The issue of the system of control and supervision of operators of essential services, digital service providers, and entities providing cybersecurity services, is a current and important research problem. The Polish legislators regulated the issue of supervision and control in the National Cybersecurity System Act of 5 July 2018 (the NCSA). The provisions of Article 53 of the NCSA introduce the principle of supervision over the functioning of the national cybersecurity system which is exercised by the Minister competent for computerisation and the authorities accountable for matters of cybersecurity.

It should be stressed that the National Cybersecurity System Act regulates both control and supervision. It is worth noting that in the Polish legal system, the terms “control” (kontrola) and “supervision” (nadzór) are often perceived as synonymous and applied interchangeably. Therefore, it seems appropriate to attempt to define the notion and essence of “control” within the present theoretical framework, and in compliance with the requirements of the existing practice, and to analyse the term “control” as opposed to “supervision”. The deliberations presented below are an attempt to clarify the meaning of these coexisting terms. Finding, confronting, and commenting on the analogies and differences between them might be helpful in the context of legal terminology. Accuracy in nomenclature is as vital in the domain of control as in any other field. The proper interpretation of the increasingly complex reality would be difficult without a correct hierarchy and classification, and it would be even more difficult to modify it in the desired direction.

The term “kontrola” has been in use for a long time, and the scope of the discussed notion has evolved over the centuries as the volume of sample material has increased. The dispute over the origin of the word in the Polish language still continues. French and British origins are considered. While the French etymology of the word “le contrôle” suggests an association with documenting taxes collected from taxpayers,Footnote 1 and indirectly emphasises the function of document authentication,Footnote 2 the Anglo-Saxon etymology of “control” points to the concept of power, i.e. the analogy between control and exercising public authority.Footnote 3 In this case, “control” means “exercising political authority” (administration).Footnote 4

In the Polish language, “kontrola” combines both traditions. It generally means verifying, assessing something, reviewing an activity. On the other hand, the term also expresses the essence of having an impact, influence on someone. The phrase “someone controls something” is associated with power, having an influence on something.

Two different approaches to the definition of control are distinguished in the literature:Footnote 5 (a) general (control in the managerial sense) and (b) specific (control in the functional sense).

In the case of the general approach, control is defined as an approved management system (procedures, instructions, principles, mechanisms) for obtaining the rational certainty that the objectives of management will be achieved; the process by which specific actions are managed.

The specific approach, concerning “the functional dimension of control”, emphasises the process of verification and assessment. Academic textbooks and scientific studies provide definitions referring to a sequence of actions identified in this manner.Footnote 6

J. Płoskonka stresses that control in the functional aspect relates to observations and review (of a case or result), assessment (based on a specific pattern), diagnosis formulated if any irregularities are found, and reaching conclusions.Footnote 7 The process of comparing the existing and desired state of affairs encompasses the sequence of consecutive actions: review—identification—assessment—diagnosis—conclusions.

Clearly, control is one of the functions of management defined as a comparison between what has been implemented and what is desired, as the identification of discrepancies and explanations for their reasons.Footnote 8 The definition formulated by J. Jagielski, describing control as a function encompassing four phases, is worth distinguishing from among the definitions provided by legal commentators. The first phase involves the monitoring and reviewing of activities; the second relates to the assessment of such activities by confronting the actual picture with the respective initial assumptions. The purpose of the assessment is to determine regularities or irregularities in specific actions. The diagnosis concerning the potential reasons for irregularities is enumerated by the author as the third phase, and conclusions on the future of such actions are mentioned as the fourth phase. “The discussed aspects of control show that control is not limited only to a single action, but rather that it assumes a certain process.”Footnote 9 Accordingly, E. Chojna-Duch points out that “control is interpreted as a process (activity) involving a comparison between the regulated condition (postulated, defined) and the factual one (implemented, real). Therefore, to control is to ensure coherence between the required and the actual condition.”Footnote 10 In the opinion of B. R. Kuc, “control is a phase (an intrinsic component), a cycle, of an organised action. In general, conclusions drawn from it are the starting point for the next action.”Footnote 11 K. Winiarska presents the opinion that “control is about continuously ensuring that the result of an action is consistent with its objectives, and that all activities and measures applied in the process of control are effective.”Footnote 12

