The development of artificial intelligence

Artificial intelligence is an interdisciplinary field of knowledge combining elements of computer science, mathematics, statistics, neuroscience, and cognitive science. Its goal is to create systems capable of performing tasks that previously required human intelligence. This includes the ability to learn from data, reason, make decisions, recognize patterns, and process and generate natural language. Unlike traditional programming, in which a computer executes strictly defined instructions, artificial intelligence aims to grant machines a degree of autonomy, allowing them to independently adapt their strategies to changing conditions. Today, AI is no longer an abstract theoretical concept, but a practical tool.

The development of artificial intelligence is one of the most dynamic phenomena in the history of science and technology. Its origins lie in simple deterministic algorithms, based on clearly defined logical and mathematical rules, used to automate repetitive calculations. However, the real breakthrough came in the second half of the 1990s, when, with the increasing availability of data and the development of computing power, machine learning began to be increasingly used. These methods allowed machines not only to perform pre-programmed tasks but, more importantly, to learn from input data and independently improve their results. The application of machine learning meant a shift from rule-based systems to statistical models capable of recognizing patterns and predicting future events. The next stage was the widespread adoption of deep learning, which gained practical significance in the second decade of the 21st century. These techniques utilize multi-layered neural networks capable of analyzing massive datasets in a manner similar to the perceptual processes occurring in the human brain. This enabled the recognition of images, speech, and natural language with unprecedented effectiveness. Deep learning is the basis of many modern solutions, such as recommendation systems.

The most recent phase of development is generative artificial intelligence, which became widely available around 2021. Unlike previous solutions, which focused on classifying and analyzing data, generative systems can create new content—text, images, sounds, and even complex economic strategies. The introduction of this type of technology has radically expanded the potential applications of AI, but it has also revealed new risks related to its impact on society and the economy. Generative models, capable of dynamically shaping information and influencing decision-making processes, can, for example, participate in market price manipulation.

Price manipulation with the help of new technologies

Price manipulation by sellers is unfair or illegal market practices that involve setting prices in a way that misleads consumers or restricts competition. One of the most commonly used strategies is price fixing. It involves agreements between independent businesses aimed at fixing or controlling prices. This can involve jointly setting minimum or maximum selling prices, coordinating price increases, or even fixing discounts. Such actions are automatically considered illegal – the mere fact of agreeing on prices is sufficient, even if the agreement is not fully implemented. The consequence of price fixing is the elimination of natural price competition. Consumers lose the opportunity to choose cheaper offers, and businesses lose the incentive to innovate.

Another form of manipulation is the abuse of a dominant position. A dominant position means that a business entity has an advantage in the relevant market, allowing it to operate largely independently of competitors, contractors, and consumers. Abuse occurs when a business entity uses its power to impose unfair pricing conditions. This can take various forms, such as setting prices that are excessively high relative to the value of the goods or using predatory pricing, i.e., underselling prices to eliminate competition. Each of these practices leads to market distortion, restricting access for new entrants, and worsening consumer conditions.

Pricing algorithms are computer programs that provide pricing recommendations or, in some cases, automatically adjust prices based on current and historical data on market conditions. These algorithms consider much of the same data that companies have always considered when making pricing decisions, including historical data as well as current supply and demand indicators. Compared to human price managers, algorithms can process significantly more data in a much shorter time. This efficiency allows companies using algorithmic pricing strategies to respond more quickly to changes in supply and demand and make pricing decisions based on a more accurate, real-time understanding of market conditions.

Ways to use algorithms

Algorithms can be used in various ways. One is to use the algorithm as a tool to achieve a goal set by the companies. In such a situation, the parties to the agreement make certain arrangements between themselves, and only their implementation is left to the algorithms. For example, two companies could agree to eliminate price competition between them. Simply using a software function that allows them to retrieve data on the prices of other market participants would be sufficient. A strategy would therefore be to automatically set prices slightly lower than other companies while simultaneously ignoring the prices of the colluding company. However, in this case, the mere fact of detecting the existence of such collusion does not raise any doubts under current competition law, as it is possible to attribute the concept of an agreement to this situation.

Another technique involves the joint use of a single price-response algorithm by several traders. This shared use of the same algorithm can lead to price alignment and less competition. One element of this type of agreement is the awareness of the participants that the information being shared will reach their competitors. Consequently, transparency regarding the future behavior of competitors is established between the recipients. Recipients are aware of the participation of their competitors at the same level of trade in the agreement and that their prices are disclosed to their competitors. However, in such cases, the use of algorithms remains a technical activity and can be assessed through the lens of the underlying conduct, to which existing provisions on anticompetitive agreements can be applied.

However, there does not always have to be any agreement between market players regarding the use of artificial intelligence in sales to raise legal concerns. An example would be the configuration of these modern tools to automatically respond to changes in competitors’ prices. This can take the form of faster price reductions, mimicking price increases, or simply adapting to current market price levels. The increasing use of specialized software by businesses that monitors websites and collects price data is making the online sales market increasingly transparent. This transparency allows for easy tracking of competitors’ pricing policies, quick detection of deviations from established price levels, and immediate response to such situations. This allows companies using algorithms to adjust their prices to rivals’ actions almost in real time. Consequently, traditional price reductions aimed at attracting customers often lose their purpose – competitors can offer the same reduction in a fraction of a second. The situation is different with price increases – if one seller decides to increase prices, others are likely to follow suit, leading to an overall price increase. As a result, prices naturally drift towards a level higher than fully competitive.

