Cybersecurity 2022

Last Updated March 17, 2022

Poland

Law and Practice

Authors



Maruta Wachta has rendered legal services in new technologies, intellectual property and public procurement law for over 25 years now, having created a team of 80 expert lawyers specialising in litigation and arbitration, new technologies, cybersecurity and personal data protection law. The cybersecurity and personal data protection team comprises over 20 lawyers specialising in conducting audits and implementations (as well as re-audits and re-implementations) of the GDPR requirements and verification of compliance with the regulations implementing the NIS directive; building complex privacy protection programmes, combined with defining roles and tasks of the organisation's employees, implementing GRC tools, and possibly concluding insurance contracts for GDPR and cybersecurity risks; support in the area of personal data protection breaches and security incidents; helping clients in setting up frameworks for cybersecurity from an organisational and legal perspective; carrying out highly specialised projects related to identity management and eID, and blockchain-related projects.

The major laws and regulations concerning cybersecurity are as follows:

  • Regulation (EU) 2019/881 of 17 April 2019 (Cybersecurity Act), which lays down organisational matters relating to the European Union Agency for Cybersecurity (ENISA) and a framework for the establishment of European cybersecurity certification schemes;
  • Regulation (EU) 2016/679 of 27 April 2016 (GDPR), which establishes rules relating to the processing of personal data of natural persons;
  • Regulation (EU) 910/2014 of 23 July 2014 (eIDAS Regulation), which lays down conditions and rules for electronic signatures and seals, trust services, and recognition of an electronic identification scheme;
  • Directive (EU) 2016/1148 of 6 July 2016 (NIS Directive), which lays down measures aiming to achieve a high common level of security of network and information systems within the EU;
  • Commission Implementing Regulation (EU) 2018/151 of 30 January 2018, which lays down rules for application of Directive (EU) 2016/1148 of the European Parliament and of the Council, in regard to further specification of the elements to be taken into account by digital service providers for managing the risks posed to the security of network and information systems, and of the parameters for determining whether an incident has a substantial impact;
  • Act of 5 July 2018 on the national cybersecurity system (UKSC), which establishes the basic legal framework for cybersecurity (implementing the NIS Directive) along with a regulation of the Council of Ministers of 31 October 2018 on the thresholds for considering an incident as major, which establishes specific criteria for classifying incidents as major in specific sectors;
  • Act of 10 May 2018 on the protection of personal data (UODO), which sets forth the procedures for compliance with and infringements of personal data protection provisions;
  • Act of 26 April 2007 on crisis management, which establishes the general rules regarding critical infrastructure, responsibilities of its owners, and basic principles of operation in case of a crisis;
  • Act of 16 July 2004 – the Telecommunications Law, which lays down a framework for telecommunications operators, including requirements regarding national security and data retention;
  • Act of 17 February 2005 on computerisation of public services, which establishes the standards for data processing in the public sector as well as for the Electronic Platform of Public Administration Services (ePUAP), along with a regulation on the national interoperability framework;
  • Act of 18 July 2002 on the provision of services by electronic means, which lays down the obligations and responsibilities of entities providing services by electronic means (implementing Directive 2000/31/EC);
  • Act of 14 December 2018 on the protection of personal data processed in connection with preventing and combating crime, which establishes a special framework for data processing in relation to preventing and combating crime (implementing Directive 2016/680/EU);
  • Act of 6 June 1997 – the Criminal Code (KK), which lays down penalties for various offences in cyberspace;
  • Resolution No 97 of the Council of Ministers on the "Common State Information Infrastructure" Initiative (WIIP), which is only binding upon public governmental entities, setting forth the standards for cloud data processing.

Issues concerning the protection of personal data are also regulated in various sectoral laws (such as the Banking Law of 29 August 1997).

Basic Concepts

Except for the GDPR, which applies to all entities processing personal data, there is no general law regarding data security or cybersecurity. Specific regulations are provided for particular sectors or types of organisations.

The most important concepts and principles related to cybersecurity on the national level are defined in the UKSC. However, the UKSC only applies to particular types of entities, namely operators of essential services (OES), digital service providers (DSPs) and public entities.

Cybersecurity in the meaning of the UKSC is understood as resilience of information systems to actions that compromise the confidentiality, integrity, availability and authenticity of the data being processed or the related services offered by those systems. An incident within the meaning of the UKSC is any event that has or may have an adverse impact on cybersecurity. Hence, all data breaches in the entities included in the national cybersecurity system constitute incidents which are managed according to the UKSC. Incidents may be critical, major or significant. Depending on the type of incident, the UKSC provides a different procedure for managing the incident. The UKSC also distinguishes incidents in public entities as subject to a separate procedure.

A personal data breach is defined in the GDPR as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

An incident within the meaning of the UKSC may be simultaneously a personal data breach within the meaning of the GDPR and vice versa. The requirements stemming from both regulations are applied independently. Risk assessment conducted with respect to the same event may therefore involve the perspective of personal rights and freedoms (personal data breach) and/or the perspective of business continuity/finances/reputation/national security (depending on the case).

Major Penalties

As for enforcement and penalties, breaches of the UKSC by operators of essential services (OES) and digital service providers (DSPs) are subject to administrative fines of up to PLN1 million.

