Summarise the main statutes and regulations that promote cybersecurity. Does your jurisdiction have dedicated cybersecurity laws?
Poland has implemented Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning the measures for a high common level of security of network and information systems across the Union, by adopting the Act of 5 July 2018 on national cybersecurity systems into the Polish legal order. The Act entered into force on 28 August 2018 and is the only statutory act devoted solely to the issue of cybersecurity.
Pursuant to the aforementioned Act, a national cybersecurity system needs to be created in Poland, covering government administration institutions, local government administration institutions and selected sectors of the economy. The provisions of the Act impose certain obligations on operators of essential services (ie, entities that provide services of key importance for the functioning of the economy and the society).
The issue of cybersecurity was also addressed by the legislature in the Polish Penal Code, which provides for a type of crime related specifically to digital and information security, detailed in Chapter XXXIII of the Polish Penal Code. The following categories of crimes are penalised on its basis:
- destruction of IT data (article 268a of the Penal Code);
- corruption of IT data (article 260 of the Penal Code);
- disruption of the information system, ICT system or ICT network (article 260 of the Penal Code);
- creation of computer software adapted for committing an offence as well as computer passwords, access codes and other enabling unauthorised access to information stored in the information system, ICT system or ICT network (article 269b of the Penal Code); and
- computer fraud committed by affecting the processes of automatic processing, collection or transmission of IT data or altering, deleting or introducing new IT data records to obtain material benefit or cause damage (article 287 of the Penal Code).
The solutions adopted in Chapter XXXIII of the Penal Code are the result of the signing by the Republic of Poland of the Council of Europe Convention No. 185 on Cybercrime as well as Council Framework Decision 2005/222/JHA on attacks against information systems.
In some sectors of the economy, for instance, in the financial sector, there are also specific sectoral regulations addressing the problem of information security. An example of such a regulation is the regulation of the Council of Ministers of 26 October 2004 on the manner of creating, recording, transmitting, storing and securing documents related to banking activities prepared on electronic data medium, which is a secondary legislation to the Law on Banking.
The Act on the national cybersecurity system includes a delegation of legislative powers to the Minister of Digital Affairs to adopt a number of secondary legislations, including the following on:
- the thresholds for considering an incident as major;
- the list of essential services and thresholds for the materiality of the disruptive effect of the incident on the provision of essential services;
- the scope and working mode of the Cybersecurity Court;
- the criteria for considering a breach of security or integrity of ICT networks or services as a breach of the significant impact on the operation of network or services; and
- organisational and technical conditions for entities providing services in the field of cybersecurity as well as the internal organisational structures of the operators of essential services responsible for cybersecurity.
Which sectors of the economy are most affected by cybersecurity laws and regulations in your jurisdiction?
Energy, transport, banking and financial market infrastructure, digital infrastructure and healthcare sectors are the sectors in the economy most affected by cybersecurity laws and regulations in Poland. At the same time, these are the sectors for which the legislator uses the adjective ‘essential’ and that are listed in the Appendix to the Act on the national cybersecurity system.
Has your jurisdiction adopted any international standards related to cybersecurity?
The most important international standards binding in Poland are ISO 27001 standards. The Polish government administration authority is the Polish Committee for Standardisation responsible for ensuring the coherence of the national standardisation system with the European standardisation system implemented by a way of recognition the ISO 27001 into the Polish system (PN-EN ISO/IEC 27001). It is a standard setting out the requirements for the establishment, implementation, maintenance and continuous improvement of an information security management system in relation to an organisation. The requirements set out in ISO 27001 are general and apply to all organisations regardless of their type, size and nature. Application and acceptance of ISO 27001 standard by organisations and private companies in Poland is voluntary and are not required by applicable laws.
Additionally, detailed obligations within the scope of certification were provided by the regulation of the Minister of Digital Affairs of 10 September 2018 on organisational and technical conditions for entities providing services in the field of cybersecurity as well as the internal organisational structures of the operators of essential services responsible for cybersecurity based on the Act on the national cybersecurity system and imposed on entities providing services in the field of cybersecurity. These entities are obliged to (i) have and keep up to date the information security management system that meets the requirements of the Polish PN-EN ISO/IEC 27001 Standard; and (ii) ensure the continuity of the incident response service, which consists of taking action to record and handle information system security incidents in accordance with the requirements of the Polish PN-EN ISO 22301 standard, which is the implementation of the ISO 22301 standard.