The most theoretical scenario is a situation in which self-learning algorithms, used independently by different companies, independently conclude that joint coordination is the most profitable strategy. This does not imply a formal agreement or explicit exchange of information, but rather the spontaneous development of behaviors akin to collusion. This could be facilitated by a combination of two factors: on the one hand, the vast amount of available data on competitors and consumers (e.g., thanks to the Internet of Things, transaction analysis, or online behavior tracking), and on the other, the growing capabilities of artificial intelligence algorithms that learn market strategies through experience.

Experimental environments have already demonstrated that algorithms using reinforcement learning are capable of developing stable pricing strategies that reduce competition, even when they are not explicitly programmed to do so. Research shows that such systems can gradually coordinate their behavior, balancing between exploration and exploitation of the environment in a manner resembling tacit collusion. Importantly, this phenomenon can occur even under conditions that hinder cooperation – for example, when new players enter the market or when demand fluctuates.

What is an AI algorithm?

An AI algorithm is a set of advanced mathematical rules and processes designed to solve tasks, make decisions, or imitate human behavior and thinking using a computer. An AI algorithm often leverages machine learning capabilities to analyze, process, and learn from data. This allows AI tools to more efficiently perform various tasks (predicting patterns, assessing trends, optimizing processes, etc.) that would otherwise require human intervention. AI algorithms form the foundation of artificial intelligence systems, enabling them to learn, reason, recognize patterns, process natural language, and make decisions.

AI algorithms can self-improve by adapting their actions based on the analysis of vast amounts of data. There are three major categories of AI algorithms: supervised learning, unsupervised learning, and reinforcement learning. The key differences between these algorithms lie in how they are trained and how they function.

Competition concerns – communication of algoritms

A problem that raises particular concerns among competition authorities is the potential ability of algorithms to communicate. Although there is currently no evidence that systems learn this type of interaction without human intervention, it theoretically cannot be ruled out that in the future, algorithms will develop their own mechanisms for exchanging information. The European Commission points to the risk of “novel forms of coordination” between computer systems. If such a situation were to occur, it would be easier to classify the companies’ actions as prohibited cooperation – similar to traditional information exchange between competitors.

The issue of legal liability, however, remains controversial. If algorithms merely anticipate competitors’ reactions and adapt their own strategies accordingly, companies can be said to have permitted market autonomy (pursuant to Article 101 of the TFEU). However, it is more difficult to assess cases in which the systems themselves create a “communication channel” leading to actual price coordination. Some legal doctrine proposes adopting an approach similar to that used in the case of unauthorized employee actions – the company would be liable for the tools used. This was aptly put by EU Competition Commissioner, emphasizing that “companies cannot hide behind computer code[1]“.

The current state of technology indicates that algorithms are not yet capable of concluding lasting cartel agreements in dynamic market conditions. However, the rapid development of artificial intelligence and the increasing complexity of predictive systems may enable the emergence of such practices in the future. Therefore, regulators are increasingly emphasizing the need to modernize competition law tools to effectively counter not only classic cartels but also “algorithmic collusion”. Failure to address this could lead to significant losses for consumers, a reduction in innovation, and the concentration of economic power in the hands of a few technological entities – creating a kind of “digital plutocracy.”

The effects of AI algorithmic pricing

One of the key problems with algorithmic pricing is the asymmetry in the speed of response to market changes. Companies with more advanced algorithms can update prices much more frequently—even continuously—while those with less advanced technological tools only make price adjustments at longer intervals, such as weekly. This leads to a structural competitive advantage for the former, as they can flexibly adapt to supply and demand and react almost immediately to competitive price movements. In practice, this means that companies with more advanced systems can aggressively lower prices before competitors have time to adapt their offerings, effectively driving them out of the market. This imbalance not only distorts the principles of fair competition but also leads to deeper market concentration, as smaller or technologically weaker companies gradually lose the ability to maintain their position against dominant players investing in advanced algorithmic solutions.

Predatory pricing, in which a dominant firm incurs short-term losses by deliberately pricing goods and services below cost to eliminate competitors or new entrants, is another practice that modern technology is currently employing. This strategy typically involves two stages: first, the dominant firm aggressively undercuts competitors’ prices to drive them out of the market (the predation phase), and then uses its market power to raise prices to recoup losses and generate profits after the competitors disappear (the loss recovery phase). For predatory pricing strategies to be effective, a firm must maintain low prices long enough to eliminate competitors. Pricing algorithms can help firms target specific customers of competitors by offering them prices even below cost. For example, an established firm might do this to avoid losing customers to a new competitor. An established firm might use an algorithm to target customers most likely to switch suppliers, seeking to retain them rather than offering lower prices to all its customers. This could help an established company minimize losses. These algorithms can also help companies pursue predatory pricing strategies and build a reputation for lowering prices in the future if new entrants struggle. Pricing algorithms can also help companies raise prices for consumers who are more willing to pay or less sensitive to price changes. They enable companies to simultaneously engage in predatory pricing and recover losses without the need for a human intervention, using automated means.

Finally, algorithmic pricing introduces a significant element of uncertainty for consumers, who are unable to predict how much they will ultimately pay for a product or service. These mechanisms, based on automated supply and demand analyses, lead to constant and opaque price fluctuations, undermining market trust and limiting the ability to make rational purchasing decisions. Price instability often causes consumers to feel compelled to buy quickly for fear of further cost increases, which encourages impulsive and economically unfavorable choices. In the long term, such practices destabilize the market, hinder healthy competition, and strengthen the position of dominant players who exploit technological advantages at the expense of weaker market participants.

