1. IMPLEMENTATION OF NIS2
The Directive on measures for a high common level of cybersecurity across the Union (NIS2, 2022/2555) entered into force in January 2023. Member States were obligated to implement the provisions of the Directive into their legal systems by 17 October 2024.
Poland implemented NIS2 by adopting the Act of 23 January 2026, which serves as an amendment to the existing law - the Act on the National Cybersecurity System of 5 July 2018 (hereinafter: the "ANCS"). The amendment will enter into force after 30 days from the day of its publication.
This guide is based on the amending act adopted by the Polish Parliament on 23 January 2026 (hereinafter: the "Amendment Act"). It outlines the most important changes introduced to the ANCS, focusing on new obligations for entities and new competencies of public authorities, as well as the main enforcement mechanisms.
2. EXPANSION OF THE SCOPE OF THE LAW
The Act of 23 January 2026 amending the ANCS introduces two new categories of entities: essential entities (podmioty kluczowe) and important entities (podmioty ważne).
The primary distinction between the two categories is that, while essential and important entities share identical obligations, the oversight of each category is conducted differently. Apart from that, essential entities are subject to slightly higher financial fines for breaching obligations under the ANCS.
2.1 RULES FOR CATEGORISATION
The entities will be classified into categories according to the following criteria:
- the staff headcount ceilings for micro, small and medium enterprises set forth in Article 2(1) of Annex I to Commission Regulation (EU) No. 651/2014 of 17 June 2014 (hereinafter: "Regulation 651/2014/EU"); and
- whether a particular entity belongs to one of the sectors referred to in Annex I or II to the ANCS.
| Criteria | Microenterprise | Small enterprise | Medium-sized enterprise |
|---|---|---|---|
| Employment | Fewer than 10 employees | Fewer than 50 employees | Fewer than 250 employees |
| Annual turnover | Less than €2 million | Less than €10 million | Less than €50 million |
| Balance sheet total | Less than €2 million | Less than €10 million | Less than €43 million |
Sectors from Annex I include:
- Energy (mineral extraction, electricity, heat, oil and fuels, gas, nuclear energy, hydrogen)
- Transport (air, rail, water, road)
- Banking and financial market infrastructure
- Healthcare (provision of health services and public health, production and distribution of active substances, medicinal products and medical devices)
- Drinking water supply and distribution
- Collective wastewater disposal
- Digital infrastructure (Digital infrastructure excluding electronic communications and electronic communications)
- ICT service management
- Space
- Public entities
Sectors from Annex II include:
- Postal services
- Nuclear energy investments
- Waste management (waste collection, waste transportation, activities performed as a waste seller or intermediary in waste trade)
- Production, manufacture and distribution of chemicals
- Food production, processing, and distribution
- Manufacturing (manufacture of medical devices and in vitro diagnostic medical devices, manufacture of computers, electronic and optical products, manufacture of electrical equipment, manufacture of machinery and equipment not elsewhere classified, manufacture of motor vehicles, trailers, and semi-trailers, manufacture of other transport equipment)
- Digital service providers
- Scientific research
- Specialized public entities
Essential entity:
- exceeds the ceiling for a medium-sized enterprise; and
- operates in one of the sectors referred to in Annex I to the ANCS.
In addition, there will be special categorization rules for certain types of entities:
The following entities will also be considered essential under the ANCS:
- an electronic communications entrepreneur which, at a minimum, meets the requirements for a medium-sized entrepreneur, as set forth in Regulation 651/2014/EU;
- regardless of the entity's size:
  - DNS service providers;
  - providers of managed cybersecurity services;
  - critical entities (within the meaning of Directive (EU) 2022/2557, the so-called CER Directive);
  - public entities indicated in Annex I to the ANCS;
  - entities identified as essential entities pursuant to Article 7l;
  - top-level domain name registries (TLD);
  - state legal persons identified as essential entities under Article 7m;
  - entities providing domain name registration services;
  - entities that are nuclear power facility operators pursuant to the Polish Act on Developing and Implementing Nuclear Energy Projects and Related Facilities.
