Summarise the main statutes and regulations that promote cybersecurity. Does your jurisdiction have dedicated cybersecurity laws?
Poland has implemented Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (the NIS Directive) by adopting the Act of 5 July 2018 on the national cybersecurity system. The Act entered into force on 28 August 2018 and is the only statutory act devoted solely to cybersecurity.
The Act imposes obligations on operators of essential services (ie, entities that provide services of key importance for the functioning of the economy and society), as well as on digital service providers and public entities.
On 22 October 2019, the Cybersecurity Strategy of the Republic of Poland for 2019–2024 was adopted by Resolution No. 125 of the Council of Ministers. The Strategy replaced the Cybersecurity Strategy for the years 2017–2022 and includes, among other things, a description of actions that will increase the level of incident resilience and information security in the public, military and private sectors.
Cybersecurity is also addressed in the Polish Penal Code, which provides for offences relating specifically to digital and information security, set out mainly in Chapter XXXIII of the Penal Code (offences against the protection of information). The following categories of offences are penalised:
- destruction, damage, deletion or alteration of IT data, or obstruction of access to it (articles 268 and 268a of the Penal Code);
- computer sabotage, ie, corruption of IT data of particular importance for national defence, transport safety or the functioning of public administration, or disruption of the automatic processing of such data (article 269 of the Penal Code);
- disruption of the operation of an information system, ICT system or ICT network (article 269a of the Penal Code);
- creation, procurement, sale or sharing of devices or computer software adapted for committing such offences, as well as computer passwords, access codes and other data enabling unauthorised access to information stored in an information system, ICT system or ICT network (article 269b of the Penal Code); and
- computer fraud committed by affecting the processes of automatic processing, collection or transmission of IT data, or by altering, deleting or introducing new IT data records, in order to obtain a material benefit or cause damage (article 287 of the Penal Code, which sits in Chapter XXXV on offences against property).
The solutions adopted in Chapter XXXIII of the Penal Code result from Poland's signature of the Council of Europe Convention No. 185 on Cybercrime (the Budapest Convention) and from Council Framework Decision 2005/222/JHA on attacks against information systems, since replaced by Directive 2013/40/EU.
In some sectors of the economy, for instance the financial sector, there are also sector-specific regulations addressing information security. One example is the Regulation of the Council of Ministers of 26 October 2004 on the manner of creating, recording, transmitting, storing and securing documents related to banking activities prepared on electronic data media, which is secondary legislation under the Banking Law.
Poland, as a member of the European Union, is also directly bound by EU regulations (eg, the EU Cybersecurity Act, Regulation (EU) 2019/881).
Additionally, cybersecurity can be seen as a part of a broader regulation of data flow, therefore the regulations on personal data protection are complementary. These are the Polish Act of 10 May 2018 on Personal Data Protection and Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the General Data Protection Regulation (GDPR)).
Which sectors of the economy are most affected by cybersecurity laws and regulations in your jurisdiction?
Energy, transport, banking and financial market infrastructure, healthcare, drinking water supply and distribution, and digital infrastructure are the sectors most affected by cybersecurity laws and regulations in Poland. These are the sectors for which the legislator uses the adjective 'essential' and that are listed in the Appendix to the Act on the national cybersecurity system; digital service providers are subject to a separate, lighter set of obligations under the same Act.
In the authors' opinion, it is difficult to evaluate which sector of the Polish economy has made the most progress towards promoting cybersecurity and which sectors need to improve, as the regulation of cybersecurity in Poland only entered into force in August 2018 and the market is not yet very mature.
Has your jurisdiction adopted any international standards related to cybersecurity?
On 27 June 2019, Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019, known as the Cybersecurity Act, entered into force. Its provisions on national cybersecurity certification authorities and penalties apply from 28 June 2021, so Poland has until that date to adapt its national legal acts. The Cybersecurity Act introduces, for the first time, EU-wide rules for the cybersecurity certification of ICT products, processes and services. In addition, it gives the European Union Agency for Cybersecurity (ENISA) a permanent mandate and allocates more resources to the Agency to enable it to fulfil its goals. This is a very important regulation that will significantly change the existing certification model, which has been dominated by the SOG-IS mutual recognition agreement (Senior Officials Group Information Systems Security). Poland became a signatory to SOG-IS in 2018.
The Polish Ministry of Digital Affairs is working on adapting Polish law to the new European rules. The aim is to make full use of the possibilities the regulation creates for the recognition of certificates at the European level.
