In 2024, Poland ranks second in the European Union in terms of the number of cyber attacks on companies, with as many as 32% of businesses affected. To make matters worse, attacks increasingly affect not only the IT sphere but also industrial (OT) and critical infrastructure: water supply systems, power grids, hospitals. This shows that cyber security is no longer the domain of IT professionals – it has become a matter of national importance.
During the year, the number of confirmed incidents in Poland increased by 23%. Experts emphasise that as long as the NIS2 Directive remains unimplemented in Polish legislation, the risk of further escalation is real. The new legislation is expected to cover up to 38,000 entities, which radically expands the circle of companies considered relevant to national security. Many of them may not be aware of this.
Unsecured OT infrastructure becomes an easy target, and by extension so does the entire organisation. Meanwhile, many companies still do not know what devices and industrial systems they have, who has access to them or whether they are adequately protected. Integrated security architecture, incident management processes and OT/IoT team competence are lacking. These are real gaps that can be identified and addressed, including by using international standards (such as NIST) and CERT tools.
The EY report indicates that companies need to move away from a reactive approach and implement a culture of cyber resilience – including through employee training and change management. Collaboration with technology manufacturers and integrators and a ‘security by design’ approach are now a necessity, not an add-on.
Conclusions? Poland is facing a crucial moment: on the one hand, it is exposed to increasingly sophisticated attacks; on the other, it lacks full regulation and prepared defence structures. The future of cyber security requires not only an update of the law, but also a change of mentality. In a digital war, it is not the wall but the weakest link that determines the outcome.