The question of legality

However, a fundamental question arises regarding the legality of such practices under Polish law. The Act of 9 May 2014 on Information on the Prices of Goods and Services[2] imposes on businesses the obligation to clearly and unambiguously disclose the prices of their products. According to the Act, the price should be clearly displayed and allow for comparison with other market offers. However, dynamic price changes, even occurring several times a day, can raise interpretational questions regarding compliance with the requirement of unambiguous price presentation. A consumer who sees significantly different prices for the same product or service within a short period of time may be deprived of the ability to make a rational economic choice. It should be emphasized that the legislator also introduced the obligation to disclose the lowest price applicable within thirty days prior to the discount. In the context of algorithmic pricing, the question arises as to whether every short-term price change resulting from the operation of an algorithm should be treated as a discount within the meaning of the Act, or whether it should be classified as a normal market fluctuation. The lack of clear regulations in this area leads to legal uncertainty for both entrepreneurs and consumers.

The Act of 16 February 2007 on Competition and Consumer Protection[3] opens up an even wider field of interpretation. This Act provides both instruments for counteracting practices that violate the collective interests of consumers and protection against anti-competitive practices. In this context, the problem of so-called tacit algorithmic collusion is particularly significant. In this context, independently operating algorithmic systems of various businesses, monitoring and reacting to competitors’ prices, can stabilize them at an inflated level without the need for a formal agreement. This type of phenomenon, although difficult to detect and prove, can be classified as a violation of fair competition principles, potentially subject to intervention by market protection authorities. The literature indicates that the increasing automation of decision-making processes in price setting raises the risk of developing anti-competitive coordination mechanisms that fall outside the traditional categories of antitrust law.

At the same time, the Competition and Consumer Protection Act imposes an obligation on businesses to avoid misleading practices. In the case of dynamic pricing, the lack of full transparency becomes a problem. If consumers are not informed upfront that prices may fluctuate significantly depending on demand or transaction time, they may be deemed misleading, and the practice itself may be deemed to violate collective consumer interests. In this sense, the obligation of transparency takes on particular significance and should also include information about the pricing mechanism, not just the current price level.

An analysis of the applicable regulations leads to the conclusion that algorithmic pricing per se is not a prohibited practice in Poland. However, its legality depends on whether the entrepreneur complies with the obligations arising from specific laws, as well as on whether the use of algorithms does not lead to practices that restrict competition or violate consumer rights. Entrepreneurs are obligated to provide consumers with reliable and complete information and to avoid practices that may destabilize the market. In the event of a violation of these obligations, sanctions may be imposed by both the Trade Inspection Authority (in the case of incorrect pricing information) and the President of the Office of Competition and Consumer Protection (in the case of practices that violate competition rules or are misleading).

Case law review

It is also worth taking a closer look at decisions issued on algorithmic pricing by state and EU authorities.

In the Eturas case, the contested agreement was supported by a digital platform (software for selling travel online), where the system’s administrator proposed to competing travel agencies the use of a technical instrument imposing a ceiling on discounts on packages offered. The EU Court found it reasonable to assume that travel agencies that were aware of the content of messages sent via the system were participants in an anticompetitive agreement, unless they rebutted that presumption. The Commission also states that the prohibition under Article 101(1) TFEU is likely to cover cases in which “pricing rules” were defined by undertakings “in a common algorithmic tool (e.g., rules for adjusting the price to the lowest price on a specific online platform or in a specific online store), and this qualification would be accepted “even in the absence of an express agreement to adjust future prices”[4].

In commercial transactions, there are also cases in which entrepreneurs use the same algorithm to set prices for their services, yet there are no grounds to conclude that they have entered into an anticompetitive agreement. An example of a case assessed by the President of the Office of Competition and Consumer Protection (UOKiK) is the UBER app. Its use does result in the restriction or even elimination of price competition between UBER drivers, which is, after all, centrally determined by the app. This also constitutes an agreement between UBER and individual drivers. In this case, however, such algorithmic pricing is necessary for the proper functioning of the UBER system, and at the same time, it does not lead to the elimination of competition, being a proportionate measure. This justifies treating such an agreement as not violating the prohibition of Article 6, Section 1 of the UOKiK based on the construction of ancillary restrictions.

A problematic scenario can arise when a large number of businesses utilize the same or similarly functioning algorithm without any collusion between them regarding the selection of one algorithm over another. In this situation, each of these businesses uses a specific program as a tool to inform them about the market situation and enable a rapid response. In this scenario, there is a significant increase in market transparency, which can have anti-competitive effects, as the use of an algorithm allows businesses to react much more quickly to any market changes, including price reductions by competitors, which can reduce their incentive to make such reductions. In such a case, businesses merely adjust their prices to those of their competitors. Such conduct – so-called parallel conduct – has for years been viewed by EU and Polish jurisprudence as not violating antitrust rules. In fact, in this case, it cannot be said that an agreement was concluded. Moreover, under the soft law provisions issued regarding vertical relationships, the Commission itself has indicated that price monitoring using computer programs is not prohibited, or more precisely, it may benefit from an exemption from the prohibition of anticompetitive agreements. Therefore, from the Commission’s position, it can be deduced that the antitrust permissibility of such algorithmic price monitoring is determined by the lack of grounds for attributing such conduct the status of an agreement, and that it constitutes a manifestation of the parallel conduct mentioned above.

