On 3 July 2023, a government bill amending the Act on the National Cybersecurity System and certain other acts (amendment to the ANCS) was submitted to the Sejm. This happened after nearly 33 months of work on the wording of the amended legislation. The adoption of the amendment continues to face new obstacles – work on it has now been postponed, due to its referral to a public hearing to be held on 11 September 2023.

The course of work on the ANCS amendment to date

The legislative process related to the ANCS amendment is taking an exceptionally long time. The initiative to amend the Act appeared as early as September 2020. The course of work on the amendment of the ANCS to date has also been rather bumpy, with the draft being amended several times and legislative work suspended and then resumed.

Numerous comments were made on successive versions of the draft during the public consultation. Also, the topic of cybersecurity itself has gained publicity and importance in the meantime due to the Russian aggression against Ukraine in February 2022 and the increase in hacking attacks resulting in the unauthorised acquisition of personal data or DDoS attacks. According to the authors’ calculations, the version addressed to the Sejm is the thirteenth (and let’s hope not unlucky) draft proposal of this act.

The adoption of the current ANCS text[1] was the result of the obligation to implement the EU NIS Directive[2]. On the other hand, the period of work on the ANCS amendment saw the publication in the Official Journal of the EU of the NIS 2 Directive[3], which replaces its predecessor and has an implementation deadline of 17 October 2024. At the same time, most of the changes that result from the NIS 2 Directive and the obligations it is supposed to impose on the various entities of the National Cybersecurity System were not included in the draft ANCS amendment. Given the above, some have questioned the legitimacy of proceeding with the current version of the draft, since the ANCS will soon have to be amended again to a significant extent in order to adapt it to the requirements of NIS 2.

In addition, concurrently with the work on the ANCS amendment, work is underway on the preparation of an Electronic Communications Law (ECL) to replace the current Telecommunications Law[4]. Its main addressees will be electronic communication undertakings, who, according to the ANCS amendment proposal, are to be included in the National Cybersecurity System. Importantly, in the current proposed wording of the ECL and the ANCS amendment, the links between the acts are directly noticeable. The ANCS amendment contains references to the ECL in a number of places, including definitions. Also in the explanatory memorandum to the draft ANCS amendment it is explicitly indicated that both these acts should enter into force at the same time.

The need for simultaneous implementation of the ECL is one of the biggest obstacles to the ANCS amendment. The ECL is a highly controversial regulation, with its draft having previously been submitted to the Sejm[5] and withdrawn from it on 21 April 2023. Since then, there has been no official information on the status of work on the new proposed law. In the context of the approaching end of the current term of the Parliament, it is doubtful that both the ANCS and the ECL will be able to be passed during the term.

These doubts were further exacerbated by a meeting of the joint Digitalisation, Innovation and New Technologies and National Defence committees on 11 July 2023. At the meeting, after almost an hour and a half of discussion on the general principles of the amendment, which was mainly attended by representatives of stakeholder organisations concerned with its form, a vote was held on a formal motion. As a result of this vote, the draft ANCS amendment has been referred to a public hearing to be held on 11 September 2023. Postponing work on the amendment for such a long time means that there will be little time left to pass it before the end of the term of the Parliament. Thus, it seems increasingly unlikely that the bill will be passed before the end of this term of the Sejm.

What key changes will the ANCS amendment introduce?

Revised definition of cybersecurity

One of the changes that the ANCS amendment in its current form introduces is a new definition of cybersecurity. It follows from the need to ensure consistency of terminology with other legislation, including EU regulations. The proposed definition of cybersecurity is the same as the definition introduced by the EU Cybersecurity Act[6]. According to the new definition, cybersecurity is:

“actions necessary to protect information systems, users of such systems and other entities from cyber threats.”

In contrast, the new concept of cyber threats is defined as:

“any potential circumstance, event or action that could cause damage, disruption or otherwise adversely affect information systems, users of such systems and other entities.”

In contrast, the definition of cybersecurity in the draft corresponds to the existing definition of information systems security. Importantly, however, this definition in the current wording of the ANCS amendment is not fully aligned with the concepts that have been introduced in other EU acts, i.e. the DORA Regulation[8] and the NIS 2 Directive.

Expanding the catalogue of entities subject to the ANCS and imposing new obligations on them

In the current law on the National Cybersecurity System, the largest group of entities subject to the obligations set out therein are key service operators (hereinafter: “KSO”), digital service providers (hereinafter: “DSP”) and public entities. However, the catalogue of entities subject to the obligations set out in the ANCS may increase, with the inclusion in the National Cybersecurity System of electronic communication companies: telecommunications companies and entities providing a publicly available interpersonal communication service that does not use numbers.

