The amendment to the National Cybersecurity System Act, which implements the NIS2 Directive in Polish law, means significant changes are ahead for many entities from different sectors of the economy. What is particularly important is that the number of entities that are part of the National Cybersecurity System Act will increase significantly. The specific responsibilities of these entities are also being clarified.
To make it easier to understand all of these changes, Rymarz Zdort Maruta has prepared a list of the most common questions and answers thereto, explaining which companies are covered by the new regulations and what steps they should take.
I. Is every operator in the sector regulated? How should we read this?
No. Operating in one of the regulated sectors is only one of the elements to take into account when analysing whether an operator is subject to the National Cybersecurity System Act (i.e. whether it is an essential or important entity). The other is the size of the entity concerned. The NIS2 Directive, and the National Cybersecurity System Act following it, introduce an additional criterion known as the "size-cap rule". Under this rule, as a general principle, only medium-sized and large enterprises have to comply with the requirements. In practice, this means entities that employ at least 50 persons, or whose annual turnover and annual balance sheet total both exceed EUR 10 million (the ceilings for a small enterprise under Commission Recommendation 2003/361/EC). Both the Directive and the bill also list certain categories of entities that are covered regardless of their size, so the size criterion should be treated as the rule rather than an absolute cut-off.
II. Is the classification of activities relevant to qualification as an important or essential entity?
In an ancillary way, certainly yes. However, the Polish Classification of Activities (PKD) is not the main criterion for concluding that an entity will be deemed an essential or important entity within the meaning of the regulations. What is decisive is the activity actually conducted in one of the areas/sectors listed in the annexes to the National Cybersecurity System Act, not the codes under which it is registered.
Naturally, it is worth making sure that the PKD codes listed in the register are up-to-date and in line with the actual business profile.
III. What if only one company in the group is regulated? Does this somehow affect the entire group of companies?
Directly, no. The fact that one company is subject to the National Cybersecurity System Act does not mean that the other companies in its group must also comply with these regulations. Indirectly, however, such an impact will obviously occur and will often be significant. Groups of companies do not operate in a vacuum; they are linked by numerous dependencies, including contractual relations. The obligations arising from implementing the requirements of the National Cybersecurity System Act will affect these dependencies and relationships: it may be necessary to agree rules for cooperation on shared IT systems, or simply to renegotiate existing intra-group agreements. In addition, building compliance is a cost, and from a business point of view that cost may be felt by the entire group.
IV. What about companies specialising in cybersecurity? Are they also regulated?
Yes, these entities may also fall under the National Cybersecurity System Act. This is worth pointing out, as it is an often overlooked element of the regulation. The National Cybersecurity System Act, following the NIS2 Directive, introduces a definition of a managed security service provider, and its scope is quite broad: it covers a provider of services relating to cybersecurity risk management. Therefore, if a company specialising in cybersecurity (a service provider) meets the size requirements, i.e. it is at least a medium-sized enterprise, it will most likely also be required to implement the requirements of the National Cybersecurity System Act. Obviously, each case must be considered individually, by going through the scope of the services provided against the definitions included in the National Cybersecurity System Act.
It is also worth noting that, as is clear from the literal wording of the regulations themselves, this also applies to companies providing such services exclusively to other companies in the same group. If, therefore, a cybersecurity company has been ring-fenced within the group, it too will have to think about the requirements of the National Cybersecurity System Act, and this regardless of whether any other company in the group is subject to the National Cybersecurity System Act.
V. What are the new supply chain obligations? Does it only apply to direct suppliers?
The National Cybersecurity System Act (based, of course, on the provisions and requirements of the NIS2 Directive) places significant emphasis on supply chain security. Essential and important entities will have explicit obligations in this area. First of all, they will have to implement an information security management system which, among other things, ensures the security and continuity of the supply chain for ICT products, ICT services and ICT processes. In practice, this covers the ICT products, ICT services and ICT processes on which the provision of an essential or important service depends.
