Fines of up to EUR 10 million. Polish companies face new responsibilities

Cybersecurity is the foundation of the modern economy

New cybersecurity regulations are already in force. Companies must prepare for changes and severe penalties.

Poland has now formally entered the cybersecurity regime. The tangible proof is the Act on the National Cybersecurity System (KSC), signed last week by President Karol Nawrocki, which implements the EU NIS2 directive. Not everyone liked its final shape, but it should be stressed that it is Poland's response to the tense geopolitical situation and the growing scale of cyberattacks.

– According to CERT Polska data, hundreds of thousands of cybersecurity incidents are recorded every year, affecting both Polish companies and their partners and suppliers – notes Weronika Czaplewska, vice-president of Quantifier, in an interview with “Wprost”.

What does the implementation of KSC mean for Polish companies?

First of all, it means change. The NIS2 directive widens the range of entities covered by the regulation and makes top management explicitly responsible for cybersecurity risk management. According to the expert, it is this management board responsibility that is the biggest change.

– Cybersecurity is no longer exclusively the domain of technical or IT departments – formal responsibility for cyber risk management rests with management board members – explains Weronika Czaplewska.

As she explains, for companies this means real supervision of the organization's cybersecurity system, appointing people responsible for this area, and ensuring appropriate procedures and resources.

Fines can be up to EUR 10 million

The changes introduced by the KSC Act also concern penalties, and these are genuinely severe.

– The stakes are high, because fines for non-compliance can reach up to EUR 10 million or 2% of global annual turnover, and in the case of important entities EUR 7 million or 1.4% of turnover, whichever value is higher – notes Weronika Czaplewska.

But that is not all. The Polish act implementing the directive stipulates that these penalties cannot be lower than PLN 20,000 for essential (key) entities and PLN 15,000 for important entities. It also provides that the managers of these entities may themselves be financially liable for failing to perform their duties, with a fine of up to 300% of their remuneration, calculated in the same way as the cash equivalent for annual leave.

– The directive also introduces very short reporting deadlines: an early warning of a serious incident within 24 hours, and a full report of the incident within 72 hours of its detection – adds the expert.

“This is not a purely technological project”

Implementing KSC is not only about meeting formal requirements or preparing documentation.

– In practice, this means implementing a continuous compliance approach, that is, a system for continuously monitoring regulatory compliance and managing cyber risk on an ongoing basis – explains Czaplewska.

As she emphasizes, this is not a purely technological project.

– Implementation requires cooperation between the management board, IT and compliance departments and legal teams, but also HR and purchasing, because NIS2 also covers employee training and supply-chain security. Cybersecurity is no longer a technical topic; it is becoming a strategic responsibility of the management board and the entire organization – says the vice-president of Quantifier.

Although some of the provisions on high-risk suppliers are still to be reviewed by the Constitutional Tribunal, the act itself is already entering into force. There is no turning back from cybersecurity, and Polish companies can no longer count on any leniency.