One of the assumptions of the adopted Cybersecurity Strategy for 2019–2024, which aims to achieve the goal of increasing the level of resilience of public administration and private sector information systems, is the development of new or translated existing norms and standards into specific recommendations in the field of cybersecurity. The Strategy also provides for the designation of a national body to issue European cybersecurity certificates and to supervise national bodies established for conformity assessment of products with the requirements set out in European cybersecurity certification schemes.
Currently, the most widely used international standard in Poland is ISO/IEC 27001. The Polish Committee for Standardisation is the government body responsible for ensuring the coherence of the national standardisation system with the European one, and it has adopted ISO/IEC 27001 into the Polish system as PN-EN ISO/IEC 27001. The standard sets out the requirements for establishing, implementing, maintaining and continually improving an information security management system within an organisation. The requirements are general and apply to all organisations regardless of their type, size and nature. Certification against ISO/IEC 27001 is voluntary for organisations and private companies in Poland and is not required by applicable law in general.
However, the Regulation of the Minister of Digital Affairs of 10 September 2018 on organisational and technical conditions for entities providing cybersecurity services and for the internal organisational structures of operators of essential services responsible for cybersecurity, issued under the Act on the national cybersecurity system, does impose standard-based obligations on entities providing cybersecurity services. These entities are obliged to (i) maintain and keep up to date an information security management system that meets the requirements of PN-EN ISO/IEC 27001; and (ii) ensure the continuity of their incident response service, which consists of recording and handling information system security incidents, in accordance with the requirements of PN-EN ISO 22301, the Polish implementation of ISO 22301 (business continuity management).
What are the obligations of responsible personnel and directors to keep informed about the adequacy of the organisation’s protection of networks and data, and how may they be held responsible for inadequate cybersecurity?
As a rule, responsibility for a company's actions lies with the partners representing the company or, in the case of a capital company, with its management board. The responsibility of partners and board members extends to all areas of the company's business activity, so it also covers information security and cybersecurity.
The Act on the national cybersecurity system introduced an obligation for operators of the essential services, digital service providers and public entities to appoint a person responsible for maintaining contacts with the entities of the national cybersecurity system, and to establish internal structures responsible for cybersecurity or to enter into appropriate agreements with external entities providing services in the field of cybersecurity.
Failure to meet these requirements may result in the financial penalties provided for in the Act on the national cybersecurity system. Failure to appoint a person responsible for maintaining contact with the entities of the national cybersecurity system carries a fine of up to 15,000 zlotys, while failure to establish internal structures responsible for cybersecurity, or to enter into an agreement with an external cybersecurity service provider, carries a fine of up to 100,000 zlotys.
How does your jurisdiction define cybersecurity and cybercrime?
The statutory definition of cybersecurity was introduced into the Polish legal system by the Act on the national cybersecurity system. Under the Act, cybersecurity means the resilience of information systems to actions that violate the confidentiality, integrity, availability and authenticity of the data processed, or of the related services offered by those systems.
However, there is no uniform definition of cybercrime in the Polish legal system. In this respect, the most frequent reference is made to definitions formulated by international entities, such as the United Nations, the Council of Europe, the European Union or Interpol.
The Penal Code does not use the term ‘cybercrimes’ either, and the legislator uses descriptive names, such as ‘computer fraud’, ‘disruption of an information system, ICT system or information network’ and others to describe crimes generally classified as cybercrimes.
The distinction between cybersecurity and data privacy can be made in relation to personal data, which is regulated by the GDPR and the Act of 10 May 2018 on the Protection of Personal Data.
The regulatory regime for information system security (the Act on the national cybersecurity system and the GDPR) and the enforcement of cybercrime under the Penal Code are therefore distinct in Poland.
What are the minimum protective measures that organisations must implement to protect data and information technology systems from cyberthreats?
The Act on the national cybersecurity system only introduces general security measures that operators of essential services, digital service providers and public entities must implement to ensure the security of information and information systems. In this respect, the Act imposes an obligation on the indicated entities to implement a security management system that ensures:
- carrying out of systematic incident risk assessment and management;
- implementation of appropriate technical and organisational measures, proportionate to the estimated risk, taking into account the current state of the art;
- collection of information on cyberthreats and vulnerabilities of the information system in use;
- use of prevention and mitigation measures to limit the impact of incidents on the security of the information system in use; and
- use of means of communication enabling correct and secure communication within the national cybersecurity system.
