EU NIS2 in Poland


EU NIS2 will be transposed in Poland into national law by an amendment to the National Cybersecurity System Act (NCSSA), the law which was in part created to implement the original NIS directive. As in other EU member states, it is expected to come into force in late 2024.


On April 24th a new draft proposal for the amendment of the National Cybersecurity System Act was published by the Ministry of Digital Affairs.


Implementation in Poland

Current status

NIS2 will be transposed by an amendment to the existing cybersecurity and NIS law. In July 2018, the National Cybersecurity System Act (NCSSA) entered into force in Poland. NCSSA was created in part to transpose the original NIS Directive (EU 2016/1148) into Polish law and has since been amended several times by the Polish state.

On 24 April 2024, a proposal for a new amendment to this law was published by the Ministry of Digital Affairs on the official government website to transpose EU NIS2 into Polish law. It is currently in a thirty-day period for comments from other ministries and organisations. The law will come into force one month after its promulgation. A date has not yet been set.


NIS2 Requirements

Government authorities

Responsibility for the implementation, monitoring and supervision of the NCSSA, and therefore the NIS2 Directive, is shared between many government bodies in Poland. The implementation of NIS2 is handled by the Ministry of Digital Affairs, which is also responsible for the registration of entities.

Competent authorities for cybersecurity in Poland are sector-specific, with responsibility usually sitting at the relevant ministry (e.g. the Ministry of Health for the health sector, the Ministry of Transportation for the transport sector). These competent authorities for cybersecurity are responsible for supervising how entities in their sector apply the law.

NCSSA also establishes three Computer Security Incident Response Teams (CSIRTs): CSIRT GOV, led by the Head of the Internal Security Agency; CSIRT MON, led by the Defence Minister; and CSIRT NASK, led by the Scientific and Academic Computer Network. These CSIRTs may be complemented by additional sector-specific CSIRTs.

Entities and sectors

The definition of essential and important entities in Poland follows the EU NIS2 Directive. Poland also generally separates NIS2 sectors into two groups (Annex I and II), as NIS2 does. There are, however, some differences in the Polish transposition of the directive:

Registration

After the law takes effect, entities will have two months to register with the Ministry of Digital Affairs as an essential or important entity. Entities will then have six months to comply with the obligations set out in NCSSA. The two-month period also applies to entities that meet the requirements at a later date.

If an entity has not registered itself, but is deemed to fall under one of the categories, it will be added to the register by the competent authority for cybersecurity on the basis of publicly available data. Entities will be notified of their inclusion and will have two weeks to provide the missing information to the Department for Digital Affairs.

Fines

Poland generally follows the fines set out in the Directive in terms of upper and lower limits and percentage of the offender’s revenue. However, an additional category of fines is added: If an entity violates the law and causes a direct and serious cybersecurity threat to Polish defence, state security, public safety and order, human life and health, a fine of up to PLN 100,000,000 (around 23m EUR) may be imposed.

Cybersecurity measures

The amended NCSSA will require essential and important entities to implement an information security management system (ISMS) as set out in EU NIS2. Polish law explicitly mentions PN-EN ISO/IEC 27001 and ISO 22301. Organisations that have implemented an ISMS according to these standards will meet the requirements of the newly amended NCSSA. The Ministry of Digital Affairs will publish a mapping of the requirements of the NIS2 law to these standards.

Essential and important entities must report cybersecurity incidents to their relevant CSIRT.

In addition, they must audit their information security management system at least every two years and submit the audit results to their relevant cybersecurity authority. Entities may also be subject to a security assessment by their competent authority for cybersecurity or CSIRTs.

Jurisdiction and EU territoriality

NCSSA specifies when the law applies to entities that are active both in other EU member states and in Poland, such as DNS, TLD and cloud providers (equivalent to Art. 26 of the NIS2 Directive).

These entities fall under Polish law if (1) the management body responsible for the ISMS is located in Poland, (2) tasks related to risk assessment and incident reporting are performed in Poland, or (3) the entity has the most employees in Poland (Art. 5 (4) NCSSA). The exact cases in which an entity falls into category (2) remain vague.

