SMEs Must Embrace Pragmatism to Meet NIS-2 Requirements


With the implementation of the NIS-2 directive at the European Union level, cybersecurity requirements will also expand significantly in Poland from October 2024. Thousands of small and medium enterprises (SMEs) will fall under the new regulations. However, for these companies to increase their digital security in practice, and not just on paper, pragmatism will be required from everyone involved, believes Przemysław Kania, General Manager of Cisco in Poland.

It is estimated that as many as several tens of thousands of companies in Poland will fall under the “Directive on measures to achieve a high common level of cybersecurity”, otherwise known as the NIS-2 directive, and will therefore be subject to particularly strict requirements in the field of IT security. From postal and courier services, through energy and banking, to the chemical sector – all entities classified as key will need to modernise their IT protections and document this from autumn 2024. The issue is that few companies are aware of it, and even fewer know how to achieve it.

On one hand, with the implementation of the NIS-2 directive in Polish law, cybersecurity will become a mandatory pillar of conducting business. This is necessary because, according to a Cisco study from last year, only 7% of Polish companies have fully mature cybersecurity systems, placing our country at the bottom of the global ranking.

On the other hand, there is the question of which solutions are easy for SMEs to implement and at the same time help raise their IT security to the NIS-2 level. The new rules include risk management measures, the introduction of information security guidelines, ensuring emergency resources, and measures to ensure the integrity and authenticity of their own systems and processes.

While the previous directive only applied to a few thousand larger organisations in Poland, the new rules will cover the SME sector to some extent. The threshold of applicability has been set at companies employing at least 50 workers with an annual turnover of at least 10 million euros. Micro-businesses and small businesses that meet the criteria indicating their key role for society, the economy or specific sectors or types of services will also be obliged to apply the new directive.

One of the first challenges these companies will face is a lack of appropriate staffing: very few companies of this size employ a person responsible for IT security. Only a few SMEs have the resources to translate the new cybersecurity requirements into company practice and meet them. Therefore, when the directive comes into effect in October 2024, the market will need a pragmatic approach to achieve the highest possible level of cybersecurity in companies.

The Polish legislator also faces a challenge in transposing the directive’s provisions into national law. In this context, it is particularly important that four crucial aspects be reflected in the new rules: minimal bureaucracy, clear guidelines, a pragmatic approach, and the use of modern solutions for digital security. Let’s briefly discuss them.

Limited Bureaucracy

Polish companies could greatly benefit from a de-formalised, easy-to-manage incident reporting process, especially since some may be subject to mandatory reporting under other EU regulations. It should be taken into account that the security measures to be taken by the companies already consume an enormous amount of time and resources.

Clear Guidelines on Implementation

The basis is proportionality – both in terms of technical, organisational, and implementation costs in relation to risk. SMEs cannot be left alone in assessing what is proportional. What is needed here are understandable, transparent frameworks.

A Pragmatic Approach to Making Quick Progress

Equally essential are pragmatic guidelines aimed at ensuring an appropriate level of security without over-burdening companies. For small and medium enterprises, this may mean starting with easy-to-implement solutions.

Thanks to basics such as a contingency plan in the event of an attack, backups, appropriate email and network security, identity verification, and a zero-trust approach to access to company resources, a large portion of cybersecurity breaches can be eliminated. Keeping the final regulations close to the direction set by the EU will also reduce pan-European friction, as cyber attacks usually do not stop at national borders.

Cloud Security and Managed Services

Currently, modern security concepts come from the cloud and help companies, especially those with a small number of employees, improve their cybersecurity. On the one hand, they offer the most modern technical solutions. On the other, they allow services from external providers to be used. Smaller companies in particular struggle to find IT security specialists and must therefore rely on so-called managed services. For this purpose, the legislator should clearly define cloud security as an appropriate instrument.

In conclusion: the coming months are crucial for shaping the appropriate regulatory framework to protect the digital economy. The NIS-2 directive will be an asset if its requirements can be realistically implemented. A practical approach with a low level of bureaucracy is required. After all, a vast majority of companies are already targets for cybercriminals and need targeted, realistic requirements and effective tools to protect themselves against this threat.

Przemysław Kania, General Manager of Cisco in Poland