The GDPR provides for fines of up to EUR20 million or up to 4% of the total worldwide annual turnover in the preceding financial year, whichever is higher. The UODO introduces criminal liability for individuals who process personal data without permission or authorisation. Such an action is punishable by up to three years’ imprisonment. According to the Polish Criminal Code, the same punishment applies in the case of fraudulent access to information. Damaging or in any way altering data of special importance – for instance, for national defence or security of communication – is punishable by up to eight years’ imprisonment.

Cybersecurity Authorities

The UKSC defines several authorities responsible for cybersecurity, depending on the sector. In most cases, it is the minister or the central supervisory body supervising the given sector who is also appointed the competent authority for cybersecurity (eg, for the energy sector – the minister in charge of energy policies; for the banking sector and financial markets infrastructure – the Financial Supervision Authority, etc).

The main tasks of these authorities include conducting ongoing analysis of entities in a given sector with regard to classifying them as OES, monitoring the compliance of OES and DSPs in a given sector with the UKSC, and auditing and issuing notices to OES and DSPs requiring remedy of any vulnerabilities that may lead to any major, significant, or critical incident.

Apart from the above-mentioned authorities, three Computer Security Incident Response Teams (CSIRT MON, CSIRT NASK and CSIRT GOV) are active on the national level to manage and mitigate cybersecurity risks. Additionally, one CSIRT is active for the purpose of managing and mitigating cybersecurity risks in the banking sector (CSIRT KNF).

Data Protection Authority

The supervisory authority responsible for protection of personal data is the President of the Personal Data Protection Office (PUODO). Most importantly, the PUODO carries out inspections in various sectors regarding compliance with the data protection requirements. The inspections may be initiated either in accordance with the audit plan implemented by the PUODO or on the basis of information obtained by the PUODO about possible infringements. Furthermore, the PUODO carries out data protection infringement proceedings in all sectors and may impose administrative fines and other sanctions provided for in the GDPR.

Financial Supervision Authority

The Financial Supervision Authority (Komisja Nadzoru Finansowego, KNF) supervises the banking, capital, insurance and pension sectors, payment institutions and payment service offices, electronic money institutions and credit unions. Even though data security is not the KNF’s main or only focus, it does undertake important measures in that field to support the proper and secure functioning of the financial market. Most notably, the KNF operates its own CSIRT for the purposes of the National Cybersecurity System, dedicated to the financial sector.

Office of Electronic Communications

The Office of Electronic Communications (Urząd Komunikacji Elektronicznej, UKE) is a regulatory authority responsible mainly for telecommunications and frequency resources management. However, it also acts as a supervisory authority in the telecommunications sector and has broad powers to monitor the compliance of telecommunications companies with legal provisions, including those concerning cybersecurity. Telecommunications companies are required to notify the President of the UKE of a breach of security or integrity of networks or services which significantly affects the functioning of the network or services within 24 hours of discovering such a breach.

Crisis Management Authorities

The Government Crisis Management Team is a consultative and advisory body competent in matters of initiating and co-ordinating activities undertaken in the field of crisis management. Its main tasks include preparing proposals for the use of forces and resources necessary to master a crisis, and issuing opinions on the needs for restoring infrastructure or restoring its original character. There are also crisis management teams on the voivodeship (provincial), county and municipal levels.

Data Protection Authority (PUODO)

The first phase of the regulatory offence procedure is the administrative phase, where the supervisory authority conducts an investigation as to the merits of the case and makes a decision whether or not to impose a penalty. The proceedings usually involve collecting information and documentation from the entity subject to the proceedings, as well as an on-site control, if necessary. A decision of the PUODO imposing an administrative fine should contain a reference and assessment of all criteria indicated in Article 83 of the GDPR. PUODO proceedings are single-instance.

The second phase is the judicial phase, where the administrative decision of the PUODO (including a decision imposing a fine) may be challenged in administrative court.

UKSC

With regard to OES/DSPs or public entities subject to the UKSC, a penalty may be imposed by the competent authority where UKSC requirements are breached (particularly in case of failure to conduct a risk assessment or apply required security measures). The entity subject to penalty may apply for revision of the decision by the competent authority, and consequently challenge it in administrative court based on regular court procedure.

Most relevant cybersecurity regulations in Poland are either directly or indirectly influenced by EU law. For the exact scope of the most important EU directives and regulations applicable to the Polish cybersecurity framework, see 1.1 Laws.

As a rule, the state is in charge of regulating and enforcing rules in cyberspace. Additionally, the ENISA has a permanent mandate to perform certain tasks that have impact on the Polish cybersecurity framework, such as in the field of cybersecurity certification and standardisation.

As a rule, information about threats and incidents in cyberspace is shared within the National Cybersecurity System (KSC). This comprises the various entities enumerated in Article 4 of the UKSC. As the UKSC is currently under revision, the creation of ISACs (information sharing and analysis centres) is envisaged.

The Polish cybersecurity legal framework is heavily influenced by the model adopted on the EU level. Poland has adopted a sector-based approach that focuses on standardisation and efficient flow of information.

As the cybersecurity legal regime has been implemented relatively recently, many of its provisions are yet to be interpreted and/or enforced.

The most important issues discussed in Poland in the last 12 months are connected with the amendment of the UKSC. This is discussed in 1.8 Significant Pending Changes, Hot Topics and Issues. The most important issue is connected with the proposal to introduce the status of “high-risk vendor”. This would mean the products of such a provider could be virtually eliminated from the Polish market within a number of years after the relevant decision.

