Tag: NIS2

  • How are NIS2 and DORA changing IT departments? New strategies in IT recruitment

    Until recently, the IT security debate centred around the number of vacancies, treating the shortage of manpower as a major brake on growth. However, the SANS and GIAC Workforce Research 2026 report sheds a whole new light on this diagnosis. It turns out that it is not empty chairs that account for the fragility of systems, but gaps, invisible to the naked eye, in the competencies of the people who already sit in those chairs. In 60% of organisations, teams that are fully staffed nevertheless remain vulnerable to modern threats.

    The dawn of regulatory engineering

    The traditional division between legal departments looking after the letter of the law and technical departments looking after the bits and bytes no longer exists. The exponential increase in the importance of regulatory compliance – from 40 to 95 per cent in just one year – has forced the birth of a new caste of specialists. Directives such as NIS2 or DORA have ceased to be regarded as an onerous bureaucratic obligation, becoming the foundation of job role design. Today’s job market is no longer simply looking for a systems administrator; it covets a regulatory engineer who can translate a rigorous regulatory framework into a cloud architecture.

    In March 2026, there were more than two and a half thousand active advertisements for AI and ML security engineers. This phenomenon shows that the market no longer believes in the versatility of former experts. Almost one in three companies has created dedicated positions for people operating at the intersection of artificial intelligence and data protection. This specialisation is not an aesthetic choice, but a necessity driven by the fact that it is at the intersection of new technologies and the lack of knowledge of how to secure them that 27 per cent of successful attacks occur.

    Foundation erosion and cognitive paralysis

    Automation, which was supposed to be a saviour for overloaded teams, has introduced an unexpected disruption to the HR ecosystem. Artificial intelligence has taken over entry-level tasks that for decades served as a natural testing ground for junior SOC analysts. By cutting out these career tiers, organisations have inadvertently dismantled the early training system for future experts. A generational gap is being created that cannot be bridged by ad hoc hiring, as the market lacks ready candidates to meet the exacting requirements of 2026.

    At the same time, the highest levels of human resources face a phenomenon known as ‘AI Fry’. This is a specific type of burnout resulting from the constant context-switching between numerous tools supported by artificial intelligence. Although these tools reduce manual analysis time, they paradoxically increase stress levels in 61 per cent of employees. The overabundance of data and the need to constantly verify the suggestions generated by the algorithms make even the most experienced professionals work at the limit of their cognitive capacity.

    New currency: Proof instead of a promise

    Competency verification has undergone the most radical transformation in the history of the IT sector. An academic degree, once the gold standard for recruitment, now features among the priorities of only 17 per cent of employers. In a world where technology becomes obsolete in quarterly cycles, a theoretical university foundation has given way to certifications and practical evidence of proficiency. For 64 per cent of leaders, it is the certificate that is the hard currency verifiable during an audit.

    This shift towards pragmatism forces organisations to use structured competency frameworks such as NICE or ECSF. They make it possible to precisely map the gaps in the team, turning the intuitive search for a ‘good IT professional’ into a mathematical operation of filling in the missing links in the security chain. Investing in the development of existing staff ceases to be seen as a benefit and becomes a key element of operational risk management.

    Education as a hard infrastructure component

    A common management mistake is to treat learning time as a resource that can be sacrificed in the name of day-to-day operations. However, the data is inexorable: 60 per cent of companies admit that it is pure workload that prevents necessary training, which leads directly to project delays and weakened incident response. Teams trapped in reactive mode lose their ability to adapt, which, in the context of severe penalties for non-compliance with NIS2, becomes a real financial threat to the entire corporation.

  • Why is NIS2 a revolution in management, not just a change in IT?

    For decades, there was an unwritten belief in the corporate world that cyber security was the domain of basements and server rooms – an airtight world of zeros and ones in which IT directors acted as isolated gatekeepers. Boards treated digital risk issues as a necessary evil, an operational cost to be minimised, or a technical glitch that could be fixed with the next software update.

    This comfortable distance is just now becoming history. The introduction of the EU’s NIS2 directive is not just another regulatory change; it is a fundamental redefinition of corporate governance that makes information security as much a part of reporting as the bottom line or market strategy.