In defining control, J. GnoińskiFootnote 13 and M. Zembaty emphasise its correlation with human activities. “Control is integral in organising and directing human activities. Its function is to compare the specific and actual condition with the objectives, and to identify any potential irregularities in the actual condition as compared to the assumed framework of reference.”Footnote 14 No activities may be carried out in an organised and reliable manner without proper control. W. Kieżun additionally emphasises that, as a rule, “man is not keen on working, so he must be forced to work and permanently controlled”. Therefore, control is also an element of pressure generating a sense of threat, and thus, motivating a human being to work.Footnote 15

S. Kałużny states that the following actions are the components of the notion of control: determining the existing condition (the objectives); determining the actual condition (the performance); comparing the performance and objectives in order to identify regularities or irregularities within them; and explaining the reasons for the regularities or irregularities found in the performance and objectives. The author points out that the two basic elements of human activities—objectives and performance—are the starting point for defining the notion of “control”.Footnote 16 Special attention should be paid to the problem of setting objectives. It should be noted that the setting of objectives is not part of control activities, and that it goes beyond the notion of control. However, control may be used for analysing and identifying the objectives which are not adjusted to the actual reality, and hamper or obstruct the achievement of the defined objectives.Footnote 17 As K. Wierzbicki rightly notes, control assessments may not be based on the imagination and intuition of the controller, i.e. on subjective premises. Control does not exist if it is not accompanied by the specific objectives accepted as the basis of comparison.

J. Płoskonka presents a new approach to the notion of control by contrasting the “contemporary” and “traditional” approaches. According to the author, the traditional method focuses on inspection, responding to the violation of the applicable law. Control actions interpreted in this way are of horizontal and corrective nature. The contemporary method concentrates on the assessment of the achieved results, where compliance with the law is the necessary, but incomplete, condition.Footnote 18

The deliberations presented above suggest that the term “control” can be interpreted in different ways: as functional (specific); as an extensive process of reviewing and assessing (a sequence of the consecutive actions: identification—assessment—diagnosis—conclusions); and managerial (general) as a management support system applied in an organisation. Therefore, the notion of control has a broad meaning. A specific definition should be applied for the purpose of deliberations on the control exercised over the operators of essential services, digital service providers, and entities providing cybersecurity services. In this sense, control serves as a tool for comparing the actual condition with the postulated one.

In Article 53 of the NCSA, the term “control” is accompanied by the term “supervision” (“nadzór”). These notions are closely interrelated, but markedly different despite their many common features. In the Polish language, “nadzór” is a concept broader than “kontrola”. It encompasses not only the verification, but also the components, of management. In the case of supervision, there is primacy (domination and subordination), i.e. the attributes missing in the notion of control. It means that, as well as controlling an entity’s activities, a supervisory authority may also issue binding instructions to such an entity. Supervision is not limited to monitoring, but it is linked with management through directives.Footnote 19 In this case, control activities are carried out by a permanent control department at the request of the supervising authority. If the control is carried out by the control department, binding decisions are issued by the supervisory authority, not by the control department. J. Starościak notes “where there is the right to give and observe instructions, there is supervision.”Footnote 20 Accordingly, supervision is not limited to monitoring, but it is linked with an aspect of management.Footnote 21 Control does not provide the right to issue follow-up recommendations based on the results of control and aimed at regulating specific matters. The powers of control are limited only to the issuance of recommendations and conclusions. These powers encompass only the right to recommend the observance of something which was regulated but remains neglected. Such recommendations, however, do not relate to administration or management, which are associated with supervision.

J. Gnoiński defines supervision as “the permanent, active monitoring of the activities of a given entity, and, consequently, associated with acts of intervention (the issuance of decisions). Therefore, it is a combination of control activities and management.”Footnote 22

There is one more significant difference between control and supervision, i.e. supervisors are responsible for the substantive activities of the supervised entities, whereas the control authorities monitor the proper course of control.

