European Commission and Poland separately enact new cybersecurity regulations amid rising hacker attacks.
New EU and Polish Cybersecurity Regulations
On January 20, the European Commission published a draft of changes to cybersecurity regulations, led by the second act on cybersecurity, which is to replace the current one from 2019. Almost simultaneously, on January 23, the Sejm passed a major amendment to the law on the national cybersecurity system, and on January 28, it was adopted by the Senate without amendments. Now it has been sent to the President of the Republic.
The amendment finally aims to implement the NIS2 directive, whose implementation deadline expired in October 2024. The European Commission now intends to amend this directive.
High-Risk Supplier Identification Mechanisms
The European Commission will gain the right to qualify foreign states and entities originating from them as high-risk suppliers. This includes states requiring their manufacturers to report vulnerabilities before customers learn about them. The Commission will determine the list of high-risk suppliers through implementing acts.
Polish law provides for recognizing suppliers of hardware or teleinformatic software as high-risk suppliers through administrative decisions by the minister responsible for informatization. High-risk suppliers will be excluded from European standardization systems, certification processes, public procurement, and EU-funded programs.
Differences Between EU and Polish Approaches
While the Polish regulation derives from the EU’s 5G Toolbox, the differences between the two systems are significant. The Polish system is based on administrative proceedings focusing on specific suppliers, while the EU system uses implementing acts targeting entire states.
The EU mechanism benefits from economies of scale: it draws on data from all member states, and a one-time EU assessment places a smaller regulatory burden on entrepreneurs than separate national assessments.
Potential for Duplicate Regulations
Questions arise about whether Poland’s legal system might end up with two types of high-risk suppliers: those identified at the EU level and those identified nationally. The EU emphasizes that its system aims to establish equal rules across member states.
The current EU draft raises concerns about excessive regulation in Poland. Even if maintaining separate national regulations is permitted, Polish laws should complement rather than duplicate EU regulations.



