The fifth draft amendment to the National Cybersecurity System Act dated February 7, 2025 (the "Draft Act")[1] introduces significant changes in the supervision of essential and important entities and the liability of their management. These modifications substantially increase the competencies of supervisory authorities and clarify the rules for applying supervisory measures and financial penalties. This article discusses selected modifications in this area.
Extended Competencies of Supervisory Authorities
A significant change is granting cybersecurity competent authorities direct powers to apply supervisory measures. According to Article 53(9) of the Draft Act, the supervisory authority may independently issue decisions on suspending a granted license or limiting its scope, suspending the activities of an entity registered in the regulated activity register, suspending authorization to conduct business activities, suspending the activities of an entity registered in CEIDG or KRS, as well as prohibiting the performance of management functions by the entity's management.
In previous drafts, supervisory authorities could only request other institutions to apply such measures. The new solution streamlines the process of enforcing cybersecurity-related obligations, but may raise concerns about compliance with the principle of proportionality and the separation of competencies between different public administration bodies.
Ad Hoc Inspection System
The Draft Act also introduces an expanded system of ad hoc inspections, which constitutes a significant strengthening of the supervisory toolkit. These inspections may be conducted without prior notification of the entity, increasing their effectiveness. According to Article 59c of the Draft Act, ad hoc inspections may be ordered to verify the implementation of post-inspection recommendations, verify information about potential violations, analyze documents received from the entity, or verify information from the monitoring officer.
A new element of the supervisory system is the institution of the monitoring officer, introduced in Article 53(5)(6) of the Draft Act. This officer may be appointed for a period of up to one month to supervise the entity's compliance with obligations. Such an officer receives broad powers, including the right to free access to the entity's premises, inspection of documents, and conducting examinations of equipment and information systems. This institution enables ongoing supervision of the entity's activities, particularly in high-risk situations.
Limitations of Management Function Prohibitions
A particularly severe supervisory measure introduced in the fifth draft is the possibility of issuing a prohibition on performing management functions by the entity's management. However, the legislator has introduced a significant limitation of this measure. Article 53(9)(6) of the Draft Act specifies that it may be applied only to the extent that "it will not prevent the essential entity from functioning to the extent necessary to remedy deficiencies or cease violations."
This means that even when this measure is applied, the entity must retain the ability to remedy identified irregularities.
Temporal Limitations of Supervisory Measures
The Draft Act introduces precise regulations regarding the duration of supervisory measures, which constitutes an important safeguard against abuse of these instruments. According to Article 53e(2) of the Draft Act, these measures may be applied for a maximum of 14 days from the delivery of the decision. The duration of supervisory measures is determined taking into account the severity of the violation, its duration, the nature of the act, and corrective actions taken.
If the entity does not remedy the violations within the specified time limit, the authority may issue another decision for the next period not exceeding 14 days. This procedure may be continued until the deficiencies are remedied. Such a solution gives supervisory authorities flexibility in applying measures while forcing them to cyclically verify the justification for maintaining them.
Procedures for Revoking Decisions on Supervisory Measures
The regulations concerning the application of supervisory measures are supplemented by provisions on their revocation. The Draft Act precisely defines procedures in this regard, which is significant for entities subject to supervision. According to Article 53e(5) of the Draft Act, the cybersecurity competent authority revokes the decision on applying a supervisory measure ex officio or upon request of the entity after remedying deficiencies or ceasing violations.
An essential entity may submit a request to revoke the decision, presenting evidence confirming compliance with the imposed obligations. The supervisory authority has only 7 days to consider such a request, which is intended to ensure prompt restoration of the entity's normal functioning. Such a solution balances the interests of the supervisory authority and the supervised entity, ensuring that supervisory measures are not applied longer than necessary.
Financial Penalties for Entity Management
The provisions on management liability are supplemented by regulations concerning financial penalties. Article 73a of the Draft Act defines a detailed catalog of violations for which the entity's management may be subject to financial penalties. This includes, among others, failure to fulfill obligations related to registration in the register of essential and important entities, lack of implementation of an information security management system, lack of required security documentation, or failure to ensure the possibility of reporting cyber threats.
Compared to earlier versions of the draft, the maximum penalty amount for management has been reduced. According to Article 73a(4) of the Draft Act, the penalty may amount to a maximum of 300% of the penalized person's remuneration, calculated according to the rules used when determining vacation pay equivalent. This is a mitigation compared to previous proposals, but still constitutes a severe financial sanction. Penalties for management may be imposed independently of penalties for the entities themselves, which constitutes an additional element motivating management to ensure compliance with regulations. This solution aims to strengthen personal responsibility for the state of cybersecurity in supervised entities.
Summary
The changes introduced in the Draft Act significantly affect the legal situation of essential and important entities and their management. They increase the legal and operational risks associated with non-compliance with cybersecurity regulations. However, we are still dealing with a draft act, so the final shape of Polish regulations may change.
The BSJP bnt law firm team, in cooperation with cybersecurity specialists, provides comprehensive advisory services for meeting the requirements specified in the NIS2 Directive. For any questions related to the changes, we encourage you to contact our experts Marcin Kroll (marcin.kroll@bsjp.pl) and Rafał Wieczerzak (rafal.wieczerzak@bsjp.pl).