What are the obligations of responsible personnel and directors to keep informed about the adequacy of the organisation’s protection of networks and data, and how may they be held responsible for inadequate cybersecurity?
As a rule, the responsibility for the company’s actions lies with the shareholders representing the company or, in case of a capital company, the management board of the company. The responsibility of shareholders and board members extends to all areas of the company’s business activity, so it also covers information security and cybersecurity issues.
The Act on the national cybersecurity system introduced an obligation for operators of the essential services, digital service providers and public entities to appoint a person responsible for maintaining contacts with the entities of the national cybersecurity system and to establish internal structures responsible for cybersecurity or to enter into appropriate agreements with external entities providing services in the field of cybersecurity.
Failure to meet the aforementioned requirements may result in the financial penalties as provided for in the Act on the national cybersecurity system. Failure to appoint a person responsible for maintaining contacts with the entities of the national cybersecurity is threatened with a fine of up to 15,000 zlotys, while failure to appoint internal structures responsible for cybersecurity or failure to enter into a cooperation agreement with an external entity in the field of cybersecurity is threatened with a fine of up to 100,000 zlotys.
How does your jurisdiction define cybersecurity and cybercrime?
The definition of cybersecurity was introduced into the Polish legal system on the basis of the Act on the national cybersecurity system. Pursuant to this Act, cybersecurity means the resilience of information systems to activities that violate the confidentiality, integrity, availability and authenticity of the processed data or related services offered by these systems.
However, there is no uniform definition of cybercrime in the Polish legal system. In this respect, the most frequent reference is made to definitions formulated by international entities, such as the United Nations, the Council of Europe, the European Union or Interpol.
The Polish Penal Code does not use the term ‘cybercrimes’ either, and the legislator uses descriptive names, such as computer fraud, disruption of an information system, ICT system or information network, and other to describe crimes generally classified as cybercrimes.
What are the minimum protective measures that organisations must implement to protect data and information technology systems from cyberthreats?
The Act on the national cybersecurity system only introduces general security measures that operators of essential services, digital service providers and public entities must implement to ensure the security of information and information systems. In this respect, the Act imposes an obligation on the indicated entities to implement a security management system ensuring as follows:
- conduct systematic incident risk assessment and management;
- implementation of appropriate technical and organisational measures, proportionate to the estimated risk, taking into account the current state of art;
- collection of information on cyberthreats and vulnerabilities of the information system in use;
- incident management;
- use of prevention and mitigation measures to limit the impact of incidents on the security of the information system in use; and
- use of means of communication enabling the correct and secure communication within the national cybersecurity system.
Entities that are required by law to provide certain cybersecurity standards are free to choose specific security measures to achieve the objectives set out in the law.
Scope and jurisdiction
Does your jurisdiction have any laws or regulations that specifically address cyberthreats to intellectual property?
To date, there are no regulations in force in Poland concerning cybercrimes committed in relation to intellectual property. Computer-related crimes committed against intellectual property rights shall be punishable under the same conditions as other crimes committed against property rights.
Does your jurisdiction have any laws or regulations that specifically address cyberthreats to critical infrastructure or specific sectors?
Currently, in Poland, there are two legal regimes that address the issue of cybersecurity in the areas in question (ie, the EU directive and the Act on the national cybersecurity system).
Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection and the Regulation of the Council of Ministers of 30 April 2010 on National Critical Infrastructure Protection Programme, adopted on the basis of this Directive introduced the concept of ‘critical infrastructure’ into the Polish legal order.
The definition of this concept is contained in the Act of 26 April 2007 on Crisis Management, according to which critical infrastructure shall be understood as systems and mutually bound functional objects contained therein, including constructions, facilities, installations and services of key importance to the security of the state and its citizens as well as serving to ensure the efficient functioning of public administration authorities, institutions and enterprises.