Important entity:
- is an entity which is not an essential entity;
- operates in one of the sectors referred to in Annex I or II; and
- complies with the threshold for the medium-sized entrepreneurs.
The following entities will also be considered as important entities for the purposes of the ANCS:
- non-qualified trust service providers that are micro, small or medium-sized enterprises as referred to in Article 2(1) of Annex I to Regulation 651/2014/EU;
- electronic communication entrepreneurs being one of the micro-, small or medium-sized enterprises referred to in Article 2(1) of Annex I to Regulation 651/2014/EU,
- an entity identified as an important entity pursuant to Article 7l,
- an entity being an investor in a nuclear power project under the Act on Developing and Implementing Nuclear Energy Projects and Related Facilities.
- public entities which are not essential entities and are local government budgetary units, local government budgetary establishments, local government cultural institutions or public utility companies performing public tasks with the use of information systems (Article 5(2)(8) ANCS).
If an entity meets both the criteria for an essential entity and an important entity, it is classified as an essential entity.
Healthcare entities which are not entrepreneurs are important entities if they employ between 50 and 249 persons, and become essential entities if they employ at least 250 persons (Article 5(8) ANCS).
2.2 WHEN POLISH LAW APPLIES
Entities providing services essential to the functioning of the modern information society operate across borders. An essential entity or an important entity is subject to the obligations under the ANCS if it resides in Poland or conducts business in Poland through its registered office, branches or as part of cross-border activities.
Entities such as a DNS service provider, top-level domain name (TLD) registry, domain name registration service provider, cloud computing provider, data center service provider, content delivery network provider, managed service provider, managed cybersecurity service provider, online marketplace provider, internet search engine provider, or provider of social networking platform providing services in Poland are subject to the obligations arising from the ANCS if Poland is their principal place of business. Principal place of business is in Poland if (1) the head of the entity who is the entity's decision-maker regarding its information security management system is based here, or (2) the tasks related to the entity's information security management system are carried out here, or (3) Poland is the country with the largest number of the entity's employees as compared to other EU countries (Article 5a ANCS).
2.3 OBLIGATIONS IMPOSED ON THE ESSENTIAL AND IMPORTANT ENTITIES
2.3.1 OBLIGATION TO BE REGISTERED
The ANCS requires non-EU businesses operating in the European Union to appoint representatives who will be contacted by the national cybersecurity system institutions, such as CSIRT, regarding their obligations (Article 5a (7-9) ANCS).
In order to facilitate identification of an entity as an essential or important one, the entity is obliged to register itself, as required under Article 7c ANCS. The registration takes place within the list of essential and important entities, which will be maintained by the Minister of Digitization. This regulation will replace the existing regulations on the list of operators of essential services.
Entities that meet the requirements for an essential or important entity are required to apply for the registration within six months after they have met the relevant criteria (Article 7c (1) ANCS). The registry will provide all information necessary to effectively exercise supervision of such entities, including data identifying the entity - name (business name), economy sector, subsector and type of entity, in accordance with the annexes to the laws, registered office and mailing address, (if assigned) electronic delivery address, e-mail address, tax identification number (NIP), REGON number and the code number in the relevant register of regulated activities (Article 7 (2) ANCS).
The essential and important entities are required to join an ICT system through which they will report incidents (Article 46(1)(1a) and (4) ANCS). The system, so-called S46, is already in place, supporting the exchange of information among the entities of the national cybersecurity system. Ultimately, the system will consolidate all communications regarding cybersecurity issues and furnish tools to assist the interconnected entities in doing risk assessments, among other functions.
An entity may request delisting if it no longer meets the criteria of an essential or important entity, which will be confirmed by the cybersecurity authority (Article 7f ANCS).