    Fundamental to this change is the understanding that in the modern economy there is no longer a divide between business and technology. Every business process, from the supply chain to the customer relationship, is inextricably intertwined with the digital infrastructure.

    Thus, any gap in this infrastructure becomes a gap at the heart of the organisation. NIS2 recognises this relationship, shifting the burden of responsibility from administrators directly onto the shoulders of top management. In the new state of the law, lack of knowledge of the state of security is no longer a line of defence, but becomes evidence of gross negligence in oversight.

    A new definition of leader responsibility

    The evolution of regulations introduces a mechanism that can be called personal responsibility for digital resilience. Governing bodies are now obliged not only to approve cyber security budgets, but more importantly to actively oversee the implementation of risk management measures. This is a subtle but crucial difference. It is no longer enough to sign a document prepared by the technical department; what is required is an understanding of how these measures correlate with the business continuity of the company.

    It is worth noting that the sanctions envisaged by the regulator go far beyond severe financial penalties, which can run into millions of euros. The most painful supervisory instrument may turn out to be the possibility of temporarily suspending executives from performing their duties. This signals that the legislator is treating cyber security as an elementary duty of care, just like taking care of liquidity or complying with environmental standards. Risk management therefore ceases to be a project with an end date and becomes an ongoing process that must be reported and monitored at the highest levels of the organisational structure.

    The trap of paper compliance

    Many businesses fall into the trap of creating extensive libraries of policies and procedures that, in theory, make the organisation compliant. However, NIS2 presents businesses with a much more difficult task: demonstrating the real effectiveness of these measures. Documentation that is not reflected in employees’ daily habits and viable defence scenarios is worthless in the face of an incident. Regulators will increasingly ask not whether a company has a security policy in place, but how that policy has stood the test of reality.

    In this context, security culture, as an auditable resource, becomes crucial. Since statistics inexorably show that most breaches originate from human decisions – often made under time pressure or as a result of routine – it is the behavioural resilience of staff that becomes the most valuable quality certificate. For management, this means investing in solutions that measure staff preparedness. Evidence of staff’s ability to recognise a threat and react according to protocol becomes much more convincing in the eyes of the auditor than the fact of having the most expensive technical solutions that can be circumvented with one careless click.

    Security as the foundation of market value

    While the new regulations are sometimes seen as an administrative burden, forward-looking leaders see them as an opportunity to build a sustainable competitive advantage. The domino mechanism that NIS2 introduces for supply chain verification makes each company a link in a larger system of interconnected vessels. Companies that can prove their digital maturity become partners of first choice. Transparency in the area of cyber security builds trust not only with counterparties, but also with investors and financial institutions, for whom operational stability is a key indicator of a company’s valuation.

    Modern leadership maturity also manifests itself in the acceptance that absolute network invulnerability is a myth. Instead of striving for impossible technical perfection, the focus is on resilience – the ability of an organisation to survive an incident and return to full operational capability in no time. This approach removes the odium of a technical problem from cyber security and gives it the status of strategic crisis management.

    Horizon of change for modern management

    When facing the enforcement of new regulations, organisations need a clear plan of action that goes beyond IT. The first step is always to educate executives themselves so that they can dialogue with technical experts without feeling excluded from the discourse. Next, there needs to be robust verification of the effectiveness of the safeguards in place through resilience tests that reflect real threats, not just theoretical models. Finally, a shift in the investment vector towards human capital is needed.

    Ultimately, the NIS2 directive promotes a vision of a business that is aware of its vulnerabilities and actively manages them. It is not a bureaucratic hurdle, but a signpost showing how to build an organisation capable of operating in a world where information is the most valuable currency and its loss the greatest threat. True corporate resilience is born where advanced technology meets conscious leadership, creating a system that protects not only the data, but more importantly the value and future of the entire enterprise.