A new significant amendment to the UKSC is currently at the consultation stage. As of February 2022, the amendment aims to introduce:

  • clarification of the status and tasks of SOC teams within the OES;
  • Information Sharing and Analysis Centres on Cybersecurity (ISACs), operating within the National Cybersecurity System (KSC);
  • a CSIRT INT team at the Intelligence Agency, operating for Polish diplomatic missions;
  • sectoral CSIRT teams to support OES in incident handling;
  • a national system of certification of cybersecurity based on the concepts of the Cybersecurity Act (Regulation 2019/881);
  • new solutions regarding proceedings in cases of recognition as a high-risk vendor (as described below);
  • new legal instruments related to response to a critical incident (warning and protective order);
  • new solutions concerning the strategic security network operator and the strategic security network special-purpose fund;
  • establishment of a state-controlled 5G company.

The most debated issue of the above-mentioned amendment is related to “high-risk vendors” (HRV) providing ICT solutions (products/services or processes) on behalf of public entities, OES, DSPs and telecommunication companies. The idea revolves around verifying if a vendor constitutes a high risk from the perspective of national security. When deciding which provider will be assessed as "high risk", the Cybersecurity College is to take into account factors such as the likelihood of the provider being under the influence of a country outside the EU or NATO. The consequences of being classified as “high-risk vendor” are grave as, in practice, it will result in removal of the products of such a company from use in the case of public entities, DSPs, OES and telecommunications companies. Failure to cease the use of such ICT solutions will result in significant fines (up to 3% of the entity’s global annual turnover).

The amendment is vigorously debated, not only due to the gravity of the consequences for breach of the law, but also due to its highly controversial legal mechanisms, which raise doubts as to their compliance with the Constitution and EU law.

The most important cybersecurity regulation in Poland is the UKSC. This establishes the National Cybersecurity System (KSC). There is also the Act on Computerisation (applicable to public authorities). The GDPR is the key legal act pertaining to the security of personal data.

For a more detailed overview of relevant law, please see 1.1 Laws.

There is no single regulator for cybersecurity matters. As Poland adopted a sector-based approach, there are several authorities competent in the cybersecurity sphere depending on the scope of economic activities of OES, DSPs or public entities.

With regard to personal data protection, there is a single supervisory authority, namely the President of the Personal Data Protection Office (PUODO).

For details, please see 1.2 Regulators.

There is no over-arching cybersecurity agency on the national level in Poland. The National Cybersecurity System (KSC) is the most important framework for co-operation for different actors engaged in cybersecurity matters in Poland.

On the EU level, the ENISA has a permanent mandate to serve as a contact point and centre of expertise for EU member states and the institutions of the European Union on issues related to cybersecurity. Its activity consists of anticipating future network and information security challenges and assisting the European Union in responding to them, supporting EU member states and EU institutions in developing and implementing the strategies necessary to meet the legal and regulatory requirements for national information security, supporting the EU in building and developing state-of-the-art network and information security capacities and in its continuous adaptation to the latest trends, and strengthening the co-operation between EU member states and between national institutions to ensure network and information security.

In Poland, the authority responsible for supervising personal data protection issues is the President of the Office for Personal Data Protection (PUODO). The competences of the PUODO are provided for in the GDPR, whereas the formal requirements, rules of procedure and detailed operation provisions are described in the Act on Personal Data Protection of 2018.

Most importantly, the PUODO conducts proceedings concerning personal data security in companies. During these proceedings, the PUODO may order the controller or the data processor to provide all necessary information and conduct data protection audits and investigations. The PUODO may issue warnings to a controller or processor that intended processing operations are likely to infringe the GDPR, as well as reprimands when processing operations breach the GDPR. It may also order modification of data processing operations to achieve compliance or notify data subjects of a breach. The PUODO may also restrict data processing and impose administrative fines.

Poland has adopted a sectoral approach to regulating cybersecurity, and there is no single over-arching cybersecurity agency.

Financial Sector

When it comes to the financial market, it is regulated by the Financial Supervision Authority (KNF). The KNF issues recommendations and guidelines that are of crucial importance for entities in the financial sector. Most notably in the context of cybersecurity, KNF issued Recommendation D regarding the management of information technology and security of the IT environment in banks. Furthermore, the KNF has provided guidelines concerning the processing of information by supervised entities in a public or hybrid cloud computing system. When it comes to outsourcing, the KNF has issued the Position on Selected Issues related to the Entry into Force of the EBA Outsourcing Guidelines and their consideration in banks' activities. The KNF has extensive monitoring and supervisory competences in the financial sector.

In practice, it frequently adopts a strict approach, thus compliance with its recommendations and guidelines is of utmost importance for all supervised entities. In cases of gross breach, the KNF may, in theory, even revoke a licence to conduct business activities in the financial sector.

Telecommunications Sector

As far as the telecommunications sector is concerned, the President of the Office of Electronic Communications (UKE) is an important authority. The President of the UKE analyses, monitors and regulates the telecommunications market and may initiate administrative proceedings ending in administrative fines in the cases of non-compliance by telecommunications companies. In practice, the President of the UKE is not as active in the telecommunications sector as the KNF is in the financial sector.

The key regulators are listed in 1.2 Regulators and 2.5 Financial or Other Sectoral Regulators.