Article 53c has been introduced to ensure that the supervisory authority can properly exercise its powers. It provides that, upon request, essential and important entities provide cybersecurity authorities with all data, information and documents the authority needs to exercise its powers and obligations provided by law.
2.3.2 OBLIGATIONS UNDER ARTICLE 21 NIS 2 AND OTHER OBLIGATIONS
Following the implementation of Article 21 of NIS 2, Article 8 of the ANCS imposes an obligation on the essential and important entities to deploy an information security management system (ISMS), a requirement which has been extended and made more specific in comparison to the existing regulations. The ISMS must guarantee:
- regular incident risk estimation and management;
- implementation of the technical and organizational measures appropriate and proportionate to the estimated risk, considering the state of the art, cost of implementation, entity's size, likelihood of the incidents, entity's exposure to various risks and social and economic impact, including among others: policies for risk assessment and information system security, information system testing, security and continuity of the supply chain, maintaining business continuity plan, access control policies, cybersecurity education for personnel;
- collecting information on cyberthreats and vulnerabilities of the information system by which the service is provided;
- incident management;
- application of measures to prevent and reduce the impact of incidents on the security of the information system by which the service is provided;
- use of secure means of electronic communication as part of the national cybersecurity system, considering multi-factor authentication.
It is worth noting that, pursuant to Article 8 ANCS, information security management systems do not need to be certified against any standard. It is sufficient to implement the system in compliance with the law and to document it accordingly.
Article 8h ANCS sets a framework for the exchange of critical cybersecurity information among the essential and important entities; sharing information about threats and attacks will allow other entities to secure their systems and protect themselves against the threat. The entities grouped in the national cybersecurity system, CSIRTs, suppliers of ICT products and services and sectoral associations may also enter into agreements for mutual exchange of information.
Each of the essential and important entities must also designate at least two contact persons to maintain relations with the national cybersecurity system entities (or at least one person where the entity is a micro- or small enterprise, or an important public entity) (Article 9 (1-3) Point 1 ANCS). The entities are also required to provide service users with knowledge to understand cyberthreats and apply effective ways to protect against them to the extent related to the service provided (Article 9 (1) Point 2 ANCS). This obligation can be fulfilled by publishing their own content or linking to content provided by competent authorities and CSIRTs.
2.3.3 OBLIGATIONS OF THE MANAGEMENT BODIES OF THE ESSENTIAL AND IMPORTANT ENTITIES
Articles 8c-8f of the ANCS impose obligations on the management bodies of the essential and important entities.
The head of an essential or important entity is responsible for the entity's performance of its duties in cybersecurity. If the head is a multi-member body, then all members of the body are responsible for that unless a specific person has been designated as responsible. The head will also be responsible in cases that were consensually entrusted to another person.
Articles 8d-8e ANCS provide for some of the other obligations and competencies of the entity's head, including specifically:
- making decisions on the preparation, implementation, application and review of the entity's information security management system;
- planning adequate financial resources for the implementation of the cybersecurity obligations;
- assigning cybersecurity tasks within the entity and supervising their implementation;
- undergoing the cybersecurity training every year together with any person to whom the head's cybersecurity responsibilities are delegated.
Provisions under which the operators of essential services have performed their duties through internal structures or through cybersecurity service providers have been repealed in the ANCS. Now, such entities will be directly obliged to implement information security management systems but they may still rely on managed security service providers to support them.
In case of failure to comply with the obligations, management bodies may be subject to financial fines as described in 2.3.7 below.
2.3.4 REPORTING INCIDENTS
Article 11 of the ANCS follows incident-reporting standards provided in NIS2. An affected entity, whether it is an essential or important one, is required, without undue delay, but no later than within 24 hours of becoming aware of a significant incident, to send an early warning notice to the sectoral CSIRT. In the warning, the entity, where applicable, indicates whether the significant incident is suspected of being caused by unlawful or malicious acts or could have a cross-border impact (Article 12 (1)(4) ANCS).