Entities that are required by law to provide certain cybersecurity standards are free to choose specific security measures to achieve the objectives set out in the law.
Additionally, in accordance with article 32 of the GDPR, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Such measures need to take into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. This provision only applies to personal data rather than to any type of data.
Scope and jurisdiction
Does your jurisdiction have any laws or regulations that specifically address cyberthreats to intellectual property?
To date, there are no specific regulations in force in Poland concerning cybercrimes committed against intellectual property. Computer-related crimes committed against intellectual property rights are punishable under the same conditions as other crimes against property rights.
Does your jurisdiction have any laws or regulations that specifically address cyberthreats to critical infrastructure or specific sectors?
Currently in Poland, there are two legal regimes that address the issue of cybersecurity in the areas in question: the GDPR and the Act on the national cybersecurity system.
Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection and the Regulation of the Council of Ministers of 30 April 2010 on National Critical Infrastructure Protection Programme, adopted on the basis of this Directive, introduced the concept of ‘critical infrastructure’ into the Polish legal system.
The definition of this concept is contained in the Act of 26 April 2007 on Crisis Management, according to which critical infrastructure shall be understood as systems and mutually bound functional objects contained therein, including constructions, facilities, installations and services of key importance to the security of the state and its citizens as well as serving to ensure the efficient functioning of public administration authorities, institutions and enterprises.
The Act on the national cybersecurity system lists the sectors (energy, transport, banking and financial market infrastructures, healthcare, drinking water supply and distribution, and digital infrastructure) and the subsectors of the economy identified as essential; thus, imposing specific security obligations on entities operating in these sectors.
However, the Polish legal system does not contain provisions that separately penalise cybercrimes directed against critical infrastructure or the essential sectors. The Penal Code penalises crimes committed with the use of computer hardware and IT infrastructure against any infrastructure, regardless of its type or significance for the economy of the state (article 269, on computer sabotage, is the closest provision, as it covers data of particular importance for national defence, transport safety and public administration).
Does your jurisdiction have any cybersecurity laws or regulations that specifically restrict sharing of cyberthreat information?
The Polish legislator has not penalised the sharing of information about cyberthreats.
The Act on the national cybersecurity system introduced an obligation to report incidents (ie, events that have or may have an adverse effect on cybersecurity), together with a description of the incident, to the relevant Computer Security Incident Response Team (CSIRT). This obligation applies to all operators of essential services, digital service providers and public entities.
Information on vulnerabilities, incidents and cyberthreats, as well as on the risk of an incident, is published in the Public Information Bulletin after consultation with the reporting entity. Such information is not made available if its disclosure would be detrimental to public security or public order, or if it could adversely affect the investigation, detection and prosecution of cybercrimes.
In accordance with the article 267 of the Penal Code:
- section 1 provides that whoever, without authorisation, gains access to information not intended for him or her by opening a sealed letter, plugging into a telecommunications network, or by breaching or bypassing electronic, magnetic, computer or other special protection of such information, is subject to a fine, the penalty of limitation of liberty or the penalty of deprivation of liberty for up to 2 years;
- section 2 provides that whoever, without authorisation, gains access to a whole computer system or a part of it, is subject to the same penalty;
- section 3 provides that whoever, with the purpose of gaining unauthorised access to information, installs or employs a wiretapping or visual device, or other device or software, is subject to the same penalty;
- section 4 provides that whoever discloses to another person information obtained in the manner referred to in sections 1 to 3, is subject to the same penalty; and
- section 5 provides that the crimes provided for in sections 1 to 4 are prosecuted upon the harmed party's motion.
Sections 3 and 4 of article 267 apply only to conversations in which the person recording did not participate. Recording a private conversation in which a person receives information addressed to him or her is not an offence under article 267. Civil liability is a separate matter. Article 23 of the Civil Code states that personal rights are protected by law. Legal doctrine allows the catalogue of personal rights to be extended and, in the authors' opinion, the confidentiality of a conversation belongs to this catalogue.
In accordance with article 23 of the Civil Code, personal interests of a human being, in particular health, freedom, dignity, freedom of conscience, surname or pseudonym, image, confidentiality of correspondence, inviolability of home as well as scientific, artistic, inventive and reasoning activities, shall be protected by the civil law regardless of the protection provided for by other provisions.
In cases specified by Polish law, the police may apply operational control consisting in obtaining and recording the content of correspondence, including correspondence conducted by means of electronic communication.
