While the electronic communications services industry is still awaiting legislative developments regarding the Electronic Communications Act, which was to be the main act implementing Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 establishing the European Electronic Communications Code (EECC) in Poland, changes are underway to the National Cybersecurity System Act, which also contains provisions introducing important obligations for electronic communications entrepreneurs.
Although this article primarily focuses on the amendments to the National Cybersecurity System Act, we also present the current legislative status of the Electronic Communications Act.
Bill amending the law on the national cybersecurity system
On March 25, 2022, the latest draft amendment to the National Cybersecurity System Act and Certain Other Acts (draft dated March 15, 2022, hereinafter the “Draft”) was posted on the Government Legislative Center website. This is the seventh version of the amendment, and it is not yet final.
The Draft has been controversial from the start, and this latest version is no exception. The most contentious issue is the inclusion of electronic communications entrepreneurs in the national cybersecurity system.
The Draft points out that the EECC came into force in 2018, emphasizing the security of networks and services. Unlike the previous regulation (the Framework Directive), the EECC makes it possible to harmonize the reporting of and response to incidents at the national level. This possibility (i.e. harmonizing the incident reporting procedure within the meaning of the National Cybersecurity System Act for incidents reported by telecommunications companies) is also indicated in the recently published study “Synergies in Cybersecurity Incident Reporting”, prepared by the NIS Cooperation Group in cooperation with the European Cybersecurity Agency and the European Commission. As highlighted in the Draft, the study directly indicates that countries can harmonize the procedures of the NIS Directive, the EECC and the eIDAS Regulation, among other things by adopting a similar taxonomy for classifying incidents and by defining incident thresholds. Furthermore, the Draft emphasizes that the services covered by these three legal regimes are socially critical.
The new provisions will specifically implement Articles 40, 41 and 94 of the EECC. The changes are discussed in more detail later in this article.
Electronic communications entrepreneurs and the national cybersecurity system
The Draft proposes to add a new chapter governing the obligations of electronic communications entrepreneurs regarding the measures they must apply to ensure the security of networks and services. The entities required to comply are determined by the newly added definition of an electronic communications entrepreneur as a telecommunications operator or an entity providing a publicly available, number-independent interpersonal communications service.
The Draft also sets out the obligation of electronic communications entrepreneurs to implement technical and organizational measures ensuring the confidentiality, integrity, availability and authenticity of all data processed. The entrepreneur must also ensure a level of security appropriate to the identified risk, which it must assess systematically. In addition, in accordance with Article 94 of the EECC, mandatory technical and organizational measures have been included in the Draft.
It should be noted that the competent minister may define the minimum scope of the technical and organizational measures necessary to ensure the security of electronic communications networks and services, or the documentation obligations in this regard, taking into account the type of activity carried out by a particular entrepreneur.
The Draft also introduces important provisions regarding the staffing obligations of an electronic communications entrepreneur. According to the proposed wording, an entrepreneur must appoint two employees responsible for maintaining contact with the entities of the national cybersecurity system. Micro, small and medium-sized entrepreneurs, however, will be exempt.
In order to ensure an appropriate level of control over the implementation of the obligations by an entrepreneur, the draft grants several rights to the President of the UKE, in particular the right to evaluate the measures taken by an electronic communications operator to ensure the network and service security. If irregularities are observed, the President may compel the operator to apply additional security measures or appoint an independent third party to audit the operator.
The Draft also contains a series of provisions on how an electronic communications entrepreneur must react if it discovers a telecommunications incident. Specifically, the entrepreneur must classify, report and manage the telecommunications incident, as well as provide access to, and cooperate with, the CSIRT and CSIRT Telco. The Draft also specifies the incident data that must be included in a report of a significant telecommunications incident.
Furthermore, the electronic communications entrepreneur must inform the affected users about the security incident, the possible measures these users can take, and the associated costs. The entrepreneur must also report whether the incident will have an impact on the availability of its services if, after assessment, that impact is significant.
