In Poland, NIS2 is still treated as a topic for industry presentations. Meanwhile, the directive is no longer theory. The government has just adopted a draft law on the National Cyber Security System to implement it. Looking ahead to the coming months, the real risk for companies is no longer that the regulation will be ‘too harsh’, but that companies will enter the new obligations unprepared.
The data shows this best. In the report ‘Cyberportrait of Polish Business 2025’, as many as 36% of those responsible for cyber security cannot say whether their organisation is covered by NIS2. This is no longer a question of low awareness. It is a signal that half of the market still has not done a basic regulatory risk analysis.
Meanwhile, the directive does not apply only to ‘critical operators’ in a narrow, sectoral sense. The new definition covers not only critical industries but also a large part of their supply chains. If a contractor requires compliance, your company will have to prove it, regardless of whether the state places you on the ‘important’ or ‘critical’ list.
The consequences of ignorance will be commercial. If retailers, technology distributors, SaaS operators, IT service outsourcers, integrators or software houses cannot demonstrate compliance, they will lose contracts. In practice, the market will enforce NIS2 faster than the supervisor.
At the same time, Polish companies are acting despite the interpretive chaos. 53% of organisations that assume NIS2 covers them have already updated their security policies. More than half are conducting additional training. These are the easiest actions to take and the ones with the lowest CAPEX, but their mass adoption shows that for many CIOs and CISOs the directive is already a reality.
Building operational capacity requires more effort. 35% of the companies surveyed confirmed that they have hired cyber security experts; 43% say they are only planning such a move. The problem is not reluctance to invest, but the availability of people. The market for specialists is tight. Increasing the workforce will take time, and the regulation will not grant an extra year to do so.
All this comes at a time when Poland is, realistically, among the top global targets of cybercriminals. According to ESET, in the first half of 2025 our country accounted for 6% of global ransomware incidents, more than the United States. In this context, any company that waits for ‘final regulations’ is taking an unnecessary risk.
It is therefore worth reversing the perspective. NIS2 is not a compliance checklist. Its set of procedural requirements, higher board accountability, mandatory incident reporting and resilience testing is simply a sound security governance framework. Even if a company ultimately does not formally fall ‘under NIS2’, implementing its logic is cheaper than recovering from ransomware.
From a business perspective, the question is no longer whether NIS2 covers us. The question is whether we want to take control ourselves before the regulator or the market does it for us.