NIS2 and Beyond: Why Cybersecurity is a Smart Business Investment

The Directive on measures for a high common level of cybersecurity across the European Union (Directive (EU) 2022/2555), more commonly known as NIS2, is a key legal act that will significantly affect the operations of many organizations. It replaces the original NIS Directive, in force since 2016 and transposed into Polish law in 2018 through the Act on the National Cybersecurity System. The transposition of NIS2 into Polish legislation is currently in its final stages, and the amended act is expected to come into effect as early as this autumn.

Who Does the Directive Apply To?
While NIS2 formally applies to entities in the sectors the directive classifies as essential or important (among them energy, transport, banking, health, digital infrastructure and public administration), its requirements should be read as a universal roadmap for any organization that wants to strengthen its cyber resilience, whether or not it falls under the act.

What Needs to Be Implemented?
Entities covered by the directive are required to register themselves; nobody will do it for them. The first step is therefore to verify whether your organization qualifies as an essential or important entity, based on its size, the sector it operates in and the services it provides. The next step is to implement the required technical and organizational measures, which include:

  • Risk assessment and risk management policies,
  • Incident response and business continuity procedures,
  • Supply chain security,
  • Cyber hygiene practices and cybersecurity training,
  • Cryptography and encryption policies and procedures,
  • Human resource management, access control, and asset management,
  • Where appropriate, multi-factor or continuous authentication.

In addition, organizations covered by the directive will be required to undergo a cybersecurity audit at least once every three years. It is worth emphasizing that the list above is not exhaustive (the full catalogue of measures is set out in Article 21(2) of the directive), and that the measures must be proportionate: every company should tailor its policies and procedures to the specific nature of its operations and the actual threats it faces, rather than treating the list as a checklist to tick off.

Cybersecurity as an Investment, not a Cost
The introduction of the amended act is a good occasion to review your organization's cybersecurity framework as a whole: which assets you have, what risks they face, what capabilities you already have in place and where knowledge gaps remain. Cyber resilience brings a range of benefits:

  • Minimizes the risk of potential penalties due to regulatory violations or data breaches,
  • Reduces the likelihood and cost of successful attacks,
  • Strengthens trust among customers and business partners,
  • Provides a competitive advantage.

Instead of asking "Can I afford cybersecurity solutions?", business owners should ask "Can I afford to handle an incident, rebuild operations, manage a reputational crisis and pay regulatory fines?"

Fortunately, businesses are not left alone in facing these challenges. Experts will discuss the practicalities of implementing the new regulations, current threat trends and modern technologies during Poland's largest cybersecurity event, CYBERSEC EXPO & FORUM, taking place on June 11–12 in Kraków.