On 1 August 2018 the Polish President signed a new Act on the national cybersecurity system, which implements the measures laid down in the so-called NIS Directive. The Act is expected to enter into force at the end of August 2018. Alongside the GDPR, the Act is another step in extending the cybersecurity duties imposed on companies. The key issues are as follows:
- The Act will impose a series of requirements related to increasing the level of cybersecurity on operators of essential services from the energy, banking, health, transport and water supply sectors and also covers so-called digital service providers;
- Companies subject to the Act will be required to introduce risk assessment and risk management systems and to report incidents to the relevant authorities in a timely manner.
Non-compliance with the provisions of the new Act may lead to the imposition of significant administrative fines.
What changes can be expected?
Operators of essential services are private businesses or public entities with an organisational unit in Poland which have been designated as operators of essential services by way of a decision of the relevant cybersecurity authority. Such operators provide services that are essential in the areas of healthcare, transport, energy, banking and financial market infrastructure, digital infrastructure and water supply. The category of digital service providers covers online marketplaces, cloud computing services and search engine providers. Under the Directive, Member States have until 9 November 2018 to identify the entities operating in their territory that qualify as operators of essential services.
The Act applies to entities that have at least an organisational unit in Poland. Smaller digital service providers (i.e. those with fewer than 50 employees and an annual turnover and/or annual balance sheet total below EUR 10 million) fall outside the scope of the Act.
Requirements for operators of essential services and digital service providers
In particular, operators of essential services will be obliged to introduce a risk assessment and risk management system and to take steps to prevent incidents and limit their impact on the security of their systems. Operators of essential services and digital service providers will also be obliged to identify incidents, assess their seriousness and report them within 24 hours of identification.
Fines for non-compliance
Failure by an operator of essential services to comply with the requirements of the Act may result in the relevant authority imposing an administrative fine of up to PLN 200,000 (approx. EUR 47,000). Digital service providers can be fined up to PLN 20,000 (approx. EUR 4,700) for each unreported incident. The relevant sector authority can also impose an administrative fine of up to PLN 1 million (approx. EUR 235,000) on an operator of essential services or a digital service provider that repeatedly infringes the Act, where this causes a serious and direct cybersecurity threat to defence, security, public order or public health, or a threat of serious harm or serious difficulty in providing essential services.