After nearly 7 years of stormy work, the amendment of the National Cybersecurity strategy (KSC) Act became a fact.
President Karol Nawrocki signed it, officially implementing the NIS 2 directive in Polish EU law. However, he did so with large reservations, immediately sending the fresh provisions to the Constitutional Court. For Polish business and technology providers, this is the beginning of fresh problems.
The KSC Act is 1 of the most crucial and controversial legal acts in the past of Polish digitisation. Its main nonsubjective is to increase the state's resilience to cyber-space attacks, but the tools it gives officials have been causing panic in the private sector for years.
Powerful extension and bat on advanced hazard Suppliers (DWR)
The signed amendment dramatically extends the list of entities that the State considers to be ‘key and important’. From now on, as many as 18 industries will be subject to stringent cybersecurity requirements (and controls), including space, mail, food production and sewage management. As part of the Act, dedicated consequence Teams to Incidents (CSIRTs) will be created for them and the National investigation Institute of NASK will receive additional funding.
However, the alleged advanced hazard Suppliers (DWR) rules are absolutely crucial for the technological market. The fresh bill gives the Ministry of Digitization a powerful tool: the anticipation of officially identifying the supplier of equipment or software as “dangerous” for the state. In practice, this means an absolute ban on buying fresh solutions from specified a maker and an work to remove existing equipment from public and critical infrastructure.
It's a return signature. What's the president afraid of?
Despite signing, president Karol Nawrocki directed the bill to the Constitutional Court, scoring its biggest shortcomings, about which the IT manufacture had been alerting for years. The President's office points out that:
- No compensation: the State may order entrepreneurs to exchange costly equipment and software (as part of the DWR decision), without offering in return a broken penny of compensation and without securing funds in the budget.
- Overregulation: including as many as 18 industries is simply a "single government initiative" which goes beyond what the European Union has truly required of us in the NIS 2 Directive.
- Drakonian penalties: the strategy of administrative penalties for non-compliance is highly restrictive, and the appeal procedure does not give firms adequate guarantees of judicial protection.
If the Constitutional Court does not block the provisions under the safeguards procedure, the revised National Cybersecurity strategy Act will enter into force within 1 period of its publication in the authoritative diary of the Laws. For many IT infrastructure providers and telecommunications operators in Poland, a serious stopwatch has just started.
If article The end of a seven-year-old saga. The president signs the KSC Act, but sends it to the Court. Earthquake for IT industry does not look right in your RSS reader, then see it on iMagazine.
