Cybersecurity

About this practice area

Cybersecurity is becoming increasingly important. Not so long ago, neither entrepreneurs nor public entities considered cybersecurity a priority. Nowadays, however, in the era of cloud-based solutions, remote work, and an information-based economy, data protection has become a key issue. Polish and EU legislators have responded accordingly. The need to ensure information and data security is triggering more and more regulatory measures. The regulations that apply to ICT systems processing data have also been expanded.

Our experts have been investigating legal aspects of cybersecurity for years. Drawing on our extensive experience, we have developed effective working practices which benefit our Clients. We collaborate with operators of essential services, digital service providers, IT providers, IT system procurers, and other public entities.

Cybersecurity considerations cannot be ignored. Enterprises gain a competitive edge by ensuring security of the data processed.

What we do?
  • Verification of the applicability of cybersecurity regulations to your business (or business group).
  • Organisational, technical, legal audit of solutions and services in terms of compliance with cybersecurity regulations.
  • Support in the process of preparation and implementation of required cybersecurity measures (including policies and procedures) within your organisation.
  • Support related to an incident management system and supervisory and control proceedings.
  • Preparation for and support in the process of negotiating contracts for implementation/IT maintenance services.
  • Formal and legal support in setting up/organising and running an ISAC.
  • Training and ongoing advice.
Cooperation benefits

We handle all the legal formalities related to the implementation and maintenance of cybersecurity within an organization on behalf of our Clients. This is a major benefit, as it allows enterprises and public institutions to fully focus on their tasks. In the long run, it is both time- and cost-effective.

Our Clients may seek assistance from a team of lawyers with expertise spanning cybersecurity and information and data security, as well as sector-specific regulations. Our Law Firm can also advise on technical matters. We work on a permanent basiswith several consultancy firms specializing in cybersecurity and with brokers offering insurance against cyber threats. With a vast knowledge of the working practices available, we help our Clients protect themselves and their business against cyber threats.

Entrepreneurs who fail to maintain cybersecurity standards may suffer financial losses and immeasurable damage to their reputation. With our expert teams support, that risk can be significantly mitigated or even completely eliminated.

Why choose us?
  • We offer expertise in cybersecurity, and constantly keep that expertise up to date.
  • We can respond to a crisis instantly – in the event of cyber security incidents or data and security breaches.
  • We monitor any legislative developments and the latest case law.
  • We can provide comprehensive support with regard to legal provisions and technical IT expertise.
  • We take a multi-disciplinary problem-solving approach, based on an in-depth knowledge of the industry and developed in collaboration with brokers who provide insurance against cyber threats.

Advisers

Xawery Konarski

Attorney‑at‑lawSenior PartnerCo‑Managing Partner

Agnieszka Wachowska

Attorney‑at‑lawCo‑Managing Partner

Dominika Nowak-Byrtek

Attorney‑at‑lawManaging Associate

Marcin Ręgorowicz

Attorney‑at‑lawManaging Associate

Konrad Basaj

Trainee attorney‑at‑lawJunior Associate

Piotr Konieczny

Trainee attorney‑at‑lawJunior Associate

Related articles

19 Sep 2023

The Act on Combating Abuses in Electronic Communication: new obligations for telecommunications operators and e-mail providers

On 25 August 2023, the Act on Combating Abuses in Electronic Communication (CAECA) was published in the Polish Journal of Laws. While the act was enacted in full over a long period (starting on the next day after promulgation and continuing for twelve months from the day it took effect), the obligations under the new legislation will mostly begin to apply from 25 September 2023.

12 Sep 2023

Proposal for the new NIST Cybersecurity Framework now revealed

The U.S. NIST recently released an update of a tool of its own design, the Cybersecurity Framework. This upgrade comes as the rate of growth in the field of cybersecurity is increasing, in terms of both legislation and norms, and cyberthreats. The important role played by the NIST means that this upgraded version has major implications for the entire cybersecurity sector.