The Act on the national cybersecurity system lists the sectors (energy, transport, banking and financial market infrastructures, healthcare, drinking water supply and distribution, and digital infrastructure) and the sub-sectors of the economy identified as essential, thus imposing specific security obligations on entities operating in these sectors.
However, the Polish legal system does not contain regulations relating to the penalisation of cybercrimes committed against or directed against the critical infrastructure or key sectors. The Penal Code provides for the penalisation of crimes committed with the use of computer hardware and IT infrastructure against any infrastructure, regardless of its type or significance for the economy of the state.
In 2017, the Ministry of Digital Affairs adopted a document entitled ‘Cybersecurity strategy of the Republic of Poland for 2017-2022’, constituting a national strategy in the field of cybersecurity of ICT systems within the meaning of the Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union. The ‘Cybersecurity strategy’ addresses, inter alia, the issue of increasing ICT security of essential and digital services as well as the critical infrastructure and comprehensive, cross-sectoral approach to the need to ensure cybersecurity in the technologies used by operators of essential services, digital service providers and operators of critical infrastructure.
Does your jurisdiction have any cybersecurity laws or regulations that specifically restrict sharing of cyberthreat information?
The Polish legislator did not provide for penalisation of activities consisting in spreading information about cyberthreats.
The Act on the national cybersecurity system introduced the obligation to report incidents (ie, events adversely affecting cybersecurity), together with information about the incident and its description to the relevant unit of the Computer Security Incident Response Team. This obligation applies to all operators of essential services, digital service providers and public entities.
Information on vulnerabilities, incidents and cyberthreats, as well as the risk of an incident, is published in the Public Information Bulletin after consultation with the reporting entity. Such information shall not be made available if its disclosure would determine the protection of the general public as regards security or public order or if it could adversely affect the investigation, detection and prosecution of cybercrimes.
What are the principal cyberactivities that are criminalised by the law of your jurisdiction?
The main cyberactivities that are subject to criminalisation under the Polish Penal Code are the following:
- unauthorised access to the information or the IT system (article 267, section 2 of the Polish Penal Code);
- destruction, damage, deletion, alteration or prevention of access to the IT data (article 268 of the Polish Penal Code);
- disruption of prevention from the automatic process, gathering or transmission of IT data (article 268a of the Polish Penal Code);
- disruption of the work of a computer system or an information system (article 269a of the Polish Penal Code);
- unlawful creation (and similar activities) of devices or computer software adapted for committing computer crimes, passwords, access codes or other similar data (article 269b of the Polish Penal Code);
- theft and fencing of a computer software (article 278, section 2 and article 293 of the Polish Penal Code); and
- breaking or bypassing security measures to gain access to the computer data of another person or to all or part of a computer system (article 267 of the Polish Penal Code).
As previously indicated, the code solutions adopted by the Polish legislator are a consequence of signing by Poland of the Council of Europe Convention No. 185 on Cybercrime as well as Council Framework Decision 2005/222/JHA on attacks against information systems.
How has your jurisdiction addressed information security challenges associated with cloud computing?
Currently, in Poland, there are no separate, detailed regulations concerning cloud services and there is no information on the plans to adopt additional regulations concerning cloud computing. With regard to cloud services, the provisions of the Act of 18 July 2002 on rendering services by electronic means defining the obligations of a service provider related to providing services by electronic means, rules of releasing service providers from legal liability concerning the providing of services by electronic means and rules for the protection of personal data of natural persons using the services provided by electronic mean,s shall apply.
The Act on rendering services by electronic means imposes an obligation on the service provider to ensure that the operation of an ICT system under its control enables a service recipient free of charge:
- by using a service recipient of a service provided by electronic means in a manner that prevents unauthorised persons from accessing the contents of communications being an element of the service, in particular through applying cryptographic techniques appropriate for characteristics of the service provided;
- unequivocal identification of parties to the service provided by electronic means; and
- the possibility at any moment of terminating use of a service provided by electronic means.
Data stored with the use of cloud services are also subject to regulations on personal data protection, including obligations relating to ensuring the security of data processing stored in the cloud.