According to the authorities, it would also be possible to attribute antitrust liability to the creator of the algorithm. The VM- Remonts formula, developed in EU case law, could be particularly applicable to this. In this case, while the Court recognized as a rule that an undertaking cannot “be held liable for participating in a concerted practice on the basis of the actions of an independent service provider”[5], it also identified exceptions to this rule. Fulfilling one of these exceptions justifies the application of Article 101(1) TFEU also to the service provider, for example, the software developer. Polish legal literature also argues that the constructions of extended liability for competition law infringements developed in EU case law (especially the concept of cartel accessory liability) could also be used to attribute antitrust liability to an undertaking that provides participants in an agreement with tools (including digital tools) enabling the conclusion or implementation of a prohibited agreement.

Summary

Dynamic, algorithmic pricing lies at the intersection of two key areas of law: consumer law and competition law. This practice, while permissible, requires particular caution on the part of businesses and the development of consistent interpretative guidelines by the legislature. The lack of clear regulations creates a risk not only for consumers, who may be exposed to non-transparent and unfair practices, but also for businesses themselves, who may suffer severe financial consequences if they violate fair competition regulations. Given the growing importance of algorithmic technologies, it seems necessary to further develop and clarify the legal framework to enable businesses to use innovative price management tools, while also ensuring an adequate level of consumer protection and the integrity of market mechanisms.

The most serious challenge for competition authorities is when algorithms maintain elevated prices without formal information exchange between companies. In such cases, the classic dogmatics of antitrust law may prove insufficient, and consumers will bear the cost in the form of a loss of some of their well-being. Therefore, developing technical competencies of supervisory authorities, enabling them to understand and analyze the mechanisms of algorithms used in business practice, is particularly important.

At this stage, it seems premature to introduce new regulations on algorithmic pricing, as this could hinder the development of innovative technologies and limit their beneficial applications. Further interdisciplinary research combining law, economics, and computer science, as well as careful observation of market practice and case law, is essential.

[1] Speech of the European Commissioner for Competition M. Vestager, Berlin, 16/03/2017.

[2] Act of 9 May 2014 on providing information on prices of goods and services (consolidated text: Journal of Laws of 2023, item 168).

[3] Act of 16 February 2007 on competition and consumer protection (consolidated text: Journal of Laws of 2024, item 1616, as amended).

[4] Point 397 of Guidelines 2023/C 259/01.

[5] Point 33 of the judgment of the Court of Justice of July 21, 2016, C-542/14, SIA “VM Remonts” (formerly SIA “DIV un KO”) and others. v. Konkurences padom, ECLI:EU:C:2016:578.

Artykuł AI algorithmic pricing and its assessment under Polish and EU competition law pochodzi z serwisu KIELTYKA GLADKOWSKI LEGAL | CROSS BORDER POLISH LAW FIRM RANKED IN THE LEGAL 500 EMEA SINCE 2019.

In an era of dynamic digital technology development and a growing number of cyberthreats, cybersecurity and personal data protection are becoming key aspects of how organizations operate in the European Union. New regulations, such as NIS2, DORA, AI Act, CRA, and eIDAS 2.0, combined with the current GDPR, create a comprehensive security system aimed at raising protection standards and ensuring greater transparency in data processing.

NIS2 and GDPR: Strengthening Data Protection and Incident Response

The Network and Information Security Directive (NIS2) is another step towards increasing the cyber resilience of entities operating in key economic sectors. In 2025, its implementation will require organizations to take a number of actions, including:

• Expanding security measures against cyberattacks,
• Introducing more rigorous incident reporting procedures,
• Strengthening cooperation between supervisory authorities and the private sector.

NIS2, in conjunction with GDPR (Regulation 2016/679), means that businesses will not only have to protect personal data more effectively, but also implement new procedures for risk management and auditing of IT security activities.

5 Things You Need to Know About NIS2

01 – Fines up to €10 million or 2% of total annual global turnover

02 – Expanded scope compared to NIS1, changing the way companies are classified and requiring more of them to comply with the directives

03 – Management staff is liable for violations and the authorities may suspend activities or functions

04 – Broad security risk management measures and shift to a risk-based approach

05 – Initial reporting of security incidents within 24 hours, further action within 72 hours, and final summary within 1 month

DORA: Cyber Resilience and Personal Data Security in Finance

DORA is the Regulation of the European Parliament and of the Council (EU) of 14 December 2022 on the digital operational resilience of the financial sector. This is another of many recent regulations concerning cybersecurity and the broadly defined security of information technology.

The Digital Operational Resilience Act (DORA) focuses on the financial sector, which is particularly vulnerable to cyberattacks. Key requirements imposed by DORA include:

• Testing the operational resilience of IT systems,
• Implementing risk management strategies based on threat analysis,
• Obligation to monitor and report digital incidents.

DORA applies to:

1. credit institutions;
2. payment institutions, including payment institutions exempted under Directive (EU) 2015/2366;
3. providers of account information access services;
4. electronic money institutions, including electronic money institutions exempted under Directive 2009/110/EC;
5. investment companies;
6. crypto-asset service providers,
7. central securities depositories;
8. central counterparties;
9. trading systems;
10. transaction repositories;
11. alternative investment fund managers;
12. management companies;
13. information sharing service providers;
14. insurance and reinsurance undertakings;
15. insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries;
16. institutions of occupational pension programs;
17. rating agencies;
18. administrators of critical benchmarks;
19. crowdfunding service providers;
20. securitization repositories;
21. external ICT service providers.

