On 19 January 2023, a new version of the bill amending the National Cybersecurity System Act (NCSSA) was published. The proposal does not introduce too many changes, but they are significant as they tighten up or introduce new obligations for electronic communications undertakings.
The NCSSA implements the NIS Directive into the Polish legal system and is the main piece of legislation governing cybersecurity in Poland. This is now the ninth version of the amendment to the National Cybersecurity System Act and the next step in a legislative process that has been ongoing since September 2020. The new version of the bill amending the NCSSA came quite soon after the previous one, which was published in October 2022. In large part, however, the changes are significant as they tighten up or impose new obligations on the main addressees of the NCSSA: electronic communications undertakings.
One of the most important changes in the new version of the bill is the shortening of the deadline for an electronic communications undertaking to report a serious telecommunications incident. In the previous version of the bill, of October 2022, the deadline was 24 hours, while now it is only 8 hours from the moment of detection.
Another especially important change introduced by the new proposal for an amendment to the NCSSA is the more stringent obligations related to the SOC (Security Operation Centre) infrastructure of essential entities, i.e. entities providing services that are essential for maintaining critical social or economic activity of the state. Under the new proposal amending the NCSSA, they will be required to maintain the SOC infrastructure used to perform certain tasks in Poland, and the personnel performing these tasks will have to hold security clearance at the "secret" classification level within the meaning of the Act of 5 August 2010 on the Protection of Classified Information. Security clearance for access to information classified as "secret" is granted once the state security services (Internal Security Agency or Military Counterintelligence Service) and the security officer have conducted a detailed screening procedure.
There were no consultations or communications regarding the obligations described above during the previous stages of the work. This is all the more relevant as they may create a serious, often disproportionate financial and organizational burden on the entities concerned. Moreover, these changes are the initiative of the Polish legislator and do not result from the need to implement EU regulations.
We will keep you informed of further developments in this regard.