Additionally, J. Jagielski suggests that, in general, supervision is a legal category not defined by the norms, which appears in various domains of legal regulations.Footnote 23

Supervision has a meaning broader than control. Supervision always encompasses control with the option of giving imperative instructions. To be more precise, supervision is permanent and concurrent control over the activities of dependent or subordinated entities, exercised by the authorities or organisational units having the right to issue the relevant decisions aimed to improve, order, guide or advance the activities of the above category of authorities or organisational units.Footnote 24

Supervision can take three forms: preventive, successive, and repressive. In the case of the preventive form of supervision, a lower executive is obliged to consult on his or her decision with a supervisor before such a decision is made, or to submit the draft decision to the higher executive for approval. Supervision in the successive form consists of entrusting the higher executive with the right to annul the decision which is made at any stage. When supervision takes the repressive form, the supervisory authority has the right to impose disciplinary sanctions on the supervised personnel. These aspects are absent in the process of control.

The above analysis shows the basic differences between the notions of control and supervision. It seems that supervision is similar to overseeing, the essence of which is based on the simple protection of the matters exercised directly by the overseeing authority. The organisational, hierarchical relations between the supervisor and the supervised entity are key components of supervision. As O. Bogacz-Miętka rightly notes, supervision is broader than control, “as it consists of not only control powers, but also the authority to issue guidelines and recommendations to the supervised entity.”Footnote 25 On the other hand, individuals exercising control who are not superiors (supervisors) might give their instructions only with regard to the matters concerning control. Other authorisations than the issuance of binding instructions are missing in the case of control. Control only entails a reliable observer obliged to present the so-called “control snapshot”. However, he or she is not involved in management, and is not responsible for the circumstances existing in the controlled entity, but only for the reliability of the control as such.Footnote 26

The Polish legislators have appointed the Minister competent for computerisation as the supervisory authority. The Minister verifies whether the internal structures or entities providing cybersecurity services, appointed by the operator of an essential service, are observing:

1. the requirement to satisfy the organisational and technical conditions ensuring the cybersecurity of the supported operator of an essential service;
2. the requirement to have the premises facilitating the provision of the services with regard to incident-handling, protected against physical and environmental risks;
3. the requirement to apply protections aimed at ensuring the confidentiality, integrity, availability, and authenticity of the processed information involved, including the safety of people, operations, and system architecture.

Therefore, the authorities in charge of cybersecurity matters verify whether the operators of essential services are fulfilling the obligations arising from the Act concerning counteracting cybersecurity risks, and reporting major incidents, and whether digital service providers are satisfying the requirements concerning the safety of the digital services provided by them, defined in Implementing Regulation 2018/151, and whether they are meeting the obligations arising from the Act concerning the reporting of major incidents.

The Polish legislators have rightly noted that supervision is limited to control and the authority to impose fines on the operators of essential services and digital service providers. It means that control is one of the mechanisms of supervision.

The provisions of the NCSA define the material and subjective scopes of control. The material scope encompasses the activities of internal structures appointed by the operators of essential services, or the entities providing cybersecurity services. On the other hand, the subjective scope relates to the requirement to satisfy the organisational and technical conditions ensuring the cybersecurity of the supported operator of an essential service; the requirement to have the premises facilitating the provision of services in the field of incident-handling protected against physical and environmental risks; and the requirement to apply protections aimed at ensuring the confidentiality, integrity, availability, and authenticity of the processed information, including the safety of people, operations, and system architecture. The NCSA also defines the additional components of the control procedure, especially the resulting powers and obligations of the supervisory authority and the controlled entity. In this ambit, the discussed regulation leads to a large number of various legal solutions with regard to control procedures.

The provisions of Chapter 5 of the Entrepreneurs Law should be applied to the control proceedings instigated by the Minister competent for computerisation, aimed at verifying whether the statutory requirements are satisfied by the internal structures or entities providing services in the field of cybersecurity, which were appointed by the operator of an essential service.Footnote 27 In general, control needs to be exercised under the rules defined in the Act on Entrepreneurs, and the provisions of the specific Acts should be applied to control which exceeds the scope regulated under the above-mentioned law. Control authorities have an absolute obligation to apply the provisions of Chapter 5, which defines specific control standards, and then the provisions of the specific Acts. The latter may be applied in a scope not regulated by the provisions of the Entrepreneurs Law.