There is no general requirement to observe a particular security standard in Polish law. However, such standards are specified with regard to certain sectors or types of organisations. In particular:

  • ISO 27001 and 23001 are the frameworks on which the compulsory documentation required from operators of essential services under the UKSC must be based;
  • public entities subject to the regulation on the National Interoperability Framework (KRI) are deemed to be compliant with the requirements regarding data security management, risk management and IT security if they have implemented ISO 27001, ISO 27002, ISO 27005, and ISO 24762;
  • in the case of computing cloud services provided on behalf of governmental public entities, the WIIP resolution provides for extensive requirements, based on NIST SP 800-53 Rev. 4.

Moreover, ISO 27001 is largely regarded as the basic standard when discussing the level of cybersecurity compliance in organisations – eg, with regard to the use of cloud computing services by entities in the financial sector.

Standards such as SANS, NIST, CIS or COBIT are less widespread. However, they may be of some significance, for example, in the procurement process, especially those carried out by large corporations or state-controlled entities.

Please see 3.1 De Jure or De Facto Standards.

National Cybersecurity System Act (UKSC)

The National Cybersecurity System Act implements the Network and Information Security Directive (NIS). It provides for requirements in particular with regard to operators of essential services (OES) and digital service providers (DSPs). The regulation provides for a risk-based approach, so it does not contain specific requirements – eg, regarding multi-factor authentication, anti-phishing measures, protection against business email compromise, ransomware, threat intelligence or insider threat programmes. It does, however, provide for general responsibilities, as follows.

OES

  • Information security organisation according to national or international standards and risk management;
  • handling information security breaches;
  • physical and environmental security (including physical access to facilities);
  • business continuity management, including chain of supply;
  • continuous monitoring of IT systems used for essential services;
  • applying security measures with regard to IT systems used for essential services, such as protection against breaches of confidentiality, integrity or availability of data, as well as timely updating of software;
  • maintaining security and IT systems documentation;
  • establishing an internal or external security operation centre (SOC);
  • carrying out an audit of IT systems used for essential services (at least every two years).

DSP

  • Information security organisation according to national or international standards and risk management;
  • physical and environmental security (including physical access to facilities);
  • handling information security breaches;
  • monitoring, audit and testing;
  • business continuity management.

Both DSPs and OES should appoint individuals responsible for maintaining contacts with the relevant authorities. These individuals do not, however, necessarily need to hold the role of a CSO.

The National Cybersecurity System Act is currently under review, and it is quite likely that it will also contain regulations regarding ICT vendor management (see 1.8 Significant Pending Changes, Hot Topics and Issues).

GDPR

The GDPR requires, in particular:

  • implementation of security measures, including, as appropriate:
    1. the pseudonymisation and encryption of personal data;
    2. the ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services;
    3. the ability to restore availability and access to personal data in a timely manner in the event of a physical or technical incident;
    4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of processing;
  • appointment of a data protection officer (DPO) if, for instance, the core activities of the company consist of systematic monitoring of individuals, processing of special categories of data (such as health data, data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or other sensitive data) – in other cases, appointment of a DPO is voluntary;
  • carrying out risk assessment, including data protection impact assessment on rights and freedoms of data subjects;
  • when using a third party (processor), making sure the third party meets the requirements of the GDPR (processor due diligence).

Use of Cloud Outsourcing and Offshoring

Even though there is no general regulation regarding the use of cloud computing or – more broadly – outsourcing or offshoring data processing, particular sectors are subject to specific regulations, particularly in the form of soft law. In regard to the financial sector, numerous guidelines and recommendations from the regulator have been issued on that subject.

Horizontal Working Party on Cyber Issues (HWP CI)

The HWP CI assures strategic co-ordination of cybersecurity issues on the EU Council level. The Party focuses on providing common positions on such issues as cybersecurity strategy or response to illegal activities in cyberspace, as well as setting priorities for the EU in the field of cybersecurity policies and exchanging information regarding cyberspace within the EU.

NIS Co-operation Group

The Group was established based on a decision of the European Commission in order to support strategic co-ordination and information exchange between the EU member states. The Group co-operates with the network of computer security incident response teams (CSIRTs).

ENISA

The European Union Agency for Cybersecurity (formerly named the European Network and Information Security Agency) was created in 2004 and is currently regulated in the Cybersecurity Act (EU Regulation No 2019/881). The main focus of the ENISA consists of supporting the creation of a common strategy regarding cyberthreats, sharing information and good practices, and providing cybersecurity guidance and recommendations. Based on the Cybersecurity Act, the ENISA also plays a key role in creating cybersecurity certification schemes.

See 3.3 Legal Requirements.

Please see 3.1 De Jure or De Facto Standards and 3.3 Legal Requirements.

Critical infrastructure is regulated in the Crisis Management Act. An entity responsible for an element of critical infrastructure must:

  • set up plans for protection of critical infrastructure, containing for instance a detailed description of the infrastructure, as well as a description of threats for the infrastructure and key variants of how the continuity of the infrastructure is assured;
  • implement the plans as described above;
  • maintain back-up systems assuring security and functioning of the critical infrastructure until it is fully recovered;
  • appoint an individual responsible for contacts with the authorities.

If the owner of critical infrastructure is also an operator of essential services, they are also obligated to observe the UKSC.

Depending on the type of critical infrastructure, there may also be requirements under sectoral regulations (eg, the Banking Law, the Telecommunications Law, the Law on Medical Activities, etc).