Polish legislation does not contain detailed regulations concerning metadata.
What are the principal cyberactivities that are criminalised by the law of your jurisdiction?
The main cyberactivities that are subject to criminalisation under the Penal Code are the following:
- unauthorised access to information or to an IT system (article 267, sections 1 and 2);
- destruction, damage, deletion, alteration or prevention of access to IT data (articles 268 and 268a);
- disruption or prevention of the automatic processing, gathering or transmission of IT data (article 268a);
- computer sabotage against data of particular importance for the state (article 269);
- disruption of the work of a computer system, ICT system or ICT network (article 269a);
- unlawful creation, procurement, sale or sharing of devices or computer software adapted for committing computer crimes, as well as passwords, access codes or other data enabling unauthorised access (article 269b);
- theft and fencing of computer software (article 278, section 2 and article 293); and
- breaking or bypassing security measures to gain access to another person's computer data or to all or part of a computer system (article 267).
As previously indicated, these provisions are a consequence of Poland signing the Council of Europe Convention No. 185 on Cybercrime and of Council Framework Decision 2005/222/JHA on attacks against information systems (since replaced by Directive 2013/40/EU).
How has your jurisdiction addressed information security challenges associated with cloud computing?
The problem of cloud computing and cloud services is to be covered within the framework of new cybersecurity standards and norms, the creation of which is planned under the Cybersecurity Strategy for 2019–2024.
At present, there are no separate, detailed regulations in Poland concerning cloud services, and there is no information on plans to adopt additional regulations on cloud computing. Cloud services are instead governed by the Act of 18 July 2002 on providing services by electronic means, which defines the obligations of a service provider providing services by electronic means, the rules on exempting such providers from legal liability and the rules for protecting the personal data of natural persons using such services.
The Act on providing services by electronic means obliges the service provider to ensure that the operation of the ICT system under its control provides the service recipient, free of charge, with:
- use of a service provided by electronic means in a manner that prevents unauthorised persons from accessing the contents of communications, being an element of the service, in particular through applying cryptographic techniques appropriate for characteristics of the service provided;
- unequivocal identification of parties to the service provided by electronic means; and
- the possibility of termination, at any moment, of use of a service provided by electronic means.
Data stored with the use of cloud services are also subject to regulations on personal data protection, including obligations relating to ensuring the security of data processing stored in the cloud.
How do your jurisdiction’s cybersecurity laws affect foreign organisations doing business in your jurisdiction? Are the regulatory obligations the same for foreign organisations?
As a member of the European Union, Poland is obliged to apply in its legislation regulations compliant with the law of the Union. The Act on the national cybersecurity system, being an implementation of the Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union, introduces the same rights and obligations for national and foreign entities in terms of cybersecurity. Other existing national regulations also do not differentiate the legal situation of foreign entities from domestic entities in this context.
Best practice
Increased protection
Do the authorities recommend additional cybersecurity protections beyond what is mandated by law?
The Cybersecurity Strategy for 2019–2024 emphasises the need to conduct regular audits and security tests in order to periodically assess the effectiveness of the implemented security management systems and the adequacy of the security measures. However, the authorities do not recommend specific tools for auditing and testing, beyond the general stipulation that one of the activities planned for 2019–2024 is the promotion of security testing in the bug bounty model.
The initiative to offer guidelines in the field of cybersecurity is led by the Research and Academic Computer Network (NASK), whose role is to educate and popularise knowledge on cybersecurity and cyberthreats. NASK develops and implements social projects and training for companies and institutions, with particular emphasis on ICT security issues. NASK participates in the European Commission's Safer Internet programme, promoting safe use of new technologies and the internet among children and young people. It is also active in issuing guidelines and guides of good practices, serving the education of society in the field of internet safety.
How does the government incentivise organisations to improve their cybersecurity?
At present, there are no government initiatives aimed at organisations, private entities or entrepreneurs in the field of cybersecurity in Poland going beyond the existing legal regulations.
The Polish Committee for Standardisation, a national budgetary body established to carry out tasks in the field of certification and standardisation, organises and conducts training, publishing, promotion and information activities in the field of standardisation and related areas, including ISO 27001 certification.
The government's initiatives are addressed mainly to local and regional authorities. The Cybersecurity Strategy for 2019–2024 contains provisions concerning cooperation between the government and local government units for the purpose of increasing competences in designing processes increasing cybersecurity, including the use of safe and modern methods of data processing in cloud computing, creating safe applications and using mobile systems.
