Polish businesses are grappling with new cybersecurity regulations under the NIS2 directive, facing potential fines of up to €10 million for non-compliance.
Polish Firms on the Radar: Report Reveals Security Weaknesses
Cyber threats are increasingly endangering Polish enterprises. The latest data from the second edition of ESET’s “Cyberportrait of Polish Business” report, prepared in collaboration with DAGMA Bezpieczeństwo IT, reveals that despite growing awareness of threats, the level of preparedness remains inadequate.
Concerning Labor Market Data
The report is based on a survey of over 1,000 working Poles, including 283 cybersecurity specialists, and highlights systemic problems in the approach to digital protection.
Password and Training Deficiencies
As many as 55% of employees use the same passwords for different accounts, significantly increasing the risk of data breaches. Furthermore, an identical percentage (55%) have not participated in any cybersecurity training in the last five years, indicating a marginalization of education in this area.
Basic Security Measures Lagging
Only 53% of companies report using antivirus software, and only 4 out of 10 businesses have implemented multi-factor authentication, now considered a baseline standard for access protection.
Experts Express Doubts About NIS2 Compliance
A surprising finding of the report is that 36% of cybersecurity experts are unsure whether their organization is subject to the requirements of the NIS2 directive. The new regulations are a response to the dynamic increase in the number of cyberattacks, their increasing frequency, and growing sophistication, which increasingly threaten the stability of the economy and the functioning of the market.
Expanded Regulations and Financial Consequences
The new regulations drastically expand the scope of entities subject to obligations, dividing them into essential (in the Polish draft, "key") and important entities. These obligations generally apply to medium and large enterprises in sectors such as energy, transport, banking, healthcare, food production, waste management, and public administration. However, for certain categories, such as qualified trust service providers or providers of public electronic communications networks, company size is irrelevant, and they are subject to the requirements regardless of scale.
Each of these entities must now implement comprehensive risk management measures, including threat analysis, security policies, ensuring business continuity, effective incident response, and supply chain security, according to Karol Witas, an attorney at The Heart law firm.
Policies on the use of cryptography and encryption, as well as regular audits of the effectiveness of the measures taken, are also becoming mandatory. Ignoring these requirements carries severe financial consequences: the directive provides for administrative fines of up to €10 million or 2% of total annual worldwide turnover for essential entities, and up to €7 million or 1.4% of turnover for important entities, whichever amount is higher.
Cyberincidents Often Covered Up
The ESET study also reveals a problem of inadequate incident reporting. As many as 17% of people who experienced a cyberattack at work did not report it to anyone. This attitude significantly hinders organizations' ability to respond to threats and learn from them, and sits uneasily with the NIS2 obligation to report significant incidents to the competent authorities within fixed deadlines.