The early warning notice may include a request for guidance on implementable mitigation measures for a significant incident or for technical support in handling the incident. If the significant incident bears the attributes of a crime, the sectoral CSIRT will provide information on how to report it to the prosecuting authorities. The sectoral CSIRT is obliged to provide the requested support or guidance within 24 hours.
Within 72 hours of becoming aware of a significant incident, the affected entity will send an incident notification to the respective sectoral CSIRT including a description of the impact, causes, likely consequences and remedial measures (Article 11(1)(4a) and Article 12(3–5) ANCS). Furthermore, the affected entity will also be obliged to submit periodic incident handling reports upon request from the sectoral CSIRT and a final report within one month from notification (or, if incident handling is still ongoing, a progress report followed by a final report within one month after closure) (Articles 11(1)(4b–4c) and 12a–12b ANCS).
Trust service providers are subject to a shorter deadline: they must notify significant incidents within 24 hours (Article 11(1a) ANCS).
In addition, in case of serious cyberthreats that may affect users, entities must inform users about possible mitigation measures and, where it does not increase the risk, about the threat itself and serious incidents impacting the services they receive (Article 11(2a–2b) ANCS).
All early warnings, notifications and reports are transmitted via the ICT system referred to in Article 46(1) ANCS (Article 11(2) ANCS).
2.3.5 AUDITS
Essential and important entities are required to carry out, at their own expense, security audits of their information systems (Article 15 (1) ANCS) at least once in three years. Within three business days of receiving the report, the entity must submit an electronic copy to the competent cybersecurity authority.
In case of significant incidents or other breaches of the ANCS, the competent cybersecurity authority will have the power to require essential and important entities to undergo ad hoc external audits, specifying the scope, timing and types of auditors that may perform such audits.
The audit of the information security management system must be conducted by independent auditors without a bias regarding the audited entity. The audit may not be performed by individuals who, up to one year prior to the audit, have worked or still work for the audited entity while executing tasks concerning the information security system management, incident reporting or incident response.
2.3.6 IMPLEMENTATION DEADLINES
Essential and important entities must carry out their obligations within 12 months from the date they have fulfilled the conditions to recognize them as such, and the audit is to be performed for the first time within 24 months from the date of fulfilment of the said prerequisites.
2.3.7 SANCTIONS FOR INFRINGEMENT
An essential or important entity may be fined for failure to, among other things:
- fulfil its obligations regarding the register of essential and important entities;
- introduce an information security management system;
- conduct regular risk assessment or to manage the risk of an incident;
- notify serious incidents;
- run an audit to the deadline;
- appoint a contact person for relations with the national cybersecurity system entities;
- provide service users with access to knowledge to understand cyberthreats and apply effective ways to protect against them to the extent related to the services provided;
- respond to lawful requests for information and documentation from supervisory authorities.
Fines may be imposed when justified by the gravity and importance of the violated regulations. An essential or important entity may even be fined when its action or failure to act is a one-time occurrence.
The minimum penalty for the essential entities is PLN 20,000. The penalty shall not surpass the greater of the following two amounts: the PLN equivalent of EUR 10,000,000, calculated using the average exchange rate published by the National Bank of Poland on 31 December of the year preceding the penalty decision, or 2% of the revenue accrued by the essential entity from its business operations in the fiscal year prior to the penalty's imposition (Article 73(3) ANCS). Where the entity has no revenue history, the revenue base is deemed to be EUR 500,000 (Article 73(3a) ANCS).
For the important entities, the minimum fine level has been set at PLN 15,000. In principle, the fine may not exceed the higher of the PLN equivalent of EUR 7,000,000 as determined using the average exchange rate announced by the National Bank of Poland on 31 December of the previous year, or 1.4% of the revenue generated by the important entity from its business activities in the fiscal year preceding the imposition of the penalty; where there is no revenue, the revenue base is deemed to be EUR 250,000 (Article 73(4) ANCS).
