EU Billions for Poland at Risk? Ministry Warns
- The Ministry of Digital Affairs is preparing for a fight to defend the amendment to the act on the National Cybersecurity System. The ministry fears an attempt to undermine it in the Sejm.
- This is an important regulation that is supposed to help combat threats to the state, including sabotage and terrorism. It will also have a broad impact on companies. Poland is late in adopting it - it has been sued before the European Court of Justice (CJEU) for this.
- The deputy director of the Ministry of Digital Affairs warns that without this amendment, Poland will face high fines and the European Commission may suspend payments from the National Recovery Plan for Poland.
- Marcin Wysocki, in an interview with WNP, also announces the next works of the MC: on the act on cloud computing standards in administration and local governments and the data embassies project.
Why should firefighters receive bonuses from the Cybersecurity Fund? This is what the Ministry of Digital Affairs wants.
- So we start with a trivial question.
Trivial?
- Yes, it's very simple. Several dozen people working at the Main Headquarters of the Fire Service and people working in provincial units are responsible for key IT systems related to emergency notification. These systems ensure, for example, that alarm sirens are activated at the right time. Rapid response to fires, accidents and other threats depends on the State Fire Service systems.
The modern rescue system on which human life and health depend is largely based on the reliability of IT systems.
In the future, the people responsible for them, under the act on the protection of the population, will be given additional duties, including the construction, development and maintenance of the Central Register of Collective Protection Facilities, in which the data necessary to make the right decisions regarding the use of protection and hiding places in crisis situations will be processed. This concerns failures, natural disasters or attacks with means of destruction. In places such as the Fire Department, we need specialists, so I am convinced that we should co-finance them.
Who should receive the Cybersecurity Fund allowance?And why co-finance firefighters, but not employees at the General Directorate for National Roads and Motorways or Polish Waters, who also maintain key systems?
- I think that the issue of the supplement you are asking about is one of the reasons why work on amending the National Cybersecurity System is not as effective as it should be.
It is not me who is asking, but the Minister of Infrastructure in the consultations on this bill.
- We are implementing the NIS2 directive, and other ministries are asking for changes to the act on special rules for remunerating people performing tasks in the field of cybersecurity. A separate project should be devoted to this - and perhaps will be. We are approached by many institutions that also believe that they should be covered by such a benefit. In my opinion, in the future, it would be necessary to prepare a transparent gradation, to consider the financing possibilities.
For now, the Ministry of Finance does not agree to increase the Cybersecurity Fund by PLN 250 million annually.
- We will convince the Ministry of Finance to change its mind, because we believe that it is wrong to make such comments on the National Cybersecurity System Act. PLN 250 million is slightly over half of the annual costs resulting from the assessment of the impact of regulations as effects on the implementation of the amendment to the KSC Act. The Act assumes the development of Computer Security Incident Response Teams (CSIRT) for individual sectors, the S46 platform, and it mentions educational projects.
What next with the amendment to the Act on the National Cybersecurity System?And when will the government's path to the bill end? MC announced that the bill would be submitted to the Sejm by the end of June.
- The project has been submitted to the Standing Committee of the Council of Ministers. I think it will be adopted by the government in the first or second week of July.
What difficulties may the project still encounter in the Council of Ministers?
- The first point we discussed is the conversation about costs. The second is those elements that may go beyond the minimum implementation of the NIS2 directive, the Minister of Development and Technology was tasked with drawing attention to them. The remaining matters seem to me to have already been resolved.
So high-risk suppliers stay in the project?
- I believe so and there is a strong determination on the part of Prime Minister Gawkowski in this regard. This is a matter of state security, its basic interests in this area. And I do not think that anyone could effectively postulate the removal of this procedure.
So the Prime Minister has pacified the digital traitors in the government?
- He did not so much pacify as convince people of the importance of these decisions.
Explaining how important the issue of high-risk suppliers is is such a challenge that many arguments concerning state security are classified information in accordance with the Act on the Protection of Classified Information. This is a permanent difficulty in communication, for example, of special services that postulate some solutions, but cannot defend them strongly enough, for example, at parliamentary committee meetings. Revealing the arguments they have is penalized, so they often have to simply keep quiet or say "tomato".
Do you expect a fierce fight in the Sejm over these provisions?
- There will certainly be a fight for this in the Sejm, we have already seen it during the discussion after the exposé of Prime Minister Donald Tusk. We are also observing the efforts of the lobby, which is working to make the content of this project ugly.
Meaning?
- One of such basic myths that persists is the issue of excluding a hardware or software supplier due to non-technical premises. These are referred to as "political". However, in practice they concern risk management related to, among others, the threat of terrorism or sabotage. And this risk results from the influence of a third country on the manufacturer of devices or software operating in that country, whether through law or through actions carried out directly.
Critics argue this is overregulation.
- What Poland is doing in this matter has already been adopted as a statutory solution in 21 countries, and is already applied in 12 of them. In addition, the European Commission, through the planned ICT Toolbox, identifies many security challenges, not only in 5G networks, but also in areas such as telemedicine devices, drones and security systems (e.g. airport gates).
