The European Parliament adopted the very first EU-wide legislation on cybersecurity, the Directive on Security of Network and Information Systems (the "NIS Directive"), in June 2016. Theoretically, all Member States had time to implement it into national laws by May 2018. However, some countries, including Poland, encountered certain issues with the implementation, which caused the European Commission to intervene. Then, on 5 July 2018, the Polish Parliament adopted the Act on National Cybersecurity System (the "Act"), which finally entered into force on 28 August 2018.
In light of its main objective, i.e. creating a national cybersecurity system, the Act focuses on a clear and precise distribution of tasks and obligations, as well as ways to prevent and minimise the effects of attacks and threats infringing cybersecurity in Poland. The cybersecurity system consists of national and local government institutions and the biggest entrepreneurs active in key economy sectors. The NIS Directive's provisions are reflected in the Act, which mentions for example (i) the operators of essential services (e.g. the biggest banks, energy companies, air and railway undertakings, ship-owners, hospitals, etc.); (ii) providers of essential services (such as online trading platforms); and (iii) competent authorities. According to the Act, the computer security incident response teams will exist in three Polish institutions: the Internal Security Agency, the Research and Academic Computer Network (NASK), and the Ministry of National Defence. It is not clear at this point whether any other, more sectoral, incident response teams will be created. Keeping in mind the degree to which economic sectors can differ from each other, as well as the necessity to exchange information between EU Member States, the creation of such teams is highly anticipated.
The Act provides for a number of important dates related, for example, to considering a certain entity as an operator of essential services. The competent authorities were under an obligation to issue relevant decisions granting certain entities the status of an operator of essential services by 9 November 2018. This date was also the final deadline for applying to the Ministry of Digital Affairs with a request to enter the identified doperators on the official list. On the other hand, the Ministry of Digital Affairs was obliged to inform the European Commission about the list of essential services, as well as their operators. This ministry is also responsible for preparing a cybersecurity strategy for Poland, which should be ready by 31 October 2019.
A good step in the direction of regulating cybersecurity issues and threats in Poland was the obligation to appoint a national (government) cybersecurity representative, whose tasks are aimed at coordination and pursuit of government policy towards the ensuring of cybersecurity in Poland. So far it is difficult to tell whether such representative will indeed have any real power, as its main obligations focus on reporting and commenting on certain security issues. The fines which may be imposed for cybersecurity infringement are restricted to particular amounts, the biggest of which is PLN 1 million (approx. EUR 233,000). This fine may be imposed for infringements which directly and seriously threaten national security and defence.
One of the questions experts have already raised is whether the goals, assumptions and expectations related to the Act will be fully achieved. The Act provides for a fairly tight budget for 2019 – 2027, which may lead to difficulties even in allocating the money into certain projects. The Act is not the only piece of legislation implementing the NIS Directive. Soon it will be accompanied by several additional regulations, which hopefully will help fill in the legal loophole in Polish cybersecurity. Practice will show whether the Act, together with other legal provisions, will be a successful move in striving to improve the level of cybersecurity protection in Poland.
This article was up to date as at the date of going to publishing on 10 December 2018.