The Ministry of Digital Affairs has recently issued “Cloud Computing Cybersecurity Standards” (SCCO), which is part of a broader initiative called “Common State IT Infrastructure” (WIIP). The document is a set of requirements, including legal requirements, addressed to public sector entities that intend to use a Government Cloud (RChO) or a Public Cloud (PChO). In simple terms, the RChO model may be defined as a cloud provided “by the administration for the administration”, while the PChO model assumes the involvement of private providers.

Levels of requirements

The document distinguishes between four levels of security requirements:

  • SCCO1 – applicable to information earmarked to be made publicly available that is not subject to legal restrictions regarding confidentiality;

  • SCCO2 – applicable to information which, albeit essential to the execution of statutory activities of public administrative institutions (e.g. information containing personal data), does not contain classified information protected under the provisions of law;

  • SCCO3 – applicable to sensitive, legally protected information, and

  • SCCO4 – applicable to classified information, the processing of which in non-accredited (and specifically public) cloud environments is currently prohibited.

The classification of information into one of these categories is crucial to making a decision about the cloud computing model to be used (i.e. RChO or PChO).

Involvement of private providers

The requirements applicable to the SCCO1 and SCCO2 levels of security are the ones relevant from the perspective of private providers offering cloud services to Polish public sector entities, because information classified as SCCO3 must be processed in a Government Cloud. Of these, the following requirements are particularly relevant:

  • the location of data centres – which in certain cases is limited to the EEA or even just Poland;

  • specific requirements concerning security (e.g. encryption, back-ups, incident management, etc.);

  • requirements concerning personnel who may have access to protected information and data.

Broader regulatory environment

It is also worth noting that the document comprising the SCCO is not a complete set of standards and requirements applicable to the use of cloud services by the public sector, but forms part of a broader regulatory environment. Requirements concerning the application of cloud solutions can also be found in such documents as the Act on the National Cyber-security System or the Council of Ministers’ Regulation from September 2019 on the “Common State IT Infrastructure” Initiative.