In the context of GDPR compliance, financial institutions must ensure adequate security measures to protect customer data against unauthorized access and information leakage. GDPR also mandates cooperation with cloud service providers and external IT operators, which requires thorough verification of their security standards.

Article 33 of the DORA Directive requires personal data breaches to be reported without undue delay, and within 72 hours where possible. In the event of a delay, an explanation of the reason for the delay must be included.

AI Act and GDPR: Managing Artificial Intelligence and Data Protection

The AI Act regulations classify AI systems according to risk level and impose obligations on entities that implement them. In the context of data protection, the AI Act requires:

• Transparency of artificial intelligence algorithms and mechanisms,
• Possibilities of controlling and auditing decisions made by AI,
• Compliance with the principles of data minimization and limitation of the processing purpose.

Companies that use AI to process personal data will have to meet stringent GDPR requirements, giving users greater control over their information and minimizing the risk of abuse.

CRA: Cyber Resilience Act – Security of Digital Products

The Cyber Resilience Act (CRA) introduces obligations related to the security of digital software and hardware. Its key requirements include:

• Designing secure digital products,
• Monitoring vulnerabilities and updating them regularly,
• Manufacturers’ responsibility to ensure continued safety throughout the product life cycle.

CRA aims to increase cybersecurity across the entire digital ecosystem, minimizing the risk of attacks based on device and application vulnerabilities.

eIDAS 2.0: Strengthening digital identification

The amendment to the eIDAS (electronic IDentification, Authentication and trust Services) regulation – known as eIDAS 2.0 – introduces a European digital identity wallet that:

• Allows citizens to securely store and share their identity data,
• It enables public and private institutions to provide secure online services,
• Strengthens authentication standards in digital transactions.

In conjunction with GDPR, eIDAS 2.0 improves users’ control over their identity data and increases the security of online transactions.

Challenges and benefits of new regulations

Adapting to new regulations poses numerous challenges for companies, including:

• The need to invest in modern security systems,
• Employee training in cybersecurity and data protection,
• Implementation of effective incident monitoring and reporting mechanisms.

However, the new regulations also bring numerous benefits, such as:

• Better protection of customer data and greater trust in the organization,
• Increased resistance to cyber attacks,
• Possibility to avoid high fines for violating data protection regulations.

The impact of new regulations on small and medium-sized enterprises (SMEs)

New regulations such as NIS2, DORA, AI Act, CRA, and eIDAS 2.0 can pose challenges for small and medium-sized enterprises (SMEs). Implementing these regulations requires investment in modern security systems and employee training in cybersecurity and data protection. SMEs may face challenges related to limited financial and human resources, which can make it difficult to fully comply with the new requirements.

However, compliance with these regulations also brings benefits, such as better protection of customer data, increased trust in the organization, and the ability to avoid significant fines for violating data protection regulations. Therefore, it is worthwhile for SMEs to consider partnering with external IT service providers and cybersecurity specialists to effectively implement the required security measures.

The future of cybersecurity in the EU

In the coming years, we can expect further development of regulations regarding cybersecurity and personal data protection. The European Union will continue to work on strengthening the legal framework to address growing cyber threats and ensure a high level of data protection. Organizations will need to be prepared to continuously adapt to new requirements and invest in modern security technologies and procedures.

Summary

In 2025, organizations will have to comply with a range of regulations regarding cybersecurity and personal data protection. NIS2, DORA, AI Act, CRA, and eIDAS 2.0, combined with the GDPR, create a modern legal framework aimed at improving data protection and increasing resilience to cyber threats across various economic sectors. Implementing these regulations will be a challenge, but also an opportunity, to build a more secure and digitally resilient business environment in the EU.

Artykuł Cybersecurity and GDPR Compliance in 2025 pochodzi z serwisu KIELTYKA GLADKOWSKI LEGAL | CROSS BORDER POLISH LAW FIRM RANKED IN THE LEGAL 500 EMEA SINCE 2019.

“New times, new threats”. With this motto we can contextualize the outlook of the latest regulation on cybersecurity in the European Union, the NIS2 Directive. It substitutes NIS1 Directive, the previous EU cybersecurity rules from 2016. This one was reviewed at the end of 2020 and as a result of this review, the proposal for a Directive on measures for high common level of cybersecurity was presented by the Commission on 16^th December 2020. The review showed that NIS1 had certain limitations. In a more digital society, new threats that were previously unnoticed or non-existent appear, and the old regulations, although they provided certain guarantees, are now obsolete. In particular, the Commission highlighted these main issues:

• Insufficient level of cyber resilience of businesses operating in the EU;
• Inconsistent resilience across Member States and sectors;
• Insufficient common understanding of the main threats and challenges among Member States;
• Lack of joint crisis response.

The Directive was published in the Official Journal of the European Union in December last year and entered in force last month on 16^th. Member States have to incorporate the provisions in their national law by 18^th October of 2024 (article 41), that is, they have 21 months from the entry into force of the Directive to make the proper preparations. Luckily, this new regulation is not only built from the ashes of the previous one, some pillars remain and are being built upon. These are:

1. Following the NIS1 strategy on the security of network and information systems, the NIS2 (Article 1) now requires Member States to adopt a national cybersecurity strategy and create national authorities in the matter (SPOC or single point of contact) and CSIRTs teams (Computer Security Incident Response Teams).
2. The NIS2 also continues the NIS1 framework establishing the NIS Cooperation group to support and facilitate strategic cooperation and the exchange of information among Member States, and the CSIRTs Network, which promotes swift and effective operational cooperation between national CSIRTs.
3. It follows as well the focus on the seven sectors taken into account which are vital for our society: energy, transport, banking, financial market infrastructures, drinking water, healthcare and digital infrastructure. NIS2 expands these points and adds new ones (annex 1).

