The new draft implementing the NIS2 directive contains such discretionary solutions that, instead of increasing the level of security in Poland, it poses a threat to national security, according to the authors of a report published in December by the Adam Smith Center.
The Ministry of Digitization announced in October that work on the Act on the National Cybersecurity System had been completed. Deputy Minister of Digitization Paweł Olszewski assured that “thoughtful solutions have been prepared that will streamline supervision over the key entities of the cybersecurity system in Poland.” However, experts have a different opinion.
An EY report published earlier, entitled “Implementation of the NIS2 Directive in Poland against the background of selected EU countries”, states that the proposed changes go far beyond the directive and are overly restrictive and mainly arbitrary. By giving unchecked power to the administration, they are conducive to the abuse of public positions for private benefit.
In the past, under the pretext of the necessity to implement EU directives in Poland, governments often introduced additional solutions that were not required by the EU. The Union was then blamed for the negative effects of these solutions. The case of implementing the NIS2 directive is similar: the directive does not provide for the introduction of high-risk suppliers, nor does it extend the scope of Toolbox 5G to all generations of radio networks, as the government does. Moreover, unlike other EU countries, the Polish legislator introduces the exclusion of suppliers from as many as eighteen sectors based on the political criterion of the country of origin. Furthermore, Poland is the only EU country that does not exclude local self-government units (JST) from the directive. This means that the implementation of the directive will cause high costs for the JSTs, which already lack 45 billion zlotys simply for maintaining education. Public health care entities, the vast majority of which use devices from outside the EU and NATO, will face a similar situation.
“Any expert knows that this is about eliminating Chinese equipment from Polish telecommunications networks. From a study on the use of equipment from suppliers outside the European Union or the North Atlantic Treaty Organization in the telecommunications sector, conducted in October 2024 by KIKE, it appears that 100% of the respondents indicated that in the construction of telecommunications networks, small and medium Polish operators predominantly use devices from manufacturers from Asia. This means that if Chinese equipment were to be removed from all Polish stationary, wireless, municipality networks, etc., the cost would amount to tens of billions of zlotys. But why should we spend tens of billions of zlotys and replace high-quality equipment? Just to change the country of the manufacturer? This is a strictly political decision and has nothing to do with security,” says Karol Skupień, Chairman of the Board of the National Ethernet Communication Chamber (KIKE).
The inconsistent and discriminatory procedure of recognizing a supplier as a high-risk provider, focusing on its origin, and subsequently leading to the suspension, limitation, or closure of economic activity, will cause irreversible financial consequences in eighteen sectors recognized as key and in local government units. The Ministry of Digitization has apparently not estimated these costs because it allocates an absurdly low amount to cybersecurity and digitization expenses.
“Only in the next two years will we spend nearly 10 billion zlotys, which will also be responsible for how the state arms its cyber shield,” Deputy Prime Minister, Minister of Digitization Krzysztof Gawkowski said at the “Security of Poland Congress” in October 2024. The Ministry of Digitization clarified that this amount includes expenditures on cybersecurity and digitization.
According to experts, the amendment of the Act is a legal mess. What do they advise the government?
“It should be transposed as most EU countries have done, through minimal harmonization. If we were to transpose the NIS2 directive as it is, according to regulations on the creation of legal acts, we would automatically solve a number of problems – with excessive regulation, with the issues of ensuring verification of the appropriate supply chain, assessing risks associated with the use of certain equipment, with organizational and financial consequences for entrepreneurs,” says Professor Maciej Rogalski, a market expert. “I would advise not to generate problems. If anyone, the government should act in accordance with the law.”
Source: https://managerplus.pl/nowelizacja-ustawy-o-cyberbezpieczenstwie-krytykowana-eksperci-ostrzegaja-przed-ryzykiem-dla-gospodarki-i-bezpieczenstwa-19816