The NIS2 Directive and the proposed amendment to the National Cyber Security System (KSC) Act will introduce significant changes for public entities in Poland. The public sector, as one of the key areas of state operations, will be subject to new requirements that are expected to increase its resilience to cyber threats and improve the management of digital security. The findings of a report by the Supreme Audit Office (NIK) and events such as the 2024 cyber attacks underscore the need to quickly implement effective safeguards in these institutions. Public entities will need to adapt their systems to the new standards, which covers both technological and organizational processes.
Legislative process – where are we with the amendment to the KSC law?
- October 7, 2024: the Ministry of Digitization announced that it had referred the bill to the Committees of the Council of Ministers and the Joint Commission of Government and Local Self-Government (KWRiST),
- By letter dated October 14, 2024, the draft was referred to the Committee for European Affairs,
- On October 22, 2024, the Committee submitted its comments on the draft together with the protocol of divergences,
- By letter dated November 18, 2024, the draft, after further amendments made on November 18, was referred to the Committee for European Affairs with a recommendation that the Council of Ministers resolve the unaccounted-for comments contained in the protocol of divergences, so as to allow the necessary time for their analysis and possible inclusion in the content of the draft,
- November 20, 2024: the KWRiST Information Society Team put discussion of the proposed changes to the KSC Law on its agenda,
- By letter dated December 6, 2024, the draft, after further amendments made on December 2, was referred to the Committee for European Affairs in confirmation mode, in which only comments submitted at an earlier stage of the Committee's work are considered,
- By December 10, 2024, the Committee for European Affairs is to report any comments on the December 2, 2024 draft.
What is KWRiST and what is its role?
The Joint Commission of Government and Local Self-Government (KWRiST) is the key forum for cooperation between the central administration and local governments. Its main task is to develop common positions on issues concerning state policy toward local governments. The Commission consists of 11 thematic teams that deal with various aspects of the administration’s functioning.
The draft amendment to the Law on the National Cyber Security System (KSC) has been referred to the Information Society Team. The task of this team is to analyze changes regarding informatization and digital security, which are crucial for the operation of local governments.
As the draft amendments to the KSC currently stand, numerous public entities will be classified as key entities, with additional IT security requirements.
Public entities covered by new regulations
The draft amendment to the KSC Law lists the following public entities in the key sector:
- public authorities, including government administration bodies, state control and law protection bodies, as well as courts and tribunals;
- local government units and their unions;
- metropolitan unions;
- budget units;
- local government budget establishments;
- executive agencies;
- budget economy institutions;
- the Social Insurance Institution and the funds it manages, and the Agricultural Social Insurance Fund and the funds managed by the President of the Agricultural Social Insurance Fund;
- the National Health Fund;
- public universities;
- the Polish Academy of Sciences and the organizational units it creates;
- state and local government cultural institutions.
KSC amendment in public entities – new responsibilities
Entities classified as key entities must, among other things:
- Report security incidents to appropriate response teams (CSIRT).
- Conduct regular IT security audits.
- Implement risk management systems and incident response plans.
- Use advanced security tools.
- Conduct cyber security training.
These are just some of the challenges that public entities will face. Public entities will need to change their approach to cyber threats, invest in IT infrastructure, and implement effective processes and solutions.
NIK report on cyber security in public entities
What cyber security currently looks like in some local governments can be read in an audit statement by the Supreme Audit Office (NIK). The NIK's April 2024 audit of local governments in the West Pomeranian Voivodeship revealed that the audited units failed to meet basic cyber security requirements.
Key findings from the NIK audit of ICT security in municipal offices:
- Deficiencies in documentation and security standards:
  - None of the units had a complete Information Security Management System.
  - In three cases, the documentation did not meet the requirements of PN-ISO/IEC 27001.
  - In one office for 2 years, and in three offices for 4 years, there was no designated contact person for the National Cyber Security System.