The NIS2 Directive aims to address the deficiencies of the previous rules, to adapt it to the current needs and make it future-proof.

To this end, the Directive expands the scope (Article 2) of the previous rules by adding new sectors based on their degree of digitalisation and interconnectedness and how crucial they are for the economy and society, by introducing a clear size threshold rule— meaning that all medium and large-sized companies in selected sectors will be included in the scope. At the same time, it leaves certain discretion to Member States to identify smaller entities with a high security risk profile, that the entity is the only supplier in a Member State of a service which is essential for the maintenance of critical societal or economic activities or disruption of the service provided by the entity could have a significant impact on public safety, public security or public health for other reason, for example, that should also be covered by the obligations of the new Directive. Also this Directive does not apply to public administration entities that carry out their activities in the areas of national security, public security, defence or law enforcement.

The new Directive also eliminates the distinction between operators of essential services and digital service providers. Entities would be classified based on their importance, and divided into two categories: essential and important entities, which will be subjected to different supervisory regime (Article 3). Some essential entities are qualified trust service providers and top-level domain name registries as well as DNS service providers, regardless of their size; a public administration entity of central government as defined by a Member State in accordance with national law; or the entity is the sole provider in a Member State of a service which is essential for the maintenance of critical societal or economic activities; these are only a few examples. Important entities are the ones that do not qualify as essential but still are identified by Member States as important.

The new law strengthens and streamlines security and reporting requirements for companies by imposing a risk management approach, which provides a minimum list of basic security elements that have to be applied. Includes a list of 10 key elements that all companies have to address or implement as part of the measures they take, including incident handling, supply chain security, vulnerability handling and disclosure, the use of cryptography and where appropriate, encryption (Article 21).

The new Directive introduces more precise provisions on the process for incident reporting, content of the reports and timelines (Article 23 et seq.). Affected companies have 24 hours from when they first become aware of an incident to submit an early warning to the CSIRT or competent national authority which would also allow them to seek assistance if they request it. The early warning should be followed by an incident notification within the 72 hours of becoming aware of the incident and a final report no later than one month later.

Furthermore, NIS2 addresses security of supply chains and supplier relationships by requiring individual companies to address cybersecurity risks in the supply chains and supplier relationships. At European level, the Directive strengthens supply chain cybersecurity for key information and communication technologies (Articles 23, 26, 27 & 28). Member States in cooperation with the Commission and ENISA, may carry out Union level coordinated security risk assessments of critical supply chains, building on the successful approach taken in the context of the Commission Recommendation on Cybersecurity of 5G networks (Articles 29 & 30).

The Directive introduces more stringent supervisory measures for national authorities, stricter enforcement requirements and aims at harmonising sanctions regimes across Member States (Article 31 et seq.). For example, Member States shall ensure that the competent authorities, when exercising their supervisory tasks in relation to essential entities, have the power to subject those entities at least to: on-site inspections and off-site supervision; regular and targeted security audits; security scans based on objective risk assessment criteria; or request for information and to access data. In addition, NIS2 indicate a list of the parameters that should guide the regulation of fines.

It also enhances the role of the Cooperation Group in shaping strategic policy decisions and increases information sharing and cooperation between Member State authorities. It also enhances operational cooperation within the CSIRT network and establishes the European cyber crisis liaison organisation network (EU-CyCLONe) to support the coordinated management of large-scale cybersecurity incidents and crises (Articles 14 to 19).

NIS2 also establishes a basic framework (Article 22) with responsible key actors on coordinated vulnerability disclosure for newly discovered vulnerabilities across the EU and creates an EU vulnerability database for publicly known vulnerabilities in ICT products and ICT services, to be operated and maintained by the EU agency for cybersecurity (ENISA).

Furthermore, NIS2 works in a larger spectrum. It is closely related with the Critical Entities Resilience Directive (CER) and the Regulation for the Digital Operational resilience for the financial sector (DORA).

The scope of NIS2 is largely aligned with the Critical Entity Resilience Directive (CER Directive) to ensure that the physical and cyber resilience of critical entities is comprehensively addressed. Entities identified as critical entities under the CER Directive, will become also subject to the cybersecurity obligations of NIS2 Directive. Furthermore, national competent authorities under the CER and NIS2 Directives have to cooperate and exchange on a regular basis relevant information such as on risks, cyber threats and incidents as well as on non-cyber risks, threats and incidents. The Collaboration Group under NIS2 shall meet regularly and at least annually with the Key Entities Resilience Group established under the CER Directive.

Regarding the financial sector, while the new NIS2 directive applies to credit institutions, trading venue operators and central counterparties, DORA will apply to these entities in terms of cybersecurity risk management and reporting obligations. At the same time, it is also important to maintain strong information-sharing relationships between the financial sector and other sectors covered by NIS2. To this end, within the framework of DORA, European Financial Supervisory Authorities (ESAs) and National Competent Authorities of the financial sector can participate in the discussions of the NIS Cooperation Group. In addition, DORA authorities can consult and exchange relevant information with the Single Point of Contact (SPOC) and CSIRT established under NIS2.The competent authorities, SPOCs or the CSIRTs established under NIS2 would also receive details of major ICT-related incidents from the competent authorities under DORA. Moreover, Member States should continue to include the financial sector in their cybersecurity strategies and national CSIRTs may cover the financial sector in their activities.