Please see 3.1 De Jure or De Facto Standards and 3.3 Legal Requirements.

There is no specific regulation related to IoT solutions, so the general regulatory framework applies, namely the GDPR.

Regarding supply chain security in relation to high-risk vendors, see 1.8 Significant Pending Changes, Hot Topics and Issues.

UKSC

The UKSC uses the word "incident" rather than "data breach". An incident is defined as any event that has or may have an adverse impact on cybersecurity.

A critical incident is defined as an incident resulting in significant damage to security or public order, international interests, economic interests, the operation of public institutions, civil rights and freedoms, or human life and health, as classified by the appropriate CSIRT MON, CSIRT NASK or CSIRT GOV.

Major incidents refer to OES only and are defined as incidents that cause, or are likely to cause, serious degradation of quality or interruption of continuity of a critical service.

A significant incident is any incident that has a significant impact on the provision of a digital service within the meaning of Article 4 of Implementing Regulation (EU) 2018/151 of 30 January 2018.

Finally, an incident in a public entity refers to an incident that causes, or may cause, a decrease in the quality or interruption of the performance of a public task carried out by the public entities enumerated in Article 4(7-15) of the UKSC.

GDPR

A personal data breach is defined in the GDPR as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Telecommunications Law

A personal data breach is also defined somewhat similarly in the Telecommunications Law as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data processed by a telecommunications company in connection with the provision of publicly available telecommunications services.

The Telecommunications Law refers to the definition of an incident used in the UKSC for the purposes of informing the appropriate CSIRT about incidents. The President of the UKE is obliged to provide such information on the basis of information received from telecommunications companies. The notification requirement imposed on telecommunications companies is somewhat different from that under the UKSC, as it encompasses all breaches of security or integrity of networks or services which significantly affect the functioning of the network or services.

Any data that is personal data according to Article 4 of the GDPR is covered by the obligation of data breach response. The cybersecurity regulations (UKSC) are broader and apply also to data that is non-personal, provided that the event meets the definition of an incident given in the UKSC.

All systems that are used to process personal data are covered by the obligation of data breach response, irrespective of their owner and purpose.

The cybersecurity regulations (UKSC), on the other hand, apply to the systems which are used for provision of essential, digital or public services, by an OES, DSPs or a public entity respectively.

Medical devices may be subject to the assessment of the impact of the envisaged processing operations on the protection of personal data as defined in Article 35 of the GDPR. In its Communication of 17 June 2019 on the list of types of personal data processing operations requiring an assessment of the effects of the processing for their protection, the PUODO stated that certain medical devices collecting personal data, such as medical bands, should be subject to a data protection impact assessment.

Apart from the above, there are no particular additional legal requirements arising in this sector (only those applicable to OES, DSPs or public entities might be relevant).

In terms of the GDPR, the standard procedure as outlined in 5.8 Reporting Triggers is applicable.

There are no particular additional legal requirements arising in this sector (only those applicable to OES, DSPs or public entities might be relevant).

In terms of the GDPR, the standard procedure as outlined in 5.8 Reporting Triggers is applicable.

Certain items commonly referred to as part of the internet of things (IoT) may be subject to the requirements of Article 35 of the GDPR as indicated in the Communication of the PUODO mentioned in 5.4 Security Requirements for Medical Devices.

There are no particular additional legal requirements arising in this sector (only those applicable to OES, DSPs or public entities might be relevant).

In terms of the GDPR, the standard procedure as outlined in 5.8 Reporting Triggers is applicable.

The standard regime for remedying vulnerabilities proposed in the UKSC applies. The vulnerabilities that led to a major, critical or significant incident must be patched at the request of a relevant supervisory body in a designated timeframe.

From the GDPR perspective, the concept of “privacy by design” should be mentioned, providing for the obligation to plan any process involving processing of personal data taking into account the security concerns.

Depending on the type of entity (OES, DSP or public entity), different triggers for reporting apply and are outlined in the UKSC. Please see 5.9 “Risk of Harm” Thresholds or Standards for more details.

The reporting triggers for personal data protection are specified in the GDPR and are the same as in other EU countries in this respect. Pursuant to Article 33 GDPR in the event of a personal data breach, the controller must notify the PUODO without delay and, if possible, within 72 hours, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. The controller must also notify the data subject without undue delay if the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons or if the supervisory authority orders the controller to do so.

When it comes to telecommunications companies, they are obliged to report to the President of UKE any breaches of security or integrity of networks or services which significantly affect the functioning of the network or services, within 24 hours, in accordance with Commission Regulation (EU) 611/2013.

Incidents Subject to the UKSC

The “risk of harm” thresholds are outlined in the UKSC in relation to OES, DSPs and public entities. Depending on the type of incident, different obligations arise.

An OES must report all major incidents to the appropriate CSIRT. An OES classifies an incident as major based on the criteria provided in the Regulation of the Council of Ministers of 31 October 2018 on the thresholds for considering an incident as major. The criteria differ from sector to sector and are relatively specific (eg, number of individuals affected by the incident, geographic area, duration of the incident).

A DSP must report all significant incidents to the appropriate CSIRT. A DSP classifies an incident as significant taking into consideration in particular:

  • the number of users affected by the incident, in particular users dependent on the service for the provision of their own services;
  • the duration of the incident;
  • the geographical area affected by the incident;
  • the scope of service disruption;
  • the extent of the impact of the incident on business and social activities.

