By 17 October this year, EU member states are required to implement the NIS 2 Directive, which changes the cybersecurity landscape in the European Union. Public administration bodies have been included as regulated entities, implying changes to public procurement law. The changes affect both the central and local government levels.

At the end of April, a draft law was published, providing new grounds for the rejection of a bid in a public procurement procedure. These include:

  • bids involving an ICT product, ICT service or ICT process identified in the recommendations of the Government Plenipotentiary for Cybersecurity regarding the use of IT devices or software as having a negative impact on public safety or national security;
  • bids involving an ICT product, the type of which is specified in a decision concerning the designation of a supplier as a high-risk supplier, or an ICT process, as specified in that decision.

While this is the only change introduced to the Public Procurement Law at the moment, public entities are also required to consider other cybersecurity issues, including:

1)           The need to take into account the so-called cybersecurity of the supply chain – both at the stage of the public procurement procedure and at the contract execution stage. According to the draft law, public entities are obliged to implement technical, organisational measures that are appropriate and proportionate to the assessed risks, ensuring the security and continuity of the supply chain of ICT products, ICT services and ICT processes crucial to the provision of the service, taking into account the relationship with the hardware or software supplier;

2)           Audit obligations during the performance of the contract – the law imposes an obligation to conduct, at the entity’s own expense, a security audit of the IT system used to provide the service at least once every 2 years;

3)           Cooperation on the part of the contractor in the event of the detection of a cybersecurity incident;

4)           The need for a so-called security order to be implemented by the Minister for Digital Affairs in the event of a critical incident;

5)           The possibility of terminating the contract, e.g. in the event that an administrative decision is issued against the contractor, which is a key entity, ordering the rectification of an infringement of the Act, imposing a fine or deleting the contractor from the register of regulated activities.

The draft law is at the legislative stage and the final form may therefore still be subject to change.


Author: Marta Pasztaleniec, Attorney‑at‑law, Senior Associate

More from Traple Konarski Podrecki & Partners