The Act does not prescribe specific measures or actions that will have to be taken. In practice, this means that essential and important entities, before deciding to work with a particular service provider, should assess that provider's approach (and practice) in the field of cybersecurity. Industry standards and certification of compliance with particular requirements will certainly play an important role here. The next step will, obviously, be the conclusion of an appropriate service contract, i.e. one containing provisions that guarantee an adequate level of cybersecurity.
Notably, these provisions may lead to a de facto extension of the scope of the National Cybersecurity System Act to service providers, particularly those operating in the ICT industry. While such providers will not in every case have to comply directly with the requirements of the new law, these requirements may be "imposed" on them indirectly, as a condition set by the recipients of their services.
VI. What might supplier verification look like in practice?
Following the model of data processor verification under the GDPR, which has been in place since 2018, supplier verification under the National Cybersecurity System Act will most likely take the form of supplier declarations made by completing a detailed verification questionnaire and, for key processes, an audit. The National Cybersecurity System Act does not impose any specific requirements on businesses in this respect, but it does require them to exercise due diligence. Essential and important entities should therefore approach this task very seriously. One component of this verification will be confirming that no decision has been issued declaring the intended supplier a high-risk supplier, as well as checking whether the intended supplier holds the required certification.
VII. When can I expect a decision on recognition as an important or essential entity?
No such decision can be expected. Under the Act as it stands today, an operator of essential services is an entity in respect of which the competent cybersecurity authority has issued a decision recognising it as such; entities in the regulated sectors therefore currently do not need to take any steps to confirm their status. The amendment to the National Cybersecurity System Act changes this approach completely, shifting the burden to the operators themselves: they will be required to determine whether they meet the statutory criteria of an essential or important entity and then submit an application for inclusion in the list of essential and important entities. The time limit for doing so is very important: it is two months from the date on which the statutory criteria for an essential or important entity are met. Because one of the elements determining this status is the size of the entity (its headcount and the turnover or balance sheet total achieved), this verification should be repeated periodically. This will be particularly important for entities whose headcount is close to 50 employees and which are near the financial thresholds indicated in the Act, since crossing a threshold starts the two-month clock.
VIII. How much time is there to implement the requirements of the National Cybersecurity System Act?
Under the current wording of the amendment to the National Cybersecurity System Act, an essential or important entity will be required to implement the measures needed to comply with the requirements of the Act within six months of meeting the criteria for recognition as an essential or important entity. An exception to this deadline concerns the security audit of the information systems used to provide the relevant services: here the legislature has extended the period to 12 months from the date of qualifying as an essential or important entity, and the audit must be conducted within that period. The Act is planned to enter into force 14 days after its promulgation.
IX. Do the amendments to the National Cybersecurity System Act provide for implementing regulations containing requirements for an information security management system? Where to look for guidance?
Yes, but not for all activities performed by essential or important entities, and there is no guarantee that such regulations will actually be issued. As a general rule, an essential or important entity will be required to implement a security system meeting the requirements set out in the National Cybersecurity System Act, and it should be emphasised that these requirements are quite general. However, the legislature has provided for the possibility for the Council of Ministers to issue regulations specifying, separately for particular types of activities performed by essential or important entities, detailed requirements for the security management system, taking into account specialised international recommendations. At present, the bill contains a guideline that can be followed in establishing the requirements for the security system: it indicates that the requirements of the National Cybersecurity System Act for the security system will be deemed fulfilled if the business operator maintains an information security management system that takes into account the requirements set out in the Polish Standards PN-EN ISO/IEC 27001 and PN-EN ISO 22301. However, this particular provision will most likely be amended.
X. Should entities that already apply the National Cybersecurity System Act take action in relation to the amendment to these provisions?
Yes. Operators of essential services that are already obliged to comply with the National Cybersecurity System Act will, by operation of law, continue to be qualified as essential or important entities and will be included in the list of essential and important entities. In this respect, these companies do not need to take any measures. However, the amendment to the National Cybersecurity System Act introduces a number of other changes to the way in which existing obligations are implemented, as well as new obligations. In view of this, today's operators of essential services should take stock of the differences between the current Act and the proposed amendments, and then carry out a compliance audit (gap analysis) to determine the extent to which they need to implement the new regulations.