On April 24, 2024, the Ministry of Digitization (the Ministry) announced that it had published a draft act amending the National Cybersecurity System and opened a public consultation on the same. The Ministry explained that the draft act is aimed at significantly strengthening the protection of citizens and institutions against growing threats in cyberspace. Additionally, the amendments seek to bring the current National Cybersecurity System Act in line with the Directive on Measures for a High Common Level of Cybersecurity across the Union (the NIS 2 Directive).

What changes are being proposed? 

• Reporting of serious incidents will be directed to the sector's Computer Security Incident Response Team (CSIRT) and made immediately, but no later than 72 hours from detection, except for:
  • reporting within key and important entities within 24 hours of detection; and
  • reporting in the telecommunications sector within 12 hours of detection.
• Introduction of a self-identification mechanism for covered entities to register with their sector CSIRTs and national-level CSIRTs.
• Broadening the scope of the act to include sectors such as sewage, ICT service management, outer space, postal services, waste management, production, manufacturing and distribution of chemicals, food production, processing and distribution, production, and research as key and important entities.
• Incorporation and transposition of the EU-level minimum harmonization and standardization measures on 5G network cybersecurity solutions.
• Introduction of a security command as a legal institution enabling response to critical incidents, such as being able to order a given group of entities to perform specific tasks to prevent a critical incident.
• Expanding the scope of the national cybersecurity strategy.
• Introduction of a new strategic document - entitled National Large-Scale Cybersecurity Incident and Crisis Response Plan.
• Clarifying the tasks of state authorities in the area of cybersecurity.
• Appointing the National Research Institute CSIRT (CSIRT NASK) as the national coordinator for Coordinated Vulnerability Disclosure (CVD) and strengthening the powers of national-level CSIRTs.

The draft act is open for public consultation until May 24, 2024, and comments can be submitted via email to [email protected]. Furthermore, the Ministry noted that the aim is to ensure the adoption of the new act by 2024.

You can read the press release here and download the draft act here, both only available in Polish.