The control exercised under the Entrepreneurs Law needs to be carried out in accordance with the following principles: the principle of legality, proportionality, and the selection of a legal measure applicable to a specific situation; the principle of minimising the burden of the control procedure; the principle of balancing the public interest and the legitimate interests of the controlled entities; the principle of objectivity; and the principle of the right of the controlled entrepreneur to information concerning the control procedure.Footnote 28

It should be noted that where the authorities responsible for matters of cybersecurity are carrying out controls to verify whether the operators of essential services are fulfilling the obligations arising from the Act involving counteracting the threats to cybersecurity and reporting major incidents, and whether digital service providers, being entrepreneurs, are satisfying the requirements of the security of the services provided by them specified in Implementing Regulation No. 2018/151, and whether they are implementing the obligations arising from the Act concerning the reporting of major incidents, such authorities should apply the provisions of Chapter 5 of the Act on Entrepreneurs. The provisions of the Act of 15 July 2011 on Control in State Administration should also be applied to the above-mentioned entities which are not entrepreneurs.Footnote 29

In Article 55 of the NCSA, the legislators defined the rights of individuals controlling entities who are entrepreneurs. This provision introduces an extensive catalogue of powers entrusted to the controller, the implementation of which is intended to ensure an efficient control process. This control cannot be carried out without free access to the documents and materials encompassed by the scope of control. The right to review documents, file applications for the preparation of copies, duplicates, or extracts from the documents and estimates needed to exercise control, is also important. An employee requested by the controller to prepare such documents, or to make them available, may not reject this request. According to Article 55 of the NCSA, controllers have the right of free access and movement around the controlled entity without a pass. However, the controller is obliged to observe the principles of conduct concerning the access-control systems implemented in the controlled entity. The controller should observe the control procedures implemented in certain controlled entities, e.g. concerning luggage control.Footnote 30

Special attention should be paid to Article 55(4) on the processing of personal data in the scope needed to achieve the purpose of the control. The Head of the controlled entity may not refuse the controller access to personal data solely on the basis of the lack of the relevant authorisation to process personal data issued by the controlled entity, or the failure to show such authorisation issued by the controlling entity.Footnote 31 The controller needs to process this personal data for the purpose of the control, and to exercise the powers and obligations entrusted to the controlling entity under the NCSA.

Under Article 55(5) and (6), the legislators established the principle under which evidence assessment may be freely applied. The controller may request the submission of oral or written explanations on the matters concerning the scope of control, and visually inspect the informational equipment, carriers, and systems. The principle of the free assessment of evidence is the main basis of evidentiary proceedings. The acceptance of the concept that the evidentiary proceedings should be based on the principle of the free assessment of evidence is justified by the fact that an authority establishing the facts on the basis of the evidence should not be restricted by any provisions as far as the value of individual types of evidence is concerned, and it should be able to freely establish the state of facts in a given case, based on the assessment of the result of the evidentiary proceedings (preliminary investigation), i.e. according to its sole discretion. The free assessment of evidence needs to be made in accordance with the standards of procedural law and the observance of the specific rules on assessment. These rules are as follows: relying on evidence collected by such an authority, making assessments on the basis of all the evidence, establishing the importance and value of the evidence, and reasoning in accordance with the rules of logic.

The provisions of Article 55 of the NCSA are consistent with the provisions concerning the obligations of the controlled entities who are entrepreneurs as defined in Article 56 of the Act. The controlled entity is obliged to ensure the conditions needed to carry out the control in a reliable manner. The obligation of reliable cooperation with controllers, especially in the form of the submission of documentation and written and oral explanations in line with the best knowledge, is imposed on the employees of the controlled entity. This provision expresses the principle of the efficiency of the procedure. The legislators have imposed on the Head of the controlled entity specific obligations to provide controllers with the genuine facility to carry out the control in accordance with the directives arising from the principle of minimising the burden of control activities. The controlled entity is obliged to afford the controllers conditions allowing the reliable course of control, by:

1. immediately submitting the requested documents;
2. providing timely oral and written explanations on the controlled matters;
3. making available the necessary technical means;
4. preparing, at its own cost, duplicates or printouts of documents and information stored on information carriers, equipment, and systems.

It should be noted that the Polish legislators have imposed on the controlled entrepreneur the obligation to ensure reliable cooperation with the controllers. The regulation provided in Article 56 of the NCSA confirms the reliable and correct course of the control procedure. The obligations imposed on the controlled entity under the Act do not supersede the solutions commonly applied within this scope, and concerning other control procedures. The appointment of an employee responsible for cooperation with controllers on behalf of the entrepreneur, and for the implementation of the obligations imposed on the controlled entity under the Act, is the solution often applied in the practice of control.

