While the electronic communications services industry is still awaiting legislative developments regarding the Electronic Communications Law, which was to be the main act implementing Directive (EU) 2018/1972 of the European Parliament and of the Council of December 11, 2018, establishing the European Electronic Communications Code (EECC) in Poland, amendments are underway on the National Cyber Security System Act, which also contains regulations introducing important obligations on electronic communications entrepreneurs.
Although this article mainly focuses on amendments to the National Cyber Security System Act, we also present the current legislative status of the Electronic Communications Law.
Draft Act Amending the National Cyber Security System Act
On March 25, 2022, the latest amendment to the National Cyber Security System Act and certain other acts (draft dated March 15, 2022, and hereinafter the “Draft”) was published on the Government Legislative Centre website. This is its seventh amendment and it is still not yet final.
The project has been controversial from the beginning, and this extends to this latest version. The most contentious issue is the inclusion of electronic communications entrepreneurs in the national cyber security system.
The Draft points out that the EECC came into force in 2018, emphasizing network and service security. The EECC makes it possible (contrary to the previous regulation, the so-called Framework Directive) to harmonize reporting and respond to national incidents. This possibility (i.e., harmonization of the incident reporting procedure within the meaning of the National Cyber Security System Act regarding incidents reported by telecommunications undertakings) is also indicated in the recently published study “Synergies in Cybersecurity Incident Reporting,” prepared by the NIS Cooperation Group in cooperation with the European Union Cyber Security Agency and the European Commission. As highlighted in the Draft, the study directly indicates that countries can harmonize procedures from the NIS Directive, the EECC and the eIDAS Regulation by, among other things, having a similar taxonomy for incident classification and defining incident thresholds. Additionally, the Draft emphasizes that the services covered by these three legal regimes are socially critical.
The new provisions will specifically implement the regulations in Articles 40, 41 and 94 of the EECC. The changes will be discussed in greater detail later in this article.
Electronic Communications Entrepreneurs vs National Cyber Security System
The Draft proposes to add a new chapter governing the obligations of electronic communications entrepreneurs concerning their use of electronic measures to ensure network and service security. The entities obliged to comply have been determined by the recently added definition of electronic communications entrepreneur as a telecommunications operator or an entity providing a publicly available number-independent interpersonal communications service.
The Draft also determines the obligations on electronic communications entrepreneurs to implement technical and organizational measures to ensure the confidentiality, integrity, availability and authenticity of any processed data. The entrepreneur should also provide the security level adequate to the identified risk, which the entrepreneur should systematically estimate. Additionally, following Article 94 of the EECC, obligatory technical and organizational measures have been included in the Draft.
It is worth noting that the relevant minister will be able to define the minimum scope of the technical and organizational measures required to ensure the security of electronic communication networks and services or the documentation obligations in this respect, taking into account the type of activity performed by a particular entrepreneur.
The Draft also introduces significant regulations regarding the level of involvement of an electronic communications entrepreneur’s employees. According to the proposed wording, an entrepreneur must appoint two employees responsible for maintaining contact with the national cyber security system entities. However, micro, small and medium-sized entrepreneurs will be exempt.
To ensure an appropriate level of control over an entrepreneur’s implementation of the obligations, the Draft provides several entitlements to the President of UKE, including the President being permitted to assess the measures taken by an electronic communications operator to ensure the security of networks and services. If irregularities are identified, the President may compel the operator to apply additional security measures or appoint an independent third party to audit the operator.
The Draft also contains a series of provisions on how an electronic communications entrepreneur must respond if it discovers a telecommunications incident. Specifically, the entrepreneur must classify, report and handle the telecommunications incident, as well as provide access to, and cooperate with, the CSIRT and the Telco CSIR. The Draft also indicates the incident data, which shall be included in a significant telecommunications incident report.
In addition, the electronic communications entrepreneur must inform affected users of the security incident, the possible measures that those users can take and the costs. The entrepreneur must also report whether the incident will impact the availability of its services if, on assessment, the impact is significant.
