Domain Blocking: The Polish Financial Supervisory Authority’s New Weapon Against Illicit Cryptocurrency Exchanges

 

The Act on the Crypto-Assets Market, enacted on September 26, 2025, introduces a groundbreaking enforcement mechanism: the Polish Financial Supervision Authority (Komisja Nadzoru Finansowego, hereinafter “KNF”) now possesses authority to immediately block websites conducting unlawful cryptocurrency operations. This development may herald the end of an era in which dubious platforms operating from tax havens offered services to Polish clients with impunity.

 

When Poland implemented its online gambling site blocking system in 2017, the measure appeared revolutionary. Today, the KNF has been vested with considerably more formidable powers – the capacity to immediately eliminate unlicensed cryptocurrency platforms from Poland’s internet infrastructure. Articles 66-76 of the Act on the Crypto-Assets Market, enacted September 26, 2025, establish a mechanism that may fundamentally transform the Polish cryptocurrency market landscape. The legislation was transmitted to the Senate and President on September 29, 2025, and awaits further stages of the legislative process.

 

The End of Offshore Platform Impunity

For years, Polish investors have utilized foreign cryptocurrency exchanges, frequently registered in exotic jurisdictions. Entities incorporated in Belize, Seychelles, or the Cayman Islands offered their platforms directly to Polish clients without possessing any requisite authorizations, without remitting taxes in Poland, and without subjecting themselves to any supervisory oversight. When problems materialized – vanishing funds, withdrawal impossibilities, abrupt platform closures – Polish clients found themselves without legal recourse. Pursuing claims against an entity registered in Seychelles bordered on the miraculous.

The new legislation closes this loophole in a radical fashion. The KNF has been granted authority to create and maintain a Register of internet domains utilized to conduct activities violating the provisions of Regulation 2023/1114 (the Markets in Crypto-Assets Regulation, hereinafter “MiCA”). While the formulation sounds technical, in practice it signifies something considerably more straightforward: the KNF may block access to any cryptocurrency platform operating without the requisite authorization or other qualification deriving from MiCA.

Moreover, the blocking mechanism extends beyond simple access denial by telecommunications operators. The statute envisions a cascading mechanism for eliminating unlawful platforms from Poland’s internet infrastructure, ultimately culminating in complete domain cancellation and transfer to KNF control. This solution represents an unprecedented development in European financial law and may establish a template for other EU member states.

 

Two Pathways to Blocking: Automatic and Discretionary

The legislation distinguishes two circumstances under which a domain may be entered into the register. The first pertains to conducting crypto-asset activities without legally required authorization or possession of another qualification pursuant to MiCA provisions. Should an entity offer such services without requisite authorization, the KNF may file notice of reasonable suspicion of commission of an offense specified in Articles 117 and 121 of the Act. Upon posting information concerning such notice on the KNF’s dedicated website (referenced in Article 6b(4) of the Act of July 21, 2006, on Supervision of the Financial Market), the domain automatically enters the blocked sites register. No administrative decision is required; no explanatory proceeding is mandated. Entry occurs immediately, and within forty-eight hours the site becomes inaccessible to Polish users.

This solution may generate controversy from an administrative procedure perspective, yet its objective remains clear: maximizing response speed to consumer threats. In the cryptocurrency realm, where millions of złoty can vanish within hours, each day’s delay in blocking an unlawful platform signifies potential additional victims. The legislature adopted the premise that blocking first and investigating later proves preferable to permitting fraudsters to operate for months pending completion of administrative proceedings.

The second basis for registry entry proves more flexible and requires the KNF to demonstrate proportionality of action. It pertains to situations wherein an internet domain is utilized to conduct activities violating MiCA provisions in a manner other than specified above, provided such action is necessary to prevent risk of serious harm to clients or crypto-asset holders – in cases where no other effective means exist to achieve cessation of MiCA violations.

This category may encompass, for instance, improper custody of client funds, inadequate technical safeguards, misleading clients regarding the nature of offered services, or offering products available exclusively to professional clients to retail consumers.

In such cases, the KNF must demonstrate that blocking is necessary to prevent risk of serious harm and that no other effective measures would achieve violation cessation. This constitutes a significant distinction – here the Commission must justify its decision and establish that alternative supervisory tools would prove insufficient. An entity subject to such blocking possesses the right to file an objection within two months, and the KNF has fourteen days to examine it and issue a decision either maintaining the domain name in the Register or deleting it.