12 Jul 2023

The draft amendment to the Act on the National Cybersecurity System was submitted to the Sejm

On 3 July 2023, a government bill amending the Act on the National Cybersecurity System and certain other acts (amendment to the ANCS) was submitted to the Sejm. This happened after nearly 33 months of work on the wording of the amended legislation. The adoption of the amendment continues to face new obstacles – work on it has now been postponed, due to its referral to a public hearing to be held on 11 September 2023.

12 Jan 2023

New technologies law – the most important legislative developments in 2023 in EU and Poland

Work is currently underway in Poland and the EU on more than fifty legislative acts that constitute the sources of new technologies law. A list of the most important of these acts is given below, divided into particular subject areas within new technologies (cybersecurity, e-privacy, e-commerce, innovation, Internet, telecommunications, intellectual property, and data management).

11 Jan 2023

Further National Cybersecurity Standards (NCS) published by the Chancellery of the Prime Minister, based on US NIST cybersecurity standards

Towards the end of December (specifically 23 December 2022), the Chancellery of the Prime Minister published more of the National Cybersecurity Standards.

The Chancellery of the Prime Minister has said that the latest materials concern assessment of security and privacy protection measures taken as an element of effective risk management, ensuring security of industrial control systems, and cloud processing.

27 Oct 2022

A new version of the National Cybersecurity System Act close to being passed

On 3 October, 2022, the Government Legislation Centre published what is now the eighth version of a bill amending the National Cybersecurity System Act. The bill does not make any changes to the previously proposed group of entities that form the national cybersecurity system or those entities’ obligations. This group includes electronic communication undertakings and the Financial Supervision Authority, the President of the Office of Electronic Communication, and external SOCs. The new provisions on the national system of cybersecurity certification and instructions issued for security purposes also continue to be applicable.

25 Oct 2022

NFTs and cybersecurity

Like other digital solutions, an NFT (non-fungible token) is exposed to the danger of cyberthreats.

02 Aug 2022

Envisaged new rules on cybersecurity – legislative proposal for combating abuses in electronic communication

On 15 June 2022, a proposal for a bill on combating abuses in electronic communication was published on the Government Legislation Centre website. The proposal is intended mainly to combat and counteract cyberthreats such as generation of artificial traffic, smishing, and CLI spoofing. To this end, specific obligations are envisaged under the legislation for telecommunications operators and e-mail providers. Public consultations have been completed and the document is currently undergoing an interdepartmental consultation process.

31 May 2022

Another seventh, new legislative proposal to amend the National Cybersecurity system act

On 25 March 2022, the Government Legislation Centre published what is now the seventh version of a bill amending the National Cybersecurity System Act. The previous version of the bill, of 12 October 2021, caused much controversy among the public – especially proposals regarding the procedure for classifying a hardware or software supplier as a high-risk supplier, and the possibility of instructions being issued as security measures requiring the entities that form the national cybersecurity system to take certain kinds of action.

22 Mar 2022

Council of the European Union proposals for the NIS2 Directive and CER Directive

In December 2021, the Council of the European Union, of which the presidency was held by Slovenia, reached a consensus on the wording of the NIS2 Directive, due to replace the current NIS Directive (2016/1148) in force since 2016, and the Critical Entity Resilience Directive (CER), due to replace Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European Critical Infrastructures.

08 Nov 2021

Amendment to Act on National Cybersecurity System

Even last year, plans were announced to amend the Act of 5 July 2018 on the National Cybersecurity System (CSA), and the first draft of the bill was submitted for public consultations on 7 September 2020. Since then, the envisaged amendment has been revised repeatedly in the course of legislative work, and the final version of the bill – of 4 March 2021 – is now being reviewed by the Council of Ministers. Although it does not affect the crucial issues regulated in the act, there is a lot of interest in the amendment to the CSA on the part of business, and not only firms on the IT market. The proposed changes are briefly summarized below, while it is still not certain that the proposed changes will be enacted due to the lengthy period of work on the bill.

03 Jun 2021

Cybersecurity changes envisaged in a proposal for NIS Directive 2

The implementation of the NIS Directive in the Member States led to additional obligations for certain digital service providers, including in areas such as ensuring cybersecurity or incident reporting. After four years, the existing regulations were found to be insufficient, and a proposal for NIS Directive 2 was published, expanding the group of entities concerned and placing new obligations upon them.