CyberSecUpdate #8: NIS2 / UKSC – Act Signed
The act implementing the NIS2 Directive and amending the Act on the National Cybersecurity System (UKSC) has been signed. At the same time, a subsequent application has been lodged with the Constitutional Tribunal for a review of its compliance with the Constitution.
NIS2 / UKSC implementing act signed – what does the application to the Constitutional Tribunal mean?
- the act will enter into force as planned, i.e. one month after its publication in the Journal of Laws,
- the Constitutional Tribunal may rule on the constitutionality of the act as a whole or of specific provisions, but until such a ruling is issued the act remains in force and benefits from the presumption of constitutionality,
- in practice, the application to the Constitutional Tribunal does not suspend obligations – important and essential entities must nevertheless start preparing to implement the new NIS2/UKSC requirements.
In other words: the waiting time is over – it is time to act.
Why important and essential entities cannot wait for the Constitutional Tribunal’s decision
First – the legal situation is clear.
The provisions of the act are binding until they are potentially declared unconstitutional. Until then, important and essential entities remain subject to the new obligations arising from NIS2/UKSC.
Second – the outcome of the proceedings before the Constitutional Tribunal is uncertain.
There is no guarantee that the Tribunal will strike down any provisions of the act. Even if it does, the consequences are not predetermined. The Tribunal may, for example:
- defer the loss of binding force of the challenged provisions,
- grant the legislator time to adopt corrective amendments,
- invalidate only selected fragments of the regulation.
Third – the timing of the Tribunal’s decision is unknown.
There is no way of knowing when the Constitutional Tribunal will hear the case. It may be six months, a year, or even several years from now. In the meantime, all statutory deadlines will continue to run, and a failure to meet them may result in severe supervisory and financial consequences.
Key NIS2 / UKSC implementation deadlines for important and essential entities
- 1 month – the act enters into force one month after its publication in the Journal of Laws,
- 6 months from the date of entry into force – deadline for registration in the register of important and essential entities,
- 12 months from the date of entry into force – final deadline for the full implementation of the new NIS2/UKSC requirements in the organisation (including the information security management system, risk analysis, incident handling, supply chain security etc.).
NIS2 / UKSC: an obligation, but also an opportunity to strengthen cybersecurity and competitive advantage
- providers of ICT managed services and cybersecurity services,
- digital infrastructure providers (e.g. data centers),
- entities from energy, transport, healthcare sectors,
- producers of: computer and electronic devices, automobiles, chemicals, food, pharmaceuticals,
- providers of digital services,
- scientific research organizations,
- key suppliers in ICT supply chains.
- protect against sanctions and liability,
- increase the resilience of the organisation to security incidents,
- build a real competitive advantage on the market.