I would bet a large bar of chocolate that in the future, non-technical grounds for excluding high-risk suppliers will become standard in the EU, also outside telecommunications networks, in selected sectors, such as energy. And then we would start this demanding process of amending the regulations anew.
Who is pushing for the deletion of non-technical premises?
- Huawei made this claim in public consultations. The company has not been speaking out directly lately, but there are other entities that are asking for exactly the same thing - deleting the so-called non-technical premises, which are called "political" for the sake of disgust, and stating that this is a Polish invention and overregulation. And we have already said to ourselves that this is not the case.
I also expect the Sejm to return to these arguments, as well as postulates that, under the guise of introducing transparency, will make the administrative procedure for a high-risk supplier practically unfeasible. There will probably be voices saying that our consultations are too short. However, I am convinced that the pool of ideas that could have been raised to knock out teeth, i.e. render this procedure useless, has been exhausted. And the act simply needs to be adopted. I assume that this will happen before the end of the year.
What if not?
- We are one of 19 countries that have not implemented the NIS2 directive , if we do not do it, we will pay penalties.
And there is probably no more stupid way to spend public money than paying fines for failure to transpose such an important directive.
The European Commission asks us every month what the progress of the work is. Also because the amendment to the KSC Act is a milestone for the National Reconstruction Plan. The lack of amendment may have really serious consequences for the Polish state.
Let's put it bluntly: either KSC or blocking the money from KPO?
- The Commission warns us that milestones must be met, and the actual transfer of subsequent tranches of financing and their settlement depend on whether we achieve them.
Will this be an argument for MPs for a quick procedure?
- This should be an argument for them that listening uncritically to the voices of critics of this bill may end very badly for Poland.
Ministry of Digital Affairs to develop cloud computing standards in administration and data embassiesWhat other security projects is MC working on?
- We are at the stage of preparing a draft regulation on cloud computing standards in administration. We want the new regulation, unlike the previous resolution of the Council of Ministers, to be binding also on local government units.
We should also focus on developing a government cloud and creating rules that would allow the migration of the most important data to a commercial cloud in another European country, e.g. in a state of imminent threat of war . We should take part in the experience of Ukraine, which was forced to transfer important data from state registers in the face of war, which was not in accordance with Ukrainian legislation until the relevant decree was issued by the local Council of Ministers, which, by the way, took place sixteen days after the armed aggression of the Russian Federation in Ukraine.
I would like no one's hand to tremble if Poland found itself in such a situation. Data embassies are also an important project. It is about ensuring the security and availability of state data in crisis situations, for example by creating backup copies in diplomatic missions.
There was already such a project in the previous term, but it has not been implemented to this day.
- This idea is very good, but we need to ensure that there are no regulations that would prevent its implementation. We are also trying to respond to challenges such as the lack of power for data centers in diplomatic missions.
In addition to traditional data centers, we are introducing the possibility of providing backup in a public or private cloud in another country of the European Economic Area.
When will concrete solutions in terms of cloud computing standards be on the table?
- I assume that the Minister of Digital Affairs will present the first version of the project this year. It will certainly be a challenge to process this project, it will be necessary to reconcile the interests and voices of many stakeholders. This will again be a conversation, among others, between our entrepreneurs and hyperscalers about how we should build our competences, capabilities and how we understand digital sovereignty.
The Deputy Prime Minister talks a lot about digital sovereignty. And Deputy Minister Rosiński promised during the European Economic Congress that the ministry will develop solutions that will support Polish entrepreneurs.
- And of course, we design such solutions. In the "Cloud Computing Cybersecurity Standards", which are an annex to the WIIP resolution (common state IT infrastructure - editor's note), there are specific levels that indicate when data should be processed in the European Economic Area and when in Poland. We will propose similar solutions in the act.
It's not like we're going to change the proportions in the cloud services market. Instead, we're going to focus on ensuring that the most important data is processed in Poland. This is also about expanding our own capabilities in this area.
And why is the ministry building another CSIRT for PLN 10 million ?
- That's a very good question. Currently, in the KSC system we have about 400 key service operators, which are supported by national level CSIRTs, e.g. in CSIRT NASK or CSIRT GOV in ABW. After the amendment, the scale will increase significantly - we are talking about several or even several dozen thousand entities. That is why we are creating a system of sectoral CSIRTs, which will serve as support for individual industries - just as the team in the PFSA (Polish Financial Supervision Authority - editorial note) does today for the financial sector or the e-Health Center for the health sector.
The CSIRT Cyfra you are asking about is one of these teams. In the digital infrastructure sector, which my team manages, we currently have fewer than 10 entities. After the new regulations come into force, cloud service providers and electronic communication entrepreneurs will be included there, which will significantly increase the scale – there will already be several dozen entities. This justifies the establishment of a dedicated team. Similar teams will be created in other ministries, for example in the Ministry of Climate and Environment. Their task will be to support entrepreneurs and relieve the work of national-level CSIRTs.
wnp.pl
