What changes are introduced by the amendment to the Act on the National Cybersecurity System?

The National Cybersecurity System Act has been in force in Poland since 2018 in its original form. Its amendment, aimed at aligning it with the provisions of the EU NIS2 directive and modern cyber threats, is one of the current priorities of the Ministry of Digital Affairs. Legislative changes are expected to come into effect in 2024. What should you know about them?

Expert commentary provided by: Dominik Wcibisz, Regional Implementations Lead at Iron Mountain.

The National Cybersecurity System (NCS) was established to support the continuity of key services from the state’s perspective, respond appropriately to incidents related to cyber threats, and raise cybersecurity awareness and competence among citizens and businesses. The primary goal remains to enhance the resilience of the national infrastructure to cyber attacks through integrated preventative, educational, and reactive actions. This is an extremely important and current topic that will only become more significant over time. In 2023, as many as 66% of companies reported at least one cybersecurity incident, a share that rose by 8 percentage points year-on-year[1].

The main assumptions underlying the amendment of the 2018 NCS Act aim to ensure that the new regulations are more effective in response to the modern landscape of cyber threats. Through regional operational centers and a national contact point, the Ministry of Digital Affairs puts great emphasis on effective coordination of activities and improving the communication of entities responsible for cybersecurity. Cooperation with international institutions also remains crucial, which promotes the effectiveness of preventative and defensive actions.

In addition, the NCS introduces the obligation of regular audits and penetration tests to identify and then eliminate weak points in IT systems. Raising security standards also happens through the implementation of stringent requirements for safeguards, particularly in sectors strategic for the functioning of the state, such as energy, transport, finance, or health care.

In my opinion, education regarding threats, criminal arsenal, and ways to deal with them or respond in case of specific incidents should be an integral part of any project of this kind. Within its competences, the NCS can impose additional obligations on certain entities, especially key service operators and digital service providers, which aim to increase cyber threat awareness among employees and other citizens. Through closer cooperation between the NCS and the Ministry of Education, cybersecurity education is promoted in schools and universities, which in the long term will translate into an increase in staff resources with such specialization. Fields of study related to cybersecurity are currently some of the most sought after. As many as 18 candidates competed in 2023 for a place in the course called “Computer Science and Intelligent Systems”, and in terms of the total number of candidates, the most popular remains “Computer Science” (over 43 thousand)[2].

The standardization and streamlining of procedures for monitoring, reporting, and responding to cybersecurity incidents are intended to shorten the time and increase the efficiency of responses, thereby minimizing their effects. The Computer Security Incident Response Team (CSIRT), appointed for this purpose, supervises the entire operation, monitoring and analyzing threats in real time. In Poland, there are several CSIRTs, including CSIRT GOV, dedicated to government administration; CSIRT NASK, operating within the Scientific and Academic Computer Network; and CSIRT MON, for the Ministry of National Defense. Each of them has a defined scope of activities and specialization depending on the sector it serves.

The NCS also assumes active participation of Poland in international initiatives and organizations dealing with cybersecurity. Cooperation with partners from the European Union allows for the exchange of best practices and technology, which strengthens our country’s defensive capacities in this area. Many EU countries have established similar offices responsible for this area. For example, in Germany there is the Federal Office for Information Security (BSI), in France the Agency for Information Systems Security (ANSSI), and in the UK the National Cybersecurity Centre (NCSC). These institutions, like the NCS in Poland, deal with monitoring and responding to cyber threats, coordinating actions at the national level, and international cooperation.

The National Cybersecurity System in Poland is consistent with the NIS2 assumptions and implements its provisions at the national level. As a result, Polish regulations are in line with EU standards, which facilitates international cooperation and exchange of information about threats. The implementation of NIS2 within the NCS means, among other things, a greater responsibility of key service operators and digital service providers to ensure a high level of security of their information systems.

I have no doubt that the amended NCS Act will play a key role in ensuring the stability and security of critical infrastructure in Poland. At the stage of preparations for its implementation, the priority remains to adapt the regulations to the dynamically changing landscape of cyber threats, which is absolutely necessary in the face of a growing number of cyber incidents. I believe that the key element of the NCS’s effectiveness is not only preventative and reactive actions but also education and raising awareness among all citizens. Investing in knowledge and skills in the field of cybersecurity is the foundation for building resistance to attacks and preparation for future challenges in this area.

[1] Cybersecurity Barometer, KPMG, 2024
[2] MEN Data for 2023.

Source: https://managerplus.pl/jakie-zmiany-wprowadza-nowelizacja-ustawy-o-krajowym-systemie-cyberbezpieczenstwa-48662
