The amendment to the KSC Act and the implementation of NIS2 have entered a new stage in the legislative process. We know that Poland has not managed to implement the NIS2 Directive by the deadline set by the European Union, October 17, 2024. However, the Ministry of Digitization is busily working on a draft amendment to the National Cyber Security System (KSC) Act. The new legislation is expected to be enacted in 2025. The Ministry of Digitization has forwarded the modified draft law to the Committee for European Affairs, together with a protocol of divergence. The protocol is an important document, as it contains the comments that were not taken into account during the earlier stages of the opinion process. The Committee for European Affairs, in turn, provided its comments on the submitted documents by the indicated deadline of October 22 this year.
Of course, one should follow the legal process, but in light of the growing cyber threats, it is worth taking preventive measures now and investing in effective cyber defense systems such as cyber deception. It is also worth noting the growing importance of tools such as IT audits, which enable companies to identify security vulnerabilities and address them accordingly. IT supply-chain security will also be an important issue, especially in the context of the new provisions on high-risk suppliers. Remember that regulations can only provide direction; it is concrete actions that will protect companies from cyber attacks.
Public consultation and opinion-gathering – listening to the voice of the market
The draft amendment to the KSC Act has so far passed the required legislative path for its review and public consultation. During the public consultations alone, the Ministry of Digitization received as many as 1,567 comments from 215 entities. Approximately 70% of these comments were incorporated into the new draft. The consultations were aimed at adapting the regulations to the real needs of the market, while ensuring that the new regulations effectively protect against cyber attacks. The changes are particularly important for the key and important sectors that will be covered by the new regulations under NIS2.
Amendment of the KSC Act and implementation of NIS2 – key changes
The amendment to the KSC Act provides for a number of changes compared to its original provisions, in order to improve the management of cyber security in Poland. The most important of these include:
1. Changes in the supervision of key entities
The new legislation provides clearer rules for the supervision of key and important entities. The draft envisages the possibility of appointing a single lead authority to supervise companies in key sectors such as banking, telecommunications or energy. This is expected to increase the efficiency of the response to risks and minimize the administrative burden on companies, which until now have had to comply with the varying requirements of several supervisory authorities.
2. Moving some sectors to the “important” category
One of the key elements of the amendment is the reclassification of sectors. The production and distribution of food and chemicals, which were previously treated as key sectors, have been moved to the “important” category. In this respect, the draft has been aligned with the provisions of NIS2.
3. Moving away from references to ISO standards
The new draft abandons direct references to ISO standards as the basis for assessing compliance with the regulations. Instead, the draft law introduces a requirement for normative and operational documentation. Normative documentation will include a description of the systems and procedures, while operational documentation will confirm that these procedures are actually carried out in practice.
[Figure: Ministry of Digitization; source: Explanatory Memorandum to the Draft Amendment to the Law on the National Cyber Security System]
4. Changes in security audits
The amendment to the law calls for a reduction in the frequency of security audits. Under the new regulations, businesses will conduct audits every three years instead of every two, in response to the demands that businesses themselves have made. In addition, the regulations extend the deadline for conducting the first audit to 24 months after the new regulations take effect.
5. Fines
The amendments to the provisions on fines are intended to bring the sanctions in line with the new obligations imposed on key and important entities. The amount of a fine will depend on the scale of the violation, its duration and the financial capacity of the entity. The minimum penalty for key entities will be PLN 20,000, and for important entities PLN 15,000. The maximum penalty can reach up to €10 million or 2% of annual revenues.
A new feature is the possibility of imposing a penalty on entities that fail to designate a contact person for the supervisory authorities or fail to provide users with information on cyber threats. In addition, periodic penalties from PLN 500 to PLN 100,000 for each day of delay may be imposed for delays in implementing a supervisory authority’s decision. In the case of serious violations that may threaten state security or public health, the maximum penalty may be up to PLN 100 million. These solutions are intended to ensure more effective prevention and deterrence of further violations.
6. Powers of the monitoring officer
In the new draft amendment to the KSC Act, the monitoring officer has gained more powers, including the ability to initiate an ad hoc inspection if suspected violations are confirmed. Significantly, the officer’s access to classified information will depend on the authorization held, which improves data security. Fines will be introduced for obstructing the officer’s work, for example by refusing to issue an access pass, to ensure effective supervision of key and important entities.
7. High-risk suppliers
High-risk suppliers will have to meet certain criteria, and failure to meet these requirements may result in fines or a ban on cooperation with companies regulated under the KSC Act. In addition, if a supplier is deemed a threat to national security, the regulations allow it to be excluded from the market.
Conclusions – what does the amendment to the KSC Act and the implementation of NIS2 mean for companies?
This article highlights only some of the changes, to show that the draft differs from the original provisions and deserves a fresh look. Keep in mind that for companies in the key and important sectors, the amendment to the KSC Act means that they will have to comply with all of the new cyber security requirements. Although work on the new regulations is still underway, they are scheduled to be enacted in 2025. Companies should start preparing now to meet the new obligations, in order to minimize risks and ensure protection against growing cyber threats. Awareness among companies in this area is steadily increasing, but it is still not sufficient. Of course, the final shape of the regulations is important, but it is the actions, not the documents themselves, that protect companies from cyber attacks.