The draft ANCS amendment also proposes that with the inclusion of electronic communication undertakings in the National Cybersecurity System, they will be obliged, inter alia, to systematically assess the risk of a specific threat situation and take technical and organisational measures to ensure the confidentiality, integrity, availability and authenticity of the processed data, as well as a level of security appropriate to the degree of the identified risk (Article 20a(2) of the draft ANCS amendment).

Other important obligations that would be imposed on electronic communication undertakings are obligations to document cybersecurity measures taken and to handle a security incident, in particular incident reporting and cooperation with relevant cybersecurity authorities (Articles 20a-20f of the draft ANCS amendment).

Some of the obligations are quite strict – for example, an electronic communications undertaking will be required to report a serious telecommunications incident to the CSIRT Telco within a maximum deadline of just 8 hours (Article 20d(1)(2) of the draft ANCS amendment). Interestingly, the deadline was drastically shortened between the different versions of the draft – it was originally 24 hours.

The ANCS amendment also introduces financial sanctions for failure to comply with the obligations imposed on electronic communication undertakings. They will be subject to a fine of up to 3% of the penalised entity’s annual revenue generated in the previous calendar year (Article 76b(1) of the draft ANCS amendment).

In addition, a fine of up to 300% of one month’s salary, calculated as the equivalent of annual leave, may be imposed on the person in charge of an entity breaching the obligations set out in the ANCS (Articles 73(7) and 76a(5) of the draft ANCS amendment).

With the entry into force of the amendment, further public entities that perform public tasks that depend on the information system within the meaning of the National Cybersecurity System Act will be included in the National Cybersecurity System, in addition to electronic communication undertakings. These include:

  • universities and other entities of the higher education system,
  • Office of the Financial Supervision Authority,
  • Państwowe Gospodarstwo Wodne Wody Polskie (State Water Holding “Polish Waters”) and
  • development institutions, the Polish Development Fund or the Polish Agency for Enterprise Development.

Two new CSIRTs, or Computer Security Incident Response Teams, have also been introduced:

  • CSIRT INT, which is to act for organisational units subordinate to the minister in charge of foreign affairs and the Intelligence Agency, and
  • CSIRT Telco established for the needs of electronic communication undertakings.

SOC – a new category of cybersecurity system entities

As part of the proposed amendment to the law, the institution of a SOC (security operations centre) was also introduced into the National Cybersecurity System.

SOCs are to replace the existing structures responsible for cybersecurity at key service operators. SOCs are teams of cybersecurity specialists. They are to be tasked with carrying out all cybersecurity monitoring and management functions for key service operators, and optionally for other entities.

The draft ANCS amendment provides for the operation of:

  • in-house SOCs, which are to perform the functions of an operational security centre at the key service operator through its own internal resources; and
  • external SOCs, which are to consist of contracting a specialised external entity to perform this function.

It is important to note that the contracts for the provision of SOC services will have to be in force under Polish law and subject to appropriate notification to the authorities competent for cybersecurity. SOC service providers should also be included in the list of SOCs to be maintained by the minister in charge of IT.

Key service operators, according to the draft ANCS amendment, will be required to have SOC infrastructure used to perform certain tasks (including the obligation to implement a security management system; develop, implement and update cybersecurity documentation; handle incidents) on the territory of the Republic of Poland, and personnel performing these tasks will be required to hold a ‘confidential’ security clearance (Articles 14(10) and 11 of the draft ANCS amendment).

Such a requirement is judged by many commentators to be highly disproportionate. In their view, in practice, it can be a significant impediment to the establishment and organisation of SOCs by key service operators. There are also doubts about the obligation for all SOC staff to hold a ‘confidential’ clearance when their internal tasks do not involve the handling of documents with such a classification.

High-risk suppliers and new competences of the minister in charge of IT

Another controversial change is the extension of the competences of the minister in charge of IT. The minister will be able to conduct proceedings to recognise an entity as a high-risk supplier, which may result in an administrative decision recognising a hardware or software supplier as a high-risk supplier. This may occur if it is determined that the supplier poses a serious threat to defence, state security, public safety and order or human life or health. In the event of such a decision, entities vulnerable to cyber threats (including, but not limited to, the DSPs and KSOs and certain electronic communications undertakings) will be forced to stop using the products, services or processes covered by such a decision.

