Cybersecurity and public procurement in Poland. Legislative proposal to amend the National Cybersecurity System Act
The National Cybersecurity System Act of 5 July 2018 forms the legal and institutional bases for cybersecurity in Poland. On 12 October 2021, a controversial proposal to amend the act was submitted for consultations. This could have major implications, including for the public procurement market in Poland. The proposal allows a business undertaking to be classified as a high-risk supplier, and this may result in a bid being rejected.
The proposal has been commented upon as possibly aimed at certain manufacturers based in non-EU and non-NATO countries. For this and other reasons, work on the bill is beginning to become protracted. On 12 October 2021, a version was published that is theoretically close to the final version.
The amendment provides for proceedings to classify a hardware or software supplier as high-risk. This is to be decided by the minister responsible for computerization, if they consider the supplier to pose a serious risk to defense, state security, public safety or order, or human life and health. The Cybersecurity College will issue an opinion on this subject. According to the statement of reasons for the amendment, the College’s opinion may be based on substantive criteria, but other aspects which are “non-technical” may be considered as well. This gives rise to a risk that the minister’s decisions might be arbitrary, and concerns that decisions may be politically motivated in some cases.
In cases of public procurement proceedings conducted by entities listed in the proposal for art. 66a(1)(1) – (4) which at the same time are contracting authorities bound by the Public Procurement Law of 11 September 2019 (for example national cybersecurity system entities, which include many state entities), a decision naming a supplier as high-risk will have serious consequences for that supplier. Contracting authorities in the public sector will not be permitted to purchase hardware and software, or services, specified in the decision. This means that a bid submitted by a high-risk supplier would have to be rejected. As a result, the entity concerned would be eliminated from the market in the case of public tenders subject to the National Cybersecurity System Act with respect to the products named in the decision.
TKP is monitoring work on the amendment and we will provide updates on progress on the bill in future newsletters.
More can be found on the subject discussed above on our Polish blog.