Report: 36% of companies do not know whether they are covered by NIS2 directive
The latest report “Cyber Portrait of Polish Business 2025”, prepared by ESET and DAGMA Bezpieczeństwo IT, highlights a significant lack of awareness among Polish companies regarding the EU’s NIS2 directive, which aims to strengthen cybersecurity across essential and important service providers in the European Union. Although Poland is working on implementing NIS2 through the National Cybersecurity System (KSC) Act—recently submitted for government consideration—the report reveals that 36% of cybersecurity specialists do not know whether their organization is subject to the directive. This uncertainty poses major risks, as companies must comply by implementing appropriate cybersecurity policies, incident reporting procedures, and management-level oversight.
NIS2 affects not only organizations directly classified as key or important but also their supply chain partners, which means many businesses will be required to elevate security standards to maintain contracts. The report suggests that difficulties in assessing regulatory impact stem from complicated legislation, limited internal coordination between legal and IT teams, and generally low regulatory maturity, particularly among small and medium-sized enterprises.
Despite this ambiguity, many companies have already started adapting. 53% have updated cybersecurity policies, and 51% have conducted additional employee training. More resource-intensive measures—such as increasing security budgets, implementing new tools, or conducting penetration testing—are also progressing, though at varying speeds. However, the greatest challenge remains staffing. Only 35% of companies have hired additional cybersecurity experts, while 43% plan to do so, indicating a widening talent gap and budget constraints.
Experts emphasize that NIS2 should not be viewed solely as a mandatory compliance burden, but as an opportunity to systematically strengthen organizational resilience. Even companies not formally covered by the directive can benefit from adopting its standards, particularly given the rising frequency and severity of cyberattacks, with Poland identified as the country most targeted by ransomware worldwide in the first half of 2025.
(WBJ)