If the telecommunications incident is serious, the President of the UKE may require an electronic communications entrepreneur to publish information about the incident in the UKE’s public bulletin or on the entrepreneur’s website, if publication of the information is in the public interest.
In addition, if a threat to the security of the networks and services is identified, the telecommunications contractor’s communications may be blocked and its electronic communications services may be interrupted or restricted.
Other key issues in the Draft
The concept of Security Operations Centers (SOCs) has been introduced into the national cybersecurity system. These entities will replace the existing structures responsible for cybersecurity at operators of essential services. SOCs are dedicated teams that perform all cybersecurity oversight and management functions, both internally and as services provided to other entities. Operators of essential services will be able to create SOC structures internally within their organization or contract with external SOC service providers (external SOCs). These structures will carry out risk assessment as well as the detection of and response to incidents. The Minister responsible for IT will maintain a list of SOCs.
The Draft includes a procedure for recognizing a supplier of hardware or software for key economic entities as a high-risk supplier. The Minister responsible for IT will conduct the procedure.
As part of the procedure, the Minister will seek an opinion on the hardware or software supplier and on the ICT products, services and processes it offers. The opinion will consider both technical and non-technical aspects that may have an impact on national security. The procedure will end with an administrative decision as to whether the supplier is considered a high-risk supplier. The supplier may appeal the decision to the administrative court.
Why is such a procedure important? If the Minister responsible for IT recognizes a supplier as high-risk, the entities of the national cybersecurity system (mainly operators of essential services and digital service providers) and telecommunications entrepreneurs that are large companies must stop using equipment or software from that high-risk supplier within seven years of the decision being announced.
In addition, large telecommunications companies must withdraw ICT products, services and processes within five years if they fall within the critical functions specified in Annex 3 of the Draft. The withdrawal obligation will apply only to the ICT products, services and processes specified by the Minister responsible for IT (i.e. not to all ICT products, services and processes offered by a high-risk supplier).
In particular, the largest telecommunications companies may be permitted to join the proceedings as parties if, during the previous financial year, they received revenue from telecommunications activities of at least 20,000 times the average salary in the national economy (as stated in the latest announcement by the President of Statistics Poland referred to in Article 20(1)(a) of the Act of December 17, 1998 on Pensions from the Social Insurance Fund). However, such an entrepreneur must file an appropriate application before joining the proceedings.
There are concerns about the “entry threshold” for a party to join proceedings, the amount being estimated at 100 million PLN (around 22 million euros).
Implementation of the European Electronic Communications Code
Poland is one of 10 European countries that the European Commission has referred to the Court of Justice of the European Union for failing to fully transpose the EECC into national law and for an inadequate information policy in this regard.
Poland has implemented some of the provisions of the EECC. Please note that when commenting on the Electronic Communications Act, we are referring to two legal acts (i.e. the Electronic Communications Act and the Act Introducing the Electronic Communications Act). These laws are still in the legislative process, but the Polish authorities expect the law on electronic communications to enter into force in 2023.
The Electronic Communications Act will replace the current Polish Telecommunications Act. The provision of number-independent interpersonal communications services will be recognized as an electronic communications activity, covered by the Act alongside traditional telecommunications activity (i.e. the provision of telecommunications services, the provision of telecommunications networks and the provision of related services). Therefore, entrepreneurs providing such services will be classified as providers of electronic communications services.
Providers of number-independent interpersonal communications services, covered by the Electronic Communications Bill, will be subject to several requirements previously imposed on other entities under the Telecommunications Act.
Electronic communications entrepreneurs are facing significant changes in their obligations. While the direction of the Electronic Communications Act can be predicted, the amendment to the National Cybersecurity System Act may still undergo further significant changes. We anticipate that work on the two acts will intersect in the near future to ensure consistency.
The amendment will enter into force 30 days after its promulgation. Industry representatives have raised the issue of inequity in the procedure for deeming an entity a high-risk supplier and have called for further public consultation on the Draft.
© Copyright 2022 Squire Patton Boggs (USA) LLP. National Law Review, Volume XII, Number 104