- Unpreparedness to restore data after a cyber attack:
  - 50% of the offices did not have procedures for restoring resources after an attack.
  - In one case, the procedure existed, but its effectiveness was not tested.
  - Backups were made, but they were not verified for completeness or data recoverability.
  - In one office, backups were vulnerable to infection if the main server was infected.
- Problems with configuration and software updates:
  - Half of the offices were using outdated software with critical security vulnerabilities.
  - In one case, the security software was improperly configured, rendering it ineffective.
- Deficiencies in employee training:
  - None of the authorities provided adequate cyber security training.
  - Employees did not have sufficient knowledge to recognize the risks and respond to them appropriately.

Figure: West Pomeranian municipalities unprepared for cyber threats – Supreme Audit Office (source: results of a survey conducted by the Supreme Audit Office in the audited local governments)
- No inventory of the IT environment:
  - In none of the offices was the IT environment inventoried, making it difficult to control the systems and their security.
- Security incident management issues:
  - Two offices lacked an effective system for identifying and responding to incidents.
  - One office did not record incidents and did not report them to NASK's CSIRT, despite the existence of a procedure.
- Improper use of cloud services:
  - Cloud services were used without specific policies and controls, increasing the risk of data security breaches.
- Inadequate server protection:
  - In one municipality, the server was kept in an open closet in a pass-through office, exposing it to unauthorized access or accidental damage.
  - Other units lacked adequate physical protection for servers.

Figure: West Pomeranian municipalities unprepared for cyber threats – Supreme Audit Office (source: audit materials of the Supreme Audit Office)
Why is digital security in public entities crucial for citizens and businesses?
Cybercriminals are increasingly targeting public entities. Suffice it to recall the 2024 attacks on the County Office in Świebodzin and the County Office in Jędrzejów. In both cases, data was intercepted and the work of the offices was partially paralyzed. Digital security in public entities therefore has a direct impact on the daily lives of residents and the operation of local businesses. Public entities manage key systems and data that are important to the health, safety and comfort of citizens. In the event of a hacking attack, vital public services can be paralyzed, with serious social and economic consequences.
Examples of threats:
- Theft of personal data: public agencies store citizens' personal data, including PESEL numbers, addresses and bank account numbers. Leakage of such information can lead to identity theft, fraudulent loans or other financial crimes.
- Blocking the work of government offices: ransomware attacks on public entities result in blocked access to systems. Citizens are then unable to handle important matters such as the issuance of ID cards, birth certificates or building permits. Companies may experience delays in obtaining licenses or permits.
- Disinformation and social chaos: attacks on the communication systems of public entities can lead to the spread of false information. For example, attackers can send false emergency warnings or transmit false data about water or air quality, causing panic.
Conclusions and recommendations – what should be done to meet the challenges?
- Investment in IT infrastructure – replacing outdated systems and implementing effective protection for workstations and servers, including investment in proven antivirus software, cyber deception solutions, securing logins with strong passwords, using two-factor authentication on key systems, and creating data backups.
- Training for employees – building risk awareness and response skills.
- Conducting audits – identifying weaknesses and updating procedures on an ongoing basis.
- Commissioning penetration tests – checking the resilience of systems to potential attacks.
Summary
The amendment of the KSC Act and the implementation of the NIS2 Directive are a challenge, but also an opportunity for the Polish public sector. The results of the Supreme Audit Office (NIK) audit and the 2024 incidents have highlighted the scale of negligence in the area of cyber security. The implementation of the new regulations is an opportunity to increase resilience to threats, but it requires commitment and investment in IT infrastructure. Nevertheless, the KWRiST has an important task ahead in considering the revised regulations extremely carefully. While large entities can bear the burden of the changes, small local governments or cultural institutions may end up in the situation that the NIK audit results describe. In the current era of cyber threats, the point is not to create regulations for the sake of regulations, but to implement effective solutions that serve us all.