Cybersecurity 2020

Last Updated March 16, 2020

Poland

Law and Practice

Authors



Ernst & Young Law Tałasiewicz, Zakrzewska i Wspólnicy sp.k. works alongside other EY professionals, including assurance, tax, transactions and advisory. Serving across borders, EY's sector-focused, multidisciplinary approach means it offers integrated, broad and pertinent advice. The legal team provides holistic guidance around strategic business decisions, reducing the gap between business advisers and legal counsel. Working with other EY service lines, EY Law builds interdisciplinary teams capable of leading projects that require many aspects to be considered simultaneously, from legal, through risk, to architecture and implementation. EY wavespace in Warsaw (part of a global network of growth and innovation centres), with its OT/IoT Security Laboratory, enables co-operation leading to the development of ready-made solutions and knowledge transfer. All wavespace locations feature a shared methodology and platform that combines EY's experience in disruptive technologies such as artificial intelligence, robotic process automation (RPA), blockchain, data analytics, digital, customer experience and cybersecurity with EY's deep industry domain and regulatory experience. Special thanks to Joanna Galajda from EY Law for her input to this chapter.

Constitution

Cybersecurity is not directly regulated in the Polish Constitution. However, the Polish Constitution guarantees the right to privacy (Article 47), freedom and protection of communication (Article 49), and protection of personal data (Article 50).

Act on Personal Data Protection, GDPR and ePrivacy

Personal data protection is primarily regulated by the General Data Protection Regulation (GDPR) – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016. The GDPR is supplemented by the national provisions on data protection – the Act of 10 May 2018 on Personal Data Protection. This act regulates the organisation and functioning of the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych – PUODO).

Issues related to the protection of personal data and privacy in electronic communications are regulated mainly in the Telecommunications Law of 16 July 2014, as a result of the implementation of the ePrivacy Directive – Directive 2002/58/EC of the European Parliament and of the Council. The ePrivacy Directive complements the GDPR and will ultimately be replaced by the ePrivacy Regulation; work on the draft regulation is currently underway.

For more information on data protection regulations in Poland, please see the Polish chapter in Chambers Global Practice Guide: Data Protection and Privacy 2020.

Cybersecurity Act

The first Polish legal act on cybersecurity is the Act of 5 July 2018 on the National Cybersecurity System (Cybersecurity Act). The Cybersecurity Act is an implementation of Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (NIS Directive).

The work on the Cybersecurity Act was carried out by an inter-ministerial team, and the act itself does not exhaust the complex issue of cybersecurity in Poland. Many issues, such as designation of the operators of essential services, or building the competence of adequate authorities, still require further hard work from the administration authorities. The private sector, on the other hand, has to make a big effort to adapt to the new regulations, especially regarding mandatory incident reporting to the appropriate computer security incident response teams (CSIRT) at the national level – until the implementation of the Cybersecurity Act, the reporting was not compulsory, except for the telecommunications sector and critical infrastructure operators.

The Cybersecurity Act applies to three types of entities: operators of essential services, digital service providers and public entities.

Operators of essential services and digital service providers may be fined from PLN1,000 to PLN1 million for failing to comply with their obligations under the Cybersecurity Act. A financial penalty is imposed by the authority competent for cybersecurity matters; the funds from the penalties constitute state budget revenue.

The Cybersecurity Act is supplemented by a number of executive regulations that further specify the statutory provisions, namely:

  • Regulation of 10 September 2018 on organisational and technical conditions for entities providing cybersecurity services and the internal organisational structures of operators of essential services responsible for cybersecurity;
  • Regulation of 11 September 2018 on the list of essential services and materiality thresholds for the disruptive effect of an incident for the provision of services;
  • Regulation of 2 October 2018 on the scope and mode of operation of the Cybersecurity Board;
  • Regulation of 12 October 2018 on the list of certificates authorising to conduct a security audit;
  • Regulation of 16 October 2018 on the types of documentation regarding the cybersecurity of the information system used to provide essential services;
  • Regulation of 31 October 2018 on the thresholds for recognising an incident as serious.

Criminal Law

The Polish Criminal Code does not provide a legal definition of cybercrime. However, some of the crimes provided for in the Criminal Code (CC) can be considered as cyber-attacks, for example: illegal access to information (Article 267, CC), destruction of information (Article 268, CC), damage to databases (Article 268a, CC), computer sabotage (Article 287, CC), or disruption of networks (Article 269a, CC).