The main obligation of the controlled entity is to ensure the immediate submission of the requested documents. The term “document” is not uniformly interpreted in the field of control. This notion is used with regard to the so-called “carrier of information” which can be meaningful in the control procedure, i.e. the source of evidence in a written form. Under the NCSA, a broad interpretation of a document may be applied. The following are the important components of a document serving as evidence in the control procedure: the written form, i.e. its graphical aspect; the content of a document, i.e. the information contained therein; and the author of the document, i.e. the entity expressing an opinion in the document.Footnote 32 First, to be considered as a document, an item needs to be prepared in writing. It should be produced with the use of graphic characters, i.e. writing (handwriting, print, typewriting). It seems that plans, sketches, and designs may also be considered documents, because they are graphical representations expressing particular content, replacing verbal description, or placed next to it. Second, the document should express human thought in the form of a statement of will or knowledge, so it should encompass a certain intellectual content. Because the content is information for the controlling authority, a document becomes the source of evidence for a particular control fact. Third, the issue of the authorship of a document is associated with the person who prepared it. A document provides evidence in the form of intellectual content, i.e. the thought content. Then, evidence from a document is collected by rewriting its content in the control report.

The controlled entity is obliged to certify that the submitted documents are consistent with their originals. If confirmation of consistency with the originals is refused, the documents should be authenticated by the person carrying out the control activities, and the fact of such authentication should be mentioned in the control report. The controlled entity is also obliged to provide written and oral explanations on the controlled matters on time. Information on the established facts may be provided to the controller by a present or former employee.

Pursuant to Article 57 of the NCSA, the person carrying out control activities with respect to entities who are entrepreneurs establishes the facts on the basis of evidence collected in the course of the control, especially documents, items, and visual controls, as well as oral or written explanations and statements. That Article reflects one of the basic principles of the control procedure—the principle of objective truth. According to this principle, control findings should illustrate the true picture of the controlled activities. The principle of the objective truth applied in the control takes the form of the objective and honest establishment or presentation of the control findings, based on reliably collected evidence.

Evidentiary proceedings are one of the most important stages in the control procedure. Under the control procedure, the controller establishes the actual state and the control facts based on the collected evidence. The actual state must correspond to the reality, i.e. it needs to be proved. The interpretation of the provision set out in Article 57 allows us to state that the issue of the selection of evidence is entrusted to the controller. In an attempt to establish the actual state of the facts, the controller selects evidence at his or her sole discretion.Footnote 33 It should be noted that the Polish legislators have pointed out that evidence encompasses, in particular, documents, items, visual controls, and oral or written explanations or statements. The provisions of the NCSA do not provide a hierarchy of evidence. Each piece of evidence with an impact on the establishment of the actual state needs to be considered.Footnote 34

In the context of Article 57 of the NCSA, an analysis of the notion of evidence leads to the conclusion that treating a document, statement, or item as evidence is only a mental shortcut. A clear distinction among the following notions—evidence, element of proof, and source of evidence—is particularly important for the proper understanding of the discussed issue. A control fact, which is provided to the controller in the course of the control procedure by, e.g., the content of the document, is the subject of reasoning. The content of the document does not form the evidence, but it is rather an element of proof used by the controller to establish the control fact. On the other hand, the document itself is the source of evidence. The evidence source contains potential evidence which is only revealed to the controller.Footnote 35 An analysis of Article 57 of the NCSA shows that, while defining the control evidence, the legislators used the three meanings of evidence—as a source of evidence: a document or an item; an element of proof: oral explanations or statements; and also as a method of collecting evidence—inspection. It seems that the discussed structure forms a kind of mental shortcut.

