Business
11:28 25 August 2025
Post by: WBJ

Digital risks, real board accountability

As CEOs and ministers gather in Karpacz, digital risk looms over energy and inflation. NIS2, DORA, and the AI Act redefine board accountability, turning regulatory compliance into both resilience and a competitive advantage.

by Tomasz Janas, Advisory Managing Director, PKF Polska

When CEOs and ministers meet in Karpacz for this year’s Economic Forum, energy and inflation will dominate the agenda, yet the biggest blind spot is digital risk. Cyberattacks, AI-enabled fraud and ransomware now strike faster than a quarterly report, and Brussels is responding even faster. Three EU instruments, NIS2, the Digital Operational Resilience Act (DORA) and the Artificial Intelligence Act, have redrawn the lines of personal liability for directors and raised the bar for operational resilience.


A moving regulatory target

NIS2 had to be transposed into national law by 17 October 2024 and applies from the following day, exposing boards to fines of up to €10 million or 2% of global turnover, as well as potential temporary management bans. DORA, directly applicable from 17 January 2025, gives financial supervisors power to cap services or revoke licenses when ICT risks are mismanaged. The AI Act entered into force on 1 August 2024. Prohibitions apply starting 2 February 2025, governance duties for general-purpose models on 2 August 2025, and high-risk system rules begin in 2026–27, with fines up to 7% of worldwide revenue.

Together, the trio delivers a blunt message: outsourcing or algorithmic complexity does not dilute board accountability. Regulators expect directors not only to approve budgets and appoint a Chief Information Security Officer (CISO), but to actively oversee digital risks—just as they would financial exposure or compliance with anti-bribery laws. This shift places new demands on strategic literacy at the board level and requires deeper engagement from legal, risk, and internal audit teams.


Compliance as value creation

Treating these texts as mere paperwork is a missed opportunity. IBM’s 2025 Cost of a Data Breach Report pegs the average breach at USD 4.44 million. Firms with mature, automated governance cut that figure by nearly a third. The capabilities regulators demand, rapid detection, tested playbooks and supplier due diligence, also trim hard costs and downtime.

In effect, regulatory compliance becomes a blueprint for resilience. Organizations that embrace this mindset do not simply reduce legal exposure – they future-proof operations and accelerate digital transformation. Governance structures built for NIS2 or DORA can also support ISO 27001 certification, investor due diligence, or even streamline AI deployments across critical business processes.


Why it matters for Polish corporates

Polish companies are fast adopters of cloud, fintech partnerships and generative-AI pilots. That agility now meets tougher scrutiny. A Wrocław-based manufacturer, classified as an “important entity” under NIS2, must file an initial incident notice within 24 hours, in Polish, irrespective of a German parent’s processes. Banks offering banking-as-a-service must keep a live register of third-party Information and Communication Technology (ICT) contracts to satisfy DORA supervisors.

Non-compliance risks not only fines but supervisory orders that halt digital operations, an existential threat in a real-time economy. In the case of the AI Act, failure to document and monitor high-risk systems (e.g. automated credit scoring, hiring platforms, biometric controls) may lead to sanctions, product bans or litigation, particularly when deployed without proper human oversight.


Early adopters will earn three critical dividends:

• Cheaper capital. Private-equity funds and ESG-linked lenders increasingly embed cyber and AI governance metrics into due-diligence checklists, rewarding firms that can show NIS2 alignment.

• Higher resilience. DORA-mandated table-top exercises slash mean-time-to-recover. Every hour saved protects both revenue and reputation.

• Market differentiation. RFPs in banking and industry now ask for NIS2-ready controls alongside ISO 27001 certificates. Vendors that can comply win at a premium.

Moreover, organizations that lead in compliance maturity often become reference cases for regulators and standard-setters, influencing future policy and gaining early access to emerging regulatory sandboxes or pilot projects.


A structured, five-point board agenda, or roadmap, would look something like this:

• Map digital risk to financials. Tie plausible outages or AI misuse to EBITDA to frame budgeting debates. Use scenario modeling to simulate the impact on supply chain, customer churn or liquidity.

• Integrate third-party oversight. Demand dashboards with key information and data covering critical suppliers, cloud usage and AI model inventories; insist on right-to-audit clauses and escalation procedures in case of service disruption.

• Rehearse decisions. Simulate a ransomware attack and the 24-hour reporting rule; include legal, PR and finance. These dry runs should be held quarterly—not after a breach occurs.

• Automate the signal. Track unpatched critical vulnerabilities, supplier scores and AI-drift alerts rather than green-red status slides. Real-time automatic collection of performance and security data is an asset for the board, not just the CISO.

• Report externally. A concise operational-resilience statement in the annual report builds investor confidence and lowers cyber-insurance premiums. It also aligns with evolving ESG disclosure frameworks, where digital governance is fast becoming a core pillar.


Counting the cost

Leading CFOs are reallocating – not inflating – spending, by shifting budgets from perimeter tools to analytics, from crisis PR to proactive governance. A €500K investment that averts a single €10 million disruption yields an internal rate of return few growth projects can match.

The costs of compliance are real, but doing nothing can cost even more. Downtime, reputational damage, regulatory scrutiny—these are no longer “IT risks”—they are board-level failures. Turning risk into ROI starts with proactive planning, scenario testing and multi-disciplinary governance.


Looking ahead

New mandates are on the horizon: the Cyber Resilience Act will embed security-by-design into every connected product, while revised eIDAS rules aim to standardize digital-identity wallets. Compliance is no longer a one-time project—it is a continuous operational function.

Boards that treat today’s directives as a tick-box will stay on the back foot. Those that embed compliance into strategy will unlock trust, resilience and a competitive edge. The window for early advantage is narrow, but open.

As leaders convene in Karpacz, the question is not whether digital risk belongs in the boardroom. It is whether your board can turn mandatory controls into strategic advantage before your competitors—or the regulator—forces the issue.




Tomasz Janas

Advisory Managing Director at PKF Polska, ISO 27001 Lead Auditor, and expert in cybersecurity and business continuity, Tomasz Janas is a graduate of the Polish-Japanese Academy of Information Technology in Warsaw, where he majored in System, Networking, and LAN/WAN Management. With more than 16 years of experience in IT security audits, risk analysis, and the implementation of systems compliant with ISO 27001, ISO 22301, and DORA, he specializes in preparing organizations for compliance with the NIS2 Directive and Poland’s Act on the National Cybersecurity System (uKSC), as well as conducting audits and developing security policies, BCP/DRP plans, and ISMS documentation.