The cybersecurity supervisory authority comprises the minister competent for digitalisation matters and the competent cybersecurity authorities supervising each of the key sectors of the economy.

A total of 11 sectors listed in the Cybersecurity Act are subject to the competence of a specific ministry, as presented below:

  • Minister competent for energy – energy;
  • Minister competent for transport – transport;
  • Minister competent for maritime economy and minister competent for inland navigation – water transport;
  • Polish Financial Supervision Authority – banking, financial market infrastructure;
  • Minister competent for health – healthcare;
  • Minister competent for water management – drinking water supply and distribution;
  • Minister competent for digitalisation – digital infrastructure, digital service providers;
  • Minister of National Defence (entities subordinated to the Ministry of National Defence and entrepreneurs of particular economic and defence importance) – health protection, digital infrastructure, digital service providers.

The competent authorities are the ministers competent for specific sectors, who, based on an agreement, may entrust the implementation of certain tasks to subordinate or supervised entities. This means that sector regulators (if any) can perform these functions instead of the minister responsible.

The duty of the authority competent for cybersecurity matters is to analyse the entities operating in a given sector and to issue decisions in the matter of recognising an entity as an operator of essential services. In addition, the competent authority also prepares recommendations for actions to strengthen the sector’s cybersecurity.

The duties of the competent authorities also include:

  • requesting the entity to remove vulnerabilities that led or are likely to lead to a serious incident;
  • control of the operators of essential services;
  • co-operation with other EU countries via the "single contact point";
  • participation in cybersecurity exercises, and processing of the personal data necessary to carry out its tasks.

The proceedings to deal with a breach of regulations concerning personal data protection are conducted by the PUODO based on the provisions of the Personal Data Protection Act. In matters not covered by this Act, the Code of Administrative Procedure shall apply. The proceedings are single-instance and the PUODO decision is final and terminates the proceedings. The PUODO may impose an administrative fine in the decision. If the entity does not agree with the decision, it is entitled to file a complaint with an administrative court within 30 days of the decision being served.

Under the Cybersecurity Act, the operators of essential services and digital service providers may be fined from PLN1,000 to PLN1 million for failing to comply with their obligations. These administrative fines are mandatory and are imposed by way of an administrative decision of the authority competent for cybersecurity matters. In addition, the authority may impose a penalty even if the entity has ceased violating the law or repaired the damage caused, if the authority competent for cybersecurity matters considers this justified by the duration, scope or effects of the violation (Article 76 of the Cybersecurity Act).

NIS Directive

The NIS Directive is the first piece of EU-wide legislation on cybersecurity. It provides legal measures to boost the overall level of cybersecurity in the EU. The deadline for implementation was set for 9 May 2018, although in some EU countries (including Poland) the NIS Directive was implemented with a delay. This act sets out certain obligations for all member states and provides for obligations related to ensuring network security for a large group of entrepreneurs. The NIS Directive regulates five main groups of tasks related to cybersecurity:

  • obligation for all member states to adopt a national strategy on the security of networks and information systems;
  • creation of a co-operation group composed of representatives of member states, the European Commission and the European Union Agency for Network and Information Security (ENISA);
  • creation of a network of teams responding to computer security incidents (CSIRT network);
  • setting out security and incident reporting requirements for essential service operators and digital service providers;
  • obligations for member states regarding the designation of competent national authorities, including single points of contact, to perform tasks related to the security of networks and information systems.

EU Cybersecurity Act

On 27 June 2019, the so-called Cybersecurity Act (Regulation (EU) No 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA, the European Union Agency for Cybersecurity, and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013) (EU Cybersecurity Act) entered into force.

The EU Cybersecurity Act sets out the rules for the organisation of ENISA, as well as the framework for establishing European cybersecurity certification schemes to ensure an appropriate level of cybersecurity of ICT products, services and processes in the EU. Following the entry into force of the regulation, ENISA has gained a permanent mandate and has become responsible for co-ordinating cybersecurity activities in Europe.

