Abstract

Both the NIS Directive and the Polish Cybersecurity Act regulate the exemption of telecom operators from the application of cybersecurity rules as in as far as security requirements and incident reporting are concerned. However, this regulation does not mean that telecoms operators are completely excluded from the national cybersecurity system. It is possible to consider a telecom operator as an operator of the essential services or a digital service provider - in such case, this entity will be subject to the regulations of the Cybersecurity Act and, what is more, it will also be subject to the obligations imposed by the Telecommunications Act.

The regulations contained in those acts follow the risk-based approach - thus, the assessment of which organisational and technical measures will be appropriate and proportionate is the responsibility of the entity that is to implement them. This approach of the legislator allows telecom operators to adopt uniform technical and organisational measures both as regards telecommunications services and digital services or essential services. It seems that the adoption of the European Electronic Communications Code and its implementation into Polish law will not change this situation and will not introduce many changes to the security of networks and services in relation to the regulations currently in force.