Implementing compliance with the National Interoperability Framework (KRI)
The Act of 5 July 2018 on the National Cybersecurity System applies to both companies and institutions.
The Act refers to:
- Key Service Operators (OUK), including, among others, the largest banks, companies from the energy sector, air and rail carriers, shipowners and hospitals,
- Digital Service Providers (DUC), including, among others, companies operating online marketplaces,
- public institutions.
The purpose of the Act is to implement Directive (EU) 2016/1148 of the European Parliament and of the Council on measures for a high common level of security of network and information systems across the Union into the Polish legal system.
The Directive requires States to guarantee a minimum level of cybersecurity capabilities. This is achieved by establishing competent authorities and a single point of contact for cybersecurity, setting up Computer Security Incident Response Teams (CSIRTs) and adopting national cybersecurity strategies.
In addition, the Directive lays down obligations to ensure the cybersecurity of information systems in the service sectors that are essential to maintaining critical socio-economic activities.
Key aspects of the implementation include:
1. Organisation of roles, responsibilities and authorisations in the area of security of ICT systems.
2. Development of contractual provisions for the security of ICT systems.
3. Development of incident management, including the incident handling process:
- identification of incidents,
- the method of monitoring events related to the security of systems,
- the method of reporting,
- reporting of incidents to the CSIRT within 24 hours of their discovery.
4. Development of the risk assessment process:
- internal rules describing the risk management methodology,
- documentation of the periodic risk analysis covering loss of integrity, confidentiality or availability of information, including a risk register that records each identified risk, its level and the plan for dealing with it, in accordance with ISO/IEC 27005.
5. Development of the access control process:
- internal rules describing the management of user rights to work in ICT systems,
- rules for controlling access to ICT resources.
6. Development of business continuity rules:
- internal rules defining how backups of data and systems are created, stored and tested,
- business continuity plans.
7. Development of change control policies:
- internal rules describing the requirements for the implementation of systems,
- internal rules describing the method of making changes to ICT systems.
8. Development of rules for documentation control:
- rules to ensure access only for authorised persons,
- internal regulations describing the principles for managing National Cybersecurity System (KSC) documentation,
- principles for ensuring the confidentiality, integrity and availability of documentation.