August 12, 2020

A closer look at the cybersecurity regulations in the EU context

The NIS Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union was adopted by the European Parliament on July 6, 2016. It entered into force in August 2016, and Poland, as a member state, completed the transposition of its provisions into national law in November 2018.

All the necessary provisions are contained in the Act on the National Cybersecurity System and its executive regulations, which include the list of key services, the organizational and technical conditions for entities providing cybersecurity services, and the internal organizational structures that operators of key services must have in place for cybersecurity.

These regulations initiated a change within many organizations that had previously not treated cybersecurity issues with the seriousness they deserve. They unified the cybersecurity area, defined cybersecurity as a legal term, and clearly indicated who is responsible at every level, from the national authorities down to the operators of key services and critical infrastructure.

A very important element in the functioning of the entire cybersecurity area are the national-level CSIRTs: CSIRT NASK, responsible for responding to incidents in the public (civilian) space; CSIRT GOV, responsible for responding to and handling incidents in public administration and among critical infrastructure operators; and CSIRT MON, responsible for responding to and handling incidents in the area subordinate to the Minister of National Defence.

The Act introduced a clear provision that these CSIRTs cooperate with each other and with the competent authorities and with national and international entities in the field of incident handling. This is a big step forward in the organization of the incident response system, as it engages all forces and resources to counteract and respond to serious threats. There is no need to convince anyone about the seriousness of the threat posed by cyber attacks; NATO has recognized cyberspace as one of its operational domains.

The introduced law, in addition to mandating certain actions, has one very important aspect: it encourages people to recognize that the problems accompanying cybersecurity are being treated seriously, and that appropriate people and resources are allocated to ensure and manage cybersecurity.

There is also the issue of the private sector: a company that does not fall within the definition of the service providers subject to the provisions of the Act may decide for itself how to deal with cybersecurity. For this reason many projects have been created, both at the government level at the Ministry of Digitalization, with the aim of educating end users in this area, and by non-governmental organizations. This is also where cybersecurity is not only a matter of adapting organizations to certain requirements, but also an area of business activity in which companies offer various types of solutions or services to improve cybersecurity as a whole.

It is also worth mentioning a very important element in the functioning of the cybersecurity area: the people who build organizations and companies, and who take care of and manage the security of our cyberspace. To ensure proper capacity building and a constant supply of staff, many training programs and projects have been launched, including for schools. Their main aim is to create interest among young people in the subject of cybersecurity and safe behaviour in cyberspace, to present the principles of this area, and to provide the knowledge and skills necessary for further education at the university level. One such program, “z klasą”, has been organized by the Ministry of National Defence in cooperation with the National Cyber Security Centre and the Military University of Technology to raise cybersecurity awareness and knowledge. It is a proposal for schools that want to expand their educational offer in areas such as cybersecurity and modern technologies.

However, we should remember the key issue necessary to ensure cybersecurity throughout the EU, namely international cooperation. Apart from cooperation and information exchange between CSIRTs at the national level, it is necessary to create a common system for exchanging threat information to which the national-level CSIRTs have access. Systems performing these tasks already exist, but current threats and adversary activity require more comprehensive solutions, including ones based on machine learning and artificial intelligence, not only to inform, but to prevent incidents and make our society more resilient.

Despite the new cybersecurity law, issues continue to arise and raise large questions that must be answered. Most notably: the audit of critical infrastructure cybersecurity and of the actors responsible for it; risk analysis and the methodology organizations should choose; and the current situation, in which many people are working from home and perhaps not following basic cybersecurity rules. As a result, many problems have arisen with Business Continuity and Disaster Recovery, because even critical infrastructure operators had not prepared for such a scenario. We should therefore update our cybersecurity law to take account of new developments and ensure that the most current information is available.

Perhaps at some point we will see a cyber threat information system that sends alerts about hacking campaigns directly to our smartphones as text messages. Let’s start discussions with company owners, universities, and cybersecurity managers who can deliver new ideas on how to solve our cybersecurity issues and create a better and safer environment for all of us.

About Jaroslaw Sordyl

Jaroslaw Sordyl is an IT/OT cybersecurity expert with over 24 years of experience, specializing in IT cybersecurity and Industrial Control Systems, Computer Forensics, Information Security Management Systems, Incident Response and Incident Management. He is an industrial cybersecurity researcher at the University of Florence, Italy, and a trainer and lecturer cooperating with academia, universities and training centers, delivering lectures on all aspects of ICS, information security, risk management, ISMS, BCM, cyber threats and cybercrime investigations. He is a former Cybersecurity Director at top-5 companies in the energy and oil sector in Poland, responsible for all aspects of industrial cybersecurity, and former Head of the Incident Response Team at the largest energy company in Poland. He is a member of the management board at EE-ISAC (European Energy – Information Sharing and Analysis Centre). He holds many IT certifications: CISSO, CDFE, CPTE, CIHE, ISO/IEC 27001 Lead Auditor, CDRE and Lead PenTest Professional, and is a member of ISACA and ASIS International.
