Cybersec Update #6: Entrepreneurs, beware of gold-plating in cybersecurity
This is an important topic for entities affected by the amendment to the Act on the National Cybersecurity System (UKSC) in connection with the NIS2 Directive. It is important because it imposes additional obligations on entrepreneurs that… do not necessarily result from NIS2.
“Gold-plating” of regulations is becoming increasingly common
Gold-plating, or overregulation, which occurs when EU regulations are transposed into national legal systems, is not a phenomenon limited to the implementation of NIS2.
It can take various forms, e.g., adopting regulations more stringent than EU legislation requires, establishing additional obligations during implementation that EU legislation does not provide for, or retaining solutions that were adopted when implementing EU legislation that is no longer in force.
NIS2 in the headquarters of 40,000 Polish entrepreneurs
In the case of the implementation of the NIS2 Directive, this problem is raised in particular because the amendment to the UKSC is expected to affect nearly 40,000 entities, which will be the largest number among all EU Member States. For comparison, in Germany there are about 35,000 entities, in Spain 25,000, and in France 15,000.
In the draft amendment to the UKSC, we find at least a few cases that confirm that gold-plating has not spared the Polish process of transposing the NIS2 Directive.
The cybersecurity authority will decide on the continued operation of a key entity
According to the draft amendment to the UKSC, the cybersecurity authority is to be granted the power to suspend the license or operation of a key entity in order to enforce the provisions of the KSC Act. NIS2 grants freedom in shaping the powers of the competent authorities in the application of supervisory measures, and one of the possibilities is indeed to grant the power to suspend the authorization to operate by a key entity. Other solutions that the Polish drafters did not use include requesting the authority that granted the license or the court to temporarily suspend the license to operate a key entity.
HRV in all sectors
The draft amendment to the UKSC stipulates that the issue of recognizing certain ICT component suppliers as high-risk suppliers and the related need to withdraw equipment should apply not only to the telecommunications sector, but to all other sectors from which key and important entities may be selected. This is only part of the issue that is considered overregulation in the area of HRV (high risk vendors).
Additional financial penalties
The draft provides for the possibility of the cybersecurity authority imposing financial penalties in cases and in amounts that do not result from the NIS2 Directive. Violations of the provisions of the Act that cause, among other things, a direct and serious cyber threat to defense, state security, public safety and order, or human life and health may be subject to a penalty of up to PLN 100,000,000.
Meanwhile, the provisions of NIS2 provide for administrative fines of up to at least EUR 10 million or EUR 7 million, depending on the type of violation.