Identify and outline the main industry standards and codes of practice promoting cybersecurity. Where can these be accessed?
One of the industries operating on the Polish market, which has a dedicated code of conduct related to ensuring digital security, is the telecommunications industry. The majority of Polish mobile operators have become signatories of the European Framework for Safer Mobile Use by Young Teenagers and Children.
The adopted code of conduct provides, in particular, for the promotion of safe use of mobile services by children and adolescents, access for parents and legal guardians to information on how children and adolescents can use mobile phones safely and on content dedicated to these age groups. Information about joining the European Framework for Safer Mobile Use by Young Teenagers and Children can be found online.
In addition to the telecommunications market, in response to the growing threat of cybercrime in the banking sector, on 29 November 2016 the Council of the Polish Bank Association (ZBP) appointed the ZBP Banks' Cybersecurity Committee. On 10 January 2018, the Management Board of ZBP created the ZBP Bank Security Team, within which operates FinCERT.pl, the banking cybersecurity centre of ZBP.
As of 1 January 2019, the Committee comprised 29 joint-stock banks, one state bank and two cooperative banks, which together hold 95.23 per cent of the total assets of all banks and 97.05 per cent of the total assets of joint-stock and state banks. This information may be accessed at www.zbp.pl/dla-bankow/Cyberbezpieczenstwo.
Are there generally recommended best practices and procedures for responding to breaches?
The adopted legislation imposes on operators of essential services obligations related to incident handling and reporting: the operator must detect the incident, record and classify it against the thresholds that determine whether it qualifies as a major incident, and report a major incident immediately, and no later than 24 hours after its detection, to the relevant CSIRT.
Incident reporting initiates further handling of the incident, in which the operator is obliged to cooperate with the relevant CSIRT and provide access to the necessary information concerning the incident.
The Act on the national cybersecurity system gave a statutory basis to the previously existing entities handling and responding to computer incidents at the national level (Computer Security Incident Response Teams, in the nomenclature of Directive 2016/1148). In Poland, these are CSIRT GOV (operated by the Internal Security Agency), CSIRT MON (operated by the Ministry of National Defence) and CSIRT NASK (operated by NASK, where it was previously known as the National Cybersecurity Centre, NC Cyber).
Their task is to counter cyberthreats of a cross-sectoral and cross-border nature, to coordinate the handling of major, substantial and critical incidents, and to provide information about incidents, both within the network of government organisations related to cybersecurity and to the general public.
The Act on the national cybersecurity system also introduces two new bodies that coordinate cybersecurity activities at the government level: the Government Plenipotentiary for Cybersecurity and the Cybersecurity College (Kolegium do Spraw Cyberbezpieczeństwa), an opinion-giving and advisory body attached to the Council of Ministers.
In addition, in line with the requirements of the GDPR, the Act on the national cybersecurity system sets out the rules for processing personal data within the national cybersecurity system, including the processing of incident data.
Information sharing
Describe practices and procedures for voluntary sharing of information about cyberthreats in your jurisdiction. Are there any legal or policy incentives?
At present, there is no regulation covering the voluntary sharing of information on cybercrime. So far, law enforcement agencies have informed the public about the state of cybersecurity in Poland through the publication of annual reports.
How do the government and private sector cooperate to develop cybersecurity standards and procedures?
The need for the government sector to cooperate with the private sector within the framework of ensuring the security of cyberspace is reflected in the provisions of the Cybersecurity Strategy for 2019–2024, as it was in the previous Cybersecurity Strategy for 2017–2022. According to the content of this document, the government is obliged to strive to build an effective system of public–private partnership, as well as to engage in existing and emerging forms of European public–private cooperation.
The above is to be implemented, inter alia, through active government support for research and development projects in the field of cybersecurity, including projects carried out in cooperation with private companies and research centres.
Cooperation with the private sector in the field of cybersecurity is conducted by the NASK National Research Institute, which, using its own analytical and research and development facilities, conducts research and analyses on the use of new technologies and the implementation of these solutions. The aim of these activities is to develop new, effective methods and techniques for identifying, analysing and responding to threats to the security of networks and ICT systems, and to put them to practical use in innovative NASK products, including those enabling the detection and prevention of threats. Innovative solutions developed by NASK are then commercialised.
