On June 22, 2023, the Polish telecommunications regulator (the President of UKE) announced an auction of 3,6 GHZ frequencies intended for the 5G network. The auction will consist of a few phases, including submissions of initial bids, a formal assessment, trial auctions, auctions, and reservations of frequencies. It is expected that the auction will be settled this year. Despite the announced plans, the auction is affected by significant cybersecurity issues which have yet to be resolved.
A few days after the auction announcement, a draft act amending the Act of 5 July 2018 on the national cybersecurity system was submitted by the Government to the Polish Parliament (Sejm). One of the most important changes proposed in the draft act is the inclusion of telecommunications undertakings and the introduction of provisions on so-called “high-risk suppliers.” The new act defines a high-risk supplier by specifying technical and non-technical conditions to be recognized as one.
Technical conditions focus on the supplier’s products and include information on the number and types of detected vulnerabilities and incidents regarding products, services, or processes provided by the supplier, and cybersecurity certificates for those products, services, or processes, issued or recognized in EU member states or NATO. Non-technical conditions include the ownership structure of the supplier of hardware or software, the ability of the supplier’s country of origin to interfere with the supplier’s freedom of economic activity, or legislation and the application of laws on the protection of personal data, in particular when there are no agreements on the protection of such data between the European Union and the supplier’s country. All conditions will be assessed through the lens of counter-terrorism and intelligence and economic or other threats to national security that the supplier may pose, taking into account information on threats received from EU member states or bodies of the European Union or NATO.
A high-risk supplier will be recognized after a few months of proceedings by way of a decision issued by the Minister of Digitization. If a supplier gains the status of a high-risk supplier, entities of the national cybersecurity system will not be allowed to use any new products, services, or processes from that supplier and will be obliged to remove the currently used ones within seven years of the decision.
The assessment of suppliers’ risk profiles as well as measures to counteract cyber threats from high-risk suppliers come from the documents issued by the European Commission – the so-called “EU 5G Toolbox.” The concept acquired a legal form last year in the NIS 2 Directive. The new directive contains provisions on the security of the supply chain, providing for the assessment of risks related to the security of critical supply chains, corresponding to the risk assessment carried out for the 5G network. It also contains provisions on the inclusion of supply chain policies in the national cybersecurity strategies prepared by member states.
It seems unlikely that the new law will be passed before the parliamentary elections that will take place this autumn. Thus, it is unlikely it will come before the first months of 2024, which may pose a problem to the announced auction in light of the expected cybersecurity requirements imposed on wining telecommunications operators.
Once passed, the new law will apply to a broad spectrum of sectors since the entities of the national cybersecurity system include not only telecommunications firms but also companies from the banking, financial, and healthcare sectors. In the future, that group will be expanded on the basis of the provisions of the NIS 2 Directive to include, among others, numerous production sectors, such as the manufacturing of motor vehicles, computers, electronic and optical products, and medical devices. This means that those entities will also be obliged to follow the rules concerning high-risk suppliers’ products.
The 5G auction was already announced by the Polish telecommunications regulator in 2020 but was unexpectedly canceled – allegedly, due to the pandemic. Hopefully, this auction will be successful, because the Polish market keenly awaits the arrival of 5G technology.
By Agnieszka Besiekierska, Head of Digital Business, Noerr Poland
This article was originally published in Issue 10.7 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.