If the telecommunications incident is severe, the President of UKE will be able to oblige an electronic communications entrepreneur to publish information about the incident on UKE’s Public Information Bulletin or the entrepreneur’s website, if posting the information is in the public interest.
Additionally, if a threat to the security of networks and services is identified, communications from the telecommunications entrepreneur can be blocked and its electronic communications services can be interrupted or restricted.
Other Key Issues in the Draft
The concept of security operations centers (SOCs) has been introduced into the national cyber security system. These entities will replace the existing structures responsible for cyber security at key service operators. SOCs are well-established teams performing all cybersecurity monitoring and management functions, both internally and as services provided to other entities. Key service providers will be able to create SOC structures internally within their organization or contract with external SOC service providers (external SOCs). These structures will conduct a risk assessment, as well as detect and respond to incidents. The minister responsible for IT will maintain a list of SOCs.
The Draft includes a procedure for recognizing a hardware or software supplier for key economy entities as a high-risk supplier. The minister responsible for IT will conduct the proceeding.
In conducting the proceeding, the minister will seek an opinion on the hardware or software supplier and the ICT products, services and processes it provides. The opinion will consider both technical and non-technical aspects with the potential to impact on national security. The procedure will end when an administrative decision has been made on whether the supplier is deemed a high-risk supplier. The supplier will be able to appeal against the decision to the administrative court.
Why does such a proceeding matter? If the minister responsible for IT recognizes a supplier as high risk, national cyber security system entities (mainly key service providers and digital service providers) and telecommunications entrepreneurs (which are large enterprises) must withdraw from using equipment or software originating from a high-risk provider within seven years from the issuance of the decision.
On the other hand, large telecommunications companies must withdraw ICT products, services and processes within five years if they are within the critical functions specified in Annex 3 of the Draft. The withdrawal obligation will apply only to ICT products, services and processes specified by the minister responsible for IT (i.e., not all ICT products, services and processes offered by a high-risk provider).
Notably, several of the most significant telecommunications undertakings may be permitted to join a proceeding as parties, if in the previous financial year they received revenue from telecommunications activities in the amount of at least 20,000 times the average salary in the national economy (as indicated in the latest announcement of the President of Statistics Poland referred to in Article 20(1)(a) of the December 17, 1998 Social Insurance Fund Pensions Act). However, such an entrepreneur must file an appropriate application before attending the proceeding.
There are concerns about the “entry threshold amount” for a party to join a proceeding, with the amount estimated to be PLN100 million (approximately €22 million).
Implementation of the European Electronic Communications Code
Poland is among 10 European countries that the European Commission has sued in the Court of Justice of the European Union for failure to fully transpose the EECC into national law and an adequate information policy.
Poland has implemented some of the EECC’s provisions. Please note that when we comment on the Electronic Communications Law, we are referring to two legal acts (i.e., the Electronic Communications Law and the Act Introducing the Electronic Communications Law). These acts are still in the legislative process, but Polish officials expect the Electronic Communications Law will enter into force in 2023.
The Electronic Communications Law will replace the current Polish Telecommunications Law. The provision of number-independent interpersonal communications service will be recognized as an electronic communications activity, covered by said regulation alongside traditional telecommunications activity (i.e., the provision of telecommunications services, the provision of telecommunications networks and the provision of related services). Therefore, entrepreneurs providing such services will be classified as providers of electronic communications services.
The providers of number-independent interpersonal communications services, covered by the proposed Electronic Communications Law, will be subject to several previously imposed requirements on other entities under the Telecommunications Law.
Electronic communications entrepreneurs face significant changes to their obligations. While the direction of the Electronic Communications Law can be predicted, changes to the National Cyber Security System Act may be subject to further significant amends. We anticipate that work on both acts will cross over in the near future to ensure consistency.
The Draft shall come into force 30 days after its promulgation. Industry representatives have raised the issue of inequality regarding the procedure for considering an entity as a high-risk supplier and have called for further public consultation on the Draft.