The NIS2 Directive, the EU's updated cybersecurity law, must be applied by member states from 18 October 2024 and covers a broader group of organizations than its predecessor. It also introduces severe penalties, for essential ("key") entities up to 10 million euros or 2% of global annual turnover, whichever is higher, which makes it a board-level concern for the companies it covers. Although the new Minister of Digital Affairs has been tasked with urgently preparing guidelines for implementing the EU rules, companies should begin adapting now. Meanwhile, 25% of the companies covered are not even aware that the directive applies to them. What is more, every third company (32%) will not increase its cybersecurity budget despite higher needs. Organizations also do not treat the new regulations as a priority: only 38% plan to run a separate project for the implementation of NIS2.
With cyber threats growing in frequency and sophistication, the EU's original NIS Directive, in force since 2016, has become insufficient. The date from which its successor must be applied, 18 October 2024, is an opportunity for many organizations to improve their cybersecurity operations. The report Waiting for NIS2: State of Preparedness, prepared by the CSO Council, EY Poland and Trend Micro, analyzes how ready companies in Poland are to adopt the EU rules and provides interesting data on the topic.
Given the significance of the NIS2 regulation for our country, the scale of the challenges associated with its implementation, and the uncertainty caused by the lack of detailed national guidelines, we decided to check what stage of preparation companies in Poland have reached. For this purpose, we conducted a survey mainly among members of the CSO Council community, which brings together heads of cyber and information security departments in large companies, says Przemysław Gamdzyk, organizer of the CSO Council community.
The main challenge identified by the majority of respondents (60%) was the lack of information on how the regulations will be implemented in Polish law. The Act on the National Cybersecurity System has not yet been amended, so organizations must rely solely on the text of the directive and EU-level guidance.
The sooner companies familiarize themselves with the main obligations the NIS2 Directive imposes on them, the greater the chance of implementing the changes effectively. It is particularly alarming that as many as 25% of the entities in Poland covered by the new regulations are not aware of it. When asked whether their organization will be subject to NIS2, 13% of respondents answered "I don't know" and another 12% answered "no", even though they represent entities that will fall within its scope. At the same time, only 38% of the surveyed companies believe that adapting to the new regulations will be a demanding task and plan to launch a separate project for this purpose. Half of them (51%) intend to implement the changes within ongoing operations, and almost 10% are not considering any additional activities related to NIS2 at all.
The new directive introduces two significant changes: it extends the obligation to comply with cybersecurity requirements to new entities, and it enables the imposition of penalties. Covered organizations are divided into two groups: essential entities (termed "key entities" in the Polish translation) and important entities. As a rule, an organization falls within scope if it is at least a medium-sized enterprise, i.e. it has at least 50 employees or an annual turnover of over 10 million euros. In the sectors of high criticality listed in Annex I of the directive (energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, ICT service management, public administration and space), large enterprises are as a rule classified as essential and medium-sized ones as important, while some entities, for example certain providers of digital infrastructure and central public administration bodies, are covered regardless of size. These sectors include the most important areas of the Polish economy, such as energy, transport and banking, but also those particularly important for the functioning of the state, such as healthcare, digital infrastructure, waste water, drinking water and public administration.
Organizations that try to avoid fulfilling the new obligations face severe penalties. For essential entities, fines may reach 10 million euros or 2% of total worldwide annual turnover in the preceding financial year, whichever is higher (the directive sets these as minimum ceilings that national law must provide), which will be particularly burdensome for global companies. Important entities (including medium-sized companies from the high-criticality sectors, digital and postal service providers, and food producers) may face fines of up to 7 million euros or 1.4% of total worldwide annual turnover in the preceding financial year, whichever is higher.
The NIS2 Directive is a revolution in building cyber resilience across many sectors of the economy. Yet when it comes to its impact on the existing cybersecurity management model, every third respondent (36%) has not yet analyzed the issue. A further 30% of organizations have looked at it but have not identified a significant impact on their way of operating. On the one hand, this may mean that not all entities fully realize the consequences of the NIS2 provisions, including incident reporting within fixed deadlines (an early warning within 24 hours and a notification within 72 hours of becoming aware of a significant incident), supply chain security, and policies on the use of cryptography and, where appropriate, encryption. On the other hand, some larger companies may already have taken steps towards meeting the directive's requirements. Every fifth respondent (19%) has noticed its impact and is already implementing changes, while 15% believe that NIS2 requires significant improvements to their cybersecurity management model.
Organizations should estimate as soon as possible the scale of the changes and adjustments they will have to face. This may be a particular challenge for capital groups or multi-division enterprises with different levels of cybersecurity maturity. To avoid reinventing the wheel, it is worth analyzing the existing security architecture and the tools already purchased. With their help, new processes can be developed that will meet the EU requirements. There is little time left to complete these actions, so businesses should already start identifying the gaps in their organizations and the technical or organizational measures that will be most effective in closing them, advises Patryk Gęborys, Partner, Information Security and Technology Team, EY.
According to 45% of respondents, the shortage of specialists in this area is a major obstacle to implementing NIS2. Every fourth organization (28%) believes it does not have an adequate budget. The survey shows that the new regulations will increase cybersecurity funding in only 34% of companies, while in another 32% budgets will stay at the same level despite higher needs. And those needs may well grow, since the new NIS2 obligations include mandatory cybersecurity training for employees (and for management bodies) and security testing.
Time is running out, so if organizations want to meet all the requirements, they should focus on maximum automation and platform solutions. This approach allows a security environment to be built modularly on the existing infrastructure and, equally importantly, based on identified risk, summarizes Joanna Dąbrowska, CEE Security Platform Leader at Trend Micro. NIS2 requires cybersecurity management based on continuous risk monitoring of all assets, adds Dąbrowska.
The mounting challenges and the lack of preparedness to implement the directive are not specific to Poland. According to German government sources, only 40% of the roughly 30,000 entities in scope meet the basic requirements of the new regulation, and the one-off costs of adjusting or implementing the required processes are estimated at approximately 1.37 billion euros.
NIS2 poses new challenges for both businesses and public administration. Given that the Act on the National Cybersecurity System has not yet been amended and the deadline for applying the NIS2 provisions is approaching, the authors of the report recommend the most important actions companies should take now to start preparing for the new regulations.
About the study:
The survey was conducted in the fourth quarter of 2023 among 60 CISOs and security managers from the largest companies in Poland. Respondents from various sectors, including IT/telecommunications, finance/banking, trade/e-commerce and industry, answered the questions in an online questionnaire.