The NCSA enumerates the following types of evidence: (1) documents, (2) objects, (3) visual inspection, (4) oral or written explanations or statements. The enumerated evidence does not form a complete catalogue. The phrase “in particular” used by the legislators suggests that this catalogue is open, and it means that the controller may accept other evidence not enumerated in the Act, but should also define the manner of the evidence-taking by the proper application of the provisions concerning the pieces of evidence defined in the Act. As a result, these are unnamed pieces of evidence. In the Judgment of 20 July 2017, the Court of Appeal in Poznań noted that, in addition to documents, expert opinions and visual inspections, photographs found on the Internet may also be considered evidence.Footnote 36

In control practice, physical evidence is not used as often as documentary evidence. However, physical evidence is worth considering due to the quality of the provided information. As far as physical evidence is concerned, the pieces of evidence obtained from it are not easily distorted in terms of the manner in which they are perceived, remembered, and restored. In particular, any object with features which can provide the controller with information may form physical evidence. When the items are examined, the controller establishes the findings by analysing the external features of such objects. Visual inspection is the method of accepting physical evidence.Footnote 37

Visual inspections of objects are made in order to establish their external or internal properties. Their perceived features need to be confirmed in the visual inspection report. The purpose of visual inspection is to establish the state of the objects and their properties. The need for deriving evidence from the items is each time decided by the controller. The control practice shows that the most common mistakes made in formulating findings from visual inspections are (a) the provision of data which cannot be established under visual inspection, but which arise from other documents, (b) subjective opinions and assessments, and (c) explanations and statements given by individuals participating in the visual inspection.

Explanations and statements are yet another type of evidence providing the controller with information from personal sources.

Each employee, including the head of the controlled entity, may be requested to provide explanations. In general, the circumstances accompanying disclosed irregularities are usually the subject of provided explanations. The procedure for documenting explanations can take two forms: written—when the person giving explanations prepares the explanations individually and submits them to the controller, and oral—when the controller writes down the explanations in the form of a report and signs it along with the person giving the explanations.

While taking evidence in the form of explanations, the controller is obliged to make sure that the explanations are comprehensive. The controller has the right to request explanations, and may exercise this right at his or her sole discretion. In practical terms, it is necessary to obtain explanations from persons named as being responsible for the disclosed irregularities. Discrepancies between the control findings presented in follow-up opinions and the explanations obtained are inadmissible. If this happens, the disclosed irregularities need to be justified by the collected evidence, identifying the part of the explanations incompatible with the truth and providing the reasoning behind such irregularities.

As far as statements are concerned, a current or former employee of the controlled entity, as well as any other person providing the controller with information covered by the control, may be a source of evidence. The range of persons who may give evidence (the subjective catalogue) is therefore broader, and it can also include persons from outside the controlled entity. The source of the initiative is the basic difference between evidence from explanations and evidence from statements. In the case of explanations, the controller is always the originator, and in the case of statements, it is the person giving the statement.Footnote 38 It should be stressed that if statements are taken, the controller’s conduct depends on the type of information given in the statement. If the information lies within the scope of the control, and its value is significant, it may be used in the control process as evidence. If it deviates from the subject of the control, it may either be used as a starting point for further actions, such as broadening the control subject, or be set aside without consideration.

In Article 58 of the NCSA, the legislators assumed the principle according to which a report of the controlled activities carried out with reference to entities who are entrepreneurs needs to be drawn up. According to the implemented solutions, the findings made in the course of the control should be documented in the control format to which the appeal procedure may be applied. This format encompasses the mandatory elements defined under the Act, including the trade name or the name and surname and address of the controlled entity; the name and surname of the person representing the controlled entity; the name of the authority representing the entity; the name, surname, function, and authorisation number of the controller; the start and completion dates of the control activities; the identification of the subject and scope of the control; a description of the actual state established in the course of the control; and other information of significant importance for the carried-out control, including the scope of, reasons for, and results of the disclosed irregularities, and a list of appendices. The legislators do not impose any limitations concerning the volume of the document, but it should be remembered that conciseness is one of the features of a properly prepared follow-up document.

The report includes the trade name or the name and surname, and the address, of the controlled entity. Generally, there should be no doubt about the interpretation of this provision. Sometimes, however, the fact that the entity is based in several locations, or that its address changes during the course of the control, can raise some difficulties. The report also includes the name, surname, official position, and authorisation number of the controller. All persons carrying out the control need to be named, whether the control is carried out by a single person or by a group of controllers.

In Article 58(2)(4) of the NCSA, the legislators stated that the report should include the dates of the start and completion of the control activities. This is technical information. Generally, the date of the start of a control is the same as the date given in the authorisation. The date on which the controller or the control team finishes their work in the controlled entity is assumed to be the date of completion of the control activities. It should be stressed that any breaks taken in the course of the control may be recorded in the control report.

