A new Act on the National Cybersecurity System entered into force in Poland on 27 August 2018. The Act is designed to implement the measures laid down in the NIS Directive (Directive (EU) 2016/1148) and is another step (as well the GDPR, which reinforces protection of personal data) in extending the duties of companies in relation to cybersecurity.

  Unlike the GDPR which applies broadly, the Act imposes certain obligations solely on specific groups of entities as follows: 

  • Operators of essential services playing an important role in providing security in the areas of healthcare, transport, energy, banking and financial market infrastructure, digital infrastructure and water supply. The operators of essential services are private businesses or public entities with an organisational unit in Poland, which have been considered as operators of essential services by a way of a decision of the relevant authority on cybersecurity.  
  • Digital service providers including online marketplaces, cloud computing services and search engine providers.

Under the NIS Directive, Member States have until 9 November 2018 to identify the entities that operate in their territory as operators of essential services. The Act covers entities which at least have their organisational unit in Poland. Smaller digital service providers (i.e., below 50 employees and an annual turnover and/or annual balance sheet total below EUR 10 million) do not fall under the scope of the Act.  

The Act sets out a series of requirements in order to increase the level of cybersecurity. The Act adopts a risk-based approach. Companies subject to the act are obliged to adapt certain technical and organisational arrangements depending on the identified risk. Operators of essential services are obliged to introduce a system of risk assessment and management, and take steps to prevent and limit the impact of incidents on the security of their systems. The obligations of digital services providers are less extensive and focused mainly on taking appropriate and proportionate technical and organisational measures in order to manage risks for information systems used for providing digital services. Operators of essential services and providers of digital services also have an obligation to identify incidents, determine their seriousness and report them no later than within 24 hours from the moment of identification.  

The risk-based approach may already be familiar to entities covered by the GDPR rules, as it is founded on the same principles. For this reason, experience and work undertaken in order to achieve GDPR compliance, may be helpful for entities subject to the Act.  

If operators of essential services fail to comply with the requirements specified in the Act this may result in the relevant authority imposing an administrative fine of up to PLN 200,000 (~EUR 47,000). Digital service providers can be fined up to PLN 20,000 (~EUR 4,700) for each unreported incident. Repeated infringements of the Act, causing a serious and direct cybersecurity threat for defence, security, public order or public health or causing a threat of serious harm or serious difficulty in providing essential services, committed both by operators of essential services or providers of digital services may be punished by fine of up to PLN 1 million (~EUR 235,000)