NIS2 and the amendment of the NCS Act getting closer – how is the latest bill different?
The NIS2 Directive should have been implemented into the Polish legal framework in October 2024 at the latest. However, this did not happen, and Poland is not the only country still working on NIS2 implementation.
On 12 February 2025, another new bill to amend the National Cyber Security System Act (“NCS amendment”), dated 7 February 2025, was published on the website of the Government Legislation Centre, aiming to implement NIS2 in Poland. What does the latest bill bring?
New classification for public entities
Not all public entities will be considered “key entities”. Local budget units, cultural institutions and public companies performing public tasks will be classified as “important entities”, which means that they will have fewer obligations. It is emphasized that this treatment is intended to offer a compromise between increased cybersecurity and the organizational realities of public entities, in particular local government units.
The amendment introduces procedural simplifications that reduce the scope of the criteria required of public entities, without compromising an adequate level of security. Examples of such changes include a simplified information security management system and simplified incident reporting requirements.
Access to knowledge through links to government websites
The new legislation provides that the obligation to offer access to knowledge on cyber threats, imposed on key and important entities in relation to the use of their services by users, can be implemented by providing links to the websites of the authority responsible for cyber security, the CSIRT GOV, the CSIRT MON, the CSIRT NASK or the sectoral CSIRT. This solution aims to facilitate access to reliable and up-to-date information, while reducing the formal requirements imposed on each entity.
Changes to the powers of the supervisory authority
The authority responsible for cybersecurity will be given more powers to enforce compliance with the NCS by key entities. If orders or decisions are not complied with, the authority in charge of cyber security will have the power to impose sanctions on key entities, including withholding or limiting licenses, suspending operations or prohibiting the exercise of management functions therein. Previously, such powers were held by a licensing authority or a court.
Information Security Governance System
As a reminder, the most important issue related to the amendment of the NCS is that each entity must carry out a self-assessment to determine whether its activities place it in the category of an important entity or a key entity.
The increased level of cyber security is to be achieved by implementing an information security governance system, which requires careful planning of the entire process and finding or building competence in this area within the organization. At the same time, it should be emphasized that the responsibility for the implementation of cyber security rests with the board of directors as a whole or with a board member appointed for this purpose. Financial penalties for the breach by board members of the obligations set out in the NCS amendment may amount to 300% of their remuneration.
We expect the bill of amendment to the NCS Act to be submitted to the Sejm at the end of March/beginning of April. The vacatio legis period provided for therein is one month from the date of promulgation. It is therefore advisable to check now whether your organization needs to prepare for NIS2 and to plan each step. An early start will allow you to avoid the rush associated with the new obligations coming into force and give you time to build the right skills within your organization.
If you have any questions or need assistance in preparing for NIS2, please do not hesitate to contact us. Our experts will be happy to provide detailed information and help you determine whether NIS2 applies to your organization.
CONTACT
E: magdalena.patryas@pl.Andersen.com
T: +48 32 731 68 84
M: +48 502 392 419
E: marcin.matyka@pl.Andersen.com
T: +48 22 690 08 60
M: +48 669 768 444