Cyber-security
The development of commercial and social relations is accompanied by technological progress and the widescale use of information systems and services.
The need to ensure cyber-security arises from the speed of development, the complexity of IT technologies and the extent to which IT solutions are relied upon. Disruptions to the proper functioning of IT systems can negatively affect a company’s financial, commercial and security interests.
The National Cyber-Security System Act entered into force on 28th August 2018.
The act implements into Polish law the EU’s Directive 2016/1148 of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union. This legislation imposes numerous obligations on a range of entities.
Sanctions
Fine of up to PLN 200,000, or even PLN 1m in certain cases, may be imposed on entities that commit particular infringements. Firms may even be fined after they no longer infringe their obligation or have already remedied the losses they caused.
Important!
Fines can also be imposed on the managers of key service operators, up to 200% of the manager’s monthly remuneration.
How can we help?
Audit + Recommendations + Documentation
- analysis, review, developing internal procedures on cyber-security (Security Policy, BRP);
- internal audits and reviewing the compliance of new cyber-security documentation with existing internal security management procedures in place at the workplaces of key services operators and digital services suppliers.
Relations with supervisory authorities
- designing action plans to be implemented in the event of audits conducted by a cyber-security authority;
- representing clients in proceedings before cyber-security authorities, particularly as regards infringement proceedings;
- representing clients in court and administrative proceedings concerning cyber-security, especially as regards infringement proceedings.
Personal data protection
- advising entities on their cyber-security obligations regarding personal data processing and the provision of information to competent authorities;
- assessing internal documentation on cyber-security as regards the obligation to handle and report incidents that are covered by personal data protection rules.
Relations with IT providers
- advising on cooperation with IT providers, for example by analysing compliance of contracts concluded with IT providers with legal and regulatory requirements, including sector recommendations issued by the supervision authorities concerning the security of IT systems;
- supporting the implementation of security management systems in information systems used to provide key services, especially as regards drafting/assessing software purchase or maintenance agreements, creating internal incidents management structures, internal procedures for handling security management systems and reviewing whether the requirements for such systems are met;
- advising on how to conclude agreements to guard against cyber-attacks, negotiate insurance conditions and analyse insurance documentation.
Legal and regulatory monitoring (cyber-security compliance)
analysing the existing legal environment and any planned changes regarding cyber-security, including draft legislative proposals.
Training and workshops
providing dedicated trainings regarding the obligations of key services operators and digital services suppliers, including compliance with personal data protection rules.
