Poland
(a) What is the NIS2 implementation status?
On 7 October 2024, the second draft amendment to the Act on the National Cybersecurity System (KSC) was released. This draft aims to implement the EU NIS2 Directive into Polish law. The new draft, dated 3 October 2024, incorporates many comments from public consultations and inter-ministerial agreements.
Key changes:
- Extended deadlines: The deadlines for essential and important entities to fulfill their obligations have been extended. For example, the deadline for registration in the list of essential and important entities has been extended from two to three months.
- Audit requirements: The obligation to conduct regular external audits is now limited to essential entities only. Important entities are no longer required to conduct these audits.
- Information security management system: Essential and important entities must still implement appropriate organizational and technical measures within their information security management systems. However, the presumption of compliance with ISO/IEC 27001 and ISO/IEC 22301 standards has been removed.
- Financial penalties: The new draft does not change the amount of financial penalties but expands the range of cases where penalties can be imposed.
(b) What is the envisaged NIS2 implementation timeline?
The Ministry of Digital Affairs aims to have this draft adopted by the Council of Ministers by the end of 2024 and submitted to the Parliament for enactment at the beginning of 2025.
(c) What does the NIS2 mean for other national cybersecurity legislation?
The statutory regulations are aimed at adapting Polish law to the increased requirements imposed by the NIS2 itself, as well as correcting the shortcomings observed in the application of the earlier laws. For instance, it is argued that the powers of the Government Representative for Cyber Security are insufficient: the Representative lacks effective means of influencing entities in the national cybersecurity system. In addition, only two sectoral cybersecurity teams have been established so far – other sectors of the economy lack teams to support businesses in responding to incidents.
Furthermore, as the justification for the Draft Law indicates, because of cross-references in the NIS2 itself, the Draft Law will depend on the draft acts implementing, or used to implement, the following:
- Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 establishing the European Electronic Communications Code – implemented by the draft Electronic Communications Act;
- Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 on the resilience of critical entities and repealing Council Directive 2008/114/EC (CER Directive);
- Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No. 1060/2009, (EU) No. 648/2012, (EU) No. 600/2014, (EU) No. 909/2014 and (EU) 2016/1011 (DORA Regulation).
Another impact of the NIS2 on legislation will be the inclusion of a statutory delegation: the Council of Ministers will be able to establish, by regulation and separately for each type of activity performed by essential or important entities, detailed requirements for the information security management system.
Because sub-statutory acts must comply with the statutory acts, the amendment will also entail changes to regulations such as the Regulation of the Council of Ministers of 12 April 2012 on the National Interoperability Framework, minimum requirements for public registers and exchange of information in electronic form and minimum requirements for ICT systems.
(d) Who will be the supervisory authority and how are they preparing the market?
The authorities responsible for cyber security for essential entities will be:
- for the energy sector – the minister in charge of energy;
- for the transport sector excluding the water transport subsector – the minister in charge of transport;
- for the water transport subsector – the minister in charge of maritime economy and the minister in charge of inland navigation;
- for the banking sector and financial markets infrastructure – the Financial Supervision Commission;
- for the health sector – the minister responsible for health;
- for the drinking water supply and distribution sector – the minister responsible for water management;
- for the digital infrastructure sector – the minister responsible for informatization;
- for the digital infrastructure sector of the electronic communications subsector – the President of the Office of Electronic Communications;
- for the wastewater sector – the minister responsible for water management;
- for the ICT service management sector – the minister responsible for informatization;
- for the space sector – the minister responsible for economy;
- for the sector of production, manufacture and distribution of chemicals – the minister responsible for health;
- for the food production, processing and distribution sector – the minister responsible for agriculture;
- for the manufacturing sector, excluding the subsector of production of medical devices and in vitro diagnostic medical devices – the minister responsible for economic affairs;
- for the subsector of production of medical devices and in vitro diagnostic medical devices – the minister responsible for health.
The authorities competent for cyber security for important entities will be:
- for the postal services sector – the President of the Office of Electronic Communications;
- for the waste management sector – the minister responsible for climate affairs;
- for the sector of digital service providers – the minister responsible for informatization;
- for the scientific research sector – the minister responsible for science.
Coordination of incident management will be conducted by CSIRT teams. CSIRT MON, CSIRT NASK and CSIRT GOV will be responsible for implementing corrective actions.
In addition, each cybersecurity authority is obliged to appoint a sector-specific or subsector-specific CSIRT to support the sector's essential and important entities in incident response. Essential and important entities will report major incidents to those sectoral teams, which will then forward the information to the relevant national CSIRT (CSIRT MON, CSIRT NASK or CSIRT GOV).
Authorities responsible for cyber security will submit reports on the functioning of sectoral CSIRTs to the Government Representative for Cyber Security once a year, by 31 January.
In order to provide all the information necessary for effective supervision of entities, the minister responsible for digitalization will keep a register of essential and important entities. This authority will also be responsible for incident management and for crisis management during large-scale cybersecurity incidents in the civilian sector.
(e) What should you be doing/on the lookout for?
It should be noted that the NIS2 uses the concept of services in a comprehensive sense. In the Polish legal system, public entities carry out public tasks, therefore, for the avoidance of doubt, the general provisions explicitly indicate that in the case of a public entity, the term service is understood to include the public task carried out by the entity.
Until now, key service providers (essential entities) have been designated through an administrative decision by the authority responsible for cybersecurity. A major problem, however, has been the identification of digital service providers within the meaning of the NIS1. To simplify the identification of essential and important entities, self-registration of these entities has been made mandatory. Registration will take place in the register of essential and important entities, which will be maintained by the minister responsible for digitalization. Entities that meet the criteria will be required to register within two months of meeting the requirements for recognition as either an essential entity or an important entity.
Considering the large potential number of entities subject to registration, registration will not take the form of an administrative decision. Instead, it will be treated as another type of public administration act, which the entity will be able to challenge before an administrative court. A new legal institution included in the draft is a protective order issued by the Minister of Digitalization in the form of a general decision: it will make it possible to order a given group of entities to perform a specified act in order to prevent a critical incident.
Contact
Ewa Bugajska E: ewa.bugajska@eversheds-sutherland.pl
Marta Gadomska-Gołąb E: marta.gadomska-golab@eversheds-sutherland.pl
© Eversheds Sutherland. All rights reserved. Eversheds Sutherland is a global provider of legal and other services operating through various separate and distinct legal entities. Eversheds Sutherland is the name and brand under which the members of Eversheds Sutherland Limited (Eversheds Sutherland (International) LLP and Eversheds Sutherland (US) LLP) and their respective controlled, managed and affiliated firms and the members of Eversheds Sutherland (Europe) Limited (each an "Eversheds Sutherland Entity" and together the "Eversheds Sutherland Entities") provide legal or other services to clients around the world. Eversheds Sutherland Entities are constituted and regulated in accordance with relevant local regulatory and legal requirements and operate in accordance with their locally registered names. The use of the name Eversheds Sutherland, is for description purposes only and does not imply that the Eversheds Sutherland Entities are in a partnership or are part of a global LLP. The responsibility for the provision of services to the client is defined in the terms of engagement between the instructed firm and the client.