How do your jurisdiction’s cybersecurity laws affect foreign organisations doing business in your jurisdiction? Are the regulatory obligations the same for foreign organisations?
As a member of the European Union, Poland is obliged to apply in its legislation regulations compliant with the law of the Union. The Act on the national cybersecurity law, being an implementation of Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the European Union, introduces the same rights and obligations for national and foreign entities in terms of cybersecurity. Also, other existing national regulations do not differentiate in this context the legal situation of foreign entities from domestic entities.
Do the authorities recommend additional cybersecurity protections beyond what is mandated by law?
In the document issued by the Ministry of Digital Affairs entitled ‘Cybersecurity strategy of the Republic of Poland for 2017-2022’ constituting a national strategy in the field of cybersecurity of ICT systems (within the meaning of Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union), particular attention was paid to the need to conduct regular audits and security tests to periodically assess the effectiveness of the implemented security management systems and the adequacy of the security features. The ‘Cybersecurity strategy’ also includes the announcement of legislative changes regulating the subject matter of methods and tools for carrying out such security audits, together with the announcement of the possibility of legally regulating bug-bounties (ie, a service consisting in the search for vulnerability to attacks of this software by persons not related to the manufacturer of computer software).
How does the government incentivise organisations to improve their cybersecurity?
Currently, there are no government initiatives aimed at organisations, private entities or entrepreneurs in the cybersecurity field in Poland going beyond the existing legal regulations.
The Polish Committee for Standardisation, a national budgetary body established to carry out tasks in the field of certification and standardisation, organises and conducts training, publishing, promotion and information activities in the field of standardisation and related areas - including ISO 27001 certification.
Identify and outline the main industry standards and codes of practice promoting cybersecurity. Where can these be accessed?
One of the industries operating on the Polish market that has a dedicated code of conduct related to ensuring digital security is the telecommunication industry. The majority of Polish mobile operators have become signatories to the European Framework for Safer Mobile Use by Young Teenagers and Children.
The adopted code of conduct provides in particular for the promotion of safe use of mobile services by children and adolescents, access for parents and legal guardians to information on how children and adolescents can use mobile phones safely and on content dedicated to these age groups. Information about joining the European Framework for Safer Mobile Use by Young Teenagers and Children can be found on the mobile operator’s websites and under the link: https://www.gsma.com/gsmaeurope/wpcontent/uploads/2012/04/polandcoc.pdf.
Are there generally recommended best practices and procedures for responding to breaches?
The adopted legislation imposes on operators of essential services the obligations related to incident reporting and handling, such as the obligation to identify the incident, register and classify the incident on the basis of the thresholds for recognising the incident as major and to report the major incident immediately, but no later than within 24 hours of its detection, to the relevant computer security incident response services team (CSIRT).
Incident reporting initiates further handling of the incident, in which the operator is obliged to cooperate with the relevant CSIRT and provide access to the necessary information concerning the incident.
The Act on the national cybersecurity system sanctioned functioning of previously existing entities involved in handling and responding to computer incidents at national level (according to the nomenclature adopted in Directive 2016/1148 - Computer Security Incident Response Teams). In Poland, these entities are the Computer Security Incident Response Team operating at the national level (CERT.GOV.PL) (CSIRT GOV), the Ministry of Defence Computer Emergency Response System (CSIRT MON) and the National Cybersecurity Centre (NC Cyber or CSIRT NASK).
Their task is to counter cyberthreats of a cross-sectoral and cross-border nature, to coordinate the handling of major, substantial and critical incidents, and to provide information about incidents, both within the network of government organisations related to cybersecurity and to the general public.
The Act on the national cybersecurity system also introduces two new entities involved in the coordination of activities concerning the provision of cybersecurity and ensuring the coordination of the implementation of tasks at the government level, which are the Government Plenipotentiary of Cybersecurity and Cybersecurity Court.
In addition, in accordance with the requirements of the Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing of Directive 95/46/EC (General Data Protection Regulation), the Act on the national cybersecurity system sets out the rules for the processing of personal data as part of the functioning of the national cybersecurity system, including the processing of data on incidents.
