Legal Alert | Amendment to the Act on The National Cybersecurity System (NIS2)

What is changing?

The amendment to the KSC implementing the NIS2 Directive introduces:

• a new classification into critical entities and important entities,
• expanded obligations regarding cybersecurity risk management,
• new rules for reporting incidents (within short timeframes),
• enhanced powers for supervisory authorities.

Core cybersecurity obligations will include the implementation of an information security management system, encompassing, among other things, systematic risk assessment, the application of appropriate technical and organisational measures, incident management, business continuity assurance, supply chain security, monitoring of information systems, and evaluation of the effectiveness of security measures.

At the same time, the legislature has provided for transition periods. As a rule, entities meeting the criteria for designation as a critical or important entity will have 12 months to fulfil the obligations under the Act, and critical entities will have 24 months to conduct the first information system security audit. 

Additionally, key entities and important entities are required to apply for inclusion in the register maintained by the competent authority. Such an application must be submitted within 6 months of the date on which the criteria for being classified as a key or important entity are met.

New industries covered by the regulation

Of particular significance is the expansion of the list of sectors covered by the Act. In addition to areas previously associated with cybersecurity regulations, the new provisions will also cover industries that have so far remained outside the regulatory framework or operated on their periphery.

This applies to the following sectors: 

• food production, processing, and distribution,
• waste management, 
• chemical production and distribution, 
• postal and courier services 
• and the broadly defined manufacturing sector (including the production of medical devices, motor vehicles, computers, and electrical equipment.

Who should verify their status first?

Entities operating in sectors covered by regulation for the first time should analyse the issue of falling under the amended KSC first, particularly businesses in the food, manufacturing, chemical, waste management, and logistics industries. In practice, it will be important not only to classify the business activity into the appropriate sector but also to assess whether the entity meets the criteria to be considered a key or important entity. Therefore, it is advisable to conduct a preliminary analysis at this stage.

What does this mean in practice?

The new regulations mean not only the need to determine whether a given organisation is considered a key or important entity. For many organisations, they will also require streamlining internal processes, defining responsibilities, and reviewing relationships with suppliers, and preparing procedures related to the detection, handling, and reporting of incidents. An important element of compliance with the amended KSC will also ensure appropriate cybersecurity training for both staff and management.

In practice, this may mean conducting a gap analysis, reviewing existing policies and procedures, and verifying whether the current security management model meets the new requirements. The supply chain, business continuity, and collaboration between legal, compliance, security, and IT functions also take on particular importance.

Administrative Sanctions

The amendment provides for significant administrative sanctions for violations of the obligations under the Act. In particular, the supervisory authority will be authorised to impose fines of up to:

• up to EUR 10 million or 2% of the company’s total annual global turnover — for critical entities,
• up to EUR 7 million or 1.4% of the company’s total annual global turnover — for important entities

(whichever is higher).

Regardless of these limits, failure to fulfil the obligations imposed on a key or significant entity will result in a fine ranging from PLN 500 to PLN 100,000 for each day of delay
in complying with an administrative decision. This may apply, among other things, to a decision ordering the cessation of violations of the Act, ensuring compliance of the information security management system, fulfilling the obligation to report a serious incident, or implementing recommendations issued because of an audit.

An early analysis of the obligations arising from the amended KSC will help mitigate the risks associated with non-compliance with these regulations.