Abstract
The Act of 5 July 2018 on the national cybersecurity system specifies how the measures provided for in the National Cybersecurity System are to be implemented; the main goal of the system is to prevent occurrences prejudicial to cybersecurity and to respond to the consequences of such events. The Act therefore defines measures aimed at minimizing the dangers arising from violations of the confidentiality, integrity, accessibility and authenticity of processed data. One method of eliminating occurrences that may adversely affect the functioning of IT systems is to specify the duties imposed on Key Services Operators and Digital Services Providers. Those duties apply, inter alia, to the energy sector, air, road and water transport, banking and financial markets infrastructure, digital infrastructure and the health care sector. All sectors, subsectors and types of entities subject to the Act are listed in the appendix thereto, while detailed information on key services is provided in the List of Key Services in the Ordinance of the Council of Ministers of 11 September 2018 concerning the list of key services and materiality thresholds of a distortive consequence of an incident for the provision of key services. Apart from the division into sectors, subsectors and types of entities, the List of Key Services also defines all key services covered by the Act and the individual criteria used for risk evaluation, the so-called "materiality threshold of a distortive consequence", which serve to assess, among others, such factors as the time and scale of an incident and its potential impact on business, social activity and public safety.