Describe practices and procedures for voluntary sharing of information about cyberthreats in your jurisdiction. Are there any legal or policy incentives?
To date, there is no regulation covering the voluntary sharing of information on cybercrime. Law enforcement agencies have informed the public about the state of cybersecurity in Poland through the publication of annual reports.
How do the government and private sector cooperate to develop cybersecurity standards and procedures?
The need for the government sector to cooperate with the private sector within the framework of ensuring cyberspace security was reflected in the provisions of ‘Cybersecurity strategy of the Republic of Poland for 2017-2022’. According to this document, the government is obliged to strive to build an effective system of public-private partnership, as well as to engage in existing and emerging forms of European public-private cooperation.
The above is to be implemented, inter alia, through active government support for research and development projects in the field of cybersecurity, including projects carried out in cooperation with private companies and research centres.
Is insurance for cybersecurity breaches available in your jurisdiction and is such insurance common?
Insurance against cyber risks (also known commercially as cyberinsurance) is becoming more and more popular on the Polish market. The addressees of offers prepared by insurance companies are entrepreneurs operating on the Polish market, collecting, processing or transmitting any data. The scope of insurance normally covers three types of costs incurred in connection with a cyberattack, that is, (i) costs related to data recovery, purchase of software, deletion of malicious software, etc; (ii) additional costs such as legal defence costs, public relations costs, costs of external consultations; and (iii) civil liability.
Which regulatory authorities are primarily responsible for enforcing cybersecurity rules?
The competence to supervise the application of the provisions of the Act by the obliged entities was allocated at ministerial level. The competent authorities shall be as follows:
- Minister in charge of information technology - for digital infrastructure and digital service providers sector;
- Minister of National Defence - for the healthcare sector, digital infrastructure and healthcare sector in the area covered by the Ministry of National Defence and digital service providers - entrepreneurs of particular economic and defence importance;
- Minister in charge of energy - for the energy sector;
- Minister in charge of maritime economy and Minister in charge of inland navigation - for the water transport subsector;
- Minister in charge of transport - for the transport sector, excluding the water transport subsector;
- Minister in charge of health - for the healthcare system;
- Minister in charge of water management - for drinking water supply and distribution sector; and
- the Polish Financial Supervision Authority - for the banking sector and financial markets infrastructure.
The competence of these authorities includes, among others, monitoring the application of the Act by operators of essential services and digital service providers, conducting inspections of these entities and calling on them to remove the detected vulnerabilities of the systems within a specific time limit.
Describe the authorities’ powers to monitor compliance, conduct investigations and prosecute infringements.
State authorities have the same powers in detecting and prosecuting cybercrimes as in the case of other crimes. These powers include, but are not limited to carrying out a search of a room or person, seizure of property, seizure and control of correspondence, seizure of documents, including documents containing secrecy, inspection and recording of conversations and control of email. In addition, the provisions of the Code of Penal Procedure oblige officers, institutions and entities conducting ICT business activities to immediately secure - at the request of the court of prosecutor - information data stored in the information system or on data carriers.
An internal unit dedicated to detecting and combating crimes committed in cyberspace, called the Office for Combating Cybercrime. The tasks of the Office include, in particular: supervising, coordinating and supporting activities aimed at combating cybercrime, conducted by province police departments within the scope of operational and exploratory activities, cooperation with the Polish Central Bureau of Investigation, conducting operational and exploratory activities, initiating and conducting cooperation with government administration bodies, law enforcement bodies and state institutions, conducting international cooperation, conducting a 24-hour service in the scope of coordinating police activities concerning cybercrimes and cyberthreats and combating them as well as cooperation of Police organisational units with domestic and foreign bodies and entities, conducting technical consultations, initiating and supporting research, and cooperation with domestic and foreign entities to implement modern solutions in the fight against cybercrime.
What are the most common enforcement issues and how have regulators and the private sector addressed them?
