A revolution in cybersecurity. New obligations for waterworks, banks and food producers

The draft amendment to the act on the national cybersecurity system provides for high penalties for companies that break the law and pose a serious threat to security, Deputy Prime Minister and Minister of Digital Affairs Krzysztof Gawkowski told PAP. The maximum penalty in such cases is PLN 100 million.


New responsibilities: from energy to food production
Last week, the Sejm received a draft amendment to the Act on the National Cybersecurity System (KSC), which implements the NIS 2 directive in Poland. The draft provides that companies from key and important sectors (energy, health, banking, manufacturing, water supply, among others) will take on a number of new cybersecurity obligations. Among other things, it will be mandatory to implement an information security management system, to ensure the security of the supply chain of ICT products, services and processes, and to regularly assess the risk of incidents.
The draft also provides that companies from sectors covered by the KSC Act will be subject to financial penalties for failing to fulfil these obligations. Where a key or important entity violates the regulations and at the same time poses a serious threat, for example to national defence or to human life, the fine may amount to up to PLN 100 million. This is the maximum amount provided for in the draft for such cases.
Gawkowski: It's about winning the hybrid war
– The penalties provided for in the amendment are a means of forcing companies, public institutions, the state and citizens to treat cybersecurity very seriously – emphasized the Deputy Prime Minister and head of the Ministry of Digital Affairs in an interview with PAP.
– High penalties apply to those who do not comply with the regulations and may pose a serious threat to security. If no one breaks the law, there will be no penalties – he added.
He assured that “the state will not excessively punish” entrepreneurs.
As he noted, the amendment to the Act on the National Cybersecurity System is intended to ensure security in the event of critical situations in cyberspace. – It is intended to guarantee that the hybrid war with Russia or other countries will be won; that there will be no shortage of electricity in the socket or water in the tap of citizens. It is intended to provide security for companies and public institutions – he emphasized.
“Key” and “important” entities. What penalty rates?
The amendment to the KSC Act is intended to implement in Poland the EU NIS 2 directive on cybersecurity and the EU 5G Toolbox, the EU document on 5G network security. NIS 2 replaced the earlier division into operators of essential services and digital service providers with a division into “key entities” (the directive's “essential entities”) and “important entities”. It also brings new sectors under cybersecurity obligations. Alongside energy, transport, health, banking, financial market infrastructure, water supply and digital infrastructure, NIS 2 adds, among others: wastewater, ICT service management, space, postal services, the production and distribution of chemicals, and food production and distribution.
Fines for non-compliance will be imposed on entrepreneurs from these sectors as follows: as a rule, on key entities in the amount of at least PLN 20,000 and at most EUR 10 million (approx. PLN 42.4 million); on important entities, at least PLN 15,000 and at most EUR 7 million (approx. PLN 29.7 million at the same exchange rate). Alternatively, the penalty may amount to 2% of the entrepreneur's revenue in the previous financial year in the case of key entities, and 1.4% of revenue in the case of important entities.
PLN 100 million fine – when is the maximum penalty imposed?
Separately from these limits, failure to comply with an order of the cybersecurity authority will result in a fine of between PLN 500 and PLN 100,000 for each day of delay. Such a penalty may be imposed, for example, for failing to comply with an order to take specific actions in handling a serious incident, or for failing to conduct an audit.
The fine of up to PLN 100 million, by contrast, applies where a key or important entity is found to be violating the provisions of the Act and at the same time causing a direct and serious cybersecurity threat to national defence, state security, public safety and order, or human life and health; or causing a threat of serious property damage or of serious disruption to the provision of services.
In the justification for the draft amendment, the Ministry of Digital Affairs (MC) stressed that where a violation of the regulations carries serious consequences for the state and its citizens, the penalties should be “appropriately high”, so as to deter the company from further violations. As the ministry noted, this matters because Poland currently has the second alert level (BRAVO-CRP) in force, which is introduced when there is a real probability of a terrorist event occurring in cyberspace but the specific target of the attack has not been identified.
The current version of the KSC Act dates from 2018 and contains no provisions implementing the EU NIS 2 directive, whose deadline for transposition into national law expired on October 18, 2024.
Monika Blandyna Lewkowicz (PAP)
mbl/ mick/ lm/