17 May 2024
The draft amendment to the National Cyber Security System Act (the “Act”) extends the application of the Act to tens of thousands of entities from the 18 industries identified in the Act, including the health sector. The draft is intended to implement what is known as the NIS2 Directive.
Due to the scarcity of awareness-raising activities, many entities have no knowledge at all that they will be covered by the amendment. Inexplicably, entities from the energy, waste, health, water supply, chemicals, food, scientific research, waste water, and space sectors were omitted from the call for public consultation. Invitations were also not sent to any sub-sectors, with a call for consultation only being posted on the Ministry’s website.
In the health industry, the new regulations will apply to:
The previous regulations covered only those entities that had been issued decisions recognising them as operators of essential services (i.e. approximately 270 entities). According to the estimates of the Ministry of Digitisation, the new regulations will apply to five times as many entities. Importantly, the new rules will not just pertain to large organisations, but also to organisations employing at least 50 people or having at least EUR 10 million in annual revenue.
Significantly, as many as 43 new full-time positions are planned to be created at the Ministry of Health to handle the entities newly covered by the legal regime under the Act. The new officials will be in charge of carrying out the relevant statutory duties and conducting inspections of compliance with the new regulations.
The draft imposes a number of new obligations on the affected companies, non-compliance with which carries multi-million financial penalties. These new requirements include:
PLEASE NOTE: For each sector, the Council of Ministers may define, by means of a regulation, the requirements specifically applicable to a given type of activity.
The Act places personal liability on the managers of companies and organisations. If a specific responsible person is not designated, the entire management will be held accountable.
The provisions of the Act make it clear that financial penalties also apply if there has only been a one-off breach.
The cost of implementing the new regulations in the private sector is estimated to range from tens to hundreds of thousands of zlotys, and sometimes even in excess of one million zlotys (especially for entities whose activities have not been focused on cybersecurity, such as food manufacturers). The annual cost of complying with all of these obligations can run to more than 100 thousand zlotys, and many times more in the case of large entities.
According to the assumptions of the impact assessment prepared by the Ministry of Digitisation, around 4,000 entities (about 10% of all entities subject to supervision) should be inspected annually. The Ministry assumes that an inspection team of three people is only able to carry out around six inspections a year. As an example, in the area of the GDPR, so far around 50 inspections have been carried out annually, although the regulations affected almost one million entities.
The new regulations are expected to enter into force within one month of being published in the Journal of Laws. Entities covered by the legislation will have six months to bring their activities into line with the new requirements.