ctipilot.ch

Poland NIS2 transposition (UKSC amendment) in force 3 April 2026 — water-sector essential-entity status

campaign · policy:poland-nis2-transposition-2026

Coverage timeline: 1 (first 2026-05-10 → last 2026-05-10)
Briefs: 1 (1 distinct)
Sources cited: 15 (10 hosts)
Sections touched: 1 (weekly_policy)
Co-occurring entities: 8

Story timeline

  1. 2026-05-10 · CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026)
    weekly_policy · First coverage. W2 horizon research. Polish NCS Act amendment in force 3 April 2026; full compliance deadline 3 April 2027; first audit 3 April 2028. Drinking water and wastewater designated essential-entity sectors — ABW-documented 2025 water-OT facility attacks would now fall under NIS2 reporting obligations. Sub-threshold small-municipality coverage gap remains.

Where this entity is cited

  • weekly_policy: 1

Source distribution

  • thehackernews.com: 3 (20%)
  • cert.pl: 2 (13%)
  • euvd.enisa.europa.eu: 2 (13%)
  • welivesecurity.com: 2 (13%)
  • addleshawgoddard.com: 1 (7%)
  • cisa.gov: 1 (7%)
  • securityweek.com: 1 (7%)
  • europol.europa.eu: 1 (7%)
  • other: 2 (13%)

Items in briefs about Poland NIS2 transposition (UKSC amendment) in force 3 April 2026 — water-sector essential-entity status (5)

CVE-2026-44088 — CERT-PL SzafirHost JAR zip-polyglot bypass in Poland's qualified e-signature browser helper

From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17 · view item permalink →

CERT-PL disclosed CVE-2026-44088 on 2026-05-15 (see the daily brief of 2026-05-17 below): a JAR zip-polyglot bypass in SzafirHost, the browser helper that mediates qualified e-signature operations for Polish public-sector users (citizen-facing e-government services). A crafted polyglot file passes the helper's JAR code-signature verification while the classes actually loaded come from the archive the attacker appended, so attacker code runs inside the helper and can have it attach a qualified signature to attacker-chosen content. Patched 2026-05-15 in SzafirHost 1.2.1. Operational relevance for Swiss / EU public-sector defenders: the eIDAS qualified-electronic-signature framework is pan-European, so the class of attack (polyglot-file abuse of a browser helper that mediates signature operations) is portable to Swiss QES vendors and to other member states' qualified-signature browser helpers. Validation: confirm the patch state of every QES helper in your endpoint estate, and consider polyglot-file detection as a content-inspection control on inbound document workflows (CERT-PL CERT-PL-2026-44088; daily 2026-05-17).

FrostyNeighbor / Ghostwriter (UNC1151) — ESET analysis corroborated, Poland / Lithuania / Ukraine in EU scope

From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17 · view item permalink →

ESET's 2026-05-14 analysis of activity observed since March 2026 documents an evolved spearphishing chain: (1) malicious PDFs impersonating Ukrtelecom with embedded redirect links, (2) RAR archives delivering JavaScript PicassoLoader variants, (3) server-side victim geo-validation (serves benign PDF to non-Ukrainian IPs) with system fingerprinting every 10 minutes to determine Cobalt Strike eligibility, (4) persistence via scheduled tasks and registry modifications. The previous Polish-targeting wave exploited CVE-2024-42009 (Roundcube XSS) for credential harvesting; WinRAR CVE-2023-38831 also referenced in the toolchain. The Belarus-aligned actor cluster (UNC1151, UAC-0057, TA445, Storm-0257, Umbral Bison, White Lynx) targets governmental, industrial, healthcare, and logistics sectors. EU scope: Poland, Lithuania, and Ukraine confirmed; broader Eastern European public-sector exposure inferred (ESET WeLiveSecurity; The Hacker News; daily 2026-05-15).

No named EU victim disclosures this run. Status update from the W19 long-running record (item:apt28-apt29-unc1151): ESET's documentation of the geofencing and 10-minute fingerprinting cadence is new operational detail not present in the W19 ABW tri-attribution coverage. Detection: outbound connections to Canarytokens-style endpoints used for fingerprinting; scheduled-task creation with random GUIDs spawned from Office process trees (T1053.005); child processes of WinRAR or archive handlers executing JavaScript (T1059.007); PicassoLoader staging behaviours.
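The two process-tree detections listed above, as an added example that is not ESET's or the brief's own code: a small Python triage over constructed Sysmon-style process-creation records (pid, ppid, image, command line; every path, file name and GUID is invented) that flags a script host spawned by an archive handler (T1059.007) and a schtasks /create with a GUID task name anywhere beneath an Office process (T1053.005). The archive-handler, script-host and Office-application lists are assumptions to tune to your estate; the 10-minute schedule in the sample task mirrors the fingerprinting cadence the text describes and is likewise constructed.

```python
import re

# Assumptions (not from the brief): which binaries count as archive handlers,
# script hosts and Office parents. Tune these to your estate.
ARCHIVE_HANDLERS = {"winrar.exe", "7zfm.exe", "7z.exe", "bandizip.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

GUID_RE = re.compile(r"\{?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}?", re.I)
TASK_NAME_RE = re.compile(r"/tn\s+\"?([^\"\s]+)", re.I)
JS_ARG_RE = re.compile(r"\.jse?\b", re.I)

# Constructed Sysmon-style process-creation records; every path, file and GUID is invented.
TASK_GUID = "{8f3a2c1e-4b7d-4e9a-9c2f-1a2b3c4d5e6f}"
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmd": r'"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\u\Downloads\notice.rar'},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\u\AppData\Local\Temp\Rar$DIa0.123\notice.js"'},
    {"pid": 200, "ppid": 1, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmd": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n'},
    {"pid": 201, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd.exe /c schtasks /create /sc minute /mo 10 /tn "' + TASK_GUID
            + r'" /tr "wscript.exe C:\Users\u\AppData\Roaming\u.js" /f'},
    {"pid": 202, "ppid": 201, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks /create /sc minute /mo 10 /tn "' + TASK_GUID
            + r'" /tr "wscript.exe C:\Users\u\AppData\Roaming\u.js" /f'},
    {"pid": 300, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 301, "ppid": 300, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks /create /sc daily /tn "Adobe Acrobat Update Task" /tr "C:\Program Files\Adobe\update.exe"'},
]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestors(by_pid, pid):
    """Walk the parent chain upward from pid (inclusive), guarding against pid-reuse loops."""
    chain, seen = [], set()
    ev = by_pid.get(pid)
    while ev is not None and ev["pid"] not in seen:
        seen.add(ev["pid"])
        chain.append(ev)
        ev = by_pid.get(ev["ppid"])
    return chain


def detect(events):
    """Return (technique, pid, summary) tuples for the two patterns named in the brief."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        img = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        pimg = basename(parent["image"]) if parent else ""
        # T1059.007: archive handler spawning a script host, or any child invoked with a .js/.jse argument
        if pimg in ARCHIVE_HANDLERS and (img in SCRIPT_HOSTS or JS_ARG_RE.search(e["cmd"])):
            hits.append(("T1059.007", e["pid"], f"{pimg} -> {img}"))
        # T1053.005: schtasks /create with a GUID task name anywhere beneath an Office process
        if img == "schtasks.exe" and re.search(r"/create\b", e["cmd"], re.I):
            m = TASK_NAME_RE.search(e["cmd"])
            office = [basename(a["image"]) for a in ancestors(by_pid, e["ppid"])
                      if basename(a["image"]) in OFFICE_APPS]
            if m and GUID_RE.fullmatch(m.group(1)) and office:
                hits.append(("T1053.005", e["pid"], f"task {m.group(1)} under {office[0]}"))
    return hits


if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(hit)
```

Walking the full ancestry rather than checking only the immediate parent is what catches the sample: schtasks is launched from cmd.exe, and cmd.exe from WINWORD.EXE, so a parent-only rule would miss it. The benign explorer-launched task with a human-readable name is left alone.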

CERT-PL CVE-2026-44088 — SzafirHost JAR zip-polyglot bypass in Poland's qualified e-signature browser helper

From CTI Daily Brief — 2026-05-17 · published 2026-05-17 · view item permalink →

CERT Polska disclosed CVE-2026-44088 on 2026-05-15: a class-loading split-brain in SzafirHost, the browser-integration component of Poland's Szafir qualified electronic signature (QES) ecosystem operated by KIR (Krajowa Izba Rozliczeniowa), an eIDAS-recognised qualified trust service provider (CERT-PL, 2026-05-15). ENISA's EUVD entry EUVD-2026-30512 records the CVSS 4.0 base score of 8.6 used in this brief's footer; CERT-PL's own write-up does not publish a numeric CVSS. SzafirHost is the helper that downloads and loads signed JAR plugins to bridge smart-card signing into Chrome, Firefox and Opera. The bug abuses the fact that Java parses the same archive in two different ways: JarInputStream verifies the JAR's code-signing certificate while streaming local file headers from the start of the file, whereas JarFile / URLClassLoader resolves and loads classes through the ZIP central directory at the end of the file. Append a second ZIP to a genuine signed JAR and the streaming verifier sees only the signed entries while the class loader sees only the appended ones. CERT-PL states verbatim: "It can lead to remote code execution by allowing an attacker to combine a genuine, signed JAR file with a malicious ZIP file, causing the verification to pass but the malicious class to be loaded." An attacker who controls the JAR download path (MitM on the SzafirHost CDN/update channel, DNS interception, or a compromised mirror) can therefore execute arbitrary code inside SzafirHost and silently sign fraudulent documents in the context of an authenticated KIR user session. Technique class: T1574.002 DLL Side-Loading equivalent for Java class-path hijack. Patched in SzafirHost 1.2.1. Why it matters to us: Szafir QES is one of the established Polish qualified signature ecosystems used in Polish public procurement, court e-filing, tax administration and healthcare e-signature workflows. Under eIDAS, qualified electronic signatures issued by a Polish QTSP enjoy cross-border legal recognition across EU member states and Switzerland's eIDAS-equivalent framework. A successful zip-polyglot attack against the SzafirHost JAR download path silently weaponises every signature produced on the compromised endpoint: an integrity-class failure that breaks the trust assumption behind eIDAS documents wherever Polish QES output is consumed.
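The two parse paths described above, and the polyglot-file content-inspection control the W20 item recommends, as an added example that is not CERT-PL's or KIR's code and makes no claim about SzafirHost internals: a stand-in streaming reader that walks local file headers the way JarInputStream does, Python's zipfile as the central-directory reader standing in for JarFile/URLClassLoader, a constructed signed-JAR stand-in and attacker ZIP (entry names and contents are invented, and no real signature is involved), and a check that rejects any archive on which the two views disagree.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")  # 30-byte ZIP local file header
DATA_DESCRIPTOR = 0x0008


def make_archive(entries):
    """Build an in-memory STORED ZIP from {name: bytes}. Used only to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed stand-ins (names and contents invented): a "signed" plugin JAR and an attacker
# ZIP carrying a class of the same name. The differential is in entry enumeration, not crypto.
SIGNED_JAR = make_archive({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/SIGNER.SF": b"Signature-Version: 1.0\n",
    "plugin/Plugin.class": b"\xca\xfe\xba\xbe genuine",
})
ATTACKER_ZIP = make_archive({"plugin/Plugin.class": b"\xca\xfe\xba\xbe attacker"})


def build_polyglot(signed_jar, attacker_zip):
    """Concatenate: the file now holds two central directories, and only the last
    end-of-central-directory record is authoritative for a CD-based reader."""
    return signed_jar + attacker_zip


def stream_entries(data):
    """Enumerate entries by walking local file headers from offset 0, as a streaming reader
    such as JarInputStream does. Stops at the first signature that is not a local header."""
    names, pos = [], 0
    while data[pos:pos + 4] == LOCAL_SIG:
        _, _, flags, _, _, _, _, csize, _, fnlen, exlen = LOCAL_HDR.unpack_from(data, pos)
        name = data[pos + 30:pos + 30 + fnlen].decode("utf-8")
        if flags & DATA_DESCRIPTOR and csize == 0:
            raise ValueError(f"{name}: sizes live in a trailing data descriptor; scan not implemented")
        names.append(name)
        pos += 30 + fnlen + exlen + csize
    return names


def central_directory_entries(data):
    """Enumerate entries via the end-of-central-directory record, as JarFile/URLClassLoader do."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def is_polyglot(data):
    """Content-inspection check: reject an archive if the two parse paths disagree, or if any
    central-directory entry's offset does not land on a local header carrying the same name."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    for info in infos:
        off = info.header_offset
        if data[off:off + 4] != LOCAL_SIG:
            return True
        fnlen = LOCAL_HDR.unpack_from(data, off)[9]
        if data[off + 30:off + 30 + fnlen] != info.filename.encode("utf-8"):
            return True
    return stream_entries(data) != [info.filename for info in infos]


if __name__ == "__main__":
    poly = build_polyglot(SIGNED_JAR, ATTACKER_ZIP)
    print("streaming view  :", stream_entries(poly))             # what the verifier sees
    print("central-dir view:", central_directory_entries(poly))  # what the class loader sees
    print("polyglot?", is_polyglot(poly), "| genuine JAR flagged?", is_polyglot(SIGNED_JAR))
```

A real JarInputStream also checks the signature files, which the stand-in does not model; the point is that the entry set it signs off on is not the entry set the class loader resolves through the trailing central directory. Requiring both views to agree, and each central-directory offset to resolve to the header it names, closes that gap for stored and deflated entries; archives that defer sizes to data descriptors need an extra scan, and the stand-in refuses them rather than guessing.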

ABW (Poland) 2025 Annual Report — APT28/APT29/UNC1151 tri-attribution on small-municipal water facilities

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11 · view item permalink →

ABW's 2025 Annual Report (published 2026-05-07) is the only annual report this week that combines new ground-truth attribution detail with explicit regulatory-coverage-gap framing. The five named municipal water facilities (Jabłonna Lacka, Szczytno, Małdyty, Tolkmicko, Sierakowo) all sit below the NIS2 essential-entity headcount threshold. ABW formally attributes initial access and persistence to APT28 (GRU), intelligence-collection overlay at Jabłonna Lacka to APT29 (SVR), and a disinformation overlay (fabricated leak documents purporting contamination data) to UNC1151 (Belarusian, Ghostwriter-affiliated) — granular tri-attribution materially beyond the "pro-Russian hacktivist" framing in initial reporting. ABW is recommending legislative action to extend NIS2 obligations to critical-function entities regardless of headcount. The cross-finding pattern for Swiss / EU public-sector readers: small municipal CI operators sit below regulatory coverage but inside hostile-state targeting; expect more regulator-side movement on this gap in coming weeks (daily 2026-05-09 UPDATE).

Poland NIS2 transposition in force 3 April 2026 — water-sector essential-entity status would now apply to the ABW-named facilities

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11 · view item permalink →

Poland's amended National Cybersecurity System Act (UKSC) entered into force on 3 April 2026, implementing NIS2 with a full compliance deadline of 3 April 2027 and a first audit deadline of 3 April 2028 (Addleshaw Goddard, 2026-02-26 · SecurityWeek, 2026-05-08). "Drinking water supply and distribution" and "wastewater management" are now designated essential-entity sectors in Polish law, meaning the five municipal water treatment facilities ABW documented as breached during 2025 (Jabłonna Lacka, Szczytno, Małdyty, Tolkmicko, Sierakowo; § 4 / § 7) would, if attacked today, fall under NIS2 incident-reporting obligations. The attack vectors ABW attributes to APT28 / APT29 / UNC1151 (default credentials, internet-exposed ICS) are addressable by the NIS2 Article 21 minimum security measures. The remaining policy gap: the breached small municipal operators are precisely the sub-threshold entities whose NIS2 coverage status is borderline under the size-cap rules; the EC's NIS2 amendment introduces a "small mid-cap" important-entity category but does not resolve this specific small-municipality water-supply gap (member-state discretion). What defenders need to do differently: operators of OT environments in small Polish municipalities that now carry UKSC obligations should treat the UKSC registration deadline (3 October 2026) as the immediate action item and the 2025 ABW-documented attack vectors (default credentials, internet-exposed ICS) as the first patch-sprint target. For Swiss / EU operators reading: the ABW recommendation to extend essential-entity coverage below the headcount threshold is now backed by both a documented compromise pattern and a freshly transposed national NIS2 framework.