The report also includes the subject and scope of the control. The subject of the control relates to the issues which need to be verified, and the scope relates to the period for which these issues will be verified.

The control report should also include a description of the actual state established in the course of the control, and other information of significant importance for the control being carried out, including the scope of, reasons for, and results of any irregularities. This is the most important element in the follow-up document—the essence of the control procedure. The ability to establish the actual state of facts should be the basic feature of the controller’s skills. It should be stressed that the purpose of a control carried out in accordance with the provisions of the NCSA is to establish the actual situation, and any potential irregularities. These are the basics of the controller’s work, because a control consists of an examination or review, the purpose of which is to establish the actual state of the facts, to compare it with the desired state of the facts, and to make an assessment of them. Here it should be noted that in the findings the controller should discuss any irregularities, and also the examined elements which should be considered as positive.

If any irregularities are found, their scope, reasons, and results should be discussed. These elements form the so-called control facts. The concept of the control facts on which the description of the actual state of facts is based, encompasses the following components: the applicable legal standard, any action or neglect departing from the rule, the reasons for and results of any derogation from the rule, and the identification of responsible persons.Footnote 39 The control fact may not be merely an allegation—it has to correspond to reality, i.e. it needs to be proved. The scope of, reasons for, and results of irregularities have to arise directly from the evidence collected under the control procedure. The basic tasks of the controller include establishing the scope of the irregularities (what happened), the reasons (why it happened) and the effects of the disclosed irregularities (what the results were).

The control report is handed over to the person representing the controlled entity. It needs to be signed by the controller—the person carrying out the control activities—and the person representing the controlled entity. The controller is responsible for the document as its author. The controller’s signature on the document means that its content has been accepted by the controller. If the control is carried out by a group of controllers, the document needs to be signed by all the persons carrying out the control activities. The signing of the control report by the expert delivering the opinion on the control subject does not seem to be appropriate. The expert is not the controller.

The analysis of Article 58 of the NCSA shows that the control report does not include any instructions addressed to the person representing the controlled entity concerning the right to submit a statement of objections to the report. Nevertheless, the person representing the controlled entity has the right to submit objections before the report is signed, and needs to do so within 7 days from the day when the report is presented to the controlled entity for signing. This is a relatively short period of time. The objections should be expressed in writing and reasoned, i.e. their justification should be presented. The objections should point out the part of the document prompting the objections, what is being questioned by the objecting party, and why. Moreover, the objections should include supporting evidence and, potentially, the suggested new content of the document.

The procedure assumed by the legislators in this situation ensures the observance of the adversarial principle for the benefit of the controlled entity, and it also provides an opportunity for collecting the complete evidence on which the established state of the facts is based. Apart from the adversarial principle, the discussed provisions relate to the principle of using the written form. The objections expressed by the controlled entity should be submitted in writing. The submitted objections should indicate the new facts, and present specific information or documents. If possible, any additional documents should be attached to the objections as appendices. If objections are reported, the person carrying out the control activities analyses them and, as necessary, carries out additional control activities; if the objections are found to be justified, that person modifies or complements the relevant part of the document in the form of an annex to the report.

Article 58(4) to (6) may be interpreted as a whole. They define the right to file objections, the manner and procedure for considering objections to the control report, and any potential modification to the content of the document if the submitted objections are found to be justified. Article 58 of the NCSA combines several methods for considering the submitted objections, and not only by the persons carrying out the control activities. Article 58(4) refers to the rights of the person representing the controlled entity, (5) facilitates carrying out additional control activities, and (6) refers to the method in which objections should be handled. The person carrying out the control activities modifies or complements the relevant part of the document in the form of an annex to the report if this person considers the objections justified. If the objections are not accepted in full or in part, the person carrying out the control activities informs the controlled entity about this in writing. These provisions form a logical and integral whole.

