The amended Act on the National Cybersecurity System, implementing the NIS2 Directive, has been in force since 3 April. The debate on the new obligations has focused mainly on the private sector – and wrongly so. The regulation also covers public entities, including local government bodies, their organisational units and municipal companies.
Our experts Paulina Jeziorska and Zuzanna Prandecka-Walek have analysed this topic in Dziennik Gazeta Prawna. In the article, they discuss step by step what the amendment means in practice for local authorities – from determining who is subject to the new regulations, through the catalogue of obligations, to the sanctions regime.

A few points worth noting:
A new classification of entities. The previous model, which distinguished between operators of essential services and digital service providers, is being replaced by a classification into key entities and important entities. In the case of local authorities, the decisive factor is primarily the type of authority and its position within the administrative structure rather than the scale of its operations, although a headcount threshold applies to some of them: key entities include, amongst others, district authorities and local councils employing at least 50 people. Important entities, in turn, include local government budgetary units, budgetary institutions, cultural institutions and municipal companies, provided they carry out public tasks using information systems.
The obligations go far beyond mere formalities. Implementing an information security management system, handling and reporting incidents, ensuring business continuity, and managing security in relations with suppliers: this is not a one-off project, but a permanent change in the way the organisation operates. For important entities that are public bodies, the legislator has also set out a specific list of minimum requirements in an annex to the Act.
The penalties are substantial. Fines can reach up to €10 million for key entities and €7 million for important entities. The head of the entity is also held personally liable, with fines of up to 100% of their salary in the case of public entities. The regulations grant the supervisory authority some flexibility in setting the penalty, taking into account, among other things, the entity's financial capacity, but the lower thresholds are fixed by law.
A key point of interpretation remains open: is a key entity that does not use information systems to carry out its public tasks entirely exempt from these obligations? The wording of the regulations does not give a clear answer, which in practice may create uncertainty for local authorities.
For many local authorities, the coming months will test their ability to rapidly build up the expertise and structures that they simply have not needed until now. Putting this off is no longer an option.
