The number and severity of cyberattacks are on the rise, and companies simply cannot rely on their governments to protect them. In fact, quite the opposite is true. Governments are increasingly requiring corporations to defend themselves and, by extension, the state as a whole.

Poland, like China and Singapore, is the latest example of a nation that has passed far-reaching cybersecurity legislation to better ensure that its critical infrastructure is protected. As many cybersecurity principles are already reflected in the EU’s General Data Protection Regulation (GDPR), which affects Polish companies, Poland’s cybersecurity bill is a recognition that cybersecurity is not just about protecting personal data from exfiltration and misuse. Rather, it is also about protecting the availability and integrity of essential services like food, water, heat, transportation, banking and electricity.

On July 5, 2018, Poland passed the Act on the National Cybersecurity System (ANCS), which went into effect on August 28 and implements provisions of the European Union’s Directive of Network and Information Systems (NIS Directive). An entity’s failure to comply with the ANCS can amount to penalties up to 1,000,000 PLZ or over $260,000.

But, as cyber threats know no boundaries, this legislation has implications for non-Polish companies as well.

Which companies are affected?

The law imposes obligations on two groups of companies registered in Poland: Essential Service Operators and Digital Service Providers, with Government agencies making the determination on which companies qualify by November 8, 2018.

The agencies will make these determinations based on whether:

1. The service provided by the operator is an “essential service”;
2. The provision of that service relies on information systems; and
3. A cybersecurity breach would have a significant disruptive effect on the provision of that service.

Under the ANCS, Essential Service Operators will, among other things, need to:

1. Monitor cybersecurity threats;
2. Assess cybersecurity risks and take appropriate organizational measures to manage such risk; and
3. Prevent and minimize the impact of cyberattacks.

Digital Service Providers, on the other hand, are those companies that fall into any or all of the following:

1. Online marketplaces;
2. Online search engines; and
3. Cloud computing services.

Among other things, the Act requires them to:

1. Take appropriate and proportionate technical and organizational measures to manage risk (it might be useful to turn to ENISA’s guidelines, Technical Guidelines for the implementation of minimum security measures for Digital Service Providers, as well as international standards such as ISO/IEC 21001, CCS, OCF, BSI C5 or NIST;
2. Take preventive steps and steps to minimize the impact of incidents (e.g., fall-back, disaster recovery or business continuity procedures); and
3. Appoint a representative responsible for contacts with the competent authority.

Do companies outside of Poland need to worry about this?

Global organizations that operate within Poland will likely have to comply with the ANCS. While it will be less common for a foreign-based organization to be designated as an Essential Service Operator under the Act, the “Digital Service Provider” umbrella is far broader and likely to hit US and European companies with operations in Poland.

Notification requirement

In the event of a cybersecurity incident having a significant impact on the continuity of the essential service, organizations that must comply with the Act will have a mere 24 hours to report the cybersecurity incident after it is identified.¹ This tight deadline is profoundly significant for those breaches that also require GDPR reporting, because the 72-hour GDPR deadline is effectively reduced to 24 hours, since no regulator wants to first find out about a breach affecting one of its regulated entities in the morning paper.

Comparison with other regulatory requirements

While the notification deadline differs, the ANCS will require organizational changes on the part of business entities to ensure compliance, many of which will look familiar to those companies already GDPR compliant and to those companies who have had to comply with other global cybersecurity regulations.

For example, similarly to the GDPR, the Act imposes on essential service operators a transparency obligation, requiring them to provide information on cybersecurity to their customers. Customers should be informed on potential cyber-threats and preventive measures they might take. This can be done by publishing special alerts on an operator’s website or in an email sent directly to each customer.

Furthermore, the Act requires accountability, meaning that operators must be able to demonstrate compliance with the Act as they do with the GDPR, a tack similar to regulators in the United States like New York State’s Department of Financial Services. Therefore, the essential service providers are to provide the competent authorities with information necessary to assess the security of their network or IT systems, including documented security policies and evidence of the effective implementation of the policies, and to undergo a cybersecurity audit at least once every two years.

In addition, both Essential Service Operators and Digital Service Providers should appoint representatives responsible for contacting the CSIRT and other cybersecurity authorities. They should also develop internal or external units dedicated to addressing cybersecurity issues.

Conclusion

While Poland is the latest country to implement a broad cybersecurity law, it will not be the last. As similar as many of these requirements may appear to those companies already subject to cybersecurity regulations, there are also key differences, requiring global companies to have a nuanced, global regulatory strategy.

Eversheds Sutherland will continue to provide updates on the ANCS, GDPR, and other cybersecurity laws as these regulations further develop. View for more details on the ANCS in Polish.

_____

¹ Note that only when the provider has enough information to determine that an incident has a significant impact does the clock start.

[View source.]