Insurance
Is insurance for cybersecurity breaches available in your jurisdiction and is such insurance common?
Insurance against cyber risks (known commercially as cyber insurance) is becoming increasingly popular on the Polish market. The addressees of offers prepared by insurance companies are entrepreneurs operating on the Polish market – collecting, processing or transmitting any data. The scope of insurance normally covers three types of costs incurred in connection with a cyberattack, namely: costs related to data recovery, purchase of software, deletion of malicious software, among others; additional costs, such as legal defence costs, public relations costs and costs of external consultations; and civil liability.
Which regulatory authorities are primarily responsible for enforcing cybersecurity rules?
Competence to supervise the application of the Act by the obliged entities is allocated at the ministerial level. The competent authorities are the:
- minister responsible for informatisation (the Minister of Digital Affairs) for the digital infrastructure sector and for digital service providers;
- Minister of National Defence for operators of essential services in every sector, and for digital service providers, that are subordinate to or supervised by the Ministry of National Defence, including entrepreneurs of particular economic and defence importance;
- Minister of energy for the energy sector;
- Minister of maritime economy and the Minister of inland navigation for the water transport subsector;
- Minister of transport for the transport sector, excluding the water transport subsector;
- Minister of health for the healthcare system;
- Minister of water management for the drinking water supply and distribution sector; and
- Polish Financial Supervision Authority for the banking sector and financial markets infrastructure.
The competences of these authorities include, among others, monitoring the application of the Act by operators of essential services and digital service providers, conducting inspections of these entities and calling on them to remove the detected vulnerabilities of the systems within a specific time limit.
Describe the authorities’ powers to monitor compliance, conduct investigations and prosecute infringements.
State authorities involved in detecting and prosecuting crimes have the same powers in respect of cybercrimes as in the case of other crimes. These powers include, but are not limited to: searching premises or persons; seizing property; seizing and monitoring correspondence; seizing documents, including documents containing legally protected secrets; intercepting and recording conversations; and monitoring e-mail and documents, or conducting interviews, in connection with cybersecurity incidents. In addition, the Code of Penal Procedure obliges offices, institutions and entities conducting telecommunications or ICT business activities to secure immediately, at the request of the court or the prosecutor, IT data stored in an information system or on data carriers.
A dedicated unit of the Police is responsible for detecting and combating crimes committed in cyberspace: the Office for Combating Cybercrime. The tasks of the Office include in particular:
- supervising, coordinating and supporting activities aimed at combating cybercrime, conducted by province police departments within the scope of operational and exploratory activities, and in cooperation with the Polish Central Bureau of Investigation;
- conducting operational and exploratory activities;
- initiating and conducting cooperation with government administration bodies, law enforcement bodies and state institutions;
- conducting international cooperation;
- providing a 24-hour service in the scope of coordinating police activities concerning cybercrimes and cyberthreats and combating them as well as conducting cooperation of police organisational units with domestic and foreign bodies and entities;
- conducting technical consultations; and
- initiating and supporting research and cooperation with domestic and foreign entities to implement modern solutions in the fight against cybercrime.
What are the most common enforcement issues and how have regulators and the private sector addressed them?
Effective detection and prosecution of cybercrimes can be difficult, often due to the inadequacy of the legal system with regard to rapidly evolving IT tools and services. One of the most serious obstacles is the rapid development of online tools enabling the anonymisation of the network used to commit crimes, and the concealment of identity and location. Another obstacle in combating and effectively prosecuting cybercrime is the differences in national legislation and the cross-border nature of the internet. On the one hand, access to internet services provided by foreign companies not obliged to comply with Polish law is practically unlimited for internet users, and on the other hand, prosecution of crimes committed outside of Poland, of which the targets were natural persons or legal persons with Polish domicile, encounters a legislative barrier, which significantly delays crucial reaction time and, in extreme cases, makes it impossible to prosecute the crime committed. While efforts are being made within the European Union to ensure an efficient exchange of information on cybercrimes and cyberthreats, cooperation with third countries in this area is significantly hampered, if not impossible in some cases.
For this reason, the Polish legislator has placed considerable emphasis on procedures for the smooth reporting and exchange of information within the national structures as well as within the framework of cooperation in the European Union, as reflected in the provisions of the Act on the national cybersecurity system.
What regulatory notification obligations do businesses have following a cybersecurity breach? Must data subjects be notified?