  • Control Architecture: How NIS2 and Data Act regulations have redefined cloud maturity in 2026

    The fascination with cloud computing technology itself has given way to an era of mature risk management. Until a few years ago, debates in IT directors’ offices oscillated around the dichotomy between on-premises and public infrastructure, treating migration as an end in itself. The year 2026, however, brought a sobering and profound redefinition of priorities. Today, the cloud has ceased to be merely a moving infrastructure and has become a strategic ecosystem in which control is the key currency. Indeed, the real challenge is no longer a question of where a container or virtual machine physically resides, but who is actually in control of cost, operational continuity, legal compliance and the ability to change course when market dynamics demand it.

    The business landscape has been shaped by two powerful regulatory pillars: the NIS2 Directive and the EU Data Act, which took full effect on 12 September 2025. Although initially treated with some reserve, typical of new bureaucratic burdens, in retrospect they appear as catalysts for positive change. They have transformed the European digital services market from a space dominated by the arbitrary rules of global providers to an environment where transparency and interoperability have become a standard rather than a privilege.

    Fundamental to this change is the shift from declarative security to operational resilience. For years, many organisations have relied on so-called catalogue security, trusting that the certifications of the big players automatically solve the problem of protecting assets. The implementation of NIS2 has brutally tested this approach, imposing a common framework that requires real risk management measures and precise incident reporting mechanisms. In 2026, security is seen as a continuous process of monitoring, detecting and actively learning from mistakes. The difference between having control and being protected has become clear: the former requires the ability to demonstrate at any time what happened, what steps were taken and how the failure was mitigated.

    In parallel, the Data Act has introduced a new dynamic in the relationship between the customer and the processing provider. A key element of this regulation is the facilitation of migration between providers, effectively hitting the phenomenon of dependence on a single technical partner. Minimum requirements for cloud contracts and imposed interoperability standards have meant that the concept of exit readiness is no longer just a theoretical provision in business continuity plans. In practice, this means that organisations can today plan their architecture in a modular manner, without fear of economic or technological barriers to a possible change of provider. The ability to seamlessly transfer data and functionality without losing its integrity has become the insurance policy of the modern business.

    Nowadays, there is a clear trend for medium and large companies to seek more customised models. Increasingly, the choice is falling on hybrid environments or private models hosted within established cloud providers. This structure preserves the benefits of consuming resources as a service, while offering a higher level of isolation, traceability and, most importantly, operational proximity. In this context, the labelling of solutions becomes secondary. It is irrelevant whether the model is called public or private, as long as it measurably addresses the fundamental needs of the business.

    Three questions are key here, which in 2026 represent a kind of litmus test for any cloud strategy. The first relates to operational peace of mind: does the architecture allow for stable operations without worrying about sudden regulatory or technological changes? The second relates to auditability: is the compliance verification process frictionless, evidence-based and naturally collaborative with the provider, rather than tediously mining data from opaque systems? The third, and perhaps most important, relates to freedom: does the organisation have a viable and feasible exit route if the partnership ceases to meet expectations?

    True business resilience is no longer equated with a simple high availability parameter written into a contract. Mature organisations understand that business continuity does not come from a blanket provision of guaranteed uptime, but from sound design, application-level replication and regularly tested disaster recovery plans. With this approach, businesses stop improvising with each new project, relying instead on repeatable mechanisms and clear recovery objectives. This shift from reactive firefighting to predictable crisis management is one of the biggest successes forced by the new framework.

    The human factor is also not insignificant. The most valuable attribute of a cloud provider turns out to be a stable team that understands the specifics of a particular business, its critical moments and periods of peak demand. The best cloud is not the one that offers the most elaborate management console, but the one that realistically takes the operational burden off the customer’s shoulders. Team continuity on the part of the technology partner is often the only difference between a chaotic response to an incident and a controlled process of system evolution.

    The issue of upgrading applications is also worth noting. The cloud loses its economic efficiency when it is treated merely as expensive hosting for outdated solutions. Excessive resource consumption and the need to manually handle legacy workloads generate layers of exceptions that, over time, become a brake on innovation. True productivity is born out of a step-by-step upgrade towards cloud-native patterns, where automation, scalability and observability are built into the very design of the system. A hybrid model, skilfully designed, allows you to draw the best of both worlds: to benefit from the advanced analytics services or artificial intelligence of global players, while maintaining the core of your business in a secure, sovereign and fully controlled environment.

