Consultations on changes to the Cybersecurity Law

The Ministry of Digital Affairs has invited AmCham to participate in consultations on changes to the Cybersecurity Law. The aim of the new regulation is to strengthen the protection of citizens and institutions against growing threats in cyberspace and to adopt the NIS2 Directive, which updates the EU cybersecurity framework. The new regulation mostly affects key service operators and digital service providers.

The most important changes to the Cybersecurity Law include:
1) Expanding the catalogue of entities of the national cyber security system with new sectors of the economy, such as wastewater, ICT management, space activities, manufacturing, as well as production and distribution of chemicals and food;
2) Introducing new risk management obligations for entities important in cybersecurity, concerning, in particular, the application of appropriate and proportionate technical, operational, and organizational measures;
3) Introducing accountability of the leadership of the critical entity or important entity for the performance of cybersecurity tasks;
4) Introducing the possibility of reporting incidents via the ICT system to the relevant sectoral CSIRT and national level CSIRT teams;
5) Strengthening the competence of supervisory cyber security authorities;
6) Introducing new fines for failure to comply with statutory obligations;
7) Establishing a National Plan for responding to large-scale cyber security incidents and emergencies;
8) Empowering the Government Plenipotentiary for Cyber Security by providing him with specific powers to offer recommendations to strengthen the level of cyber security;
9) Expanding the competencies of national-level CSIRT teams.

The draft bill currently being processed also provides for a procedure by which the minister responsible for digital affairs identifies high-risk vendors. The products, types of services, and specific ICT processes identified in the decision will be prevented from being put into use and, if already in place, will have to be withdrawn within the deadlines indicated by the Cybersecurity Law.

The Ministry of Digital Affairs, responsible for preparing the draft, has set a 30-day consultation period. Paweł Olszewski, Secretary of State, is responsible for the project.  

If your company would like AmCham to develop a position on this issue, please send your opinions in Polish by May 17, 2024 to [email protected]