Cybersecurity

The pace of development, the complexity of IT technologies and their widespread use are all linked to the issue of ensuring cybersecurity. Failures in this area carry a real risk of negative consequences, as individual companies, institutions or even governments are increasingly finding out.

We provide full legal support to help you reduce cybersecurity risks in your business. We negotiate contracts, design internal procedures and provide training and workshops.

How can we help?

Cybersecurity regulations impose numerous obligations on a wide range of bodies: key service operators (energy, transport, banking and financial markets infrastructure, healthcare, drinking water or digital infrastructure providers and distributors) and digital service providers (online trading platforms, cloud computing services, search engines).

The responsibilities of operators of essential services include:

implementing a security management system for information systems used to provide an essential service;
designating a person responsible for liaising with the entities of the national cybersecurity system;
ensuring that the essential service user has access to knowledge on cybersecurity risks;
developing, applying and updating the cybersecurity documentation of the information system used to provide the key service;
incident handling, reporting major incidents and cooperation in handling a major incident and a critical incident;
setting up internal structures responsible for cybersecurity or contracting with a cybersecurity service provider;
ensuring that a security audit of the information system used to provide the essential service is carried out;
the status of an entity as an operator of an essential service is determined by a decision issued by the authority competent for cyber security.

The obligations of digital service providers (online trading platforms, cloud computing services, search engines) include:

taking the technical and organisational measures set out in Implementing Regulation 2018/151 to manage the risks to which the information systems used to provide the digital service are exposed;
the obligation to handle incidents.

Sanctions

Failure to comply with the new regulations is punishable by a fine of up to PLN 200,000 (and in some cases up to PLN 1 million) for entities that commit certain breaches. Penalties may be imposed even if the entity has ceased the infringement or repaired the damage caused.

DORA – relevant for financial institutions

EU regulation tightening risk assessment and reporting requirements in the financial sector – Regulation on the operational resilience of the digital sector and amending Regulations (EC ) No 1060/2009, (EU ) No 648/2012, (EU ) No 600/2014, (EU ) No 909/2014 and (EU ) 2016/1011 (“DORA”) will become applicable 24 months after its entry into force, i.e. from 17 January 2025.

NIS2 – the extension of cybersecurity regulation to new sectors of the economy

On 27 December 2022, the Directive on measures for a high common level of cybersecurity within the Union, repealing Directive (EU) 2016/1148 (“NIS2”) was published in the Official Journal of the European Union. From the entry into force of the Directive, Member States have 21 months to implement it into their national laws. The deadline is 16 October 2024.

Who will be subject to NIS2?

Essential entities operating in the following sectors:

energy;
transport;
banking;
financial markets infrastructure;
healthcare;
drinking water;
wastewater;
digital infrastructure;
ICT service management;
public administration;
space.

Important entities operating in the following sectors:

postal and courier services;
waste management;
production, processing and distribution of chemicals;
production, processing and distribution of food;
manufacturing;
digital services;
scientific research.

Audit + Recommendations + Documentation

Analysing, reviewing and developing internal cybersecurity procedures (Security Policies, BRP Plans);
Conducting internal audits and reviewing the consistency of the new cybersecurity documentation with the existing internal security management procedures of the key service provider and digital service provider.

Relations with supervisory authorities

Developing procedures to be followed in the event of an audit of the cybersecurity authority;
Representing clients in proceedings before the cybersecurity authority, especially regarding sanctions or administrative proceedings.

Personal data protection

Advising entities covered by the national cybersecurity regime on the rules of sharing information with the competent authorities and the processing of personal data;
Reviewing internal cybersecurity documentation on the obligation to handle and report incidents, to ensure compliance with the principles of data protection.

Legal advice in relations with IT suppliers

Analysing contracts concluded with IT service providers;
Advising on implementing IT system security management solutions;
Negotiating terms and conditions with insurers and analysing insurance documentation required to conclude an insurance contract against cyber attacks.

Legal and regulatory monitoring ( cybersecurity compliance)

Analysing the legal environment and reforms which affect cyber security, including legislative proposals (cybersecurity compliance).

Training and workshops

Providing customised training on the obligations of essential service operators and digital service providers, including compliance with data protection rules.