Whether a private company can provide critical infrastructure to ensure public security in the face of the COVID-19 epidemic

The COVID-19 epidemic forces entrepreneurs to analyse whether the assets of the companies they manage constitute or may constitute critical infrastructure of the Republic of Poland, crucial for the security of the state and its citizens in the face of the ongoing crisis.

At the same time, including a given enterprise into the critical infrastructure generates serious limitations and obligations which interfere with the freedom to conduct business activity, however, the owners or holders of such enterprises are obliged to cooperate with public authorities under the rules set out in the analysed Act and in the Regulation of the Council of Ministers on the National Programme for Critical Infrastructure Protection of April 30, 2010.

The provisions of the Crisis Management Act of April 26, 2007 allow for the inclusion of certain enterprises in the so-called „crisis management”. Critical Infrastructure, which should be understood as „systems and their functionally linked facilities, including buildings, equipment, installations, services essential for the security of the State and its citizens and serving to ensure the efficient functioning of public administration bodies as well as institutions and businesses”.

The principles of critical infrastructure protection are regulated by the National Programme for the Protection of Critical Infrastructure adopted by the Council of Ministers.

The list of facilities, installations, equipment and services included in the infrastructure shall be drawn up by the Director of the Government Security Centre. This list is classified. However, if an asset is included in such a list, the Director of the RCB is required to inform the owner, the self-holder or a subsidiary (tenant, lessee, user).

The owners and dependent owners of critical infrastructure facilities, installations or equipment shall protect them, in particular by preparing and implementing critical infrastructure protection plans, as appropriate to the risks anticipated, and maintaining their own back-up systems to ensure the security and sustainability of such infrastructure until it is fully restored.

In addition, the owners, autonomous and dependent holders referred to in paragraph 1 shall be entitled to the following The Commission and the Member States shall, within 30 days of being informed of the inclusion in the list of critical infrastructure, appoint a contact person for entities competent in the field of critical infrastructure protection.

Specific obligations towards owners or holders of critical infrastructure assets also arise from adopted Critical Infrastructure Protection Plans.