Karol Nawrocki signed Lex Huawei. The president emphasizes the risk for entrepreneurs


“We live in an era where war does not always start with a gunshot, sometimes it starts with a click. The number of cyberattacks is growing dramatically,” the president said in a recording published on X.
Announcing that he had signed the amendment to the Act on the National Cybersecurity System, he added that digital security is today an element of state security. “This bill strengthens defense mechanisms, improves institutional cooperation and allows us to eliminate high-risk suppliers,” he said.
However, he added that he must also respond to the voice of entrepreneurs who believe that the statutory obligations imposed on them are excessive and disproportionate. Therefore, in this case, he will ask the Constitutional Tribunal for a subsequent review of the act, i.e. a review after signing.
The amendment is the result of the work of both the PiS government and the October 15 coalition. It was first made public in September 2020. Three years later, the draft was submitted to the Sejm, but the government withdrew it before work began. After the October 15 Coalition took power, work on the regulations started again and was finally completed. The Act will enter into force one month from the date of announcement.
What does the KSC Act change?
The Act implements the directive on measures towards a high common level of cybersecurity across the Union, the so-called NIS 2 directive, adopted in December 2022. NIS is an abbreviation of “Network and Information Systems Directive”.
The directive should be applied from October 2024. The European Commission has already called on Poland to explain the delays in its implementation.
Among other things, the amendment expands the list of entities covered by its obligations, strengthens the incident response system and clarifies the roles of the authorities responsible for cybersecurity.
High-risk suppliers
The most important change concerns high-risk suppliers, i.e. those suppliers of new technologies, hardware or software who do not guarantee security. This is why the Act is called Lex Huawei.
Entities important for the functioning of the state will not be able to introduce products from high-risk suppliers into their systems, and if they already have any, they will be obliged to withdraw them within 7 years. A supplier who does not agree with the decision will be able to file a complaint with the administrative court. The president did not like these regulations either.
“These provisions interfere with the independence of entrepreneurs' functioning, including by imposing the obligation to replace hardware and software without compensation and without securing financial resources for this purpose. Moreover, the system of decision-making by cybersecurity authorities towards key and important entities, from the point of view of procedural guarantees and in the field of judicial protection, is defective. The system of administrative penalties provided for by the act is restrictive, and the amount of penalties that can be imposed has the nature of independent punitive measures,” we read in the information on the president's website.
18 industries are too many
Moreover, under the Act, the national cybersecurity system (KSC) will be expanded to include new sectors of the economy, such as sewage disposal, postal services, space, and the production and distribution of chemicals and food. The idea is that the current division into key service operators and digital service providers will be replaced by a new pair of categories: key entities and important entities. This means that more enterprises will have to meet the high requirements of the NIS 2 directive, e.g. regarding incident reporting, risk assessment, and management responsibility.
The president has doubts about the act's coverage of as many as 18 sectors of the economy, grouped into key and important entities. In his opinion, this extension does not result from European regulations, but is an independent initiative of the government. For this reason, he referred these provisions to the Constitutional Tribunal.
As Adam Woźniak, partner at Grant Thornton, leader of the Cybersecurity Technology team, explains, the existing standards affected a narrow group of enterprises, and implementing new requirements will be expensive. In his opinion, however, it is better to treat it as an investment.
He also points to another important change, which concerns management board members. They will be personally liable for violations, including criminal liability. Administrative penalties are severe: up to EUR 10 million or 2% of global turnover. It becomes necessary to implement a risk management and accountability process.
What can the Tribunal do?
Acts submitted to the Constitutional Tribunal for subsequent review, i.e. after signing, are considered in the same way as others. There is no deadline for considering the president's application; for example, the Tribunal does not have to rule during the act's vacatio legis period, i.e. before it enters into force.
The Tribunal may share the president's doubts and declare that a given provision is unconstitutional. The provision may lose its validity on the day the judgment is announced, but it does not have to. The Constitutional Tribunal may also specify a deadline for its removal. The current government does not publish the Constitutional Tribunal's judgments, which may complicate the situation of companies covered by the regulations.
The Tribunal may also disagree with the president's arguments, and then the provisions will continue to apply.