The agency has been given extensive powers to co-ordinate the operational co-operation of cybersecurity incident response teams (CSIRTs) in the member states. Certification programmes, as indicated by the Ministry of Digitisation, are aimed at stimulating market development in the above-mentioned sector, as well as reducing the costs associated with testing the correct functioning and effectiveness of the security system. Each certification programme will be based on assessment criteria and test methods agreed by the EU and will be independent of manufacturers.

As a result of the development of joint European certification schemes, test results and certificates are to be recognised by all member states, which is intended to increase the number of solutions used in the field of cybersecurity. This, in turn, is expected to translate into greater availability of secure software, services and devices on the market for citizens, entrepreneurs and institutions alike.

Member states have time until 28 June 2021 to adapt their national legislation to the new regulations.

The Cybersecurity Act sets up three teams to respond to computer security incidents operating at the national level – individual computer security incident response teams (CSIRT):

  • led by the Head of the Internal Security Agency (CSIRT GOV) – its tasks include handling, or co-ordinating the handling of, incidents reported by the entities of greatest importance for the continuity of the functioning of the state;
  • led by the Minister of National Defence (CSIRT MON) – it co-ordinates the handling of incidents reported by entities subordinate to or supervised by the Minister of National Defence and entrepreneurs of particular economic and defence importance;
  • led by the Scientific and Academic Computer Network (CSIRT NASK) – it co-ordinates the handling of incidents reported by, among others, research institutes, Polish Air Navigation Services Agency or individuals.

Since the NIS Directive provides only for minimum harmonisation of the provisions on cybersecurity, the Polish legislator decided to provide more detailed regulation at the national level. Consequently, the public administration and (indirectly, in some respects) the telecommunications sector were included in the Cybersecurity Act.

In addition, the legislator’s goal was to clearly separate responsibilities between individual CSIRTs at the national level, establish cybersecurity supervision (competent authorities, financial penalties), and create a political and strategic framework for managing cybersecurity in Poland (the Cybersecurity Strategy of the Republic of Poland, appointment of a proxy and the Cybersecurity Board).

The Cybersecurity Strategy of the Republic of Poland for 2019-2024 (Cybersecurity Strategy) was approved by the Council of Ministers on 22 October 2019, effective from 31 October 2019.

The Cybersecurity Strategy replaces the National Framework for Cybersecurity Policy of the Republic of Poland for 2017-2022. The document defines strategic goals and appropriate political and regulatory measures that must be implemented to ensure that information systems, essential service operators, critical infrastructure operators, digital service providers and public administration are immune to cyberthreats.

The main goal of the Cybersecurity Strategy is to increase the level of resistance to cyberthreats and the level of information protection in the public, military and private sectors. Better information protection will also be achieved by the promotion of knowledge and good practices among citizens.

Specific objectives of the Cybersecurity Strategy are as follows:

  • development of the national cybersecurity system;
  • increasing the resilience of public administration and private sector information systems and achieving the capacity to effectively prevent and respond to incidents;
  • increasing the national potential in cybersecurity technology;
  • building awareness and social competence in the field of cybersecurity;
  • building a strong international position of the Republic of Poland in the field of cybersecurity.

Within half a year of adopting the document, the Minister for Digital Affairs, in co-operation with members of the Council of Ministers, heads of central offices and the Director of the Government Centre for Security will develop and present an Action Plan for the implementation of the Cybersecurity Strategy. The Action Plan will set out the specific actions for government bodies, along with a schedule for their implementation and measures to assess the status of actions that are undertaken.

Cybersecurity of 5G networks and the internet of things (IoT) will be treated by the government as a priority. This is reflected in the analyses that are already being carried out to clarify the security requirements for telecommunications operators, especially in the construction of the 5G network. It is assumed that legal changes will be necessary in this area to allow adequate control over cybersecurity of 5G networks.

In the Cybersecurity Strategy, the Polish government emphasises the need to implement appropriate measures to ensure the security of new technologies, in particular those based on the 5G network. The Strategy notes that, in connection with the dynamically developing IT market – and particularly in connection with the development of the IoT, smart cities, industry 4.0 as well as cloud computing, mobile broadband communications networks (5G and subsequent generations) – there is a need to intensify research and development activities as well as production in the field of cybersecurity.

To this end, research programmes aiming at the development and implementation of new methods of protection against cyberthreats will be continued together with the National Centre for Research and Development.

Issues related to the protection of personal data are regulated in the GDPR, the Act of 10 May 2018 on Personal Data Protection and sectoral laws (ie, Banking Law, Energy Law, etc).

