia‑linked phishing operations against Signal and WhatsApp in March 2026. Similar alerts have been issued by the FBI, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and Germany’s Bundesamt für Sicherheit in der Informationstechnik (BSI).


GDPR considerations

Poland, as an EU member state, is bound by the General Data Protection Regulation (GDPR). Under Article 32, controllers must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. The Polish CSIRTs argue that although Signal’s client and server code are open source and generally regarded as secure, the service itself is operated by a U.S. foundation on infrastructure the state neither hosts nor audits, so the state has no control over the processing environment and cannot readily demonstrate compliance with the GDPR’s data‑protection‑by‑design and by‑default obligations (Article 25) for high‑risk public‑sector communications.

National security exemptions

Article 23 of the GDPR allows Member States to restrict, by law, the Regulation’s obligations and rights where necessary to safeguard national security (and Article 2(2)(a) leaves activities outside the scope of Union law, such as national security proper, outside the GDPR altogether). By mandating a domestically hosted messenger, the government is invoking this latitude, claiming that a Polish‑jurisdiction solution can be audited more thoroughly and that any data breaches can be handled under national law rather than a foreign jurisdiction.

Potential impact on CCPA‑covered entities

While the California Consumer Privacy Act (CCPA) does not directly apply to Polish public bodies, the multinational firms whose authenticator apps mSzyfr depends on (Microsoft, Google) could face cross‑border data‑transfer scrutiny. Where personal data of people in the EU is processed by U.S. services, for instance through cloud backup of OTP seeds, the transfer must rest on a Chapter V mechanism such as the EU‑U.S. Data Privacy Framework, and any failure could trigger supervisory‑authority investigations.


Impact on users and companies

For Polish officials

  • Immediate migration: Users must install mSzyfr via invitation‑only links. Existing Signal chats cannot be imported into mSzyfr, and Signal’s own backups are readable only by Signal with the user’s backup key, so officials lose historical context unless they archive the messages they need manually before uninstalling.
  • Multi‑factor authentication: The messenger relies on authenticator apps such as Microsoft Authenticator, Google Authenticator or the open‑source FreeOTP. These compute one‑time codes on the device itself, so code generation contacts no foreign server; the sovereignty concern lies in the optional cloud backup of OTP seeds that the Microsoft and Google apps offer (FreeOTP has none), which places the seeds in a foreign‑hosted account. Note also that a one‑time code phished in real time stays valid for its whole time step, so this form of MFA does not by itself stop the “Signal support” attack described above.
  • Recovery keys: To retain message history after logout, users must generate a recovery key and store it in a password manager. The most popular managers are based outside the EU (1Password in Canada, LastPass in the U.S.); their vaults are encrypted on the client, but the vendor and its account data sit under a foreign jurisdiction, which is exactly what the ban was meant to avoid.

For technology vendors

  • Microsoft and Google: Their authenticator apps, and any cloud backup of OTP seeds those apps perform, become de‑facto components of a state‑run security solution, potentially exposing them to EU supervisory scrutiny.
  • Polish research institute NASK: Now responsible for maintaining the messenger’s source code, cryptographic libraries and update pipeline. This raises questions about the institute’s capacity to keep pace with emerging threats.
  • Signal: The ban may set a precedent for other EU governments to scrutinise foreign‑origin messaging apps, even those with strong end‑to‑end encryption.

What changes are required

Technical steps for officials

  1. Install mSzyfr from the invitation link sent by the Ministry of Digital Affairs.
  2. Enroll in MFA using one of the approved authenticator apps.
  3. Generate a recovery key and store it in a password manager held under EU jurisdiction (e.g., a self‑hosted Bitwarden instance) rather than a vendor‑hosted vault abroad.
  4. Remove Signal from all devices after archiving anything still needed (chats cannot be imported into mSzyfr). Uninstalling alone does not unregister the phone number: use Signal’s Delete account function, or at minimum review Settings > Linked Devices and unlink anything unrecognised, so that a device an attacker linked during a phishing attempt does not keep receiving messages.

Organizational measures

  • Policy updates: All agencies must amend their communication‑security policies to reference mSzyfr as the approved instant‑messenger.
  • Training: Conduct phishing‑simulation exercises that mimic the “Signal support” impersonation scenario, teaching staff to verify sender identities through out‑of‑band channels.
  • Audit trails: Log messenger usage and MFA events (code requests, code acceptance and device links, each with source address and time) so that the record satisfies GDPR’s accountability requirements and lets the security operations team spot the phishing pattern, in which a code is requested from one device and submitted from another.
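Below is an added example of what the audit trail above can buy, written for this article rather than taken from mSzyfr or NASK: it runs two rules over constructed audit events in a hypothetical newline‑delimited JSON schema (the field names, the ten‑minute code validity and the RFC 5737 documentation addresses are all assumptions). Rule one flags a verification code accepted from a different source address than the one that requested it, which is the footprint of the “Signal support” lure relaying a harvested code; rule two flags a device link from an address never before seen for that account.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# How long a verification code stays valid; a hypothetical value for this example.
CODE_TTL = timedelta(minutes=10)

# Constructed sample events in a hypothetical audit-log schema. Neither the field
# names nor the addresses (RFC 5737 documentation ranges) come from the real product.
SAMPLE_LOG = """\
{"ts":"2026-05-20T09:00:00Z","account":"jan.k","event":"verification_code_requested","src_ip":"192.0.2.4"}
{"ts":"2026-05-20T09:00:20Z","account":"jan.k","event":"verification_code_accepted","src_ip":"192.0.2.4"}
{"ts":"2026-05-20T09:00:25Z","account":"jan.k","event":"device_linked","src_ip":"192.0.2.4","device":"laptop-1"}
{"ts":"2026-05-20T11:15:00Z","account":"anna.w","event":"verification_code_requested","src_ip":"192.0.2.9"}
{"ts":"2026-05-20T11:16:40Z","account":"anna.w","event":"verification_code_accepted","src_ip":"198.51.100.7"}
{"ts":"2026-05-20T11:16:50Z","account":"anna.w","event":"device_linked","src_ip":"198.51.100.7","device":"desktop-x"}
{"ts":"2026-05-20T12:00:00Z","account":"piotr.m","event":"device_linked","src_ip":"203.0.113.77","device":"tablet-9"}
"""


def parse_events(text: str) -> list:
    """Parse newline-delimited JSON into dicts with a timezone-aware datetime, time-ordered."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect(text: str) -> list:
    """Return (account, rule, ts) alerts for the two relay-phishing indicators."""
    alerts = []
    last_request = {}               # account -> (ts, src_ip) of the latest code request
    known_ips = defaultdict(set)    # account -> addresses seen on device-originated events
    for ev in parse_events(text):
        acct, ip, kind = ev["account"], ev["src_ip"], ev["event"]
        if kind == "verification_code_requested":
            last_request[acct] = (ev["ts"], ip)
            known_ips[acct].add(ip)
        elif kind == "verification_code_accepted":
            req = last_request.get(acct)
            # Rule 1: the code was requested by one party and entered by another
            # while still valid, i.e. someone relayed it.
            if req and ev["ts"] - req[0] <= CODE_TTL and req[1] != ip:
                alerts.append((acct, "code_entered_from_other_source", ev["ts"]))
        elif kind == "device_linked":
            # Rule 2: a new device joins from an address this account never used before.
            if ip not in known_ips[acct]:
                alerts.append((acct, "link_from_unseen_source", ev["ts"]))
            known_ips[acct].add(ip)
    return alerts


if __name__ == "__main__":
    for acct, rule, ts in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} {acct}: {rule}")
```

On the constructed log, `jan.k` produces nothing, `anna.w` trips both rules, and `piotr.m` trips only the second. Both rules also fire on legitimate address churn (mobile carriers, VPN egress changes), so in practice they feed a triage queue, correlated with ASN or device identity, rather than acting as blocking controls.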

Broader implications

Poland’s move underscores a growing tension between global privacy‑by‑design standards and national‑security imperatives. Widely reviewed open‑source tools are generally regarded as a sound way to meet the GDPR’s security‑by‑design expectations, yet governments are increasingly demanding solutions they can host and audit end‑to‑end. The continued reliance on foreign authenticator apps shows that complete data sovereignty is still a work in progress.

If other EU states follow suit, we may see a fragmented messaging ecosystem where each country promotes its own “secure” platform, potentially weakening the collective security benefits of widely reviewed open‑source protocols. Privacy advocates warn that such fragmentation could lead to weaker overall encryption standards, as smaller teams may lack the resources to discover and patch vulnerabilities as quickly as larger, community‑driven projects.


Bottom line: Poland’s ban on Signal is grounded in GDPR‑derived risk assessments and national‑security concerns, but the new mSzyfr messenger still leans on foreign authentication services, raising questions about the true extent of data sovereignty. Officials must adapt quickly, and the episode may spark a broader EU debate on how to balance open‑source security with state‑controlled oversight.