In conclusion, we expect the European states to get their act together because they have a lot of work to do, not only in cooperating with other member states but also within their own borders. In a period of a little less than two years they have to elaborate a national cybersecurity strategy, establish authorities and procedures to control the implementation of this strategy by both public and private entities. They must create a cybersecurity threat notification system. They must develop a system of sanctions. In other words, the list of tasks is not short.

However, despite the amount of work, the conclusion will bear great fruit. States and non-governmental groups outside the European Union are increasingly focusing on the development of equipment and electronic subterfuge techniques to infiltrate and alter electronic infrastructures and the data contained therein for their own purposes and benefit. Normally this is usually the opposite of our countries so we are subjected to constant “anonymous” attacks to alter and damage our security. The digital world has opened the door to new actions that allow us to avoid the consequences of the classic consequences of actions in the real world. We cannot allow our stability to be threatened in this way. So every grain of sand that is put in place will help to make the European and national landscape more secure.

Artykuł The future of Cybersecurity in the European Union: New NIS2 Directive framework pochodzi z serwisu KIELTYKA GLADKOWSKI LEGAL | CROSS BORDER POLISH LAW FIRM RANKED IN THE LEGAL 500 EMEA SINCE 2019.

As for service procedure of documents in Poland until present, the common form was a paper letter that had to be sent with an acknowledgement of receipt. The changes introduced by the 2019-2021 amendments to the Polish administrative procedure, particularly the 2021 amendment on electronic service, are intended to effectively change the way parties are informed about the stages in the procedure. The changes move correspondence with government entities to an electronic level. From 5 October 2021, there have entered into force the changes which concern, among others, the principle of written documents (Article 14 of the Code of Administrative Procedure), provisions on the power of attorney (Article 33 of the Polish Code of Administrative Procedure ), time limits (Article 35 of the Polish Code of Administrative Procedure), reminders (Article 37 of the Code of Administrative Procedure), service (Articles 39-49 of the Code of Administrative Procedure), summons (Articles 50, 54 of the Code of Administrative Procedure), time limits (Article 57), or commencement of proceedings (Articles 61, 63 of the Code of Administrative Procedure).

ELECTRONIC DELIVERY – DEFAULT DELIVERY METHOD

The electronic delivery system will become the primary default delivery channel. Firstly, the service will be made via public service of registered electronic delivery. If delivery via this system is not possible, then the so-called public hybrid service will be used whereby the postal operator converts letters from electronic to paper form and delivers them that way. Paper letters will be served only as an exception, in strictly defined cases. At the same time, the system will replace the ePUAP system.

MAIN OBJECTIVES OF THE PROJECT

The Act on Electronic Deliveries introduces rules for the operation of electronic registered deliveries in legal transactions. Electronic delivery is intended to allow delivery of mail with legal effect equivalent to traditional mail delivery. The e-delivery service will make it possible to receive and send correspondence between citizens and the public administration electronically, without the need for paper documents.

Important features of the e-Guarantee project include:

• electronic communication under the introduced system will be initiated not only by a public authority (office), but also by the citizen – it will not be a unilateral receipt of deliveries sent by the administration, but also sending documents in electronic form to the relevant offices;
• covering digitally excluded people, i.e. those who do not use the Internet and Internet-enabled devices – the e-Delivery project envisages the so-called hybrid service, which makes it possible to receive traditional postal items, despite the fact that all correspondence has been digitalised.

IMPLEMENTATION SCHEDULE

The e-service law went into effect in October 2021; however, there are many transition periods of several years.

Offices and other public entities will start using e-Guarantees gradually. As of July 5, 2022, this obligation will apply to government administration bodies and budgetary units serving these bodies, the Polish National Health Fund (NFZ), the National Social Insurance Authority (ZUS), state control and law protection bodies and budgetary units serving these bodies.

The obligation to have an e-delivery address will also apply to companies and corporations. According to the information provided by the Chancellery of the Prime Minister, from July 5, 2022 it will apply to new entrepreneurs registering in the Polish National Court Register (KRS) that will receive e-delivery address automatically, and from October 1, 2022 to entrepreneurs who have been registered in the National Court Register before July 5, 2022, from 30 September 2025 to entrepreneurs changing their entry in the Central Register of Business Activity, and from 1 October 2026 to companies registered in the Central Register of Business Activity before 31.01.2023.

The e-Delivery address, once activated and entered in the database of electronic addresses, will become the address for official correspondence of a given company. This means that offices using e-delivery will send correspondence to a given company only electronically.

Companies can already set up a free account on the Entrepreneur’s Account on the gov.pl website. All they need to do is apply for eDelivery address and then activate the address and mailbox.

Further institutions will join the system from 2023: from 1 January 2023 – universities and the Polish Academy of Sciences, from 1 January 2024 – local government units and their unions, from 1 January 2025 – other public entities, and from 1 October 2029 – courts and tribunals, bailiffs, prosecutors, law enforcement agencies and the Prison Service.

POSSIBLE DIFFICULTIES

The Act on Electronic Service has significantly changed the provisions of the Code of Administrative Procedure on service of letters. However, given that the operation of the electronic register will not be implemented immediately (with the effective date of the amendment), the application of the provisions may be significantly impeded.

