NIS Directive Met, Polish Cybersecurity in Effect

NIS Directive Met, Polish Cybersecurity in Effect

Poland's National Cybersecurity System Act, which aims to ensure an appropriate level of security of ICT systems, today enters into full effect. Originally adopted on 5 July 2018 by the Sejm, the lower house of the Parliament of Poland, the system covers a wide range of entities from operators of essential services to digital service providers and a cybersecurity council.

Along with its executive regulations, the act will fully implement the EU NIS Directive into Poland's legal order and create a single point of contact for cybersecurity matters.

Earlier this month, Poland was one of 17 countries to receive a warning from the European Commission for missing the 9 May 2018 deadline “to adopt an EU Directive that is designed to ensure the security of digital networks and information systems across the EU,” according to CISO Mag.

Concerns over the security of critical infrastructure have continued to grow as “the number of reported vulnerabilities related to supervisory control and data acquisition (SCADA) systems increased since the second half of 2017, and many of these vulnerabilities were found in human-machine interface (HMI) software,” according to a post from Trend Micro today.

The act distinguishes three different computer security incident response teams (CSIRTs). The teams will each be responsible for handling incident response in three particular realms of Poland’s cyberspace. CSIRT GOV will respond to governmental and subordinate unit infrastructures, including the NBP and BGK banks.

The CSIRT NASK team will be responsible for handling citizen and company incidents, including self-governmental organizations and state universities.

Finally, the CSIRT MON will handle the computer security incident response for entities supervised by the Ministry of Defense, which will include companies with economic and military significance.

In categorizing the responses, the teams will identify incidents as either critical, serious or significant.

Source: Information Security Magazine