Issues related to the protection of personal data and privacy in electronic communications are regulated mainly in the Telecommunications Law of 16 July 2014, as a result of the implementation of the ePrivacy Directive.

Issues related to the security of the systems, infrastructure and data of the operators of essential services, digital service providers and public entities are regulated by the Cybersecurity Act, sectoral laws and regulatory guidelines.

For more information, please see 1.1 Laws.

Please see 1.2 Regulators.

Please see 1.4 Multilateral and Subnational Issues regarding the EU Cybersecurity Act.

The PUODO is the authority competent in the matters of personal data protection. It initiates proceedings in the event of a complaint regarding a breach of personal data protection or at its own discretion – as a result of an inspection or after obtaining information about irregularities. The PUODO may require written explanations from the inspected entities, and direct inspections may be carried out by its authorised employees. In addition to ad hoc controls, the PUODO also carries out scheduled inspections.

The Office of the Polish Financial Supervision Authority (PFSA) has presented an action plan and initiatives to be implemented in the field of new technologies, innovation and cybersecurity in the near future – the Digital Surveillance Agenda (Agenda).

One of the areas discussed in the Agenda is cybersecurity. The PFSA intends to take the following actions in the field of cybersecurity: increase the level of security of information processed in the cloud; review and update recommendations regarding IT risk management on the financial market; introduce a uniform analytical model of cybersecurity risk; and implement various forms of educational activities in the field of cybersecurity.

Among the actions undertaken by the PFSA was the issuance, in January 2020, of new guidelines on the implementation of cloud computing in the financial sector. The document specifies the cloud adoption reference model for financial market entities, guidelines for information classification and risk assessment as well as requirements to be met by cloud service providers.

In addition to cloud security, the PFSA plans to review the recommendations for IT risk management on the financial market. The dynamic development of digital technologies and the occurrence of new risks associated with them force the PFSA to revise and update the current risk management requirements.

The NASK Institute is a state research institute whose mission is to search for and implement solutions to develop ICT networks in Poland and improve their efficiency and security. NASK conducts scientific research, development works as well as operational activities for security of Polish cyberspace. An important aspect of NASK's activities is also education of users and promotion of the concept of "the information society", mainly to protect children and young people against threats related to the use of new technologies.

The key field of NASK's activity is ensuring internet security. The Cyber Security Centre Division is responsible for responding to events that violate network security in Poland and co-ordinates activities in this area. Pursuant to the Cybersecurity Act, NASK-PIB was designated as one of the CSIRTs, which co-ordinate the handling of incidents reported by the operators of essential services, digital service providers and local government. All users can also report incidents to CSIRT NASK. Furthermore, NASK co-creates analytical facilities and research and development centres for the national cybersecurity system.

There are no regulations at the national level that directly impose specific de jure standards. However, the existing laws and regulations refer to standards as a framework that could be followed and implemented by companies subject to the particular law or regulation.

The Polish Financial Supervision Authority (PFSA) has issued recommendations and guidelines on the Management of Information Technology and ICT Environment Security. This regulation applies to the banking sector, general pension companies, insurance and reinsurance undertakings, investment funds and other capital market infrastructure entities. The regulation refers to ISO/IEC 27000 standards, COBIT (Control Objectives for Information and related Technology), GTAG (Global Technology Audit Guide) and GAIT (Guide to the Assessment for IT Risk) as standards that provide a reference model in various domains of the information security operations and governance model.

The Statement of the Polish Financial Supervision Authority on cloud computing, which applies to companies subject to the PFSA, also refers to various standards. According to the Statement, when selecting cloud service providers, companies subject to the PFSA should consider whether the provider complies with the following standards: ISO/IEC 20000; ISO/IEC 27001; ISO 22301; ISO/IEC 27017; and ISO/IEC 27018. It is recommended to verify whether the cloud service provider meets the requirements of the Polish Standard PN-EN 50600 (Equipment and the Infrastructure of the Data Processing Centre), minimum class 3, or ANSI/TIA-942, minimum Tier III.

For SCADA/IoT environments, the standards that provide commonly deployed guidance are ISO/IEC 27001/27019 and ISA/IEC 62443.

Please see 3.1 De Jure or De Facto Standards.