SOURCES:

https://www.gazetaprawna.pl/firma-i-prawo/artykuly/8325213,zmiany-2022-e-doreczenia-w-urzedach.html

https://biz.legalis.pl/e-doreczenia-juz-dzialaja/

https://samorzad.pap.pl/kategoria/aktualnosci/w-2022-r-urzedy-zaczna-korzystac-z-e-doreczen-samorzady-pozniej

Artykuł E-DELIVERY IN PUBLIC ADMINISTRATION IN POLAND – CHANGES ALSO FOR CORPORATE ENTITIES IN POLAND pochodzi z serwisu KIELTYKA GLADKOWSKI LEGAL | CROSS BORDER POLISH LAW FIRM RANKED IN THE LEGAL 500 EMEA SINCE 2019.

KIEŁTYKA GŁADKOWSKI KG Legal | POLISH LAW FIRM
rated in LEGAL 500 EMEA 2019

specialising in cross border cases with its focus on life science, biotech, medtech, IT, new technologies and investment processes in Poland.

Artykuł IT specialisation – French language version pochodzi z serwisu KIELTYKA GLADKOWSKI LEGAL | CROSS BORDER POLISH LAW FIRM RANKED IN THE LEGAL 500 EMEA SINCE 2019.

KIEŁTYKA GŁADKOWSKI KG Legal | POLISH LAW FIRM
rated in LEGAL 500 EMEA 2019

specialising in cross border cases with its focus on life science, biotech, medtech, IT, new technologies and investment processes in Poland.

Artykuł IT specialisation – Turkish language version pochodzi z serwisu KIELTYKA GLADKOWSKI LEGAL | CROSS BORDER POLISH LAW FIRM RANKED IN THE LEGAL 500 EMEA SINCE 2019.

KIEŁTYKA GŁADKOWSKI KG Legal | POLISH LAW FIRM
rated in LEGAL 500 EMEA 2019

specialising in cross border cases with its focus on life science, biotech, medtech, IT, new technologies and investment processes in Poland.

Artykuł IT specialisation – Finnish language version pochodzi z serwisu KIELTYKA GLADKOWSKI LEGAL | CROSS BORDER POLISH LAW FIRM RANKED IN THE LEGAL 500 EMEA SINCE 2019.

The event is dedicated to biotechnology, ICT and new technologies, which are the sectors of specialization of KG Legal. BIAT aims to promote innovative products and services from Italy by matching suppliers (start-ups, innovative SMEs) and demanding entrepreneurs (large companies, investors).The event will be attended by ICT companies from Convergence Regions (Campania, Calabria, Apulia, Sicily), international large companies, research centres interested in technology transfer and venture capitalists.

The main goal is to foster forms of international cooperation at various levels and the opportunity to matchmaking with other companies interested in running projects from IT sector. You can find list of projects at this link: http://innovationlab2017.ice.it/list-of-projects.

The information was prepared by Kamil Trzaskoś of KG Legal Polish Law Firm. KG Legal provides specialised legal assistance to IT, Life Science as well as investment processes in Poland and organises networking between Polish and international companies and research centres.
See our specialisations

Artykuł BIAT – Innovation and High Technology Lab – Possibility of cooperation in 50 new IT Projects – Opportunities for Polish software developers pochodzi z serwisu KIELTYKA GLADKOWSKI LEGAL | CROSS BORDER POLISH LAW FIRM RANKED IN THE LEGAL 500 EMEA SINCE 2019.

The article prepared by KG LEGAL KIEŁTYKA GŁADKOWSKI based in Cracow, Poland, specialising in cross border cases, with focus on new technologies, IT and life science, discusses the possibilities of software patenting, the procedure of patent application in case of software, the concept of Espacenet within the European Patent Office, patent search and examination, patentability of software under Polish law, procedure in case of refusing a patent, the European Patent Convention, Vicom case in computer-related invention case, the so-called further technical effect, programs as machine and software-related patent cases.

See the link to the article in Polish: http://mojafirma.infor.pl/prawo-autorskie/patent/748727,Ochrona-patentowa-i-prawnoautorska-software-przepisy-europejskie-i-polskie-a-orzecznictwo-w-zakresie-patentu-na-oprogramowanie.html

Artykuł Patentability of software – practical comments on patent protection in IT under the EU and Polish law pochodzi z serwisu KIELTYKA GLADKOWSKI LEGAL | CROSS BORDER POLISH LAW FIRM RANKED IN THE LEGAL 500 EMEA SINCE 2019.

On the 17th November 2016 KG LEGAL participated in the Festival of Innovation and Technology in Gliwice, which consisted of two events: International IT fairs and IV International Forum of Innovation. The Festival was organized by Upper Silesian Agency for Entrepreneurship and Development and the Gliwice City Hall.

During the Forum speakers were discussing about the use of new technologies in everyday life and medicine e.g. telemedicine, medical robotics, biomedical engineering. Business from software and medicine sector had their stands on the International IT fairs i.a. KAMSOFT – the company providing specialized software for the medical and pharmaceutical sector; Zbigniew Religa Foundation for the Development of Cardiac Surgery dedicated to implement innovations in artificial organs, biomaterials and medical robotics; AGH University of Science and Technology presented personalized system of human tele-supervisor; WASKO and IT Quality Ltd – software developers.

KG LEGAL participated in both events, since they concerned the IT sector, medicine and new technologies in which our law firm is specialized. We present video and photos from Festival below.

Artykuł Festival of Innovation and Technology (Gliwice, Poland, IT Market) pochodzi z serwisu KIELTYKA GLADKOWSKI LEGAL | CROSS BORDER POLISH LAW FIRM RANKED IN THE LEGAL 500 EMEA SINCE 2019.