 

The Blocking Mechanism: Three Tiers of Elimination

Mere registry entry activates a three-tiered mechanism for eliminating the domain from Poland’s internet infrastructure. The first tier constitutes classic DNS blocking by telecommunications enterprises. All operators providing internet access services bear an absolute obligation to block access, without compensation, to websites utilizing domain names entered in the Register by removing them from telecommunications enterprises’ IT systems serving to convert internet domain names to IP addresses, no later than forty-eight hours from registry entry. Simultaneously, they must redirect connections referencing domain names entered in the Register, without compensation, to a website maintained by the Commission containing a message directed to internet access service recipients.

This message contains, in particular, information regarding the Register’s location, entry of the sought internet domain name into the Register, the legal basis for registry entry, and a warning concerning risk of serious harm to clients or crypto-asset holders.

While this solution mirrors the gambling site blocking system, its effectiveness for cryptocurrency platforms may prove limited. Cryptocurrency platform users typically possess technical sophistication enabling them to change DNS servers, utilize VPNs, or access the Tor network without difficulty. Consequently, the statute envisions two additional blocking tiers considerably more radical in nature.

The second tier targets hosting service providers directly. Upon domain entry into the Register, at the Commission’s request, hosting service providers must immediately and without compensation:

• Remove or disable the web interface
• Restrict access to the web interface or remove content specified by the Commission

In practice, this means that if an unlawful platform is hosted in Poland or on European servers subject to Polish jurisdiction, it may be physically disconnected from the network. No VPN or DNS modification will avail – the site simply ceases to exist.

The third and most far-reaching tier involves domain cancellation itself. Upon domain entry into the Register, at the Commission’s request, domain registries and domain registrars must, without compensation, remove the internet domain name and register it on behalf of the Commission, either indefinitely or for a period specified in the request. This solution transcends ordinary access blocking. The KNF assumes control over the domain name itself, preventing fraudsters from utilizing it further even if they change hosting, servers, or jurisdiction. Following execution of the removal request and domain registration on behalf of the Commission, the KNF deletes the internet domain from the Register while retaining control over it.

This entire mechanism operates in a cascading and cost-free manner for the KNF. Telecommunications operators, hosting providers, and domain registries bear the technical costs of executing blocks. None of these entities may refuse cooperation; all act pursuant to absolute legal obligation. Notably, the statute provides them no remuneration or cost reimbursement, generating some controversy within the telecommunications industry.

 

Objection and Unblocking Procedures

In cases of automatic Registry entry (operations without authorization), objections may be filed – within two months from entry – by the entity utilizing the domain name entered in the Register or possessing legal title to that domain, hosting service providers, domain registries, domain registrars, or telecommunications enterprises.

Objections must contain identifying data of the objecting entity (name and surname for natural persons, or entity name, registered office address, and National Court Register number for legal persons and organizational units lacking legal personality) and justification.

The Commission issues a decision maintaining the domain name in the Register or deleting it from the Register within fourteen days of objection filing.

Where domain cancellation and registration on behalf of the Commission have occurred, the right to file objections belongs to the same entities within two months from domain deletion from the Register. The Commission issues a decision maintaining domain name removal and registration on behalf of the Commission, or restoring the domain name and re-registering it on behalf of the entity previously possessing legal title, within fourteen days of objection filing.

The Commission deletes registry entries immediately upon removing information posted on the KNF’s dedicated website concerning the entity in connection with whose activities notice of suspected commission of an offense specified in Article 121 was filed, or upon cessation of grounds for entry in cases of activities violating MiCA provisions in other manners.

Upon registry entry deletion, telecommunications enterprises are obligated to enable access, without compensation, to websites utilizing domains deleted from the Register and to cease connection redirection, while hosting service providers are obligated to restore or enable web interfaces, without compensation, or restore access thereto or restore content removed at Commission request – no later than two business days from registry entry deletion.

 

Could Your Operations Face Blocking?

The paramount question any crypto-asset market participant should pose is: could my operations be deemed to violate MiCA provisions? The answer proves far from obvious, particularly given the new regulations’ complexity and absence of established KNF enforcement precedent.

Consider a platform offering cryptocurrency-to-cryptocurrency exchange capability. Does this require authorization? In most instances, yes, as such activity falls within the definition of crypto-asset services. But what if the platform operates peer-to-peer, merely matching buyers and sellers without taking custody of assets? Or what if it offers exclusively CFD trading on cryptocurrencies, arguing these constitute financial instruments rather than crypto-assets? Or conducts educational activities with demonstration transactions? Or provides advisory services concerning cryptocurrency investment without executing actual transactions?

Each situation demands detailed legal analysis. The problem lies in the fact that under automatic registry entry blocking, such analysis occurs post facto. The platform becomes blocked immediately upon filing of notice of suspected criminal activity and posting information thereof on the KNF website, with opportunity to clarify whether operations actually required authorization arising only subsequently.