    The migration process is no longer seen as simply copying machines. It requires precise planning, coordination with the business and the redesign of security policies from day one. When the supplier takes full responsibility for the process, operational risk drops dramatically and deployment timelines become predictable. This is a key element in building a competitive advantage, especially in industries subject to strong regulatory rigour.

    The year 2026 is when cloud maturity is measured not by the number of services available, but by the quality of control over them. European regulations such as NIS2 and the Data Act, while demanding, have laid a solid foundation for a system where security, sovereignty and portability are inherent features of digital services. Businesses that have understood this lesson no longer see the cloud as an expense, but as a platform for growth, providing traceability, proven continuity and, above all, the peace of mind necessary to make bold decisions in a global marketplace. In this new dispensation, the winners are those for whom technology is a servant of strategy, not a constraint on it.

  • Lack of staff is no excuse. How do you build enterprise-class cyber security without an army of IT professionals?

    Just a decade ago, cyber security was the domain of basement server rooms – a technical chore that was supposed to ‘stay out of the way’ of business. Today, the situation has reversed dramatically. Faced with increasing regulatory pressure, a chronic shortage of specialists and the hybrid complexity of IT systems, the traditional security model has run out of steam. Managed Security Services (MSS) is ceasing to be an optional outsourcing and is becoming a strategic foundation without which modern companies are unable to innovate.

    Today’s threat landscape resembles a ‘perfect storm’. On the one hand, there is the unprecedented scale and professionalisation of cyber attacks. On the other, market regulators, both at national and EU level (directives such as NIS2 or DORA), are imposing increasingly stringent reporting and risk management obligations on company boards.

    In the middle of this cyclone are IT departments, which are often faced with an impossible task: they have to protect the company’s assets 24 hours a day, with limited budgets and – more painfully – a shortage of manpower. The skills gap in the cyber security market is a fact that is hard to argue with. For many medium and large companies, it is economically and operationally inefficient to independently build, maintain and develop a high-performance security organisation (their own Security Operations Centre). It is at this critical point that Managed Security Services (MSS) enters the scene, redefining the way businesses think about their digital resilience.

    The end of DIY in a hybrid world

    The challenge for internal IT departments is compounded by the architecture. Companies rarely operate in a unified environment anymore. We are faced with a hybrid reality, where classic on-premise systems must securely communicate with cloud platforms and SaaS applications. This multi-layered complexity means that the attack surface is expanding dramatically.

    In-house teams, often overwhelmed by ongoing infrastructure maintenance, lose the ability to proactively monitor such a distributed environment. Trying to ‘patch’ security in-house at some point becomes a brake on growth. Instead of implementing new business solutions, IT professionals put out fires.

    This is why MSS is evolving from being an ‘additional policy’ to being a central component of IT strategy. Managed service providers bring what companies lack most: scalability. They take on the burden of monitoring complex, hybrid environments, allowing internal teams to focus on business goals rather than analysing system logs.

    From reaction to continuous process

    A key change brought about by modern MSS services concerns the security philosophy itself. For years, a reactive approach prevailed: investing in edge security (firewalls, anti-virus) and only reacting when an incident occurred. Today, this is not enough.

    Modern security is an ongoing process that never sleeps. It requires permanent network monitoring, real-time vulnerability management and immediate response to anomalies. MSS providers integrate these elements into a coherent whole. They combine specialised expertise (which is difficult to obtain from the labour market), standardised processes and advanced technology platforms in a service model.

    This gives the company access to enterprise-class competencies and technologies without incurring the cost of building this infrastructure from scratch. Security ceases to be a series of ad-hoc activities and becomes a process built into the DNA of the organisation.

    Security as a foundation for innovation (Business Enabler)

    Perhaps the most important change, however, is at the strategic layer. There needs to be a break with the perception of cyber security as a cost or an obstacle. In the digital economy, security is a prerequisite (enabler) for any modern business model.

    Want to move critical processes to the cloud? You need to ensure identity and data security. Planning to automate production and implement IoT solutions? Without OT network monitoring, you risk factory paralysis. Want to build an advantage on data analytics? You need to guarantee their integrity and confidentiality.

