It was supposed to be safer. The amendment to the KSC will hit entrepreneurs

Cybersecurity is the foundation of the modern economy

The government is implementing the NIS2 directive by amending the KSC. According to experts, the draft is overregulated and risky.

The implementation of the EU NIS2 directive is finally scheduled to take place in 2026. “Scheduled”, and it should be, because the implementation deadline passed over a year ago. The stakes are high: Poland’s digital security.

– After years of announcements and failed attempts, Poland is finally moving towards the real implementation of the EU NIS2 directive and organizing the cybersecurity system. Today, cyber threats are one of the key risks for the state and the economy, and the lack of a coherent legal framework hinders both the administration’s response and companies’ investments in digital security. The very fact that the government decided to end the analysis stage (after a few years, as the work began under the previous coalition) and move on to legislation deserves a positive assessment. However, the problem is not the goal, but the selection of means, says cybersecurity expert Col. Piotr Potejko, Ph.D., in an interview with “Wprost”.

An overregulated draft?

However, the draft amendment to the Act on the National Cybersecurity System (KSC), which is to transpose the EU regulations into national law, raises serious doubts.

– The Polish draft amendment to the Act on the KSC goes further than the above-mentioned directive. The scale of the regulation, covering a very wide catalog of sectors and tens of thousands of entities, raises questions about its adequacy and feasibility, and above all, real effectiveness – says Col. Dr. Piotr Potejko.

The expert explains that the proposed amendment shifts the focus from the assessment of specific technologies to the qualification of suppliers according to subjective criteria, including the country of origin.

– Testing, certification, audits and operational control of technical solutions are of decisive importance in cybersecurity. The starting point is not the country of origin, but technologies that can be researched, configured and adapted to your own security requirements. Economic practice shows that regulations based solely on the origin criterion may be ineffective, because embargoed products can bypass restrictions by changing the formal label, explains Potejko.

Cross-border companies have real problems

According to the expert, the proposed regulations pose serious challenges, among others for companies operating across borders.

– If a given technology supplier is approved for use in Germany or the Czech Republic but is excluded in Poland, the question arises about the consequences for operations within the single market. What about devices used in forwarding, transport and logistics by companies that regularly operate in Poland? Will cars and trains be banned from entering Poland? The lack of clear answers may result in market fragmentation and additional costs for entrepreneurs. Above all, it will be chaos, which will weaken the effect of the new law – explains Potejko.

“New regulations should act like a scalpel, not an axe”

– There is no doubt that the government is right to point out Poland’s particular vulnerability to cyberattacks and hybrid threats. However, it is worth remembering that other EU countries also face similar challenges. Their experience shows that effective cybersecurity regulation is based primarily on the ability to quickly and precisely respond to real threats, and not on the mass exclusion of entire categories of suppliers. From the point of view of the economy and security, it is crucial that the new regulations act like a scalpel, not an axe – says the cybersecurity expert.

Potejko emphasizes that the state should have tools to act decisively in crisis situations, but regulation cannot generate chaos on the market, limit competition or increase regulatory risk for companies that invest and plan in the long term.

– NIS2 implementation is the right direction. However, to strengthen security without weakening the market, more precise regulations are needed, based on technology and risk analysis, and not on broad subjective qualifications. Otherwise, the cost of regulation may turn out to be higher than the benefits it is expected to bring, Potejko points out.
