On 7 June, 2023, another version of the proposed amendment to the NCSSA was posted on the Ministry of Digital Affairs public bulletin website. This is now the twelfth version of the proposal. The proposal has been approved by the Council of Ministers, and therefore the amendment can be expected to be passed in the coming weeks.
To reiterate, the NCSSA implements the NIS directive into the Polish legal system, and is the principal source of legislation on cybersecurity in Poland. Work on the amendment has been protracted, lasting more than two and a half years. The work was first undertaken in light of a heightened cybersecurity threat, and was subsequently intensified due to the war across the Polish borders.
The tempo of work on the legislation has increased since the beginning of 2023, and this may be because the end of the parliamentary term is approaching. The adoption of the proposal by the Council of Ministers could portend rapid enactment of the amendment.
The new proposal contains very few changes compared to the previous version, while some continue the tendency in the 5 May, 2023, version, which was to insert references to the Electronic Communications Law (ECL) and make changes to align these two pieces of legislation. The statement of reasons for the proposal for the NCSSA states that they should both come into effect on the same day.
In this context, there is a crucial change, which was made in fact in the previous version, extending the vacatio legis of the amendment to the NCSSA from thirty days to six months.
The most significant change to the current version, however, is the dropping from the proposal of the institution of the protective order. This was a controversial instrument which drew criticism for instance because the protective order was intended to state only the “type of entity” to which the protective order would be issued. This would mean that certain entities might not be aware that they were required to take certain action under this administrative decision – while there was an administrative fine for not complying with the decision.
Other changes proposed are intended to fine tune certain provisions in the NCSSA, such as those relating to the national certification system or for example information sharing and analysis centers (ISAC).
Although the amendment is intended to enhance national cybersecurity, this proposal does not implement NIS 2, for which the deadline for implementation is 17 October, 2024. This means that even if the current proposal is passed soon, work on proposals to amend the NCSSA, or to produce a brand new bill that makes changes implementing NIS 2, can be expected in the near future.