US Region

Grandmetric LLC
Lewes DE 19958
16192 Coastal Hwy USA
EIN: 98-1615498
+1 302 691 94 10

EMEA Region

ul. Metalowa 5, 60-118 Poznań, Poland
NIP 7792433527
+48 61 271 04 43


Grandmetric LTD
Office 584b
182-184 High Street North
E6 2JA
+44 20 3321 5276

  • en
  • pl
  • Draft amendment to the Act on the National Cybersecurity System. What awaits us?

    Draft amendment to the Act on the National Cybersecurity System. What awaits us?

    Date: 03.06.2024

    Category: Security

    Online threats are developing at an equally dizzying pace as other technologies. Now, in the face of the unstable geopolitical situation – probably even faster. Legislative changes must keep pace with them, allowing for a minimum level of protection and, at least to a basic extent, ensuring strategic security, the well-being of recipients and the continuity of services. Together with the European NIS2 directive, a draft amendment to the KSC Act (Act on the National Cybersecurity System) was created. What awaits us?

    On April 24, the Ministry of Digitization presented a draft amendment to the Act on the National Cybersecurity System. Submitting a project is just the first step. For the amendment to enter into force, it must go through the full legislative process:

    1. The Sejm must consider the bill in three readings (justification of the bill, debate on the bill and submitting amendments, and vote on accepting or rejecting the bill).
    2. The Senate must adopt the approved draft amendment.
    3. The president must sign the bill approved by the Senate.
    4. A vaccatio legis must expire if the law provides for it.

    New threats and background for the draft amendment to the KSC Act

    The current act, introduced in 2018, is primarily a broad strategy for Polish cybersecurity, the scope of tasks and responsibilities of entities specified in the document as key, and the method of exercising control over them. Although 6 years is a gulf in technology, the framework provisions allowed it to function effectively for a long time. The most important provisions included the creation of CSRIT, i.e. incident response teams at the national level. It obliged all entities covered by the act to introduce and comply with security procedures. It included a description of the warning system and detailed instructions in the event of incidents. On this basis, assessments were made and certificates were awarded.

    First, the pandemic, then the war in Ukraine, increasingly complicated relations between countries and the spread of AI meant that its shelf life has expired.

    In the face of new threats and connection with the entry into force of the NIS2 directive, Poland must adapt the KSC Act to new, more stringent requirements.

    New entities covered by the Act on the National Cybersecurity System

    The draft amendment to the KSC Act is based largely on the new EU directive NIS2, which introduces significant changes in the approach to state IT security.

    The most important change from a national perspective concerns the significant expansion of entities covered by the Act. So far, it only covered trust service providers, healthcare entities and telecommunications service providers.

    Now it will also include companies and institutions employing more than 50 people and conducting activities related to:

    • Production, in particular entities related to the production, processing and distribution of food and chemicals,
    • IT service management,
    • Postal services,
    • Scientific research,
    • Waste and sewage management,
    • Collaborating with or directly involved in space-related activities.

    Since it is currently impossible to conduct a census of all such entities, a self-identification system will be created, and companies from the mentioned sectors will be obliged to register.

    New, faster responses to incidents

    The need to immediately report incidents is one of the most stringent changes in the Act. It regulates the time when entities should report their occurrence to the appropriate CSRIT. For key entities, it will be 24 hours, but entrepreneurs from the telecommunications sector will only have 12 hours from the moment the event is detected. They must implement and use the S46 system to report incidents.

    There will also be a list of vendors whose devices or software have security penetration vulnerabilities or are not properly certified. Entities covered by the act will have 7 years to withdraw them from use and replace them with others.

    This is not the only change affecting suppliers. It will be necessary to diversify them so that continuous operation is possible. Both geographically and quantitatively.

    Finally, the act will expand the competencies of the Minister of Digitization, who can make general decisions regarding a given sector and indicate the need to take specific actions to improve security.

    New guidelines for security audits

    Many large and medium-sized private and public entities will be required to implement the new guidelines, adapt their infrastructure and conduct regular security audits every two years.

    This means, first of all, high infrastructure costs, but it also generates competence problems. Many companies do not have people with the appropriate skills to entrust them with this task. It will be necessary to create additional positions or rely on external support.

    […] Although some people seem to ignore it, cybersecurity is an absolute priority for the functioning of the state. Today, cyber threats increasingly concern, for example, critical infrastructure – Michał Kanownik, President of the Management Board of the Digital Poland Association, mentions in his letter.

    As specialists in the field of network services, we share this opinion and understand that although the changes represent a huge challenge, they are necessary to ensure the strategic security of the state and citizens, but also for everyday comfort and access to basic services. This is our common goal, which requires collective commitment.

    Look what our client gained having conducted an IT infrastructure audit

    Security for the public and private sectors

    The design and implementation of network infrastructure should be approached holistically and take into account not only its efficiency, reliability, and compliance with needs but above all – security. We can look at threats by examining the vulnerability of devices and prepare procedures by analyzing the weakest link of the entire system – its users.

    Numerous partnerships help us choose equipment that fulfils its role well and is optimally priced.

    If you want to learn more about security audits or infrastructure for your company, contact our consultants.


    Joanna Sajkowska

    Experienced in the areas of portfolio management, communication strategy and technical content. Backed by her background in Systems Engineering and business development, Joanna puts focus on translating features into benefits and showcasing the unique values of Grandmetric products and services.

    Comments are closed here.