Threat detection and reporting

Policies and procedures

What policies or procedures must organisations have in place to protect data or information technology systems from cyberthreats?

The legal regulation on cybersecurity in force in Poland does not impose obligations on all participants in economic trading, but only on operators of essential services and digital service providers.

The primary duty of operators of essential services and digital service providers in protecting data against cyberthreats is to collect information on threats to and vulnerabilities of the information system used to provide the service, and to cooperate with the state CSIRT and other authorities responsible for data security. In addition, the operator or provider is obliged to apply measures to prevent and mitigate incidents, such as applying mechanisms to ensure data security, keeping the software up to date, protecting against unauthorised modification and taking immediate action when vulnerabilities or threats are identified. The operator must also designate a person responsible for maintaining contact with the entities of the national cybersecurity system, and must make available to users of the service information that enables them to understand and protect themselves against threats. In the event of an incident, the operator shall ensure that the incident is handled and, in the event of a major incident, shall inform the relevant CSIRT without delay and at the latest within 24 hours.

To perform its data protection duties, the operator shall set up its own structures responsible for cybersecurity or enter into a contract with an entity providing such services. In accordance with the Regulation, these entities apply standardised procedures of ISO 27001 and ISO 22301.

Describe any rules requiring organisations to keep records of cyberthreats or attacks.

According to Polish regulations, operators of essential services are obliged to prepare and update documentation on the cybersecurity of the information system. Upon withdrawal or termination of the provision of an essential service, the operator shall keep such documentation for at least two years.

With regard to documentation containing personal data processed by the relevant CSIRT in connection with cybersecurity incidents or threats, there is an obligation to delete or anonymise such data within five years from the date on which the incident was handled.

Describe any rules requiring organisations to report cybersecurity breaches to regulatory authorities.

The Act on the national cybersecurity system imposes specific incident-reporting obligations on operators of essential services and digital service providers. The operator of an essential service reports an incident classified as major to the appropriate CSIRT. A major incident is understood by the legislator as one that causes or may cause a major deterioration in the quality of, or an interruption in the provision of, an essential service. Digital service providers, however, are obliged to report a substantial incident, as defined in the European Commission Implementing Regulation 2018/151. Public entities are required to report each incident, regardless of its classification.

In the event of a cybercrime, under the general rules of criminal procedure, it is the responsibility of everyone who learns about it to notify the competent authorities.


What is the timeline for reporting to the authorities?

Under Polish regulations, entities that are obliged to inform the relevant CSIRT about incidents must report immediately, and no later than within 24 hours. The report must contain all the information on the incident known at the time of reporting. The legislator has provided for the competent CSIRT to request from the reporting party access to information containing legally protected secrets to the extent necessary to carry out the tasks of the CSIRT in relation to the reported incident. The reporting party itself is obliged to correctly identify information that is a legally protected secret (eg, a business secret).

For other entities, to which the provisions on the national cybersecurity system and on providers of electronic communications services do not apply, where there has been a breach of personal data protection, the controller shall notify the breach to the supervisory authority without undue delay and, as far as possible, no later than within 72 hours after the breach has been identified, unless the breach is unlikely to result in a risk of infringement of the rights or freedoms of individuals.


Describe any rules requiring organisations to report threats or breaches to others in the industry, to customers or to the general public.

Under the Polish cybersecurity system regulations, information about incidents, threats or vulnerabilities is published by the appropriate CSIRT in the Public Information Bulletin. Such information shall be published if the CSIRT considers that it will contribute to increasing the cybersecurity of the information systems used by citizens and businesses, or ensure the secure use of the systems. Published information may not, however, violate the provisions on the protection of confidential information or legally protected secrets, or the provisions on personal data protection.

In accordance with the Polish Telecommunications Act, the service provider is obliged to inform users of any particular risk of a breach of network security that requires measures going beyond the technical and organisational measures taken by the service provider, as well as of the existing security capabilities and associated costs.

Beyond this, Polish regulations do not impose an information obligation on entities; however, providing such information is recommended to protect the interests of consumers and to increase the security of information systems in sectors of the economy exposed to data loss and data security risks.