On 5 July 2018, the Polish Parliament passed the Act on the National Cybersecurity System (“ANCS”, J. of Laws 2018.1560), which will enter into force on 28 August 2018.

The ANCS will implement the provisions of Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (“NIS Directive”). The ANCS will introduce a national cybersecurity system, which will include the biggest service providers from various sectors in Poland, as well as governmental and local administration. The new legislation aims to create an efficient and secure system which will increase the level of cybersecurity in Poland and allow for swift co-operation with other Member States of the EU.

The key points of the ANCS are:

  • Additional obligations will be imposed on the providers of services deemed vital for maintaining the Polish economy and society, in particular, ICTs and entities from the energy, transport, water, banking, financial market infrastructure, healthcare and digital infrastructure sectors. These entities will be identified as operators of essential services (“Operators”). The status of an Operator can be given to an entity with an establishment in Poland if the relevant authority issues a decision. The Operators will be listed in an official registry, operated by the Minister of Digitization. The decisions are to be issued by 9 November 2018.
  • The Operators will have to take appropriate security measures and notify serious incidents within 24 hours to the relevant authority. In addition, they will have to conduct periodical risk assessments in relation to cybersecurity and notify and co-operate with the relevant Computer Security Incident Response Team (CSIRT) in case of an incident. An incident is defined in the ANCS as “any event having an actual adverse effect on cybersecurity”, while the NIS Directive defines an incident as “any event having an actual adverse effect on the security of network and information systems”. A serious incident is defined in the ANCS as “an incident that will cause or may cause a serious deterioration or interruption of the provision of a key service”.
  • The Operators will also be obliged to appoint a person or entity responsible for the cybersecurity of a particular Operator, serious incident notification and staff training.
  • Most of the new requirements for the Operators will need to be met within three months from the receipt of the particular decision. The first audit of the IT systems of an Operator will need to be conducted within a year from the decision.
  • Additionally, a number of the new obligations apply to digital service providers, i.e. online marketplaces, search engines and cloud services, in particular security and incident notification requirements.
  • The National Cybersecurity System will involve the private and governmental sectors and will be managed on both the working level (Serious Incident Response Team) and the institutional level (Governmental Representative for Cybersecurity and the Board for Cybersecurity). Each economic sector is assigned a relevant governmental authority. There will also be a single contact point for cybersecurity, operating under the Polish Minister of Digitization, which will be responsible for the exchange of information on the national level and co-operation on the EU level.
  • The incident response model is based on the principle of notification to the relevant Computer Security Incident Response Team – CSIRT GOV (subject to the Agency of Internal Security – ABW), CSIRT NASK (subject to the National Academic Computer Web – NASK) or CSIRT MON (subject to the Minister of Defence), depending on the type of incident. Each of the CSIRTs will co-operate with the relevant cybersecurity authorities, the Minister of Digitization and the Governmental Representative for Cybersecurity. All of these entities will act as a coherent and complete risk management system on the national level.
  • Natural persons will also be able to notify every type of incident to CSIRT NASK, but such notifications will be of lesser priority.
  • Administrative sanctions for non-compliance with the ANCS include a sanction of up to PLN 150,000 (approx. EUR 35,000) for a single occurrence of non-compliance and up to PLN 1,000,000 (approx. EUR 233,000) for ongoing non-compliance leading to severe risks to national cybersecurity.
  • The ANCS will also be accompanied by a set of implementing regulations, which will include more specific requirements for particular sectors and institutions, in line with the NIS Directive. As of now, eight regulations are in the legislative process and will be finalised in the following months.