Abstract

The author presents the structure and principles which the Polish legislature imposes on public entities in the field of cybersecurity. The analysed regulations cover government authorities, state control authorities, law enforcement authorities, courts (both common and special), local government units and their associations (including metropolitan unions), budgetary units and budget establishments, executive agencies, budgetary institutions, the Social Insurance Institution (ZUS) and managed funds, the Agricultural Social Insurance Fund (KRUS) and the funds managed by its President, the National Health Fund, public universities, and the Polish Academy of Sciences. In addition to these public finance entities, special cybersecurity obligations have been imposed on research institutes, the National Bank of Poland, Bank Gospodarstwa Krajowego (BGK), Office of Technical Inspection (UDT), the Polish Air Navigation Services Agency (PENSA), Polish Centre for Accreditation (PCA), the National Fund for Environmental Protection and Water Management (NFEP&WM) and the provincial funds, as well as municipal companies. Despite differences in the form of activity (including possession or absence of legal personality), it is commonly agreed that the analysed regulations treat public entities as public administration authorities, at least in the functional sense, as evidenced by the indication that the obligations of public entities should be carried out within the framework of public tasks.

Highlights

  • It should be noted that the understanding of the term “public entity” significantly exceeds the confines of the term “public administration authority” as used by legal commentators

  • Apart from these public finance sector entities, special cybersecurity obligations have been imposed on research institutes, the National Bank of Poland, Bank Gospodarstwa Krajowego, the Office of Technical Inspection, the Polish Air Navigation Services Agency, the Polish Centre for Accreditation, the National Fund for Environmental Protection and Water Management, and Voivodeship Water Management Funds

  • Within the framework of the cooperation of public entities with the competent Computer Security Incident Response Team (CSIRT), the legislators have introduced a specific informational procedure for transferring the data of the responsible person appointed on the basis of the National Cybersecurity System Act

Summary

Range of Public Entities Subject to Cyber Security Obligations

The National Cybersecurity System attempts to cover comprehensively and complementarily all entities which use IT tools in the spheres of both public and private activities (under private law) and are significant for state security. The principle of the functional approach to public entities is clearly apparent, and is closely related to the public tasks implemented by these entities.

Obligation to Report and Handle an Incident in a Public Entity
Formal Requirements for Reporting an Incident in a Public Entity
Obligation to Provide Information to the Competent CSIRT
Summary