On 21 November 2018, Poland’s Council of Ministers adopted the regulation of 31 October 2018 on the thresholds for the recognition of cybersecurity incidents as serious. Adoption of the regulation completed Poland’s implementation of Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016, whose measures are aimed at ensuring a high common level of security of network and information systems across the Union. That implementation began with the adoption of the Act of 5 July 2018 on national cybersecurity systems into the Polish legal order.
The provisions of the Act impose certain obligations on digital service providers, public entities, and operators of so-called key services. These include entities operating in, among other industries, the energy, transport, banking and financial market infrastructures, digital infrastructure, and health sectors. Not every entity operating on the market is therefore obliged to comply with the Act.
The Act introduces general security measures that operators of essential services, digital service providers, and public entities must implement to ensure the security of information and information systems, including technical and organizational measures to assess and address risks, collect and report information on cyberthreats and incidents, and communicate properly and safely within the national cybersecurity system. Responsibility for supervising the application of the provisions of the Act by the obliged entities was allocated at the ministerial level. The Act also provides for financial penalties for violation of obligations imposed on entities that are required to adhere to its provisions.
For more information about data privacy and cybersecurity law in Poland and the EU, please contact your Ally Law lawyer.