Additionally, a DSP classifies an incident as significant when at least one of the following situations exists:

  • the service provided by the DSP was unavailable for more than 5 million user-hours – the term "user-hour" refers to the number of affected users in the EU for a duration of 60 minutes;
  • the incident has resulted in a loss of integrity, authenticity or confidentiality of stored or transmitted or processed data or the related services offered by, or accessible via, a network and information system of the DSP affecting more than 100,000 users in the EU;
  • the incident has created a risk to public safety, public security or of loss of life;
  • the incident has caused material damage to at least one user in the EU where the damage caused to that user exceeds EUR1 million.

Public entities must report any incident that causes or may cause a decrease in the quality or interruption of the performance of a public task carried out by the public entity to the appropriate CSIRT.

Personal Data Breach

When it comes to personal data, the notification obligation arising from Article 33 of the GDPR pertains to all events in which the personal data breach is likely to result in a risk to the rights and freedoms of natural persons.

The cybersecurity defensive measures must be viewed from the perspective of the restrictions imposed by the Polish Labour Code, which provides for specific regulations regarding employee monitoring. While the “passive” measures (such as blocking websites ex ante) do not raise any issues, more intrusive measures, including email monitoring or GPS tracking of company vehicles or DLP tools implemented with regard to company mobile devices, may be regarded as employee monitoring. In such a case, the employer is required to:

  • describe the purpose, scope and method of employee monitoring in the working regulations or collective bargaining agreement;
  • inform the employees of the planned monitoring, both generally and also individually before the employee starts work;
  • assure that the monitoring does not infringe correspondence secrecy, privacy or other personal rights of the employee.

General regulations resulting from the GDPR also apply, in particular:

  • making sure the legal basis for data processing is valid (including legitimate interest assessment when required);
  • applying appropriate security measures;
  • setting appropriate retention periods for collected data.

The key intersection between cybersecurity and privacy lies in the perspective taken on the risk assessment. Data protection/privacy risk is considered from the point of view of the rights and freedoms of an individual (data subject), whereas cybersecurity risk is considered more broadly, covering the business, financial and reputational consequences of a data breach as well as possible effects on national security or the well-being of a community.

This becomes particularly important when the proportionality of security measures or the level of risk must be assessed from those two perspectives.

See also 6.1 Cybersecurity Defensive Measures, for example, on the interplay of cybersecurity and privacy principles.

An OES must provide access to information about registered incidents to the competent CSIRT. Apart from that, an OES must report all major incidents to the above-mentioned administrative bodies immediately, not later than within 24 hours from the moment of detection. Major incidents are understood as incidents that cause or are likely to cause a serious degradation of quality or interruption of continuity of critical services as defined in the UKSC.

An OES co-operates during handling of a major or a critical incident with appropriate CSIRT, providing necessary data, including personal data. An OES must share the following information when a major incident is detected:

  • details of the notifying entity, including the entrepreneur's business name, number in the relevant register, seat and address;
  • name and surname, telephone number and email address of the person submitting the notification;
  • name and surname, telephone number and email address of the person authorised to provide explanations regarding the reported information;
  • a description of the impact of the major incident on the provision of the critical service, including the notifier's key services affected by the major incident, number of users of the key service affected by the major incident, the time of occurrence and detection of the major incident and its duration, the geographical area affected by the major incident, impact of the major incident on the provision of the key service by other OES and DSPs, the cause of the major incident and how it occurred, and its impact on information systems or provided key services;
  • information allowing the relevant CSIRT to determine whether the incident concerns two or more member states of the European Union;
  • if an incident may have affected provision of a key service, description of the causes of the incident, how the incident unfolded, and the probable impact on information systems;
  • information about preventive actions taken;
  • information about corrective actions taken;
  • other relevant information.

Similar requirements apply to a DSP and public entities, while in this case a DSP must provide access to information about registered critical incidents to CSIRT MON, CSIRT NASK or CSIRT GOV. Critical incidents are understood as incidents resulting in significant damage to security or public order, international interests, economic interests, operation of public institutions, civil rights and freedoms, or human life and health.

According to the UKSC, OES, DSPs and public entities may voluntarily share the following information with the appropriate CSIRT:

  • information about incidents other than those indicated in 7.1 Required or Authorised Sharing of Cybersecurity Information;
  • information about cybersecurity threats;
  • information on risk estimation;
  • information about vulnerabilities;
  • information on used technologies.

Any other entity or individual (not subject to the UKSC) may also notify CSIRT NASK of any discovered incident. However, priority is given to incidents notified by an OES, DSP or public entity.

The highest penalty so far in Poland was imposed by the PUODO in the Morele.net case and is PLN2,830,410. The penalty was imposed for infringements of numerous provisions of the GDPR that manifested themselves as a failure to ensure the security and confidentiality of the personal data processed, resulting in unauthorised access to the personal data of the company's customers, and as a violation of the principles of legality, reliability and accountability. The company Morele.net sp. z o. o. runs numerous online shopping sites and as a result has an extensive database of customer personal data, which was leaked.

The decision of the PUODO imposing a penalty was unsuccessfully contested before the Voivodeship Administrative Court (the case remained open due to the appeal to the Supreme Administrative Court).