Particularly critical is the situation of entities that commenced operations prior to MiCA and the Crypto-Assets Market Act entering into force. For years they may have operated lawfully based on simple registration for virtual currency activities, requiring no special authorizations. Now they suddenly discover their operations require MiCA-derived authorization, the acquisition procedure for which spans months and proves extraordinarily costly. Transitional periods remain very brief, while consequences of non-compliance prove drastic.

A broad grey zone of crypto-asset-related activities whose legal status remains ambiguous also exists. Information portals publishing market analyses and trading signals – does this constitute investment advice requiring authorization? Aggregators comparing various exchanges’ offerings – does this constitute intermediation? Investment communities operating on Discord or Telegram where members share strategies – does this constitute portfolio management?

 

Revolution in Poland’s Cryptocurrency Market

Implementation of the domain blocking system may precipitate fundamental transformation of Poland’s cryptocurrency market structure. Heretofore, domestic clients largely utilized foreign platforms, often of dubious reputation, offering lower fees, greater asset selection, or more liberal approaches to identity verification. Some platforms deliberately targeted the Polish market, offering Polish-language versions and Polish-language customer support while evading all regulatory oversight.

The new blocking system may effectively eliminate these entities from the Polish market. If a platform fails to obtain requisite authorization or cannot demonstrate exemption from possession requirements, it faces blocking. For most offshore platforms, obtaining authorization will prove economically unviable. This requires satisfying numerous costly requirements: share capital, civil liability insurance, employment of qualified personnel, implementation of sophisticated compliance and cybersecurity systems, data storage compliant with requirements, and regular KNF reporting.

For small platforms heretofore operating with several-person teams, these requirements prove insurmountable. Even if theoretically capable of satisfying them, business economics become unprofitable when restricted to the Polish market exclusively. The result will be natural selection – only large, reputable international platforms willing to bear authorization costs, and domestic entities building businesses from scratch in compliance with new regulations, will remain in the Polish market.

This may prove a blessing for Polish consumers. Instead of dozens of dubious platforms offering unrealistic returns and vanishing with client funds, they will access a smaller number of entities possessing requisite authorizations, actually subject to supervision, storing funds in compliance with security requirements, and obligated to treat clients fairly. Should problems arise, clients will possess realistic possibilities of pursuing claims against entities headquartered in Poland or other EU countries, rather than attempting futilely to sue Seychelles-incorporated companies.

Conversely, some market participants fear excessively restrictive regulations may cause Polish client exodus to platforms operating entirely outside the European legal system. If most known platforms face blocking while authorization procedures prove too costly for smaller players, clients may begin utilizing platforms accessible exclusively through Tor or decentralized DEX exchanges entirely beyond regulatory reach. This would create a paradoxical situation wherein, rather than improving security, regulations provoke client migration to even riskier channels.

 

Practical Enforcement Challenges

The blocking system’s very nature poses numerous practical and legal challenges. Consider first jurisdictional questions. If a cryptocurrency platform is registered in Seychelles, hosted on Singapore servers, with its domain registered through an American registrar, how does the KNF intend to compel domain removal? The Polish supervisory authority lacks jurisdiction over American domain registrars, which operate pursuant to American law that does not recognize Polish administrative decisions as grounds for domain cancellation.

Theoretically, the statute resolves this problem by imposing enforcement obligations on Polish telecommunications operators, who must block domain access regardless of actual location. Practically, however, any moderately technologically sophisticated user can circumvent such blocking within minutes. Changing DNS servers to Google’s or Cloudflare’s public servers, utilizing VPN services masking location, or using the Tor browser suffices. For cryptocurrency users, by definition technologically conversant, this constitutes a trivial task.

Another problem concerns erroneous blocks. The system envisions very rapid action – registry entry occurs immediately upon filing criminal activity notice and posting information thereof on the KNF website, with DNS blocking required within forty-eight hours. During this period, the platform-operating entity often remains unaware the KNF has filed notice. No opportunity exists to present explanations, prove operations’ legality, or obtain execution suspension pending matter clarification. What if the KNF erred in assessing the activity’s character? What if the platform actually possesses appropriate authorizations but the KNF lacked information thereof? What if operations require no authorization whatsoever because they concern tokens not constituting crypto-assets under MiCA?

The statute provides for objection possibilities, but only post-blocking. Meanwhile, for internet-based operations, even several days’ unavailability may spell business catastrophe. Clients lose confidence, migrate to competitors, social media circulates rumors of platform collapse. Even if the block later proves unjustified and is lifted, damage proves irreversible. Provisions contain no mechanism for compensating unjustly blocked entities, potentially precipitating protracted disputes concerning damages.