The Act on the national cybersecurity system obliges an operator of essential services to report a serious incident (ie, an event that has or may have an adverse impact on cybersecurity and that causes or may cause a serious deterioration in the quality, or an interruption, of the provision of an essential service) to the appropriate CSIRT MON, CSIRT NASK or CSIRT GOV immediately, and at the latest within 24 hours of its detection.
The Act on the national cybersecurity system does not require data subjects to be notified of a breach. However, under the GDPR, any entity acting as a controller of personal data must notify the affected data subjects where a personal data breach is likely to result in a high risk to the rights or freedoms of natural persons.
Penalties
What penalties may be imposed for failure to comply with regulations aimed at preventing cybersecurity breaches?
The Act on the national cybersecurity system provides for financial penalties for violation of obligations imposed on entities obliged to apply it. The amount of the financial penalty depends on the type of violation and ranges from a fine of up to 15,000 zlotys to a fine of up to 150,000 zlotys. This penalty may be imposed either in the form of a single penalty or in the form of the sum of the penalties for each violation.
In the event that, as a result of control carried out by the competent authority in charge of cybersecurity, the operator of essential services or the digital service provider persistently violates the provisions of the Act – causing (i) a direct and major cyberthreat to defence, state security and public order or human life and health; or (ii) a threat of causing serious property damage or serious difficulties in providing essential services – the authority is entitled to impose a fine of up to 1 million zlotys.
A financial penalty on an entity failing to comply with its statutory obligations or violating accepted standards of conduct is imposed by a decision of the authority in charge of cybersecurity. The proceeds from the penalties constitute revenue for the state budget.
What penalties may be imposed for failure to comply with the rules on reporting threats and breaches?
Pursuant to the provisions of the Act on the national cybersecurity system, for violation of the obligation to report an incident, the operator of essential services and the digital service provider may be punished with a fine of up to 20,000 zlotys for each violation.
Furthermore, for a breach of the obligation to cooperate with the relevant CSIRT GOV, CSIRT MON or CSIRT NASK in handling a serious or critical incident, including the obligation to transmit all necessary data, the operator of essential services and the digital service provider may be punished with a fine of up to 20,000 zlotys.
How can parties seek private redress for unauthorised cyberactivity or failure to adequately protect systems and data?
The Civil Code is the basis for claiming compensation for damage suffered in connection with committing a cybercrime or failure to maintain an adequate level of security, within the framework of a private action.
To claim compensation, a person who has suffered damage owing to a breach of cybersecurity rules must demonstrate a causal link between the damage and the IT system administrator's failure to maintain an adequate level of security, and must document the amount and type of damage suffered.
Threat detection and reporting
Policies and procedures
What policies or procedures must organisations have in place to protect data or information technology systems from cyberthreats?
The cybersecurity legislation in force in Poland does not impose obligations on all participants in economic trading, but only on operators of essential services and digital service providers.
The primary duty of operators of essential services and digital service providers in protecting data against cyberthreats is to collect information about threats and vulnerabilities of the information system used to provide the service, and to cooperate with the state CSIRTs and other authorities responsible for data security. In addition, the operator or provider is obliged to apply measures to prevent and mitigate incidents, such as mechanisms ensuring data security, keeping software up to date, protecting against unauthorised modification and taking immediate action when vulnerabilities or threats are identified. The operator must also designate a person responsible for contact with the entities of the national cybersecurity system, and must make available to users of the service information that enables them to understand and protect themselves against threats. In the event of an incident, the operator must ensure that it is handled and, in the event of a serious incident, must inform the relevant CSIRT without delay and at the latest within 24 hours.
To perform its data protection duties, the operator must either set up its own structures responsible for cybersecurity or contract an entity providing such services. In accordance with the implementing Regulation, these entities must apply procedures conforming to ISO/IEC 27001 (information security management) and ISO 22301 (business continuity management).
In addition, the protection of personal data is subject to a separate regulation of the GDPR and the Act of 10 May 2018 on the Protection of Personal Data.
Describe any rules requiring organisations to keep records of cyberthreats or attacks.
Operators of essential services must keep the cybersecurity documentation of the information system used to provide the essential service for at least two years from the date on which the system is withdrawn from use or the provision of the essential service ends.
Describe any rules requiring organisations to report cybersecurity breaches to regulatory authorities.
According to Polish regulations, operators of essential services are obliged to prepare and update the documentation concerning the cybersecurity of the information system. Upon withdrawal or termination of the provision of an essential service, the operator shall keep the documentation for at least two years.