    Managed security services therefore become the guarantor that allows the business to ‘press on the gas’. With the confidence that the back end is secured by a professional partner, management can make bolder decisions about digital transformation. Security becomes an asset that builds trust with customers and business partners.

    Data sovereignty and a return to localism

    In the context of MSS provider selection, we are seeing an interesting market trend. Although the technological world is dominated by global hyperscalers, local and regional providers are growing in importance in the area of security services.

    The reasons are mundane but crucial: regulation and trust. In sensitive sectors such as finance, industry, healthcare or the public sector, the location of data and the legal subordination of the provider is of fundamental importance. German or more broadly European cloud and security providers are gaining ground because they offer full transparency on data residency. The guarantee that data does not leave the EU legal area and is protected according to local requirements becomes a strong competitive argument, often more important than the technology itself.

    Standardisation is the key to flexibility

    Successful implementation of the MSS model depends on finding the golden mean between a ‘boxed’ product and a bespoke solution. Total customisation of security services is an expensive mistake that is difficult to maintain. Rigid boxed solutions, on the other hand, may not cover a company’s specific risks.

    The solution that the MSS market leaders are promoting is modularity. The services are based on standardised processes (which ensures high quality, repeatability and lower price), but allow for flexibility to fit into the customer’s IT landscape. The aim is to take the operational burden off the company’s shoulders without compromising its ability to operate. This ‘standardised but not off-the-shelf’ approach allows protection to be deployed quickly while preserving the specific business characteristics of the company.

    Managed Security Services is more than an outsourcing model for selected IT functions. It reflects a fundamental shift in the perception of cyber security – from a technical task to a permanent strategic task.

    Providers that offer clear operating models, transparent processes and locally anchored infrastructure become natural partners for the business. In a world where digital risk is a permanent feature of the market game, those who can manage it systemically rather than incidentally win. MSS is the only way for many companies to meet this challenge – convincing not only technologically, but also regulatorily and organisationally.

  • CISO Hot Chair. Personal responsibility in the age of NIS2 – when digital risk becomes private

    Until a decade ago, the biggest professional nightmare for a Chief Information Security Officer (CISO) was losing his or her job as a result of a spectacular hacking attack. It was an acute but purely corporate consequence. Today, the landscape is being dramatically transformed. In the face of new EU regulations such as NIS2 or DORA, as well as precedents from Western markets, what is at stake is no longer just a position within the company structure. The issue of personal legal and financial liability is on the table.

    The transformation of the CISO’s role from a technical gatekeeper of infrastructure to a key business strategist is not only due to the natural evolution of the IT market. It is being forced by a confluence of geopolitical factors, the rapid development of artificial intelligence and the coming quantum revolution. However, it is the legislative layer that is making the security chief’s chair one of the ‘hottest’ seats in the modern enterprise.

    The end of the “technical advisor”

    For years, the role of the CISO was seen through the prism of hard skills: configuring firewalls, managing access or monitoring networks. Risk acceptance decisions were often made at lower levels, away from boardrooms. Current reality is brutally testing this model. The integration of artificial intelligence with cyber security systems means that the amount of data being processed exceeds human perception. Autonomous systems make decisions to repel attacks in real time, which raises fundamental questions about oversight.

    Who is liable when an AI algorithm makes a mistake resulting in medical data leakage or supply chain paralysis? In light of upcoming regulations, the answer is increasingly less likely to be ‘the software provider’ and more likely to point to the executives who released the system in question.

    The NIS2 Directive or the DORA Regulation are not just sets of technical guidelines. They are pieces of legislation that redefine the concept of ‘due diligence’. They shift the burden of responsibility from IT departments directly to governing bodies. In this arrangement, the CISO ceases to be just an engineer – he or she becomes the guardian of compliance and the guarantor that the company is operating within the boundaries of the law. Unfamiliarity with legislative nuances is becoming as dangerous to security managers as an unpatched software vulnerability (zero-day).

    Scapegoat syndrome vs. real perpetration

    For years, there has been a debate in the cyber security community about the disparity between responsibility and decision-making authority. Many CISOs fear a scenario in which they become a convenient ‘buffer’ for the board of directors in a moment of crisis. These fears are not unfounded. With cyber attacks supported by foreign governments or advanced ransomware groups becoming a daily occurrence, it is impossible to completely eliminate risk. The goal becomes resilience – the ability to survive an attack and recover quickly.