Effective detection and prosecution of cybercrimes faces a number of difficulties, often owing to the inadequacy of the legal system in the face of rapidly evolving IT tools and services. One of the most serious obstacles is the fast development of online tools enabling the anonymisation of networks used to commit crimes, and the concealment of identity and location. Another obstacle in combating and effectively prosecuting cybercrime is the difference in national legislation and the cross-border nature of the internet. As a result, on the one hand, access to internet services provided by foreign companies not obliged to comply with Polish law is practically unlimited for internet users, and on the other hand, prosecution of crimes committed outside of Poland, whose target were natural persons or legal persons with Polish domicile, encounters a legislative barrier that significantly delays crucial reaction time and in extreme cases makes it impossible to prosecute in relation to the crime committed. Though efforts are being made within the European Union to ensure an efficient exchange of information on cybercrimes and cyberthreats, cooperation with third countries in this area is significantly hampered, if not impossible in some cases.
For this reason, the Polish legislator has placed considerable emphasis on procedures for the smooth reporting and exchange of information within the national structures as well as within the framework of cooperation in the European Union, as reflected in the provisions of the Act on the national cybersecurity system.
What penalties may be imposed for failure to comply with regulations aimed at preventing cybersecurity breaches?
The Act on the national cybersecurity system provides for financial penalties for violation of obligations imposed on entities obliged to apply it. The amount of financial penalties depends on the type of violation and ranges from a fine of up to 15,000 zlotys to a fine of up to 150,000 zlotys. This penalty may be imposed either in the form of a single penalty or in the form of the sum of the penalties for each violation.
In the event that, as a result of control carried out by the competent authority in charge of cybersecurity, the operator of essential services or digital service provider persistently violates the provisions of the Act - causing (i) a direct and major cyberthreat to defence, state security and public order or human life and health; or (ii) a threat of causing serious property damage or serious difficulties in providing essential services - the authority is entitled to impose a fine of up to 1 million zlotys.
The imposition of a financial penalty on an entity failing to comply with statutory obligations or violating accepted standards of conduct shall be effected by a decision issued by an authority in charge of cybersecurity. The proceeds from the imposed penalties constitute revenue for the state budget.
What penalties may be imposed for failure to comply with the rules on reporting threats and breaches?
Pursuant to the provisions of the Act on the national cybersecurity system, for violation of the obligation to report an incident, the operator of essential service and the digital service provider may be punished with a fine of up to 20,000 zlotys for each violation.
Furthermore, for a breach of the obligation to cooperate in handling a major and a critical incident with the relevant CSIRT GOV, CSIRT MON or CSIRT NASK, including the transmission of all necessary data, the operator of the essential service and the digital service provider may be punished with a fine of up to 20,000 zlotys.
How can parties seek private redress for unauthorised cyberactivity or failure to adequately protect systems and data?
The Civil Code is the basis for claiming compensation for damage suffered in connection with committing a cybercrime or failure to maintain an adequate level of security, within the framework of a private action.
To claim compensation, a person who suffered damage owing to a breach of cybersecurity rules shall demonstrate a causal link between the damage suffered and the fact that the IT system administrator failed to maintain an adequate level of security, and will document the amount and type of damage suffered.
Threat detection and reporting
Policies and procedures
What policies or procedures must organisations have in place to protect data or information technology systems from cyberthreats?
The legal regulation on cybersecurity in force in Poland does not impose obligations on all participants in economic trading, but only on operators of essential services and digital service providers.
The primary duty of operators of essential services and digital service providers, to protect data against cyberthreats, is to collect information on threats and vulnerabilities of the information system used to provide the service as well as to cooperate with state CSIRT and other authorities responsible for data security. In addition, the operator or provider is obliged to apply measures to prevent and mitigate incidents, such as applying mechanisms to ensure data security, taking care to keep the software up to date, protecting against unauthorised modification or taking immediate action when vulnerabilities or threats are identified. The operator must also designate a person responsible for maintaining contact with the entities of the national cybersecurity system, making available to the user of the service provided information that enables them to understand and protect themselves against threats. In the event of an incident, the operator shall ensure that the incident is handled and, in the event of a major incident, shall inform the relevant CSIRT without delay and at the latest within 24 hours.
