On 3 October, 2022, the Government Legislation Centre published what is now the eighth version of a bill amending the National Cybersecurity System Act. The bill does not make any changes to the previously proposed group of entities that form the national cybersecurity system or those entities’ obligations. This group includes electronic communication undertakings and the Financial Supervision Authority, the President of the Office of Electronic Communication, and external SOCs. The new provisions on the national system of cybersecurity certification and instructions issued for security purposes also continue to be applicable.

According to media reports, government work on the amendment bill is nearing completion.[1] This is indicated by the proposed new ministerial regulations concerning the act, which were published together with the latest version of the bill:

  1. ministerial regulations on thresholds for defining a telecommunications incident as a serious telecommunications incident;
  2. ministerial regulations on the procedure for destroying materials that contain information obtained when CSIRT teams conduct security assessment and templates for the required documentation.

Under the new version of the bill – despite much criticism during public consultations – there will be no major change to the proposed procedure for classifying a hardware or software supplier as a high-risk supplier. A need to ensure national security or public safety and order will be a prerequisite for classification as a high-risk supplier. If particular products or services provided by high-risk suppliers are considered to pose a danger, the measures taken will include exclusion of those suppliers from the public tender system in Poland.

The most important difference compared to the previous version of the bill is that the company Polskie 5G will not be created. This company was intended to construct the nationwide 5G wholesale network, and was to be set up by the strategic security network operator, Polski Fundusz Rozwoju S.A. and telecommunications operators, who would be granted frequencies in the 713-733 MHz and 768-788 Mhz ranges.

Instead, the Minister of Digital Affairs is proposing that the 713-733 MHz and 768-788 MHz civilian frequency ranges be granted for providing wholesale services by way of the tender procedure specified in the Telecommunications Law.

The proposal was submitted on 6 October for review by the Cabinet Committee for National Security and Defense, and, once approved, will be submitted for approval to the Cabinet Standing Committee.[2] According to initial statements – the new National Cybersecurity System Act could be passed at the end of this year or in the new year.

[1] Polityka Insight Technologia, Czy 5G przyspieszy https://soundcloud.com/pi-technologia/8-wrzesnia-2022 (accessed: 11.10.2022)

[2] CyberDefence24, Nagły zwrot akcji. Co dalej z polskim 5G i projektem ustawy o KSC? https://cyberdefence24.pl/polityka-i-prawo/nagly-zwrot-akcji-co-dalej-z-polskim-5g-i-projektem-ustawy-o-ksc (accessed: 11.10.2022)