New legislative proposal to amend the National Cybersecurity System Act
A government proposal to amend the National Cybersecurity System Act (CSA) has been published after many weeks of public statements. The proposal is somewhat similar to last year's proposed amendment to the act, which was discussed in our previous international newsletter, but it contains a range of new solutions that had not been announced to the public before. Although a very short timeframe was set for consultation, many comments on the proposed bill have been submitted by business organizations and others. Government officials have said that the proposal has been submitted to the Government National Security and Defence Committee (KRMBNSO).
A major change compared to the previous version of the amendment is that telecommunications operators, which to date were completely excluded, will be included in the National Cybersecurity System. Telecommunications operators are to be subject to the CSA only to a certain extent, and the wording in this respect is vague and imprecise. The CSA will apply to them only where they belong to one of the groups with special obligations under the act, for example where they are digital service providers or operators of essential services.
As in the previous proposal, the National Cybersecurity System will include new entities such as institutions of higher education and, for example, the Polish Financial Supervision Authority. Another change that has been retained is that operators of essential services must use Security Operations Centers (SOCs) to comply with certain of their obligations, for instance managing the security of an IT system or handling and reporting incidents. Under the new provisions, agreements for SOC services performed for an operator of essential services must specify Polish law as the governing law, and the competent minister will be obliged to maintain a list of all SOCs in operation.
As in the previous proposal for the amendment, under the current proposal a national system of cybersecurity certification will be created. Under this system, a national cybersecurity certification scheme will be set up, and will have three trust levels (basic, essential, and high) for ICT products, services, and processes. The concept of creating a strategic cybersecurity network has also been retained, and this will be used by a strategic cybersecurity network operator to provide services to the most important state authorities (such as the Chancellery of the President, the Chancellery of the Sejm and Senate, and the National Security Bureau).
Once again, there is strong feeling and controversy surrounding the procedure for classifying a hardware or software supplier as a high-risk supplier, and the power of the minister competent for computerization to issue instructions for security purposes.
Under the proposal, if a supplier is designated as high-risk, a significant number of firms operating on the market (such as digital service providers, operators of essential services, and telecommunications operators) may be prohibited from using certain hardware or software supplied by that supplier.
Meanwhile, under the new system for issuing instructions for security purposes, the instructions would take the form of an administrative decision. Security instructions are to be issued in cases of critical incidents. Among other things, such an instruction could prohibit entities in the national cybersecurity system (such as operators of essential services and digital service providers) from using particular hardware or software, require them to limit traffic from the IP or URL addresses of a particular entity connecting to the infrastructure, or order that distribution of a specific version of software be stopped or that installation of that software be prohibited. Under the amendment, the penalty for failing to comply with instructions for security purposes is an administrative fine of up to 3% of total annual global turnover in the previous financial year in the case of digital service providers.
A development not present in the previous proposal for the amendment concerns 5G networks. Under the current proposal, a new capital company called Polskie 5G will be formed with the goal of establishing a nationwide wholesale 5G network. Principally, the company will be responsible for ensuring that the wholesale 5G network signal covers the entire country and for providing paid wholesale telecommunications services via that network. According to the proposed provisions, the 5G network frequencies would be granted to telecommunications operators in an auction held by the President of the Office of Electronic Communications.