On 24 April 2024, the Ministry of Digital Affairs published a draft amendment to the National Cybersecurity System Act, which is a law implementing the EU NIS 2 Directive. It is worth noting, however, that in many aspects the Polish draft law deviates from the provisions of the NIS 2 Directive.
Although the draft amendment reflects the content of the NIS 2 Directive relatively faithfully, it diverges from the Directive in certain respects (including by introducing new, autonomous solutions). The five most important differences are presented below.
1. Extended scope of entities.
The draft amendment expands the scope of entities covered by the regulation by classifying all managed security service providers (regardless of their size) as essential entities. It also classifies the entities identified in Annex 2 to the Act that exceed the criteria of a medium-sized enterprise as essential, and reclassifies certain important sectors (such as manufacturing) as essential sectors.
2. Mandatory registration.
The draft amendment requires entities classified as essential and important to apply for entry in the relevant list. Essential and important entities will have 2 months to submit an application, and if they fail to do so, they may be fined.
3. Extension of CSIRT powers.
The draft amendment grants the relevant CSIRTs the power to examine ICT products, services and processes to identify potential vulnerabilities. To this end, CSIRTs will be authorised to use techniques for reproducing, multiplying or translating source codes of software. CSIRTs will not be bound by contractual provisions (in particular licensing agreements) of the ICT products, services or processes examined, and conducting the investigation will not require the consent of the licensor or user of such ICT product, service or process.
4. Introduction of the concept of a high-risk supplier.
The draft amendment provides for the possibility of classifying a hardware or software supplier as a high-risk supplier if it may pose a serious threat to state defence and security or public safety and order, or to human life and health. As a consequence, essential and important entities will not be able to introduce ICT products, services and processes from such suppliers, and those already introduced will have to be withdrawn.
5. Fines of up to PLN 100 million.
The draft amendment provides for the possibility of imposing a fine of up to PLN 100 million on an essential or important entity that causes:
(a) an imminent and serious cybersecurity threat to state defence and security, public safety and order, or human life and health;
(b) the risk of causing serious damage to property or serious hindrance to the provision of services.
However, it should be borne in mind that this is still a draft amendment, so the solutions described may be changed in the course of further legislative work. This is possible, as these discrepancies have been signalled to the Ministry of Digital Affairs during the ongoing public consultations.