Public institutions and critical infrastructure operators reported 1,600 cyberincidents last year, according to the latest CSIRT GOV data.[1] Would the situation have been different if the new EU directives had been effectively implemented a year ago? Experts from Palo Alto Networks confirm that the most heavily regulated sectors exhibit the greatest maturity and resilience to cyberattacks. However, meeting legal requirements is only the first step toward full security. True protection requires strategic risk management, as well as the ability to detect and respond to threats that evolve faster than legislation.
European regulations such as GDPR, NIS2, DORA and the AI Act were created to support digital transformation and mitigate its associated risks. These four legal acts also demonstrate how dynamic — and often difficult to implement — new EU law can be. Poland is no exception in lagging behind on transposition: similar delays occurred in Germany and more than a dozen other countries.
Everything indicates that in the coming years, Poland will remain among the most frequently attacked countries in Europe. While the private sector remains the top target for organized criminal groups, their operations increasingly focus on military secrets, critical infrastructure information and hospital patient data. Why? This strategy offers criminals diversification — and new revenue streams.
For example, Polish hospitals store vast amounts of sensitive patient data in outdated and unsecured systems — a treasure trove for cybercriminals. Tens of thousands of small and medium-sized companies and local government institutions face similar problems. These are easy targets that attackers rarely overlook. The new EU regulations aim to strengthen and secure the most vulnerable areas, but debates on their final form under national law are still ongoing.
NIS2 Sparks Concern, But Regulations Alone Are Not Enough
“A significant number of decision-makers and entrepreneurs are sceptical about the scope of obligations introduced by the NIS2 directive. We also hear concerns about potential overregulation — or the opposite, that more regulation is the only way to ensure security. Our experience in more than 150 countries shows that neither regulation alone, nor protective software alone, can guarantee full security. Legislation is a foundation — but building a strong defensive wall depends on how companies implement these guidelines and which cybersecurity partners they choose.”
— Wojciech Gołębiowski, Vice President and Managing Director for Central and Eastern Europe, Palo Alto Networks
A report published this spring by ENISA[2] highlights major differences in digital maturity among businesses — by sector and by size. Moreover, alongside sectors already governed by strict rules (banking, energy, telecommunications), a massive number of entities that have never before faced formal cybersecurity requirements will soon fall under these obligations.[3] ENISA notes that this may complicate the supervisory process at the national level: firms with no prior exposure to strict compliance regimes may struggle to adapt, while public officials will be required to oversee industries they do not yet understand.[4]
Analysts at Palo Alto Networks point out that the sheer volume of new obligations may overwhelm entrepreneurs, leading to reluctance — or outright resistance — toward adopting NIS2 and future regulations.
NIS2 Was Not a Mistake — But Implementation Must Evolve Faster Than Threats
Was NIS2 a mistake?
On the contrary.
NIS2 accurately reflects the shifting risk landscape and the need for organizations to continuously adapt their security measures. It emphasizes that cybersecurity systems must be treated as an integral part of organizational operations, affecting not only a company’s security but also the security of the environment in which it operates — and even the security of the state itself.
At the same time, the NIS2 case reveals a fundamental problem: an overload of regulations can paralyze decision-makers and stall critical reforms. It also exposes the gap between formal compliance and real cybersecurity — a gap that cannot be tolerated in Poland or in any state facing geopolitical risks.
“Maintaining regulatory compliance requires constant monitoring of legal updates and adapting cybersecurity systems to new requirements. Most public institutions and SMEs lack the resources to handle this on their own. Fears about these costly obligations lead some decision-makers to delay NIS2 implementation. Meanwhile, every month of legislative delay increases the risk that the law will need immediate amendment once adopted, because new cyberthreats emerge so quickly. We must also remember that we are entering the quantum era — cyberattacks will soon change dramatically again, and both security vendors and policymakers must be prepared in advance.”
— Wojciech Gołębiowski
Compliance Does Not Equal Security — Zero Trust and Education Are Critical
Experts from Palo Alto Networks emphasize that institutional compliance does not equal effective protection against cyberthreats. Moreover, some vulnerabilities cannot be eliminated through regulations. Cybercriminals are becoming increasingly adept at exploiting human weaknesses — manipulation, social engineering, and psychological tactics.
Therefore, cybersecurity reform must adopt a systemic approach. In a rapidly evolving digital landscape, one of the most important competencies is the ability to operate under the Zero Trust principle: never trust any user, device or connection implicitly, and verify every access request.
Until a unified regulatory framework is established for all sensitive sectors, the only reliable defence for many industries is education: understanding how digital manipulation works and how to recognize potential threats.
References
[1] CSIRT GOV, Raport o stanie bezpieczeństwa cyberprzestrzeni RP w 2024 roku, p. 14
[2] ENISA, NIS360 2024, pp. 8–9
[3] Ibid.
[4] Ibid.