Plans to amend the Act of 5 July 2018 on the National Cybersecurity System (CSA) were announced as early as last year, and the first draft of the bill was submitted for public consultations on 7 September 2020. Since then, the envisaged amendment has been revised repeatedly in the course of legislative work, and the final version of the bill, dated 4 March 2021, is now being reviewed by the Council of Ministers. Although it does not affect the crucial issues regulated in the act, the amendment to the CSA has attracted a lot of interest from business, and not only from firms on the IT market. The proposed changes are briefly summarized below, although, given the lengthy period of work on the bill, it is still not certain that they will be enacted.
The amendment is a matter of interest to many firms, as the CSA places special obligations on a broad range of firms. In addition, under proposals made by EU lawmakers, the range of firms affected will most likely be extended in the near future (see the article on the proposal for NIS 2).
Telecommunications operators will still not be subject to the CSA, although this was envisaged in the initial proposals. This means that the requirements on ensuring adequate security of the services provided and on reporting detected incidents will not apply to telecommunications operators or network operators. On the other hand, these operators may have to comply with other requirements laid down in new provisions of the Electronic Communications Law, which is undergoing legislative work at the same time and is intended to harmonize Polish law with Directive 2018/1972 of the European Parliament and of the Council of 11 December 2018 establishing the European Electronic Communications Code.
Under the current proposal for the CSA, this exemption will not apply to strategic communication network operators, i.e. operators of a special telecommunications network created for national security and defense purposes. A strategic communications network is to be used for the operation of the country’s most important bodies, such as the Chancellery of the President, the Chancellery of the Sejm and Senate, or the National Security Bureau. The amendment to the CSA will therefore apply to operators of strategic communication networks.
The proposal also envisages more precise provisions on the obligations of operators of key services. At the moment, operators of key services may discharge these obligations themselves or outsource them to cybersecurity firms. Under the proposed new rules, however, these obligations will be performed by a Security Operations Center (SOC), comprising teams that act as an operational security center, either created within the organization in question or operating as independent security service providers. All organizations that act as SOCs will be obliged to be listed in a special register, which will be classified. Thus the range of organizations providing cybersecurity services for operators of key services, and discharging those operators’ obligations, would be limited.
Under the amendment, other changes would also be made to the Polish cybersecurity system, such as giving the College of Cybersecurity and other bodies powers of risk assessment concerning suppliers of hardware or software vital to the cybersecurity of bodies in the national cybersecurity system (i.e. operators of key services and suppliers of digital services, among others), and regulating the operations of the ISAC (Information Sharing and Analysis Center) with regard to vulnerabilities, cyberthreats, and incidents. Importantly, the amendment to the CSA is still at the legislative stage, and no progress has been made since March this year. The future of the proposed amendment is therefore uncertain, and it is not clear whether these changes will become law.