Businesses Breathe Easier as Sejm Eases KSC Act Provisions

The Polish parliament has adopted amendments to the National Cybersecurity System (KSC) Act, implementing the EU’s NIS2 directive with more flexible compliance requirements.

NIS2 Implementation with Flexibility

The amendment to the KSC Act implements the EU’s NIS2 directive into Polish law. Under it, entrepreneurs will have to enter themselves in a register maintained by the Minister of Digital Affairs and determine whether they are important or key entities. Failure to fulfill this obligation will itself be punishable, as will failure to comply with the security measures stipulated in the act.

High-Risk Suppliers and Government Decisions

According to the provisions adopted by the Sejm, suppliers of equipment or software that threatens public security will be designated as high-risk suppliers. The Minister of Digital Affairs will be able to issue a decision under which entities key to the functioning of the state will not be able to use the products of these suppliers.

Risk Assessment Tool for ICT

The amendment also introduces a risk assessment tool, the so-called toolbox, for suppliers of ICT (information and communication technology) devices and software.

Parliamentary Amendments and Deadlines

The Sejm adopted the law with amendments, including two by PiS MPs. The first provides that financial penalties for non-compliance will be imposed only two years after the act comes into force. The second amendment requires a representative of the president to participate in the work on the KSC.

Meanwhile, the adopted KO amendments include extending to six months the deadline for submitting applications to the list of key and important entities. The draft provides that these entities will transmit incident information via the s46 system, with the deadline for starting to use the system extended to 12 months.

Closed-Session Committee Meeting

Although the law will now go to the Senate, the parliamentary committee on digitization will meet again regarding the enacted provisions. This follows a proposal by Deputy Minister of Digital Affairs Paweł Olszewski, who suggested a closed session for MPs to review documents about alleged illegal lobbying around the act.

Potential Future Amendments

The European Commission published a proposal for a new regulation, the Cybersecurity Act 2.0 (CSA2), on January 20. This document aims to harmonize ICT supply chain security and certification throughout the European Union and would expand the risk assessment toolbox to 18 economic sectors, not just 5G mobile networks.

Legislative Stage

Law enacted by the Sejm