 

Precedent for Other Regulated Sectors

The domain blocking system introduced for the crypto-asset market may establish precedent for other regulatory domains. Should the KNF effectively utilize this tool and gain positive experience, other supervisory authorities may seek similar powers. One can envision the Office of Competition and Consumer Protection demanding blocking of sites selling counterfeit branded products, the President of the Personal Data Protection Office blocking GDPR-violating services, or the National Health Fund eliminating unlawful online pharmaceutical sales.

From a consumer protection perspective, such solutions may appear attractive. Rather than conducting multi-year judicial proceedings against entities concealing themselves in exotic jurisdictions, regulatory authorities simply block access to unlawful services. Effect proves immediate; cost minimal. The problem lies in this enforcement model’s potential to erode fundamental procedural guarantees.

In a democratic state governed by law, all decisions by governmental authorities interfering with entities’ rights should be made through procedures ensuring defense rights, opportunity to be heard before decision issuance, and access to independent judicial review. The domain blocking system introduced in the Crypto-Assets Market Act undermines these standards, permitting immediate interference without prior party hearing and without possibility of execution suspension pending dispute resolution.

Should this model gain adoption across other regulatory domains, it may precipitate situations wherein administrative authorities acquire quasi-police powers to immediately eliminate from public discourse entities deemed to operate unlawfully. The boundary between justified consumer protection and governmental arbitrariness grows increasingly thin.

 

What You Should Do Now

If you conduct crypto-asset-related operations or plan to commence such activities, the time to act is now. The Act was enacted by the Sejm on September 26, 2025, and transmitted to the Senate and President. Though the legislative process remains incomplete, the Act’s entry into force constitutes a matter of coming weeks or months. Do not await publication in the Journal of Laws; do not await initial blocks; do not await KNF placement of your domain on warning lists.

The first step involves impartial legal analysis of your operations’ character. Do they actually require MiCA-derived authorization? If so, what type? Do you benefit from MiCA-provided exemptions? Do your operations fall under these regulations at all?

Do not assume that because no one has raised objections heretofore, everything remains in order. Prior regulations proved considerably more lenient, with KNF supervision limited. The new legal regime proves fundamentally different. Operations lawful yesterday based on simple registry entry may today require costly authorization. Consequences of conducting operations without requisite authorization now prove drastic – not merely financial penalties and imprisonment, but immediate website blocking and effective business termination.

Should analysis reveal your operations require authorization, do not delay commencing procedures. Preparing complete applications requires assembling extensive documentation, implementing appropriate compliance systems, obtaining cybersecurity certificates, training personnel, and ensuring adequate capital. The later you begin, the greater the risk of failing to complete procedures before transitional period expiration.

Even if you believe your operations require no authorization, consider proactive KNF communication. Better to obtain early confirmation that your statutory interpretation proves correct than to risk sudden blocking and post-facto explanation necessity. The Commission possesses capacity to provide individual interpretations, though not formally obligated to do so. Documentation of such communication may prove invaluable evidence of good faith should problems subsequently arise.

Consider also contingency planning. What will you do if your domain faces blocking? How will you communicate with clients? How will you ensure their fund access? Do you possess alternative communication channels? Have you prepared procedures for various problem scenarios? We do not suggest operating on assumptions of law violation, but prudent preparation for various scenarios constitutes fundamental professional risk management.

 

A New Regulatory Era Has Arrived

The KNF’s internet domain blocking system symbolizes broader transformation occurring in the crypto-asset market. The Wild West era concludes – when anyone could establish cryptocurrency exchanges and offer services without supervision. An era of rigorous regulation commences, enforcement of which relies not solely on traditional criminal and administrative sanctions but also on modern technological tools enabling immediate elimination of unlawful entities from digital space.

For some industry segments, this heralds the end of dreams concerning rapid profits in regulatory niches. For others, it represents opportunity to construct a stable, transparent market wherein clients may feel secure. History will reveal which vision prevails. One certainty exists – time for compliance rapidly diminishes, while consequences of disregarding new provisions may prove devastating.

Do not await your domain’s appearance on KNF lists. Verify your operations today.

Kancelaria Prawna Skarbiec offers comprehensive legal support for crypto-asset industry entities:

• Analysis of operations regarding MiCA-derived requirements
• Preparation of applications for requisite authorizations
• Representation in KNF proceedings
• Appeal procedures concerning blocked domain registry entries
• Pursuit of damage claims for unjustified blocking

Contact:
ul. Maciejki 13, 02-181 Warsaw
tel. +48 22 586 40 00
sekretariat@kancelaria-skarbiec.pl

 

This article is informational in nature and does not constitute legal advice. For specific matters, always seek individual legal opinion tailored to your circumstances.