The Senate adopted the controversial KSC Act. Now it will go to Karol Nawrocki


The new regulations change the current division of companies into operators of key services and digital service providers, replacing it with the categories of “key entities” and “important entities”.
High-risk supplier
The scope of the regulations expands significantly: in addition to energy, transport, health, banking and digital infrastructure, it will also include, among others, the space sector, wastewater management, ICT management, postal services and the production and distribution of chemicals and food.
One of the key novelties is the introduction of a procedure for recognizing companies as so-called high-risk suppliers. The minister responsible for computerization, after consultations with the prosecutor's office, the social side and the cybersecurity college, will be able to issue a decision on this matter based on technical and non-technical criteria.
Entrepreneurs will be able to appeal against it to the administrative court, but certain equipment from a recognized supplier will have to be withdrawn from the systems of key and important entities over a period of four to seven years.
The Act on the KSC on Karol Nawrocki's desk. There will be new obligations for companies
Enterprises operating in the sectors covered by the act will be obliged, among other things, to implement information security management systems, secure the supply chain of ICT products and services, and regularly assess the risk of cyberattacks and other incidents.
The current KSC Act dates from 2018 and did not include the NIS 2 directive, whose deadline for implementation in EU countries was October 18, 2024. The new regulations are to enter into force one month after their announcement.
High penalties for violations. One of them will be the most severe
Severe financial sanctions are provided for non-compliance with the new regulations. Key entities may face fines ranging from PLN 20,000 up to EUR 10 million, and important entities from PLN 15,000 to seven million euros.
Additionally, failing to comply with the orders of cybersecurity authorities can cost from PLN 500,000 to PLN 100,000 for each day of delay.
The strictest sanction, up to PLN 100 million, threatens companies whose violations cause a serious threat to state security, public order or human life and health.




