As many as 96% of medium and large companies in Poland analyze cybersecurity issues when implementing AI-based tools.
According to the third edition of EY’s study How Polish Companies Implement AI, investments are beginning to catch up with declarations. Within a year, the share of enterprises deploying AI in digital protection increased by 12 percentage points (from 28% to 40%). During the implementation process itself, 38% of organizations introduced additional safeguards to limit operational, legal, or security risks, while more than half (53%) implemented formal AI usage policies.
Cybersecurity is one of the main areas reviewed by medium and large enterprises in Poland when introducing artificial intelligence tools. As many as 60% conducted a detailed analysis of cybersecurity, while 36% carried out a partial review. These results are consistent with findings from previous editions of EY’s annual How Polish Companies Implement AI study, conducted over the past three years. At the same time, 39% of respondents indicated that concerns about digital security were the biggest barrier to starting AI initiatives.
Importantly, this is the first time investments are clearly catching up with intentions. Over the past year, the proportion of companies deploying AI specifically in cybersecurity rose by 12 percentage points (from 28% to 40%).
Polish companies are trying to assess how AI models process data, what risks they generate, and how to reduce organizational vulnerability to incidents. This shows that AI is not being implemented blindly — security is treated as a control checkpoint rather than an afterthought. The significant growth in AI adoption in cybersecurity suggests that more companies recognize that hackers are actively investing in AI-powered tools. Failing to respond appropriately is essentially inviting trouble. An attack is inevitable — the only question is when, not if,” says Piotr Ciepiela, EY Partner and Technology Consulting Leader.
Additional safeguards
Polish companies most often respond to AI-related risks by building employee awareness and skills, followed by technological measures. In practice, organizations begin AI implementation by introducing the easiest protective measures, while technical tools serve as complementary support.
The most frequently declared action was updating security policies and providing additional employee training, indicated by 38% of companies. Another 34% implemented technical security solutions, while over one fifth (22%) combined both approaches. Only a very small percentage (2%) took no action.
“We observe that companies are increasingly intensifying initiatives aimed at employees. This is the right direction, because humans remain the primary attack vector. This is especially relevant when raising awareness about the use of publicly available tools which, although sometimes more advanced than internal corporate technologies, may pose a threat to organizational confidentiality. However, awareness alone is not enough. Users must also be supported by technical tools that help distinguish real people, voices, and information from content generated or distorted by AI models,” adds Leszek Mróz, EY Partner responsible for cybersecurity services in Poland.
More than half of organizations (53%) have implemented formal AI usage policies covering both internal and public systems — an increase of 13 percentage points compared to 2023. Nearly one third (30%) have policies specifically addressing public tools, and only 11% are still considering introducing such rules. Year-to-year comparisons show a dramatic decline (from 30% to 11%) in the share of companies that have not implemented any policies.
Concerns related to AI
The most frequently cited risk slowing or preventing AI implementation is data security and cybersecurity (39%). Other major concerns include technological challenges (34%), regulatory uncertainty (32%), and process or organizational difficulties (32%). More than one quarter of organizations (26%) consider excessive costs the main barrier, while 23% question the quality of results and the maturity of AI technology.
The effectiveness of AI tools depends directly on the data provided. At the same time, data remains the primary target of cybercriminals. It is therefore encouraging that businesses show high awareness of the need to protect this resource. However, a cybersecurity strategy should not end with implementing protective tools. Only a small fraction of enterprises have a response plan in case a cyberattack succeeds. This is a serious mistake, because without preparation, organizational chaos is amplified rather than minimized,” emphasizes Piotr Ciepiela.
About the study
The study How Polish Companies Implement AI was conducted for EY by CubeResearch. The survey included 499 Polish companies: 45% from manufacturing, 33% from services, and 22% from trade. Medium-sized enterprises accounted for 56% of respondents, and large companies 44%. The third edition of the study was carried out in the final quarter of 2025.