With regard to documentation containing personal data processed by the relevant CSIRT in connection with cybersecurity incidents or threats, there is an obligation to delete or anonymise the data within five years of the date on which the incident was handled.
Operators of essential services and digital service providers are obliged to report a serious incident immediately, and no later than 24 hours after its detection, to the appropriate CSIRT MON, CSIRT NASK or CSIRT GOV. Under the Act, the notification is to be transmitted in electronic form or, where that is not possible, by other available means of communication.
The report contains:
- data of the notifying entity, including the business name of the entrepreneur, its number in the relevant register, its registered office and its address;
- the name and surname, telephone number and email address of the person making the notification;
- the name and surname, telephone number and email address of the person authorised to provide explanations concerning the submitted information;
- a description of the impact of the serious incident on the provision of the essential service, including:
  - the essential services of the reporting entity affected by the serious incident;
  - the number of users of the essential service affected by the serious incident;
  - the time of occurrence and of detection of the serious incident and its duration;
  - the geographical extent of the area affected by the serious incident;
  - the impact of the serious incident on the provision of essential services by other operators of essential services and digital service providers; and
  - the cause of the serious incident, the manner in which it occurred and its consequences for the information systems or the essential services provided;
- information enabling the relevant CSIRT MON, CSIRT NASK or CSIRT GOV to determine whether the incident affects two or more member states of the European Union;
- in the case of an incident that could have affected the provision of the essential service, a description of the causes of the incident, its course and its likely impact on the information systems;
- information on the preventive measures taken;
- information on the corrective actions taken; and
- other relevant information.
What is the timeline for reporting to the authorities?
In accordance with Polish regulations regarding the entities that are obliged to inform the relevant CSIRT about incidents, the reporting shall take place immediately, or within 24 hours at the latest. At the time of reporting, entities obliged to report must provide all information on the incident known at the time of reporting. The legislator has provided for the competent CSIRT to request from the reporting party access to information containing legally protected secrets to the extent necessary to carry out the tasks of the CSIRT in relation to the reported incident. The reporting party itself is obliged to correctly identify information that is a legally protected secret (eg, a business secret).
For entities not covered by the provisions on the national cybersecurity system or by the rules applicable to providers of electronic communications services, a personal data breach must be notified by the controller to the supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
Reporting
Describe any rules requiring organisations to report threats or breaches to others in the industry, to customers or to the general public.
Within Polish cybersecurity system regulations, information about incidents, threats or vulnerabilities is published by the appropriate CSIRT in the Public Information Bulletin. The information shall be published if the CSIRT considers that it will contribute to increasing the cybersecurity of the information systems used by citizens and businesses or ensure the secure use of the systems. Published information may not, however, violate the provisions on the protection of confidential information or legally protected secrets and the provisions on personal data protection.
In accordance with the Polish Telecommunications Act, a provider of telecommunications services is obliged to inform users of any particular risk of a breach of network security that requires measures going beyond the technical and organisational measures taken by the provider, as well as of the available security measures and their associated costs.
Beyond this, Polish regulations do not impose a general obligation on entities to inform others in the industry, customers or the public; doing so is nevertheless recommended in order to protect the interests of consumers and to improve the security of information systems in sectors of the economy exposed to data loss.
Update and trends
What are the principal challenges to developing cybersecurity regulations? How can companies help shape a favourable regulatory environment? How do you anticipate cybersecurity laws and policies will change over the next year in your jurisdiction?
According to the provisions of the Cybersecurity Strategy for 2019–2024, the government established five main strategic goals to be achieved by 2024, namely:
- develop the National Cybersecurity System;
- increase the resilience of the public administration's and private sector's information systems and the capacity to prevent and respond effectively to incidents;
- strengthen national capacities in cybersecurity technologies;
- build cybersecurity awareness and societal competence; and
- build a strong international position for Poland in the area of cybersecurity.
In the next year, we expect the government to take a number of actions to achieve these objectives, including cooperation with private companies, mainly in research and development. This cooperation would give companies an opportunity to help shape a favourable regulatory environment.
However, we do not envisage a significant change in cybersecurity rules and principles over the next year, because the current regulation, the Act of 5 July 2018 on the national cybersecurity system, is still relatively new and has not yet been fully implemented.
Law stated date
Correct on
Give the date on which the information above is accurate.
The information presented above is accurate as at 6 December 2019.