The bill on the national cybersecurity certification framework (hereinafter the ‘Bill’), published on 21 May 2024, stems from the obligation to ensure the application of Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (European Union Cybersecurity Agency) and Information and Communications Technology Cybersecurity Certification and repealing Regulation (EU) No 526/2013 (hereinafter the ‘Cybersecurity Act’).
One of the objectives of the Cybersecurity Act is to create a single European framework for cybersecurity certification for ICT products and services, so that cybersecurity certificates will automatically be honored across the EU. Until now, certification in the area of cybersecurity has been an unregulated area where general principles of civil law and contract law applied. The Cybersecurity Act is the second part of the EU’s cyber security strategy after the NIS Directive. At this point, it is worth noting that, in view of the dynamic digital development – and thus the increased risk of cyber threat – the NIS2 Directive, which is the second iteration of the legislation for a high common level of security for networks and information systems, will become applicable as of 18 October 2024.
In addition to aligning the Polish legal order with the obligations under the Cybersecurity Act, the Bill also implements Specific Objective 2 of the Cybersecurity Strategy of the Republic of Poland for 2019 – 2024, by increasing the level of resilience of information systems of the public administration and the private sector and achieving the ability to effectively prevent and respond to incidents.
Adoption of security certification legislation:
- is expected to raise awareness of the importance of cyber security in the business sector and drive businesses towards safer, proven solutions – thereby increasing the level of security for citizens;
- will create a framework for the operation of national cybersecurity certification schemes, which will aim to ensure that ICT products, services or processes certified in accordance with such schemes meet requirements to protect the availability, authenticity, integrity and confidentiality of stored, transmitted or processed data or related functions or services offered or accessed through these ICT products, services or processes throughout their life cycle;
- will complement the national cybersecurity system with a system for assessing ICT products, ICT services and ICT processes, which will identify products that meet the best standards in the field of cybersecurity;
- will not impose any additional obligations on entities that are not interested in participating in this system – certification will be entirely voluntary.
What solutions are proposed in the Bill?
As part of the Bill, the duties of the national government administration body competent in matters of security certification – i.e. the minister responsible for information technology – have been defined. The minister’s duties will include supervision and control over entities, inter alia, by conducting tests of ICT products for compliance with the relevant requirements. In addition, as part of these duties, the minister will conduct administrative proceedings concerning, for example, the approval of certificates referring to the assurance level ‘high’, the issuing of authorisations to conduct conformity assessments where the certification scheme specifies particular requirements for assessment bodies, or the imposition of fines.
According to the Bill, in order to conduct tests of ICT products, services and processes, interested entities will have to be accredited by the Polish Centre for Accreditation, whose basis for operation in this area will be Chapter 4 of the Act of 13 April 2016 on conformity assessment and market surveillance systems.
The Bill also provides for the possibility to impose an administrative penalty on an entity which performs conformity assessment without the required accreditation in the amount equivalent to up to 20 times the average remuneration (Article 23(2) of the Bill). The same range of penalties is expressed in the case of failure to fulfil information obligations or obstruction of inspection.
The Bill will enter into force after one month from the date of its announcement (Article 27 of the Bill).