Online threats are evolving as dizzyingly fast as every other technology, and in the current unstable geopolitical situation probably faster still. Legislation has to keep pace with them to guarantee a minimum level of protection and, at least to a basic extent, strategic security, the well-being of service recipients and the continuity of services. Alongside the European NIS2 directive, a draft amendment to the KSC Act (the Act on the National Cybersecurity System) has been prepared. What awaits us?
On April 24, the Ministry of Digitization presented a draft amendment to the Act on the National Cybersecurity System. Submitting the draft is only the first step. For the amendment to enter into force, it must go through the full legislative process:
The current act, introduced in 2018, is primarily a broad strategy for Polish cybersecurity: it defines the scope of tasks and responsibilities of the entities it designates as key, and the way supervision over them is exercised. Although six years is an eternity in technology, its framework provisions allowed it to function effectively for a long time. Its most important provisions included the creation of the national-level CSIRTs, i.e. computer security incident response teams. It obliged all entities covered by the act to introduce and comply with security procedures, described the warning system and gave detailed instructions for handling incidents. On this basis assessments were carried out and certificates awarded.
First the pandemic, then the war in Ukraine, increasingly complicated relations between countries and the spread of AI have meant that its shelf life has expired.
In the face of new threats, and in connection with the entry into force of the NIS2 directive, Poland must adapt the KSC Act to new, more stringent requirements.
The draft amendment to the KSC Act is based largely on the new EU directive NIS2, which introduces significant changes in the approach to state IT security.
The most important change from a national perspective is the significant expansion of the range of entities covered by the Act. So far it applied only to a limited set of sectors: operators of essential services (in energy, transport, banking and finance, healthcare, water supply and digital infrastructure) and digital service providers.
Now it will also include companies and institutions employing more than 50 people and conducting activities related to:
Since it is currently impossible to take a census of all such entities, a self-identification system will be created, and companies from the sectors listed will be obliged to register themselves.
The obligation to report incidents immediately is one of the most stringent changes in the Act. It sets the time within which entities must report an incident to the competent CSIRT: for key (essential) entities it will be 24 hours, but telecommunications undertakings will have only 12 hours from the moment the incident is detected. Reports must be submitted through the S46 system, which covered entities must implement and use.
There will also be a list of high-risk vendors whose devices or software have known security vulnerabilities or lack the required certification. Entities covered by the act will have 7 years to withdraw such products from use and replace them with others.
This is not the only change affecting suppliers. Entities will have to diversify them, both geographically and in number, so that continuity of operation can be maintained if a single supplier fails.
Finally, the act expands the powers of the Minister of Digitization, who will be able to issue general decisions concerning a given sector and indicate specific actions that must be taken to improve security.
Many large and medium-sized private and public entities will be required to implement the new guidelines, adapt their infrastructure and undergo a security audit every two years.
This means, first of all, high infrastructure costs, but it also creates a skills problem. Many companies do not have people with the appropriate competences to entrust with this task, so they will have to create additional positions or rely on external support.
[…] Although some people seem to ignore it, cybersecurity is an absolute priority for the functioning of the state. Today, cyber threats increasingly concern, for example, critical infrastructure – writes Michał Kanownik, President of the Management Board of the Digital Poland Association, in his letter.
As specialists in network services, we share this opinion. Although the changes represent a huge challenge, they are necessary to ensure the strategic security of the state and its citizens, and also everyday comfort and access to basic services. This is our common goal, and it requires collective commitment.
The design and implementation of network infrastructure should be approached holistically, taking into account not only efficiency, reliability and fit to requirements but, above all, security. We look at threats by examining the vulnerabilities of the devices, and we prepare procedures by analysing the weakest link in the entire system – its users.
Our numerous partnerships help us select equipment that does its job well at an optimal price.
If you want to learn more about security audits or infrastructure for your company, contact our consultants.