Written Information Security Plans or Programmes

According to the Cybersecurity Act (Article 8(2) point (d)), the operators of essential services are obliged to implement, document and maintain action plans enabling continuous and uninterrupted provision of key services and ensuring confidentiality, integrity, availability and authenticity of information. Implementation of business continuity plans is also required by regulations and guidelines specific for some regulated sectors – eg, the Polish Banking Law imposes an obligation on the banks to implement a business continuity plan for outsourced activities. Also, the PFSA, in its Recommendation D on the management of information technology and security of the ICT environment in banks, imposed such an obligation on banks.

Incident Response Plans

There is no legal requirement to implement “incident response plans”; however, such plans can be part of the business continuity plans implemented by the obligated entities.

Appointment of Chief Information Security Officer (or Equivalent)

According to the Cybersecurity Act, the operators of essential services are obliged to designate a person responsible for maintaining contacts with entities being part of the national cybersecurity system (Article 8), and to set up internal structures responsible for cybersecurity or conclude a contract with an external entity providing cybersecurity services.

Involvement of Board of Directors (or Equivalent)

According to the Cybersecurity Act, a fine may be imposed on the operators of essential services and, in certain cases, on the manager of an operator of essential services, where they have failed to exercise due diligence in meeting certain obligations arising from the Cybersecurity Act.

Conducting Internal Risk Assessments, Vulnerability Scanning, Penetration Tests, etc

According to the Cybersecurity Act, the operators of essential services are obliged to conduct systematic risk assessment and incident management (Article 8(1)) and to conduct a security audit of IT systems at least twice a year (Article 15(1)). It should be noted that the Polish Criminal Code allows appropriate actions to be taken to detect errors in information system security, such as vulnerability scanning or penetration tests (Article 269c, CC). According to this provision, a person who acts solely for the purpose of securing an IT system or IT network, or of developing a method for ensuring such security, does not commit the crime of illegal access to information (Article 267, CC) or disruption of networks (Article 269a, CC).

Vendor and Service Provider Due Diligence, Oversight and Monitoring

Some financial market regulations and PFSA recommendations – in particular, the new guidelines for the use of cloud computing by supervised entities – require due diligence and monitoring of the providers of outsourced services.

Use of Cloud, Outsourcing, Offshoring

Specific requirements for outsourcing and for the use of cloud solutions are imposed on the entities in the financial market. In particular, the Polish Banking Law imposed additional requirements for outsourcing. Also, the PFSA’s Guidelines for the use of cloud computing by the supervised entities regulate the use of cloud computing in the regulated market.

There are no specific requirements related to multinational relationships.

The Polish Personal Data Protection Act (PDPA) of 10 May 2018 follows the GDPR risk-based approach; hence, it does not specify any particular technical or organisational measures, as the steps to be taken should result from the controller's own assessment of the privacy impact. There are no specific reporting requirements either.

Institutions accredited by the Polish Accreditation Centre will be obliged, within the scope of their accreditation, to provide certification to interested parties. Public consultations on the adoption of guidelines concerning the certification and accreditation criteria under the GDPR (Articles 42 and 43) were carried out in 2018 and 2019.

The President of the Polish Data Protection Authority (PUODO) is not currently working on any certification mechanism. It is not yet possible to obtain a certificate of compliance with the GDPR from the President of the Office for Personal Data Protection or another entity, or to indicate any authorised certification bodies. In Poland, no companies have yet applied for or received a certificate from the PUODO, and the cost of obtaining a certificate is as yet unknown.

Furthermore, no list of documents required from the data administrator to obtain a certificate, or from another entity to acquire the right to issue certificates, has yet been drawn up. Finally, the PUODO is not currently carrying out any works to create national accreditation and certification criteria as referred to in Articles 13 and 16 of the Personal Data Protection Act. Therefore, the date for their release is as yet unknown.

The President of the Polish Data Protection Authority has the right to perform an independent inspection in the certified organisation, not earlier than seven days after a written notice of the inspection has been served.

The matter is not relevant in this jurisdiction.

The legal basis for protecting critical infrastructure, networks and systems in Poland is provided by the Act on Crisis Management (Ustawa o zarządzaniu kryzysowym), which defines critical infrastructure and details security requirements for its protection.

