Amendment to the law on the national cybersecurity system
Draft amendments to the law of July 5, 2018 on the national cybersecurity system (CSA) were announced last year, and the first draft law was submitted for public consultation on September 7, 2020. Since then, the proposed amendment has been revised several times during legislative work, and the final version of the bill, dated March 4, 2021, is currently being examined by the Council of Ministers. While it does not affect the critical issues regulated by the law, the CSA amendment is generating a lot of interest from businesses, and not just from companies in the IT market. The proposed changes are briefly summarized below, although, given the lengthy period of work on the bill, it is still not certain whether they will pass.
The amendment is of interest to many firms because the CSA imposes specific obligations on a wide variety of firms. In addition, under the proposals made by EU lawmakers, the range of companies covered will most likely be extended in the near future (see article on the NIS 2 proposal).
Telecommunications operators will still not be subject to the CSA, although this was envisaged in the initial proposals. This means that the requirements for ensuring adequate security of the services provided and for reporting detected incidents will not apply to telecommunications operators or network operators. On the other hand, these operators may have to comply with other requirements set out in the new provisions of the law on electronic communications, which is the subject of parallel legislative work and aims to harmonize Polish law with Directive 2018/1972 of the European Parliament and of the Council of 11 December 2018 establishing the European Electronic Communications Code.
In the current CSA proposal, this exemption will not apply to operators of strategic communication networks, that is, operators of a special telecommunications network created for national security and defense purposes. A strategic communication network is meant to support the functioning of the most important organs of the country, such as the Chancellery of the President, the Chancellery of the Sejm and the Senate, or the Office of National Security. The amended CSA will therefore apply to the operators of strategic communication networks.
The proposal also contemplates more specific provisions on the obligations of key service operators. For the time being, key service operators can fulfill these obligations themselves or outsource them to cybersecurity companies. Under the proposed new rules, however, these obligations will be carried out by Security Operations Centers (SOCs), that is, teams acting as an operational security center, either created within the organization in question or functioning as independent security service providers. All organizations that act as SOCs will have to be entered in a special register, which will be classified. Thus, the range of organizations providing cybersecurity services to key service operators and fulfilling their obligations would be limited.
Under the amendment, further changes would also be made to the Polish cybersecurity system, such as giving the Cybersecurity College and other bodies powers to assess risks regarding suppliers of cybersecurity-critical hardware or software for bodies of the national cybersecurity system (i.e. key service operators and digital service providers, among others), or regulating the operations of the ISAC (Center for Information Sharing and Analysis) regarding vulnerabilities, cyber threats and incidents.
It is important to note that the amendment to the CSA is still at the legislative stage and that no progress has been made since March of this year. The future of the proposed amendment is therefore uncertain, and it is not clear whether these changes will become law.