The Evolution of Cybersecurity Regulation in the European Union Law and Its Implementation in Poland

Abstract

The 2013 European Union Cybersecurity Strategy, the 2016 Directive, and the 2019 Regulation mark the next steps in strengthening the protection of cybersecurity by European Union bodies, linked to changes in member states’ laws. The rapid increase in threats, referred to as the “cyberpandemic”, requires prompt adaptation of legal instruments to new needs, but at the same time complicates ensuring consistency of multi-level regulation. The analysis of changes in the legal status in Poland shows that this concerns terminology, subject matter scope and the structure of cyber security systems. In order to reduce difficulties, it is worth considering introducing immediate amendments to those provisions in force which were negatively assessed during works on drafting new acts. Such a conclusion is prompted by the evolution of the definition of cybersecurity, which, according to the 2019 Regulation as well as the draft amendments to the Polish Act on National Cyber Security System and the draft of the new Directive, is to be understood as activities necessary to protect networks and information systems, users of such systems and other persons against cyber threats such as any potential circumstance, event or action that may cause damage, disruption or otherwise adversely affect networks and information systems. Another example is the maintenance of the distinction between key service operators and digital service providers in the 2019 EU Regulation and the 2021 draft amendment to the Polish law, although the 2020 NIS 2 directive draft recognizes that it has become irrelevant and replaces it with a distinction between essential and relevant entities. Also, other changes currently proposed are justified by the blurring of the boundaries between virtual and real space.