Poland Mandates State Messenger Over Signal Amid Security Fears

May 20, 2026 - 03:15
Updated: 3 days ago
0 3
Polish government personnel adopt the state-approved mSzyfr Messenger for secure communications.

Poland has officially directed public officials and entities within its National Cybersecurity System to discontinue the use of Signal. The mandate cites mounting evidence of successful social engineering attacks targeting government personnel by advanced persistent threat groups. In response, the state promotes mSzyfr Messenger as a secure alternative fully under Polish jurisdiction.

Why is Poland shifting away from Signal?

The Polish government has issued a formal directive urging public officials and entities within the National Cybersecurity System to stop using Signal. This significant policy shift comes amid mounting reports of successful social engineering attacks targeting higher-ups in government institutions. The announcement, released on Friday, explicitly states that Signal carries inherent security risks due to these targeted campaigns orchestrated by advanced persistent threat groups linked to hostile state agencies.

National-level Computer Security Incident Response Teams have identified phishing campaigns designed specifically to exploit the trust users place in the platform. These attacks target public figures and government employees who rely on encrypted messaging for sensitive communications. The advisory highlights that attackers impersonate Signal support staff, abusing this perceived legitimacy to take over victims' accounts.

The tactics employed by these adversaries are sophisticated and deceptive. Attackers trick users into opening malicious links by sending messages designed to create a sense of urgency. These messages often claim the user's account is blocked or requires immediate verification. Successful attempts can expose victims' phone numbers and, crucially, messages sent between government officials.

This exposure potentially threatens national security by compromising confidential diplomatic and administrative correspondence. The advisory cites recent security incidents related to Signal as primary reasons for the change. While it does not specify exact details of these attacks or identify the perpetrators directly, the context strongly suggests a response to broader geopolitical cyber threats.

What is mSzyfr Messenger?

Poland announced the launch of mSzyfr Messenger in March as the designated replacement for Signal. The platform was developed by the Ministry of Digital Affairs and the Scientific and Academic Computer Network – National Research Institute, known as NASK. The government touts it as the first secure instant messenger fully under Polish jurisdiction.

mSzyfr is designed specifically for use by public administration entities, those involved in the National Cybersecurity System, and other approved organizations. It operates on a privacy-by-design philosophy, explicitly noting that neither WhatsApp nor Signal fits this description according to its FAQ document. The government claims these US-based platforms are not GDPR-compliant.

However, the claim of full Polish jurisdiction is nuanced. mSzyfr relies on multi-factor authentication provided by US megacorps. Microsoft is the recommended option for MFA, but users can also opt for Google or FreeOTP. This dependency introduces a layer of foreign infrastructure into an otherwise domestic solution.

Furthermore, if users want to retain access to messages even after logging out, they must set up a recovery key. The installation manual suggests storing this key in a password manager. Many popular password managers are either foreign-owned or open source, which somewhat undercuts the emphasis on absolute Polish jurisdiction and control.

How does this compare to previous security measures?

The introduction of mSzyfr replaces Threema, which the Polish government began endorsing for state officials and law enforcement in 2022. Threema is a Swiss-founded application that had been the standard for secure communications within the country for several years. The shift to mSzyfr represents a consolidation of control under domestic development.

All Threema users should expect to receive an invite to mSzyfr in the near future, if they have not already received one. Data such as messages cannot be transferred between the apps due to their encrypted nature. This means officials must start fresh on the new platform without migrating historical chat logs.

The decision mirrors similar actions by other intelligence agencies globally. Dutch intelligence agencies AIVD and MIVD reported a large-scale campaign targeting their own government officials, noting that some attacks were successful. They stated that Russian hackers likely gained access to sensitive information through these methods.

Beyond Signal support staff impersonation, the Dutch agencies noted that attacks involve outsiders persuading victims to surrender verification codes or PINs. They also exploit the platform's Linked Devices feature via QR codes to take control of accounts. The FBI, CISA, and the German information security department issued near-identical warnings regarding these threats.

What are the implications for digital sovereignty?

This mandate raises questions about the balance between national security and technological independence. While mSzyfr is developed domestically, its reliance on US-based authentication services highlights the interconnected nature of modern cybersecurity infrastructure. Complete isolation from foreign technology is often impractical in a globalized digital landscape.

The government's stance reflects a broader trend among nations seeking to reduce dependency on Western tech giants for critical communications. By promoting a state-developed alternative, Poland aims to mitigate risks associated with foreign jurisdiction and potential data access by external governments. This aligns with efforts seen in other sectors, such as the push for enhanced privacy protections in browser technologies.

Signal has not immediately responded to requests for comment regarding Poland's announcement. However, the company recently addressed security concerns raised by various intelligence agencies last week. It introduced new warnings and alerts inside the platform to help users weed out potential impostors and bad actors.

This update demonstrates that Signal is actively working to counter the social engineering tactics cited in the Polish advisory. The effectiveness of these user-facing warnings remains to be seen, particularly against sophisticated state-sponsored adversaries who may bypass standard security prompts through psychological manipulation.

What does this mean for future cybersecurity policy?

The shift from Signal to mSzyfr signals a tightening of cybersecurity protocols within the Polish government. It suggests that trust in third-party encrypted messaging apps is waning among state institutions facing direct threats from hostile actors. The emphasis on jurisdiction and control over data becomes paramount when national security is at stake.

Other nations may observe this move closely as they evaluate their own reliance on global communication platforms. The success of mSzyfr will depend on its ability to provide robust security without introducing new vulnerabilities through its dependencies. The transition period for officials moving from Threema to mSzyfr will be critical in ensuring continuity of secure communications.

Ultimately, this directive underscores the evolving landscape of digital diplomacy and administration. Governments are increasingly recognizing that communication tools are not just convenience features but critical infrastructure requiring rigorous protection against espionage and sabotage.

What's Your Reaction?

Like Like 0
Dislike Dislike 0
Love Love 0
Funny Funny 0
Wow Wow 0
Sad Sad 0
Angry Angry 0
Christopher Holloway

Christopher Holloway is the founder and director of Progressive Robot, a UK-based technology company. A full-stack engineer with more than two decades of experience, he works across PHP development, ecommerce, Linux infrastructure, technical SEO and AI automation, and writes here on technology, AI, hardware and software.

Comments (0)

User