The draft amendment to the National Cyber Security System Act (the “Act”) extends the application of the Act to tens of thousands of entities from the 18 industries identified in the Act, including the health sector. The draft is intended to implement what is known as the NIS2 Directive.
Due to the scarcity of awareness-raising activities, many entities have no knowledge at all that they will be covered by the amendment. Inexplicably, entities from the energy, waste, health, water supply, chemicals, food, scientific research, waste water, and space sectors were omitted from the call for public consultation. Invitations were also not sent to any sub-sectors, with a call for consultation only being posted on the Ministry’s website.
Who does the amendment affect?
In the health industry, the new regulations will apply to:
- 44 entities in the sub-sectors of manufacturing medical devices and in vitro diagnostic medical devices;
- 1,248 entities in the sub-sectors of:
  - manufacture of basic pharmaceutical substances and medicines and other pharmaceutical products,
  - distribution and parallel import/import of medicinal products and active substances, including the operation of community pharmacies or pharmaceutical wholesalers,
  - research and development in the field of biotechnology,
  - manufacturers of certain medical devices, including telemedicine solutions, particularly those using cloud computing.
The previous regulations covered only those entities to which decisions were issued regarding recognising them as operators of essential services (i.e. approximately 270 entities). According to the estimates of the Ministry of Digitisation, the new regulations will apply to five times as many entities. Importantly, the new rules will not just pertain to large organisations, but also to organisations employing at least 50 people or having at least EUR 10 million in annual revenue.
Significantly, as many as 43 new full-time positions are planned to be created at the Ministry of Health to handle the entities newly covered by the legal regime under the Act. The new officials will be in charge of carrying out the relevant statutory duties and conducting inspections of compliance with the new regulations.
New obligations
The draft imposes a number of new obligations on the affected companies, the non-compliance with which carries multi-million financial penalties. These new requirements include:
- an obligation to establish information security management systems in accordance with ISO 27001 and ISO 22301;
- an obligation to implement safeguards against cybersecurity incidents in accordance with the underlying risk assessment and using state-of-the-art intelligence;
- an obligation to report incidents to the supervisory authority (an early warning to be submitted within 12hrs/24hrs, an incident notification within 72hrs) and to notify its own users of incidents;
- an obligation to implement new, enhanced cybersecurity documentation;
- an obligation to conduct, at its own expense, an initial audit within 12 months and to have regular security audits every two years carried out by suitably competent persons, as well as to make the results of the audits available to the regulatory authority within three days of receiving the same;
- an obligation to be registered in the national “S46” IT system and to exchange information through it;
- an obligation to manage the risk associated with the ICT service provider chain; and
- an obligation to provide its own employees with access to knowledge allowing them to gain an understanding of cybersecurity risks.
PLEASE NOTE: For each sector, the Council of Ministers may define, by means of a regulation, the specific requirements specifically applicable to a given type of activity.
The Act places personal liability on the managers of companies and organisations. If a specific responsible person is not designated, the entire management will be held accountable.
The provisions of the Act make it clear that financial penalties also apply if there has only been a one-off breach.
Costs of implementing the new regulations
The cost of implementing the new regulations in the private sector is estimated to range from tens to hundreds of thousands of zlotys, and sometimes even in excess of one million zlotys (especially for entities whose activities have not been focused on cybersecurity, such as food manufacturers). The annual cost of complying with all of these obligations can run to more than 100 thousand zlotys per year, and many times more in the case of large entities.
According to the assumptions of the impact assessment prepared by the Ministry of Digitisation, around 4,000 entities (about 10% of all entities subject to supervision) should be inspected annually. The Ministry assumes that an inspection team of three people is only able to carry out around six inspections a year. As an example, in the area of the GDPR, so far around 50 inspections have been carried out annually, although the regulations affected almost one million entities.
The new regulations are expected to enter into force within one month of being published in the Journal of Laws. Entities covered by the legislation will have six months to bring their activities into line with the new requirements.
Information on the prospective regulations
- The information presented below relates to the draft amendment to the Act of 5 July 2018 on the National Cybersecurity System, prepared by the Ministry of Digitisation and dated 23 April 2024.
- The draft amendment is intended to implement into Polish law the NIS2 Directive – Directive (EU) 2022/2555 of the European Parliament and of the Council on measures for a high common level of cyber security across the Union, amending Regulation (EU) No. 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148.
- The NIS2 Directive is applicable to all EU countries as of 16 January 2023. The deadline for its implementation into Polish law is 17 October 2024.
Who is affected by the new regulations?
- Public administration: 27,905 entities
- Electronic communication: 3,784 entities
- Food production, processing and distribution: 1,204 entities
- Healthcare: 1,248 entities
- Manufacturing, excluding medical devices: 1,120 entities
- Banking and financial markets infrastructure: 547 entities
- Energy: 365 entities
- Digital infrastructure (excluding electronic communications): 462 entities
- Medical device manufacturing and in vitro diagnostics: 44 entities
- Digital services: 40 entities
- ICT governance: 43 entities
- Scientific research: 169 entities
- Production, manufacture and distribution of chemicals: 214 entities
- Waste management: 276 entities
- Postal and courier services: 280 entities
- Drinking water: 268 entities
- Waste water: 102 entities
- Transportation: 450 entities
- Water transport: 11 entities