The procedure for considering objections to the control report needs to be performed by the person carrying out the control activities. This person should decide on the manner of considering the objections. The objections are analysed in formal and substantive terms. According to Article 58(5) and (6), the controller has, de facto, four options. The first is the dismissal of the submitted objections on formal grounds. This is the case when the objections are filed after the expiry of the 7-day period. Written information on this sent to the objecting party is then sufficient. Where possible, the controllers should be flexible in handling the formal aspects of the submitted objections. Any doubts about the formal aspects of filing an objection should be resolved for the benefit of the controlled entity, so as to enable the substantive consideration of the objections. The second option is the positive consideration of the objections, i.e. the acknowledgement of their validity. This is the case when the controllers consider the objections to be substantively justified. The third and fourth options concern the dismissal of the objections in full or in part. This is the case when the person carrying out the control activities does not consider the arguments raised in the objections convincing. It should be noted that the statutory requirement to pass on information applies only if the objections are dismissed in full or in part. There is therefore no requirement to inform the controlled entity about objections that have been accepted; the controlled entity will obtain such information while reading the control report. The delivered opinion should satisfy specific criteria: it should be signed by the person carrying out the control activities, and it should provide a justification of how each individual objection has been handled. The arguments given in the justification of each individual objection should be addressed, and the controller’s own arguments should be presented.

According to the provisions of Article 58(6) of the NCSA, the person carrying out the control activities reviews the objections and informs the controlled entity about the decision in writing. The Act does not provide any further appeal procedure, e.g. a complaint lodged with an administrative court. This phase of the control procedure is thus completed. The legislators have provided for the possibility that the person representing the controlled entity refuses to sign the report. In such a case, the person carrying out the control activities records this fact in the report together with the date. The report in paper form is produced in two counterparts, one of which is handed over to the controlled entity and the other kept by the controller.

If the control report confirms the probability of a violation of the provisions of the NCSA by the controlled entity, then according to Article 59 the authority responsible for matters of cybersecurity or the Minister competent for computerisation hands over follow-up recommendations concerning the removal of the irregularity. Recommendations are the essential feature of the control procedure. The recommendations should be formulated objectively, and should be based on the findings made in the course of the control, supported by evidence. The recommendations need to be based on facts, and not on opinions or experiences (impartiality). Bias is defined as a non-objective approach to problem solving, in the form of an attempt to confirm one’s own assumptions to the detriment of the main control objectives. Distortion of information under the control procedure, bias in the presented opinions, and disclosing only the negative aspects of the activities carried out by the controlled entity, are examples of violations of impartiality in the control procedure.

The NCSA includes definitions of follow-up recommendations. An analysis of Article 59(1) shows that the recommendations should involve the elimination of irregularities. There is no appeal procedure concerning follow-up recommendations, which means that they are binding.Footnote 40 It should be assumed that this phase of the control is completed, and the document will not be analysed by any administrative court.Footnote 41 This means that follow-up recommendations may not be compared with an administrative decision, i.e. a unilateral, superior act issued by an administrative authority resolving an individual case of a specific addressee.Footnote 42 In Article 59(3), the legislators provided for obtaining information on whether the controlled entity implements the follow-up recommendations. It should be noted that this is the purpose of handing over to the controlled entity the results of the control, including the established state of the facts and the recommendations. Based on this knowledge, the controlled entity should take the proper managerial measures to remedy the disclosed irregularities. Only as a result of these activities is a given area really changed, because these actions constitute the actual meeting of the expectations of the authority competent for cybersecurity matters or the Minister competent for computerisation. Moreover, the solution provided under the Act facilitates assessment of the accuracy of the findings. The controlled entity is obliged to report, within the prescribed period, how the irregularities are to be removed. The legislators do not make a precise reference to the period within which the appropriate authority should be informed. According to the legislators, this period may be freely defined. On each occasion, the period will depend on the circumstances accompanying the given control procedure and the nature of the disclosed irregularities.

The deliberations presented in this paper also relate to the functionality of the control and supervision of operators of essential services, digital service providers, and entities providing cybersecurity services, based on the NCSA. It is an institutional system with a broad range of covered entities (subjective scope) and a precisely defined objective scope of impact. In both its subjective and objective scope, the system is complete, which means that it features no significant gaps.

To sum up the presented discussion, it may be stated that the control objectives should be defined from the perspective of the functioning of the entire cybersecurity system. An effective control system should promote the proper course of implementation processes and the achievement of the best possible results in any type of activity. The efficiency of controls comprises two main elements. The first is the proper selection of the control subject. The second is so-called control proficiency, which should be understood as the proper training of controllers in substantive and ethical terms. It should be noted that good practice is promoted only by the hard work of controllers, their achievements and tradition, and constant improvement of the control procedure.