More recently, Cyfrowy Polsat S.A., a Polish TV operator, was fined PLN1,136,975 for a failure to implement appropriate technical and organisational measures ensuring the security of personal data processed in co-operation with a courier service provider, in particular measures that would allow personal data breaches to be identified quickly. In this case, the personal data of clients were lost by couriers who consistently delivered documents containing personal data to the wrong recipients.

Another interesting case concerns a fine imposed by the PUODO on the Chief National Geologist due to publication of land and mortgage register numbers on its website. According to the PUODO, such numbers combined with other publicly available sources allowed users to easily identify the owner and obtain sensitive data such as their personal identification number (PESEL) or date of birth. The PUODO's standpoint was upheld by an administrative court and has been challenged in proceedings before the Supreme Administrative Court.

When it comes to cybersecurity regulatory enforcement or litigation, the regulations implemented by the UKSC are relatively new and no significant enforcement procedure has been initiated on that basis.

Please see 8.1 Regulatory Enforcement or Litigation.

The applicable legal standards are specified in 1.1 Laws and include mainly the GDPR, UODO and UKSC.

When it comes to administrative proceedings concerning personal data breach, they are governed by the dedicated provisions included in Chapter 7 of the UODO. A characteristic element of those proceedings is the fact that they are single-instance proceedings. All matters not regulated in the UODO are conducted in accordance with the Administrative Procedure Code of 14 June 1960. Similarly, administrative proceedings arising from other legal acts, such as the UKSC, are governed by the Administrative Procedure Code.

All administrative decisions can be challenged in court. Such court proceedings are conducted in accordance with the Law on Proceedings before Administrative Courts of 30 August 2002.

There are no known major private enforcement cases as yet.

In Polish law, class actions are permitted and can be applied in cases involving claims for liability for damage caused by a hazardous product, for tort, for liability for failure to perform or improper performance of a contractual obligation, or for unjust enrichment, and, with respect to consumer protection claims, also in other cases. However, it is not possible to use class actions to pursue claims for protection of personality rights. In practical terms, this means that in most cases connected with data protection, class actions cannot be used.

At present, there are no known major class actions concerning cybersecurity or personal data protection.

The process of due diligence normally takes into account both GDPR-related and other business risks. The GDPR provides for the obligation of using third parties which guarantee compliance with the GDPR. Due diligence with regard to those issues is usually combined with cybersecurity due diligence and implemented into the procurement process. Due diligence usually focuses on two perspectives:

  • a third party’s formal and organisational compliance (documentation, assigned roles of the DPO, history of co-operation, reputation, etc);
  • security measures applied by the third party.

In most cases, the due diligence process, if carried out, consists of sending a questionnaire or a survey to the prospective contractor or supplier. The surveys vary with regard to the level of detail required from the third party (the organisation's own questionnaire, checklists based on frameworks such as OWASP). An on-site audit is carried out only in the case of large or complicated contracts.

There is no regulation requiring disclosure of cybersecurity risk profile or experience.

The key cybersecurity-related topics that are currently debated are linked to:

  • an increasing number of cases of "spoofing";
  • mobile device vulnerabilities which may be exposed to various types of attacks;
  • an increasing number of ransomware attacks on business and public entities;
  • threats and opportunities related to the development of the 5G network.

The interplay between cybersecurity and politics is an important perspective that should be taken into account as well.

Cybersecurity Insurance

A number of Polish insurance companies offer cybersecurity insurance, covering the costs of IT forensics, PR activities, notification to data subjects, recovering data, imposed fines, etc (depending on the scope). Such insurance is usually of most interest to medium-sized and large enterprises, especially those of international structure.

Maruta Wachta

Wspólna 62
00-684 Warsaw
Poland

+48 22 12 80 000

+48 22 32 32 321

biuro@maruta.pl maruta.pl

Trends and Developments

Polish National Cybersecurity System Redesigned

The legislation concerning cybersecurity in Poland is relatively dynamic due to the many challenges arising both from the growing number of cyberthreats and from the broader adoption of digital solutions in the public and private sectors. Even though the National Cybersecurity System Act (UKSC) implements the NIS Directive, a number of changes are ahead that do not derive directly from the Directive. The most important of these are described below.

Growing need for cybersecurity experts

A clear trend of growing market demand for cybersecurity experts can be observed. Only a few experts are willing to work in the public sector, due to the significantly higher wages offered in the private sector. The Cybersecurity Fund was created in December 2021 to address this. The Fund aims to increase the pay of cybersecurity experts in key public institutions such as the Chancellery of the Prime Minister of Poland or the Intelligence Agency. This legislative action reflects an important trend of investing more funds in cybersecurity in Poland, which is only likely to grow in the future.

High-risk vendors in the ICT market

Another important proposal relating to cybersecurity that is currently debated in Poland is the introduction of the status of "high-risk vendor". The envisaged legislation, partly inspired by the EU 5G Toolbox, provides for the possibility of recognising an ICT supplier as a high-risk vendor (HRV). The HRV status would be applied if the supplier is found to pose a serious threat to defence, national security, public safety and order, or human life or health. When an entity is recognised as an HRV, all entities that are vulnerable to cyberthreats (in particular OES, public entities and some telecommunications companies) would be prevented from using the ICT products or services provided by the HRV named in the relevant administrative decision. If any such products or services were already in use by those entities, they would have to be withdrawn from use within seven years.

