GDPR: QUESTIONS AND ANSWERS

Category:
Documentation and Procedures

What consequences apply for failing to conduct an audit in accordance with KRI requirements?

ANSWER

Failure to conduct an audit in accordance with the requirements of KRI (the National Interoperability Framework) constitutes a breach of § 20(2) of the Council of Ministers Regulation of 12 April 2012 on KRI (Journal of Laws 2016, item 1130), which provides: 'An information security audit shall be conducted at least once every two years.'

KRI was issued on the basis of Article 18(1)(1) of the Act on the Computerisation of Entities Performing Public Tasks (consolidated text: Journal of Laws 2023, item 57). Entities obliged to apply KRI — including public finance sector units, public universities, hospitals and local government units — have a legal obligation to conduct audits in accordance with § 20. Failure to do so means a breach of generally applicable law.

KRI itself does not provide for financial penalties; however:

  • UODO may impose an administrative fine for the lack of appropriate security measures (Article 32 GDPR) if the absence of an audit resulted in risks not being identified or appropriate measures not being implemented.
  • A KRI audit is often a reference document when assessing compliance with the GDPR, ISO 27001 or NIS2. Its absence makes demonstrating compliance more difficult.

In the public sector, consequences may also affect the head of the unit (as the entity responsible for compliance with the regulations).

Source: Failure to conduct a KRI audit – what penalties and legal consequences apply? | ODO 24