Poland - Commercial Guide
Cyber Security

This is a best prospect industry sector for this country. Includes a market overview and trade data.

Last published date: 2019-10-13

The European Network and Information Systems (NIS) Security Directive sets a minimum baseline of requirements to ensure better protection of critical infrastructures in Europe. The legislation targets three groups of stakeholders: 1. it sets basic principles for Member States for common minimum capacity building and strategic cooperation; 2. it directs operators of essential services (OES) and digital service providers (DSP) to ensure they apply basic common security requirements.

DSPs are broadly defined to include: online/e-commerce marketplaces (including app stores); online search engines (excluding search functions limited to a specific website); and cloud computing services. NIS are considered to comprise the e-communications network, connected devices and digital data.

A DSP and an OES are expected to ensure “the ability of NIS to resist any action that could compromise the availability, authenticity, integrity or confidentiality of stored or transmitted or processed data or the related services offered by, or accessible via, those systems.” Member States must identify OES and establish security and notification requirements for OES and for DSP. The level of security expected from OES should be higher than the level expected from DSP, because of the degree of risk posed to their infrastructure. Obligations for both OES and DSP include: taking technical and organizational measures for NIS risk management; preventing and minimizing the impact of NIS security incidents; and notifying, without undue delay, incidents having a significant impact on the continuity of the essential services they provide.

This Directive was adopted by the EU in July 2016. Member States had until May 2018 to transpose the Directive into their national legal framework. The Polish Parliament passed the Act on the National Cybersecurity System (“ANCS”) on 5 July 2018 and the law entered into force on 28 August 2018. The ANCS introduces a national cybersecurity system that includes the biggest service providers from various sectors in Poland, as well as governmental and local administration. The new legislation aims to create an efficient and secure system to increase the level of cybersecurity in Poland and allow for swift co-operation with other EU Member States.

European Commission Recommendations on 5G Security: On March 26, the European Commission published its non-legislative Recommendation on Cybersecurity of 5G networks. The Commission doesn’t impose hard limits on the access of Chinese technology in Europe but does set a timeline for EU countries to adopt a common procedure that would create new, tougher requirements on telecom companies as they roll out their 5G networks. Member States will have to complete their national risk assessments by 30 June 2019 and update necessary security measures. In parallel, ENISA will complete a 5G threat landscape that will support Member States in the delivery by 1 October 2019 of the EU-wide risk assessment. By 31 December 2019, the NIS Cooperation Group will agree on mitigating measures to address cybersecurity risks identified at the national and EU levels. The recently approved Cybersecurity Act will be used to set up an EU-wide certification scheme covering 5G networks and equipment.