If the essential entity's or important entity's action or omission poses an imminent serious cybersecurity threat to the national defense, state security, public safety and order, or human life and health, or may cause serious property damage or serious obstruction of services, the fine imposed by the competent authority may amount up to PLN 100,000,000.00.
The head of an essential or important entity may also be fined for failure to fulfil the obligations set forth in ANCS (Article 73a (1-3) ANCS), and the fine may be imposed regardless of whether the entity itself was also fined or not. The fine may amount to 300% of the monthly salary, whereas in case of the public sector, the fine is limited to 100% of their salary.
To compel an entity to comply with obligations set on it, the cybersecurity authority may impose on the entity, by decision, a periodic fine ranging from PLN 500 (~EUR 120) to PLN 100 000 (~EUR 24 000) for each day of delay (Article 76b ANCS). It should be noted that the periodic fine differs from the fine envisaged in the preceding articles of the law, since it is not the violation of the ANCS itself that is punished but rather the delay in executing the steps ordered by the authority, often in connection with the violation.
In case of a breach of cybersecurity obligations, the supervising authority may also apply non-financial supervisory measures: it may suspend licenses or permits or impose restrictions on the scope of business activities until the violations are remedied, prohibit the person liable for the violations from holding management positions, or order the entity to publicly disclose information about a violation or the occurrence of a serious incident (Article 53 (9) ANCS).
3. AUTHORITIES RESPONSIBLE FOR CYBERSECURITY
3.1 SUPERVISORY AUTHORITIES
There are over twenty supervisory authorities, in most cases ministers, who are appointed for the relevant sectors. For example, the Minister of Digitization is the supervisory authority for the important entities in the sector of digital service providers, and the minister responsible for the economy is the supervisory authority for the chemical production, manufacturing, and distribution sector.
The supervisory authorities have, among others, the following oversight measures (Article 53 (2) ANCS):
- on-site or remote inspections, requesting information, access to data, documents and information;
- imposing an obligation to run a security audit;
- ordering CSIRT MON, CSIRT NASK, CSIRT GOV or a sectoral CSIRT to perform a security assessment of the entity's information system;
- requesting essential entities to provide information necessary to assess the risk-management measures referred to in Article 8 (1) (2) and (5) ANCS and the correctness of data/information provided by the entity to the registry;
- requesting evidence of compliance with the obligations.
In the event of reasonable suspicion that an essential entity, by its actions or omissions, may violate the ANCS, the authority may issue a warning, in the form of an electronic warning letter, specifying such actions or omissions, the measures that the entity shall take to prevent or cease the violation, and the deadline (Article 53 (4) ANCS).
Under Article 53 (5) (7) ANCS, the supervisory authority may also appoint a monitoring officer to supervise the performance of the obligations of an essential entity. Under the ANCS, the monitoring officer is appointed (by decision) for a specified period not longer than one month. The officer has access to premises and documents, and the right to request explanations and inspect devices/systems, while respecting legally protected secrecy.
The ANCS specifies the rules for an ad-hoc inspection. In particular, an ad hoc inspection may also be carried out where it was not possible to notify the inspected entity in advance about the inspection date; in such a case, the justification for the lack of prior notice is included in the post-inspection documentation.
3.2 COMPUTER SECURITY RESPONSE TEAMS (CSIRTs)
The tasks of CSIRTs were expanded and more precisely specified in the NIS 2 Directive; this has been reflected in a new catalogue of the tasks in the ANCS. It should be noted that the CSIRT teams have already been performing some of these tasks, mostly incident handling.
The proposed regulations give the Government Representative for Cybersecurity the right to request that a Polish CSIRT assist a cybersecurity authority of another national system. The ANCS introduces a mutual assistance framework between competent cybersecurity authorities of EU Member States in the scope of supervision (Article 59b ANCS), including requests made via the Single Point of Contact (Article 59b (2) ANCS).