In practice, it seems that the recognition of a company as a high-risk vendor would profoundly undermine the market position of such a company and significantly affect its market presence. Taking into consideration the fact that the NIS2 Directive is likely to be expanded to cover new sectors, a growing number of companies might be required to stop using any products or services provided by an HRV. According to the proposed regulations, failure to comply with the above requirements may result in a fine of up to 3% of the total annual worldwide turnover in the preceding financial year.

Broadening the scope of the National Cybersecurity System

The currently debated proposal to amend the UKSC would include telecommunications companies in the KSC (along with a few other public entities). The role of providers of SOC (Security Operations Centre) services to operators of essential services (OES) is also likely to be redesigned to be more flexible, as the current legislation on that matter has often been criticised for being excessively detailed and rigid. More entities in the KSC system means that more entities will have access to the dedicated S46 system that is used to share information about cybersecurity incidents within the KSC system.

Establishment of a state-controlled 5G company

Another important proposal likely to be debated in coming months is the planned creation of a “strategic operator for the security network”. The state-controlled operator will then create a dedicated 5G company responsible for managing access to the 5G network and allocating it to telecommunications operators.

Growing Market of Cloud Computing Services

The use of cloud-based solutions in Poland remains below the European average. However, introducing cloud computing solutions has been a trend in the Polish market, especially among large companies (including financial institutions), for quite a while now. We expect that the trend will continue and grow in the future, taking into account the opening of the Google Cloud region in Poland in 2021, as well as the planned opening of Microsoft Azure and AWS regions (local zones) in Poland in 2022.

The growing market demand for cloud computing services brings regulation with it. In recent years, a new approach has been proposed for the market by the Financial Supervision Authority (Komisja Nadzoru Finansowego, KNF) in the Communication from the UKNF on information processing by supervised entities using public or hybrid cloud computing services of 23 January 2020, elaborated upon in the Q&A document of 17 December 2020. The government has also adopted an official strategy related to the application of cloud computing solutions in the public sector (the WIIP Initiative of September 2019). Other regulators can also be expected to provide more detailed guidelines on that matter (eg, in the telecommunications or health services sectors).

Evolving EU Legal Landscape

As cybersecurity in Poland is heavily influenced by EU law, the EC initiatives are of crucial importance for the future cybersecurity landscape in Poland.

Proposal for the DORA regulation

Even though the DORA regulation (Regulation of the European Parliament and the Council on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014) is still subject to the internal procedures in the Council of the European Union, it is gaining growing attention among the financial institutions active on the Polish market. The DORA provides for a number of cybersecurity obligations including:

  • the obligation to establish an internal ICT risk management framework, which should include a digital resilience strategy;
  • a number of responsibilities of management bodies, including setting clear roles and a responsibilities framework related to ICT risks, as well as reviewing and approving key ICT risk-related documentation (eg, business continuity plans and the audit plan);
  • introducing robust ICT incident detection and response procedures;
  • testing ICT tools and systems;
  • responsibilities with regard to back-up policies and recovery methods;
  • an obligation to apply appropriate security measures including policies and procedures for information security, strong authentication, ICT change management (eg, changes to software, hardware, firmware components and system or security changes) as well as patches and updates;
  • management of ICT third-party risks, including third-party pre-contractual assessment, obligations to include certain requirements in contracts with ICT providers, as well as detailed documentation of relations with such third parties.

Due to the gravity of the new regulations, in the coming months financial institutions can be expected to follow the debate surrounding the DORA with attention and to start preparing for implementation of its requirements in the near future. Even though some of the requirements could be derived from the soft law of the Financial Supervision Authority, it is the first legal act that imposes unambiguous obligations in such a manner. On the other hand, since the DORA promotes a risk-based approach, a lot of effort is likely to be put into the process of risk identification and assessment before the required documentation is finalised and the security measures are applied in practice. The work to be done in banks, payment institutions or insurers will certainly be demanding and long term.

Further development of eID solutions

Even before the pandemic, Poland had put a lot of effort into developing solutions supporting the remote provision of public services. A trend can currently be observed of also strengthening the possibilities of remote interaction in the private sector, which is especially demanding in the case of highly regulated sectors (eg, banks or insurers). Work on amendments to the eIDAS regulation (eIDAS2) is also being watched closely, as it provides for a new approach to electronic identification as well as a framework for the use of electronic ledgers, including those based on distributed ledger technology (DLT).

Therefore, in the coming months, we expect to see continuing interest in solutions focused on remote identification and identity verification, in particular for the purposes of AML/KYC procedures. To this end, financial institutions are likely to use the national ID card with an electronic layer (issued from 2019), electronic identification means (either issued by themselves or by third parties) as well as trust services, such as a qualified electronic signature. There is also growing interest in the use of biometrics (for example, face recognition or fingerprints) for the purposes of identifying an individual. Those solutions raise issues related to the GDPR (especially with regard to data administration and the secure processing of special categories of data).

Another solution that is likely to be developed and broadly used is an “identity wallet”. Identity wallets will gain a normative basis in the eIDAS2 regulation as the European Digital Identity Wallet, which is likely to promote their broader application in practice. In Poland, a similar solution is already in place and is offered as a public mobile application containing electronic documents – “mObywatel”. The idea behind the European Digital Identity Wallet is an important issue of “self-sovereign identity”; this could be defined as a concept promoting the choice of an individual to decide independently what kind of information they reveal to a particular third party.

As an important consequence of the above trend, the growing popularity of start-ups focused on remote identity verification and blockchain-based solutions can also be observed.