This restriction is also to apply to entities to which the Act of 11 September 2019 – Public Procurement Law (PPL Act) applies[9]. They will not be able to purchase equipment, software and services specified in the decision on recognition of a supplier as a high-risk supplier (Article 67b(4) of the draft ANCS amendment). The addition of another premise for excluding a contractor from a procedure, which does not directly derive from the classic public procurement directive[10], raises certain doubts as to the compliance of such a procedure with EU law. This fact was pointed out, among others, by the Minister for European Union Affairs during inter-ministerial arrangements of the draft ANCS amendment[11].

The ANCS amendment also changes the provisions of the PPL Act in this respect, adding (in Article 226(1)(19) of the PPL Act) another basis for rejecting a contractor’s bid. A bid which includes a product, service or ICT process specified in the decision to recognise the supplier as a high-risk supplier will be rejected.

Removal of the security order

In one of the latest versions of the draft ANCS amendment, the highly controversial institution of the security order was removed. It consisted of the competence of the minister responsible for IT to issue a security order in the event of a critical incident. The security order was to take the form of an administrative decision and could apply to a large proportion of National Cybersecurity System entities. A security order could impose prohibitions or obligations on its addressees, including, for example, the ability to use certain hardware or software. In the case of this institution, the biggest concern was that the content of the security order was only to include an indication of the ‘type of entities’ to which the order was to be addressed. The specified entities could therefore not even be aware that they had been obliged to behave in a certain way by an administrative decision, as they would not have been directly informed of this.

Creation of a strategic security network

An important consequence of the enactment of the ANCS amendment will also be the creation of a legal framework for the strategic security network (Article 76c et seq. of the draft ANCS amendment), i.e. the telecommunications network infrastructure, in which tasks for defence, state security and public safety and order in the field of telecommunications will be performed. The strategic security network is to provide encrypted communication between end users for data services, voice calls and text messages.

The amendment provides for the creation of a separate entity – the Strategic Security Network Operator (SSNO). It will provide telecommunications and, inter alia, cybersecurity services for the needs of the most important state authorities. The SSNO will also manage the strategic security network. The SSNO will be appointed by the Prime Minister from among entities meeting a number of criteria. Among other things, they must be a sole shareholder company of the State Treasury and a telecommunications entrepreneur, as well as provide a guarantee of due performance of the tasks of a strategic security network operator. The Strategic Security Network Operator will be able to provide communication services based on government frequencies.

The SSNO will also have the ability to request the President of the Office of Electronic Communications to grant temporary access to the use of civilian frequencies (713-733 MHz or 768-788 MHz frequency band) provided that there is a special emergency and the government frequencies are fully utilised. The President of the Office of Electronic Communications will then be able to impose an obligation on the entity holding the civil frequency reservation to make it available to the SSNO. This institution, too, raises some questions of compatibility with Union law, in particular the European Electronic Communications Code, which sets out conditions for granting access to frequencies and exceptions to the principle of free provision of electronic communications networks and services.

Establishment of a National Cybersecurity Certification System

The ANCS amendment draft also envisages the creation of a National Cybersecurity Certification System, under which a national cybersecurity certification programme will be developed. Under its terms, dedicated cybersecurity certification programmes will also be able to be developed for individual ICT products, services or processes, taking into account their individual characteristics.

Vacatio legis

The amendment will enter into force six months after its announcement. The vacatio legis has been extended relatively recently. Previously, a 30-day vacatio legis was proposed. The change results from the need to make the ANCS amendment consistent with the ECL.


[1] Act of 5 July 2018 on the National Cybersecurity System (consolidated text: Journal of Laws 2023, item 913).

[2] Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of networks and information systems within the Union.

[3] Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 concerning measures for a high common level of cybersecurity within the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972 and repealing Directive (EU) 2016/1148 (NIS 2 Directive).

[4] Act of 16 July 2004 – Telecommunications Law (consolidated text: Journal of Laws 2022, item 1648, as amended).

[5] Sejm Paper No. 2861.

[6] Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on cybersecurity certification in the field of information and communication technologies and repealing Regulation (EU) No 526/2013 (Cybersecurity Act).

[8] Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience in the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (DORA Regulation).

[9] Act of 11 September 2019 – Public Procurement Law (consolidated text: Journal of Laws of 2022, item 1710, as amended).

[10] Directive 2014/24/EU of the European Parliament and of the Council of 26 February 2014 on public procurement, repealing Directive 2004/18/EC (OJ EU. L. 2014 No. 94, p. 65 as amended).

[11] Ref. No. KPDPUE.920.1030.2021.AR(8)(KWM).