#CyberSecUpdate #7: NIS2 implementation passed by the Sejm!
After many difficulties and versions (including at least a few marked as ‘final’), the Sejm passed a draft amendment to the Act on the National Cybersecurity System (the so-called #uksc2/#ksc2) implementing the provisions of Directive #NIS2 in Poland.
It is high time, as the deadline for implementation for EU Member States expired on 17 October 2024. 407 MPs voted in favour of the draft, with only 10 against. As for the future of the Act, it would certainly be a good sign if it remained outside the political dispute.
The amendment is so extensive and profound that it inspired us at KWKR to launch the #RozpracowujemyNIS2 series, but let us try to briefly summarise the most important changes:
– expansion of the entities covered by the regulations – according to government estimates, there may be approximately 30,000 such entities from various industries classified as key (in the Directive's terminology, "essential"; e.g. energy, transport, finance, ICT managed services, cybersecurity, digital infrastructure, public sector, healthcare, pharmaceuticals, etc.) or important (food production, electronics manufacturing, motor vehicles, water supply, waste management, digital services, etc.);
– implementation of organisational and technical measures making up an information security management system (ISMS), including an information security policy and thematic policies (e.g. access control, encryption, backups, change management, etc.), business continuity plans and disaster recovery plans;
– regular, periodic IT security audits and training for staff and management;
– ensuring security across the supply chain as well;
– shifting ultimate responsibility for cybersecurity away from IT/cybersecurity departments and placing it firmly on the organisation's management (the company board);
– new powers and responsibilities for institutions responsible for cybersecurity (e.g. in terms of imposing penalties by supervisory authorities), new rules for reporting security incidents;
– introduction of a procedure for recognising high-risk suppliers.
The bill now goes to the Senate, which has 30 days to adopt it without changes, introduce amendments or reject it in its entirety. If the Senate rejects the bill or amends it, the Sejm must vote again and may reject the Senate's amendments or veto by an absolute majority. Once parliamentary work is complete, the bill goes to the President of Poland, who may sign it, veto it (overriding a presidential veto requires a 3/5 majority in the Sejm) or refer it to the Constitutional Tribunal for a review of its constitutionality. After the President signs it, the Act is published in the Journal of Laws. The UKSC2 will enter into force one month after publication, and key and important entities will then have six months to adapt to the new rules.
That is not much time, so it is worth starting preparations now.