At the national level, these requirements include the compilation of crisis management plans covering critical infrastructure aspects and the adoption of the National Critical Infrastructure Protection Programme, aimed at creating conditions for improving the security of critical infrastructure. Other critical infrastructure protection requirements outlined in the regulation include collecting and processing information on potential threats to critical infrastructure, developing and implementing procedures to be followed in the event of such threats, and restoring critical infrastructure.

In addition to the Act on Crisis Management, critical infrastructure protection is provided for by the Act on the National Cybersecurity System (the NCS) (Ustawa o krajowym systemie cyberbezpieczeństwa – KSC), as an entity can be classified both as a critical infrastructure operator and as an operator of essential services (which is subject to the KSC). Some security requirements of the NCS, such as the possession of documentation, have therefore been adapted to critical infrastructure operators. In terms of reporting, critical infrastructure operators that have been identified as operators of essential services are required by the NCS to report incidents to the Computer Security Incident Response Team led by the Head of the Internal Security Agency (CSIRT GOV) or by the Minister of National Defence (CSIRT MON).

At the national level, critical infrastructure protection is co-ordinated by the Government Security Centre (Rządowe Centrum Bezpieczeństwa – RCB). As part of its mission, the Government Security Centre systematically publishes National Critical Infrastructure Protection Programmes, as required by the Act on Crisis Management, with the last Programme issued in 2018. The aim of these documents is to create conditions for improving critical infrastructure security and, together with other related documents, increasing the security of Poland, as an overarching goal.

In addition to the National Critical Infrastructure Protection Programme, the Government Security Centre published, in 2019, a series of documents aimed at supporting the entities responsible for critical infrastructure in building security in the field of industrial automation. To date, two publications outlining good practices in the management and security of industrial automation have been issued by the Government Security Centre for two sectors: (i) power and utilities and (ii) oil and gas. These publications may serve as a source of security guidelines that critical infrastructure operators in these and related sectors can adopt on a voluntary basis. Other resources shared by the Government Security Centre include a video guide on critical infrastructure and an information guide on ICT protection.

Other sources of security requirements for critical infrastructure protection may be obtained from European and international standards, such as ENISA publications or NERC’s CIP Standards.

Security requirements to prevent denial-of-service attacks are not regulated by law. However, some general requirements for preventing attacks (including DoS attacks) can be found in the security standards (eg, ISO standards) and regulatory guidelines (eg, Recommendation D).

The matter is not relevant in this jurisdiction.

Data Protection

There is no separate definition of a personal data security incident or breach in the PDPA; hence, the GDPR definition referred to in Article 33 applies, namely a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

The number of notifications about potential personal data breaches reported by private and public companies to the Polish Data Protection Authority in the second half of 2018 reached almost 2,500, while the number of complaints reported to the Polish Data Protection Authority by private individuals in the same period reached almost 4,500 cases and over 7,000 cases in the whole calendar year 2019.

Cybersecurity

The Cybersecurity Act provided a new definition and concept of security incidents. According to that Act, an incident is an event that has or may have an adverse effect on cybersecurity. The legislator distinguished several types of incidents:

  • a critical incident results in key damage to public safety or order, international or economic interests, functioning of public institutions, civil rights and freedoms or health or life of people – such incidents are classified by the relevant CSIRT;
  • a serious incident may cause a significant reduction in quality or interruption of the continuity of key service provision;
  • a significant incident significantly affects the provision of the digital service;
  • an incident in a public entity may cause a reduction in quality or interruption of the public task carried out by a public entity.

The matter is not relevant in this jurisdiction.

The matter is not relevant in this jurisdiction.

The matter is not relevant in this jurisdiction.

The current global trend of IT and OT convergence resulted in the exposure of critical industrial control systems (ICS) and SCADA to new threats, which entailed the need for ensuring adequate security measures – a challenge that the Polish organisations handling ICS are becoming increasingly aware of.

Currently, no specific security regulations for ICS exist in Poland. However, once such systems are identified by a regulatory body as "critical infrastructure", or their operators are designated as operators of essential services, they are required to comply with the relevant existing regulations, namely the Act on Crisis Management and the Act on the National Cybersecurity System, respectively. Both of these regulations require the reporting of security incidents to designated authorities (CSIRTs).

Otherwise, the above legislation may still be used on a voluntary basis as a guideline and source of security requirements to improve the cybersecurity level of ICS.

