NIS2 Directive Takes Effect, but Polish Business Awareness Remains Alarmingly Low

On 20 October, Minister of Digital Affairs Krzysztof Gawkowski announced that the draft amendment to the Act on the National Cybersecurity System (KSC) had been submitted for government deliberation[1], and on 21 October the government adopted it[2]. Data from the latest report “Cyber Portrait of Polish Business 2025” show that the debate on systemic prevention of the cyber threats facing Polish companies can no longer be postponed: awareness of the regulations in this area remains critically low. As many as 36% of cybersecurity experts do not know whether the company they work for is subject to the EU NIS2 Directive, the directive the KSC amendment is intended to implement.

Key data:

  • 36% of cybersecurity specialists do not know if their company is subject to the EU NIS2 Directive
  • 53% of companies have updated their cybersecurity policies due to NIS2
  • 35% of organizations have so far hired additional cybersecurity experts

What are NIS2 and KSC about?

NIS2 is a key element of the EU’s strategy to strengthen digital resilience. Its goal is to raise minimum security standards among organizations providing essential services and digital service providers across the European Union. Entities classified under the new rules as “essential” or “important” must implement appropriate risk-management policies and procedures, including mandatory reporting of significant cybersecurity incidents within strict deadlines (an early warning to the competent authority within 24 hours of becoming aware of the incident, a full notification within 72 hours, and a final report within one month). The directive also places greater responsibility on management bodies, obliging them to approve security measures and oversee their implementation, and mandates cybersecurity training for executives.

The NIS2 Directive obliged all EU Member States to adopt national implementing legislation by 17 October 2024. In Poland, the draft Act on the National Cybersecurity System (KSC) intended to meet this requirement was submitted to the government on 20 October 2025, a year after the transposition deadline, according to Minister Gawkowski. The need for the regulations is underlined by recent cyberattacks targeting Poland.

According to ESET data, Poland was the most frequently targeted country in the world by ransomware attacks in the first half of 2025, accounting for 6% of all global incidents—surpassing even the United States.

Do companies know about NIS2?

The most pressing cybersecurity challenge soon facing Polish companies will be determining whether they fall into the “essential” or “important” entity category. As the latest ESET and DAGMA IT Security report shows, even IT security professionals struggle with this: a full 36% of cybersecurity experts are uncertain whether their company is covered by the new regulations, which could lead to numerous difficulties. Another challenge is the supply chain: because NIS2 obliges covered entities to manage the security of their suppliers and service providers, organizations that do not meet the required cybersecurity standards may effectively be “excluded” from the market.

“Companies working with entities subject to NIS2 will also need to enhance security if they want to maintain their contracts. In other words: even if the regulation does not apply to us directly, the market itself may still require us to comply with its provisions,” says Piotr Piasecki, Cybersecurity Services Consultant at DAGMA IT Security.

The high level of uncertainty may indicate challenges in regulatory risk assessment and insufficient cooperation between legal, compliance, and IT departments. The situation is further complicated by complex legal frameworks, lack of clear industry guidance, and low regulatory maturity—especially in the SME sector. Such information gaps may cause delays in implementing required measures and heighten the risk of sanctions.

Companies hesitate while taking action

Despite significant uncertainty among cybersecurity professionals, many companies are already implementing changes mandated by NIS2. The most common action among organizations aware of the directive is updating their cybersecurity policy—53% have already done so, and a further 34% are planning to. Furthermore, 51% of companies have organized additional employee training, and another 38% intend to do so. Policies and training are the two key areas of adaptation to the new rules, and these fields are seeing the fastest pace of change.

More advanced and costly initiatives, such as deploying new security tools or increasing IT security budgets, are also progressing. These steps have already been implemented by 43% of companies, with an additional 40–46% currently preparing to do so. A similar trend is seen in audits and penetration testing—42% of firms have conducted them, while the same proportion plans to. Compared to the overall sample, this is a much better result, as only 25% of companies in Poland perform cyber resilience testing.

The biggest challenge: new talent

The biggest challenge for many organizations remains staffing—specifically, acquiring qualified cybersecurity specialists. According to the data, only 35% of companies have so far hired additional experts in this field, while 43% say they plan to do so soon. This means that for a large part of the market, building adequate in-house competencies is still in the planning phase. Notably, 19% of companies have no plans to hire new specialists at all. This suggests serious barriers linked to limited availability of qualified candidates as well as budget constraints preventing IT team expansion.

The staffing problem is only part of a broader challenge: preparing organizations for new threats and requirements. Mere compliance is not enough—strategic thinking about security is essential.

“It’s worth looking at NIS2 more broadly than just a regulatory ‘must.’ Even if a company is not directly listed under the directive, its requirements can serve as a solid foundation for a Security Management System. It’s not a ‘necessary evil,’ but a set of good practices that genuinely improve business protection. Ultimately, we should ask ourselves: is it better to wonder whether we’re ‘covered’ by NIS2, or to focus on actually being secure? Because in a world of cyberattacks, the consequences of being unprepared can be far worse than any regulation,” adds Piotr Piasecki.

About the report

“Cyber Portrait of Polish Business 2025,” prepared by ESET and DAGMA IT Security, presents an up-to-date picture of cybersecurity in Polish companies. It continues research begun in 2024, aiming to capture changes in how Polish businesses approach digital threats, as well as measure their readiness for increasingly complex technological and geopolitical challenges. The report juxtaposes employee views with those of cybersecurity decision-makers.

The data reveals that businesses face increasingly complex threats, and the gap between declared knowledge and actual action remains alarmingly wide. The report’s authors analyze not only the scale of attacks and security measures but also employee awareness, training effectiveness, and organizational readiness to implement new standards in a rapidly changing environment.


[1] https://cyberdefence24.pl/cyberbezpieczenstwo/ustawa-o-ksc-w-pracach-rzadu-bede-namawial-prezydenta
[2] https://cyberdefence24.pl/polityka-i-prawo/rzad-przyjal-projekt-nowelizacji-ustawy-o-krajowym-systemie-cyberbezpieczenstwa