“Poland is becoming a much more difficult target in cyberspace.” The President signed the amendment to the act, but sent it to the Constitutional Tribunal

President Karol Nawrocki announced on Thursday that he had signed an amendment to the Act on the national cybersecurity system, which introduces, among other things, new obligations for key and important entities. At the same time, he referred it to the Constitutional Tribunal under the subsequent (follow-up) review procedure.


In a recording published on X, the President said that the amendment to the Act on the National Cybersecurity System (KSC) strengthens defense mechanisms, improves cooperation between institutions and makes it possible to exclude high-risk suppliers.

He added that he signed the amendment because “security has no party colors.”

Karol Nawrocki pointed out, however, that he had to respond to the concerns of entrepreneurs who perceive the obligations contained in the amendment “as excessive and disproportionate”. He stated that he had therefore submitted an application to the Constitutional Tribunal for subsequent review of the provisions.

“The success of Donald Tusk's government in cybersecurity!” – Deputy Minister of Digitization Paweł Olszewski, who was responsible for preparing the amendment, commented on the president's decision on X. “Despite another trick with the Constitutional Tribunal, after 6 years Poland has a modern National Cybersecurity System,” he added, referring to the time it took to process the amendment.

According to Olszewski, Poland is becoming a much more difficult target in cyberspace. “We cannot afford half-measures,” he emphasized.

The key sectors under the amendment to the KSC Act include: energy, transport, health care, banking and financial market infrastructure, water supply, digital infrastructure, as well as sectors not previously covered by the KSC: sewage, ICT (telecommunications infrastructure) management and space. Key sectors also include public entities, including offices, local governments, schools, hospitals and research institutes.

The important sectors, according to the amendment, include: postal services; waste management; digital service providers; production and distribution of chemicals; food production, processing and distribution; and manufacturing, including, among others, medical devices, computers, electrical equipment, motor vehicles, trailers and semi-trailers.

According to the amendment, companies must assess for themselves whether they meet the criteria for a key entity or an important entity. If they do, they will be obliged to register in the list of KSC entities and will have 6 months from self-identification to do so. Failure to report to the system may result in penalties.

The amendment provides that organizations from key and important sectors will have a number of new cybersecurity obligations, including implementing an information security management system, regularly assessing the risk of incidents, and managing incidents. It will also be mandatory to collect information on cyber threats and vulnerabilities and to apply measures that limit the impact of incidents. Such measures include, for example, regular software updates or taking immediate action once a threat is noticed.

Entities covered by the KSC will also have to implement technical and organizational measures proportionate to the assessed risk, adapted, among other things, to the size of the organization. These measures include cybersecurity policies and procedures, access control to systems, secure means of communication including multi-factor authentication, and employee training. The implemented measures are intended to ensure the safety of people, the environment, the entity's resources and the supply chain of ICT products, services and processes. They are also intended to ensure the continuity of the entity's operations and its ability to provide services in the event of an incident.

The amendment assumes that key and important entities will provide each other with information about incidents, cyber threats and vulnerabilities using the s46 system. In addition, key entities will be obliged to conduct a security audit at their own expense, at least once every 3 years.

Key and important entities will have 12 months to adapt to the regulations – from the date of entry into force of the amendment act.

The amendment also provides for the creation of sectoral CSIRT teams that will support entities covered by the KSC in handling cybersecurity incidents.

Pursuant to the act, a National Plan for responding to large-scale cybersecurity incidents and crises will also be introduced. It is to be adopted by the Council of Ministers within 6 months from the date of entry into force of the amendment. In addition, the Minister of Digital Affairs will be able to issue a protective order specifying actions that limit the effects of an ongoing critical incident. Under such an order, the Minister may, for example, require the entity to conduct a risk analysis or to secure certain information.

The amendment introduces the term “serious incident”, i.e. one that causes or may cause: a serious deterioration of quality; an interruption of service continuity; financial losses; or serious harm to other persons and entities. Key and important entities will have to report such incidents to the appropriate CSIRT within 72 hours of detection, and will have to submit an “early warning” to the sectoral CSIRT within 24 hours. KSC entities will also be obliged to notify service users about a serious incident if it has a negative impact on the provision of services.

Financial penalties will be imposed on entrepreneurs covered by the KSC for non-compliance with the regulations. The fine for key entities may amount to 2% of company revenue, with a minimum of PLN 20,000 and a maximum of EUR 10 million (approx. PLN 42.4 million). Fines for important entities may amount to 1.4% of company revenue, with a minimum of PLN 15,000 and a maximum of EUR 7 million (approx. PLN 20 million).

Regardless of these limits, failure to comply with an order of the cybersecurity authority will result in a fine ranging from PLN 500 to PLN 100,000 for each day of delay. Such a penalty may be imposed, for example, for failure to comply with an order to take specific actions in handling a serious incident, or for failure to conduct an audit.

The Act also provides for penalties of up to PLN 100 million where a key or important entity is found to have violated the provisions of the Act and, at the same time, to have caused a direct and serious cybersecurity threat to defense, state security, public safety and order, or human life and health, or to have caused a risk of serious property damage or serious disruption to the provision of services.

During the parliamentary work on the act, changes were adopted that clarified some of the solutions. One of them introduced an obligation for the president's representative to participate in government work on the Council of Ministers' resolution on the National Plan for responding to large-scale cybersecurity incidents and crises.

Another provided that administrative fines for failure to fulfill the obligations arising from the amendment to the KSC Act may be imposed for the first time only after 2 years from the date of entry into force of the amendment. This is intended to give regulated entities adequate time to prepare for the new requirements.

The previous version of the KSC Act dates from 2018 and contains no provisions implementing the EU NIS 2 directive. The deadline for transposing that directive into national law expired on October 18, 2024.

The amendment to the Act on the national cybersecurity system is to enter into force one month after its announcement. (PAP)


Ashley Davis