To perform its data protection duties, the operator shall set up its own structures responsible for cybersecurity or enter into a contract with an entity providing such services. In accordance with the Regulation, these entities apply standardised procedures of ISO 27001 and ISO 22301.
Describe any rules requiring organisations to keep records of cyberthreats or attacks.
According to Polish regulations, operators of essential services are obliged to prepare and update documentation on the cybersecurity of the information system. Upon withdrawal or termination of the provision of an essential service, the operator shall keep such documentation for at least two years.
With regard to documentation containing personal data processed by the relevant CSIRT in connection with cybersecurity incidents or threats, there is an obligation to delete or anonymise such data within five years from the date on which the incident was handled.
Describe any rules requiring organisations to report cybersecurity breaches to regulatory authorities.
The Act on the national cybersecurity system imposes specific obligations on operators of essential services and digital service providers within the scope of reporting incidents. The operator of the essential service reports the incident as major to the appropriate CSIRT. A major incident is understood by the legislator as one that causes or may cause a major deterioration in the quality or interruption in the provision of an essential service. Digital service providers, however, are obliged to report a substantial incident, as defined in the European Commission Implementing Regulation 2018/151. Public entities are required to report each incident, regardless of its classification.
In the event of a cybercrime, under the general rules of criminal procedure, it is the responsibility of everyone who learns about it to notify the competent authorities.
What is the timeline for reporting to the authorities?
In accordance with Polish regulations regarding the entities that are obliged to inform the relevant CSIRT about incidents, the reporting shall take place immediately, but not later than within 24 hours. At the time of reporting, these entities must provide all the information on the incident known at the time of reporting. The legislator has provided for the competent CSIRT to request from the reporting party access to information containing legally protected secrets to the extent necessary to carry out the tasks of the CSIRT in relation to the reported incident. The reporting party itself is obliged to correctly identify information that is a legally protected secret (eg, a business secret).
For other entities to which the provisions on the national cybersecurity system and providers of electronic communications services do not apply, where there has been a breach of personal data protection, the controller shall, without undue delay and as far as possible and no later than within 72 hours after the breach has been identified, notify the breach to the supervisory authority, unless the breach is unlikely to result in a risk of infringement of the rights or freedoms of individuals.
Describe any rules requiring organisations to report threats or breaches to others in the industry, to customers or to the general public.
Within Polish cybersecurity system regulations, information about incidents, threats or vulnerabilities is published by the appropriate CSIRT in the Public Information Bulletin. Such information shall be published if the CSIRT considers that it will contribute to increasing the cybersecurity of the information systems used by citizens and businesses, or ensure the secure use of the systems. Published information may not, however, violate the provisions on the protection of confidential information or legally protected secrets and the provisions on the personal data protection.
In accordance with the Polish Telecommunications Act, the service provider is obliged to inform users of any particular risk of a breach of network security, requiring measures going beyond the technical and organisational measures taken by the service provider as well as of the existing security capabilities and associated costs.
In addition, Polish regulations do not impose an information obligation on entities; however, this is recommended to protect the interests of consumers and to increase the security of information systems in sectors of the economy exposed to data loss and data security.
Update and trends
Update and trends
What are the principal challenges to developing cybersecurity regulations? How can companies help shape a favourable regulatory environment? How do you anticipate cybersecurity laws and policies will change over the next year in your jurisdiction?
Undoubtedly, the challenge for the authorities responsible for cybersecurity in Poland in the near future will be to standardise the issue on the legislative grounds. The implementing provisions of the Act on the national cybersecurity system provide for the entry into force of the Act as a whole in 2021.
An important aspect of cybersecurity in Poland is also strengthening the ability to counteract cyberthreats, which should be based on cross-border cooperation between law enforcement agencies and CSIRT. Special attention is paid to the creation of efficient and trusted channels for the exchange of information and rapid reaction.
In the next few years, we expect the development of practices and tasks regulated in the provisions of the Act on the national cybersecurity system and the ‘Cybersecurity strategy of the Republic of Poland for 2017-2022’, which is a policy paper setting out the direction of action of authorities responsible for cybersecurity.