President Signs Cybersecurity Law Amendment but Sends to Constitutional Tribunal

Poland’s President signed the national cybersecurity system amendment but referred it to the Constitutional Tribunal following business concerns about excessive obligations.

President’s Position

President Andrzej Duda signed the amendment to the law on the national cybersecurity system (KSC), stating it strengthens defense mechanisms, improves institutional cooperation, and allows for the elimination of high-risk providers. He emphasized that “security has no party colors” but noted his decision to respond to business concerns perceiving the obligations as “excessive and disproportionate.”

The President sent the bill to the Constitutional Tribunal for subsequent review of the provisions.

Government Success

Deputy Minister of Digitalization Paweł Olszewski, responsible for preparing the amendment, commented on the President’s decision, stating: “Success of Donald Tusk’s government in cybersecurity!” He added that despite another move with the Constitutional Tribunal, Poland now has a modern National Cybersecurity System after 6 years of proceedings.

Olszewski emphasized that Poland is becoming a significantly more difficult target in cyberspace, stating: “We cannot afford half measures.”

Key and Important Sectors

The amendment designates key sectors including energy, transport, healthcare, banking, financial markets, water supply, digital infrastructure, sewage, ICT management, and space – the latter three not previously included in the KSC. Public entities such as offices, local governments, schools, hospitals, and research institutes are also classified as key sectors.

Important sectors under the new law include postal services; waste management; digital service providers; production and distribution of chemicals; production, processing, and distribution of food; and production including medical devices, computers, electrical equipment, and vehicles.

Company Obligations

Companies must self-assess whether they meet the criteria for a key or important entity. If they do, they are required to register in the KSC entity register within 6 months of self-identification. Failure to register in the system carries the risk of penalties.

Organizations from key and important sectors will have various new cybersecurity obligations, including implementing an information security management system, regularly assessing the risk of incidents, and managing incidents. They must also collect information about cyber threats and vulnerabilities and apply measures limiting the impact of incidents.

Technical Measures and Reporting

Entities covered by the KSC will need to implement technical and organizational measures proportional to the assessed risk, adjusted to factors including organization size. These include cybersecurity policies and procedures, access control to systems, secure communication methods with multi-factor authentication, and employee training.

The amendment requires key and important entities to exchange information on incidents, cyber threats, and vulnerabilities through the S46 system. Key entities will also be required to conduct a security audit at their own expense at least once every 3 years.

Implementation Timeline and Penalties

Key and important entities will have 12 months to comply with the provisions from the date the amendment enters into force. The amendment also provides for the creation of sectoral CSIRT teams to support KSC entities in handling cybersecurity incidents.

A “serious incident” is defined as one that causes or may cause a significant reduction in service quality, an interruption in service continuity, or financial losses, or that affects other persons and entities by causing serious damage. Key and important entities must report such incidents to the appropriate CSIRT within 72 hours of detection and provide an “early warning” within 24 hours.

Penalties for non-compliance can reach 2% of a company’s revenue for key entities (minimum 20,000 zł, maximum 10 million euros) and 1.4% for important entities (minimum 15,000 zł, maximum 7 million euros). Additional penalties of 500 zł to 100,000 zł per day of delay apply for not following cybersecurity authority orders. Special penalties up to 100 million zł can be imposed for causing direct and serious cybersecurity threats to national security.

Legislative Changes and Background

During parliamentary work on the law, changes were adopted to clarify certain provisions. One introduced the obligation for a presidential representative to participate in government work on the Council of Ministers resolution regarding the National Incident Response Plan. Another provided that administrative monetary penalties for failure to fulfill obligations under the KSC amendment could be imposed for the first time only after 2 years from its entry into force.

The previous version of the KSC law dates from 2018 and lacks provisions implementing the EU NIS 2 directive. The deadline for its implementation into the national legal order expired on October 18, 2024. The amendment to the law on the national cybersecurity system is to enter into force one month after its announcement.