CSIRT NASK will carry out the tasks of a coordinated disclosure of the vulnerabilities of ICT products or ICT services in the European Union (Article 26a (5) ANCS). To this end, it will receive reports of vulnerabilities and then contact the manufacturers or suppliers of the products and services in question to determine the method and timetable to eliminate the vulnerability. Under the ANCS, CSIRT NASK performs the function of the coordinator for coordinated vulnerability disclosure (Article 26a (1) ANCS). Any natural person, legal person or organisational unit without legal personality may report a detected vulnerability to CSIRT NASK (Article 26a (2) ANCS); the report is submitted electronically (or otherwise if electronic submission is not possible) (Article 26a (3) ANCS); CSIRT NASK ensures a reporting form enabling anonymous reporting (Article 26a (4) ANCS) and may process personal data provided for the purposes of performing the tasks referred to in Article 26a (5) ANCS; CSIRT NASK also cooperates with CSIRTs of other EU Member States where vulnerabilities affect entities in other Member States (Article 26a (6) ANCS).
CSIRT MON, CSIRT NASK, CSIRT GOV or sectoral CSIRTs may conduct security assessments of the information systems used by entities of the national cybersecurity system (Article 36a (1) ANCS). The assessment is to be agreed to by the relevant national-level CSIRTs.
In the event that during a security assessment the CSIRT discovers a vulnerability that may also appear in other information systems, it will be obliged, under Article 36c, to notify the Minister for Digitization and the Government Representative for Cybersecurity Affairs of such discovery. For clarity, Article 36c ANCS requires that CSIRT MON, CSIRT NASK, CSIRT GOV and a sectoral CSIRT inform without delay the minister responsible for informatization and the Government Representative for Cybersecurity about the detected vulnerability and the possibility of its occurrence in other information systems.
3.3 MINISTER FOR DIGITALIZATION
The Minister for Digitization maintains the registry of essential and important entities (described in 2.3.1 above).
Pursuant to Article 67g, in the event of a critical incident, the Minister for Digitization may issue a security command – to the extent necessary and proportionate – to an unspecified number of the essential or important entities and most financial entities, requiring them to implement specific measures aimed at limiting the effects of the critical incident or preventing its spread.
The catalogue of permissible conduct obligations includes (Article 67g (10) ANCS) ordering:
- risk assessment and proportionate measures for a specified ICT product/service/process,
- review of continuity/contingency/recovery plans,
- application of a specified security patch or specified configuration,
- enhanced monitoring;
- use of specified vulnerable ICT product/service;
- limitation of inbound network traffic classified by CSIRT MON/CSIRT NASK/CSIRT GOV as the cause of the ongoing critical incident;
- suspension of distribution or prohibiting installation of a specified software version;
- securing specified information (including system logs).
The Minister will ex officio conduct proceedings to recognize a hardware or software supplier as a high-risk supplier (Article 67b ANCS). The proceedings may involve suppliers of ICT products, services and processes if the premise of protecting state security or security and public order is met (Article 67b (1) ANCS). The decision recognizing the supplier (and entities in its capital group within the meaning of the Accounting Act) as high-risk is issued where the supplier constitutes a threat to the fundamental interest of state security (Article 67b (15) ANCS), indicates the types of ICT products / kinds of ICT services / specific ICT processes covered (Article 67b (16) ANCS), is announced in Monitor Polski and published in the Minister's BIP and on the website of the office servicing the Minister (Article 67b (17) ANCS), is immediately enforceable (Article 67b (18) ANCS) and is not subject to a request for re-examination (Article 67b (19) ANCS).
The essential or important entities covered by Article 67b (1) ANCS are obliged not to introduce into use the covered ICT products/services/processes and to withdraw them from use within the deadlines set out in Article 67c ANCS (including, in particular: 7 years generally (Article 67c (1) (2) ANCS) and 4 years for specified telecom functions listed in Annex 3 (Article 67c (2) ANCS)).
