The National Cybersecurity System Act of 5 July 2018 forms the legal and institutional bases for cybersecurity in Poland. On 15 March 2022, another version of the proposed amendment to the act was published on the Government Legislation Centre website. This could have major implications, including for the public procurement market in Poland. The proposal allows a business undertaking to be classified as a high-risk supplier, and this may result in a bid being rejected.

The proposal has been commented upon as possibly aimed at certain manufacturers based in non-EU and non-NATO countries. For this and other reasons, work on the amendment has become significantly protracted. The latest version was published in March 2022. With regard to issues indirectly concerning public procurement regulations, the proposal is similar to the previous version of October 2021, while the tension surrounding the amendment has now abated slightly. Following Russia’s attack on Ukraine, in general Russian companies or companies with ties to Russia have been disqualified from the EU public procurement market under Regulation 2022/576, and thus the amendment will not affect them in the foreseeable future.

The amendment provides for proceedings to classify a hardware or software supplier as a high-risk supplier. This is to be decided by the minister responsible for computerization, if they consider the supplier to pose a serious risk to defense, state security, public safety or order, or human life and health. The minister will have an obligation to consult the Cybersecurity College.

In cases of public procurement proceedings conducted by entities listed in the proposal for article 66a(1) – which at the same time are contracting authorities bound by the Public Procurement Law of 11 September 2019 (for example national cybersecurity system entities, which include many state entities), a decision naming a supplier as high-risk will have serious consequences for contractors, whether they are potential bidders or entities performing concluded agreements. State contracting authorities will not be able to permit use of products that are subject to the decision, or withdraw from use products that are already in their possession for seven years. During that time, the only permitted use will be repair, modernization, or upgrading, provided that it is necessary to ensure proper quality and continuity of services.

As a result, the entity concerned would be eliminated from the market in the case of public tenders subject to the National Cybersecurity System Act with respect to the products named in the decision.

TKP is monitoring work on the amendment and we will provide updates on progress on the bill in future newsletters.