The spread of advanced information technologies not only means that many aspects of private and business life are being transferred to the digital world, but also contributes to the increased frequency of cyberattacks, with hackers using increasingly advanced methods.
The broad definition of cybersecurity encompasses a variety of practices and processes undertaken to protect computer systems, networks, devices, and data from unauthorized access, damage, theft, or other forms of attack. Self-employed IT professionals subject to flat-rate sum taxation and engaging in cybersecurity activities therefore face significant challenges in classifying such activities for accurate tax reporting.
Classifying an activity under a specific PKWiU code translates into the possibility of applying a higher or lower flat rate. It’s worth noting the “ex” symbol before some PKWiU codes listed in the Flat-rate Act. This symbol indicates that within a given PKWiU grouping, only the services listed in that provision are subject to taxation at a given rate, e.g., 12%.
One of the most frequently asked questions in taxpayers’ applications for individual tax rulings is the question regarding the possibility of applying the 8.5% flat rate to cybersecurity services.
In accordance with the emerging line of interpretation, tax authorities unanimously rule that activities including IT consulting in the field of cybersecurity (PKWiU 62.02) are related to software and therefore are subject, in accordance with art. 12 section 1 item 2b letter b) of the Act on flat-rate income tax on certain income earned by natural persons (Flat-rate Act), to the 12% rather than the 8.5% flat rate, while training services in the field of cybersecurity (PKWiU 85.59.19.0) are subject to taxation at the 8.5% rate (interpretation 0113-KDIPT2-1.4011.274.2025.3.DJD; 0114-KDIP3-2.4011.342.2025.3.MG).
It is therefore worth paying attention to interpretation 0113-KDIPT2-1.4011.171.2025.2.HJ, in which the tax authority found that a taxpayer taxed on a flat-rate basis, conducting business in the field of IT and communication consulting, may also tax revenues from activities related to cybersecurity at a flat rate of 8.5%, due to the fact that the services provided by him are not related to software or management consulting.
The applicant indicated that he would collaborate with other entities providing cybersecurity solutions, and that his activities would include offering strategic guidance on cybersecurity solutions, among other things, and presenting such solutions to clients. The taxpayer also noted that, as part of his services, he would not be a software provider, nor would he provide software-related advice, and that his activities would be limited to defining business and IT process descriptions, as well as identifying threats to ensure the security of client operations. The taxpayer classified his services as PKWiU 62.01.12.0 – i.e. as services related to the design and development of information technologies for computer networks and systems, including providing expert technical opinions to improve products and offering strategic guidance in the field of cybersecurity, conducting technical assessments of development projects to ensure their effectiveness and feasibility, and PKWiU 62.02.30.0, i.e. technical assistance in the field of IT and computer hardware.
Taxpayers taxed on a flat-rate basis who conduct or plan to expand their business in the field of IT services and want to benefit from a lower tax rate should therefore pay particular attention not only to the provisions of the Flat-rate Act, but also carefully analyse the codes of the Polish Classification of Products and Services.
Anna Siwiec
Consultant