3.4 GOVERNMENT REPRESENTATIVE FOR CYBERSECURITY
In accordance with the new regulations, the Government Representative for Cybersecurity may be the Minister of Digitization, the Secretary of State or the Undersecretary of State at the Office of the Minister of Digitization (Article 61 (3) ANCS).
The competencies of the Representative will include the issuing of recommendations specifying the technical and organizational measures applied to enhance the security of the information systems of the entities grouped in the national cybersecurity system. The recommendations will be published on the sub-page of the Representative in the Public Information Bulletin (Article 67a (1-2) ANCS). Under the ANCS, before issuing recommendations the Representative may seek an opinion of the Council for Cybersecurity Affairs (Article 67a (3) ANCS); the recommendations may indicate categories of entities to which they are addressed (Article 67a (4) ANCS); and their application is voluntary (Article 67a (5) ANCS).
3.5 COUNCIL FOR CYBERSECURITY AFFAIRS
The ANCS expands the composition of the Council for Cybersecurity Affairs, the scope of its tasks and clarifies certain issues related to its operation. In particular, the ANCS expands the composition of the Council (including, among others: the Commander of the Cyberspace Defense Component (or deputy), the Prosecutor General (or deputy), the Head of the Intelligence Agency (or deputy), and the Head of the Military Intelligence Service (or deputy)) (Article 66 (4) (6–9) ANCS) and introduces a broader substitution rule for certain members (Article 66 (3) ANCS).
The proposed amendment provides for new types of analyses that may be commissioned to CSIRT MON, CSIRT NASK or CSIRT GOV, which will deal with the impact of specific ICT products, ICT services or ICT processes on the security of the services provided by specific entities, as well as the manner and extent to which the manufacturing and delivery procedures for the products, services and processes are supervised by the supplier. The analyses will be performed at the request of the Chairman of the Council for Cybersecurity Affairs, and may be used as evidence in proceedings to recognize a supplier as a high-risk supplier, which may also be conducted ex officio by the Minister of Digitization. Under the ANCS, these analyses are expressly regulated in Article 65a ANCS and include: (i) analysis of the impact of specific ICT products/services/processes on the security of services provided by entities referred to in Article 67b (1) ANCS (Article 65a (1) ANCS), and (ii) analysis of the manner and scope in which a supplier exercises supervision over manufacturing and delivery procedures of ICT products/services/processes (Article 65a (2) ANCS).
3.6 COMBINED CYBERSECURITY OPERATIONS CENTER
The Government Representative for Cybersecurity will set up a Combined Cybersecurity Operations Center (Polish acronym: "PCOC"), which will be an auxiliary body that will coordinate activities and implement the government policy to ensure cybersecurity (Article 62a ANCS). The PCOC will include representatives of certain key government institutions providing cybersecurity in Poland (which are listed under Article 62a (2) ANCS) and the PCOC Secretary (Article 62a (2) (2) ANCS). The President of the Republic of Poland may appoint a representative to participate in the PCOC's works (Article 62a (3) ANCS) and representatives of essential/important entities (or other entities) may be invited to meetings if required by the meeting topic (Article 62a (4) ANCS). Meetings are chaired by the Government Representative for Cybersecurity (Article 62a (5) ANCS).
Pursuant to Article 62a (6) (1-6), the PCOC's tasks will include:
- exchange of information on cyberthreats, incidents and vulnerabilities at the national level;
- exchange of information on the results of risk assessments of the revealed cyberthreats and incidents that have occurred;
- exchange of information on investigations regarding computer devices or software (run under Article 33 (1) ANCS);
- exchange of information regarding crisis situations in cyberspace;
- preparation of up-to-date information on the situation in cyberspace for the Government Representative for Cybersecurity;
- exchange of information regarding processes and international cooperation in cyberspace security.