In addition, ICS operators may use the cybersecurity guidelines and good practices developed by the Government Security Centre, which are aimed at supporting the entities responsible for critical infrastructure in building security in the field of industrial automation, in both power and utilities and in oil and gas.

Finally, recognised industry security standards can be used by organisations as a source of security requirements to be implemented, the most common of which in Poland include industrial security standards such as NIST’s Guide to Industrial Control Systems (ICS) Security, the ISA/IEC 62443 series of standards or, at a more general level, ISO/IEC 27001.

IoT is becoming increasingly common among Polish organisations in various sectors, and considerable interest has been expressed in adopting this emerging trend. The Polish Ministry of Digital Affairs acknowledges the expected rapid growth of the IoT technologies and solutions market and sees the potential for absorption of IoT by the Polish economy.

Due to its innovative nature and rapid growth, the current landscape of Polish legal regulations does not directly cover IoT aspects and, in particular, cybersecurity issues related to IoT development and usage. Polish government authorities are, however, aware of the need to address this problem, which is considered as one of the barriers to IoT development in the country.

To that end, the Ministry of Digital Affairs established an IoT working group with the objective to identify actions necessary to create favourable conditions for IoT technologies development in Poland. In 2019, the working group issued a report focused on IoT in the Polish economy which, in terms of IoT security, recommends various regulatory initiatives, such as developing cybersecurity standards and certification methods for IoT, adjusting the legal ecosystem of IoT taking into account current legislation as well as introducing data protection regulations.

At present, legal security requirements for IoT can be found dispersed across various, more general, security regulations in force, such as the Act on Personal Data Protection, the Act on the National Cybersecurity System as well as sectoral regulations (eg, for medical devices). Notably, with regard to data breach reporting and notification, the Act on Personal Data Protection requires organisations to immediately report a personal data breach to the supervisory authority and, in particular cases, also to data subjects. The Act on the National Cybersecurity System, which applies to operators of essential services, imposes, among other security obligations, a requirement to report significant incidents to designated authorities immediately (ie, within 24 hours).

In addition to mandatory compliance with legal regulations, Polish IoT adopters, developers and other stakeholders may voluntarily seek IoT security guidelines and good practices within IoT-oriented publications of European and international security organisations. Examples of such may include ENISA’s Good Practices for Security of IoT or NIST’s Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks.

Please see 5.1 Definition of Data Security Incident or Breach. In addition, thresholds for recognising an incident as serious in each sector indicated as “essential” are set out in the Regulation of 31 October 2018.

Thresholds for recognising an incident as serious in each sector indicated as “essential” are set out in the Regulation of 31 October 2018.

Together with the GDPR, the Polish Act on Personal Data Protection entered into force, bringing about changes including amendment of labour law provisions. The Labour Code has been extended to include regulations regarding video monitoring in the workplace, monitoring of official emails and other forms of employee monitoring.

Right to Monitor Employees’ Emails

Under Article 22³ §1 of the Labour Code, electronic mail monitoring is admissible where it is necessary to ensure:

  • organisation of work enabling full utilisation of working time – as part of achieving this goal, the employer may, for example, check that employees do not use the internet or particular websites for purposes other than performing their official duties;
  • proper use of the working tools made available to the employee – this control is intended not only to ensure that the employee uses the tools entrusted to him or her for professional purposes, but also that he or she is not overloaded with work.

Prohibition of Violating Confidentiality of Correspondence

There is another condition for the admissibility of employee email monitoring. In accordance with Article 22³ §1 of the Labour Code, control of employees' mailboxes must not violate either the confidentiality of correspondence or other personal rights of the employee.

The above-mentioned conditions for the admissibility of electronic mail monitoring apply accordingly to other forms of employee monitoring. Article 22³ §4 of the Labour Code indicates other forms of monitoring and includes, in particular, monitoring with the use of new technologies (eg, biometrics or GPS). This provision will also cover the monitoring of employees’ business phones regarding conversations and text messages sent from the phone.

The critical issues regarding the intersection of cybersecurity and privacy are associated with the pace at which emerging technologies and advanced cybersecurity solutions, in particular data monitoring and advanced data analytics, are being used. However, the lack of regulation at the EU level regarding the application of artificial intelligence (AI), including its application for cybersecurity purposes, may be a source of significant concern going forward.

In October 2019, based on the Act on the National Cybersecurity System, the Cyber Security Strategy of the Republic of Poland for 2019-2024 became effective. One of the strategic goals outlined in this document is the development of the National Cybersecurity System, which will be achieved through the development of the information sharing system for the purpose of managing national security, as stated in the Strategy.

To improve security management, the Strategy indicates that activities will be carried out to exchange information and agree on responses, both at the strategic and operational level, in particular between the civilian and military spheres. The document also draws attention to the need for building a cyberthreat-resistant information exchange system to address the needs of public administration, using the latest information exchange technologies.

The Act on the National Cybersecurity System itself introduces the concept of a sectoral cybersecurity team, which may be appointed by the authority competent for cybersecurity matters in a given sector or sub-sector. Such a team can transfer information about serious incidents to, and receive it from, other countries, including European Union member states, including incidents concerning two or more EU member states. The sectoral cybersecurity team may also receive reports of such incidents from another EU member state and, in such a case, it should forward these notifications to the appropriate Computer Security Incident Response Team and the designated "single contact point".

In addition, the Act requires the identified operators of essential services to immediately (ie, within 24 hours) report on significant incidents to the appropriate Computer Security Incident Response Team.

There is no dedicated legislation that would impose an obligation to share information on cyberthreats at the national level. The Polish Financial Supervision Authority has issued recommendations and guidelines on the Management of Information Technology and ICT Environment Security. This regulation applies to the banking sector, general pension companies, insurance and reinsurance undertakings, investment funds and other capital market infrastructure entities.

According to the regulation, it is recommended that the companies concerned enter into co-operation with others within the same industry to exchange information on identified information security threats. However, information sharing has not been specifically regulated. Proper cybersecurity practices should be followed in the case of such information sharing.

Moreover, the following provide opportunities for information sharing:

  • all public and private organisations may inform an appropriate Computer Security Incident Response Team (CSIRT) about cybersecurity incidents for analysis and support on a voluntary basis;
  • participation in voluntary security communities – Polish and international – eg, (ISC)2 Poland Chapter, ISSA Poland, ISA community, etc;
  • participation in cybersecurity conferences.

In September 2019, the PUODO imposed a fine of over PLN2.8 million on Morele.net (an online store) for insufficient security of personal data.

In December 2018, Morele.net announced that a cyber-attack had been carried out on its IT systems and that the attackers "had gained an unauthorised access to the customer database". The matter was audited by the PUODO.

On 10 September 2019, the PUODO issued a decision in which it explicitly stated that Morele.net had violated the provisions of the GDPR. Justifying the decision to impose a financial penalty, it stated that Morele.net had not provided sufficient organisational and technical security, and this had led to customers’ data leakage on such a large scale. The company also failed to ensure adequate monitoring of potential threats resulting from unusual network traffic.

As a result of negligence, information such as customers’ names, telephone numbers, email and delivery addresses leaked out. In addition, in some cases, very sensitive customer data also leaked out, such as: PESEL number, ID card number, registered address, correspondence address, source of income and its amount, income per household member, maintenance and credit obligations in other institutions as well as marital status and education.

The PUODO classified this type of violation as a breach of the confidentiality rule set out in Article 5(1) point (f) of the GDPR. In the opinion of the authority, the Morele.net store used ineffective means of authenticating access to data.

Please see 8.1 Regulatory Enforcement or Litigation.

The proceedings to deal with a breach of regulations concerning personal data protection are conducted by the PUODO based on the provisions of the Personal Data Protection Act. In the matters not covered by this Act, the Code of Administrative Procedure shall apply.

The matter is not relevant in this jurisdiction.

The matter is not relevant in this jurisdiction.

Due to the absence of any rules or regulations for conducting diligence in the cybersecurity domain in corporate transactions, there is no defined common approach.

Incident reporting is mandatory (and so it was before the implementation of the Cybersecurity Act) for the telecommunications sector (under the Telecommunications Law) and critical infrastructure operators (under the Crisis Management Act).

All significant issues have already been addressed.

Ernst & Young Law Tałasiewicz, Zakrzewska i Wspólnicy sp.k.

Rondo ONZ 1
00-124 Warszawa
Poland

+48 22 557 70 00

+48 22 557 70 01

justyna.wilczynska-baraniak@pl.ey.com
www.ey.com