    The problem arises when an organisation expects a ‘security guarantee’ from the CISO, while refusing a budget adequate to the risks. In the new legal regime, such asymmetry is dangerous for both parties. If the CISO is held criminally or civilly liable for failing to meet his or her obligations, he or she must have viable tools to block risky business projects.

    The modern labour market is reviewing these relationships. There is a trend where experienced security managers during contract negotiations are demanding that a clear decision-making framework be written in and that they be covered by D&O (Directors and Officers) insurance policies, which were traditionally reserved for board members. This signals a maturing of the industry – professionals are ready to take on the burden of responsibility, provided it goes hand in hand with a mandate to act.

    “Paper Trail” – Bureaucracy as a defence shield

    In the context of legal liability, the approach to documentation is also changing. What was once regarded as burdensome bureaucracy is now becoming a key element of the CISO’s defence strategy. The ‘trust but verify’ principle is giving way to an evidence-based approach.

    In the face of threats from supply chains (Supply Chain Attacks) or advances in quantum computing, which may soon challenge current encryption standards, the CISO must demonstrate that he or she has taken all possible countermeasures available at a given technological stage. Documenting the decision-making process, including formal Risk Acceptance Forms (RACs) signed by the board, is no longer a formality. This proves that the security manager has reliably informed decision-makers about the consequences of, for example, not migrating to quantum-resilient cryptography or not implementing Zero Trust architecture when integrating OT/IT systems.

    This is because, in legal terms, it is not about being unsinkable – as there are no such strongholds in the digital world – but about proving that the highest standards of professionalism were adhered to and that any damage was not due to negligence.

    CISO at the table, not in the server room

    The evolution of threats is forcing a change in the positioning of the CISO in the organisational structure. Since cyber security touches on ethics (when implementing AI), geopolitics (when selecting cloud providers) and business continuity, the person responsible for it cannot report to the IT director, whose priority is system performance and availability. Conflicts of interest in such an arrangement are inevitable.

    The modern management model involves the CISO being directly at the decision-making table, as a partner to the CEO and the board. His or her job is to translate complex technical issues into the language of business and financial risk. The role is evolving into that of ‘Architect of Trust’. In the digital economy, customer and partner trust is as hard currency as share capital. A company that can transparently communicate its approach to data protection and AI ethics gains a competitive advantage.

    Professionalisation through responsibility

    The spectre of legal liability, while it may seem paralysing, has the potential to heal the business-security relationship in the long term. It will force the professionalisation of the CISO function, breaking it away from the stereotype of a ‘brake’ on innovation.

    In the coming years, the market will be looking for hybrid leaders – combining deep technological knowledge with legal and ethical insight. The ability to navigate between the requirements of NIS2, the challenges of the post-quantum era and the pressures on the bottom line will become the definition of competence in this position. For companies, this means that not only cyber security budgets need to be revised, but more importantly – the responsibility structure. This is because security has ceased to be an IT problem and has become a parameter that determines a company’s existence in the regulated market.

  • NIS2 and AI Act in Poland: Costly obligation or ticket to Western markets?

    NIS2 and AI Act in Poland: Costly obligation or ticket to Western markets?

    Just two years ago, regulatory compliance was treated in boardrooms as a necessary evil – a costly line in a spreadsheet to be minimised. Today, in January 2026, we are waking up to a new reality. The grace periods are over. The ‘paper tigers’ have grown teeth, and the market is brutally verifying who has done their homework and who was hoping for an indefinite deferral.

    For Polish companies and their European partners, compliance has ceased to be a matter of avoiding administrative fines. It has become the hardest currency in B2B relationships and a sine qua non for staying in supply chains.

    Two-speed Europe, one unforgiving market

    It is January 2026 and Western Europe is already more than a year after the deadline for full transposition of the NIS2 Directive (October 2024). In Germany, France or Scandinavia, oversight mechanisms are in full swing and the first severe financial penalties and personal consequences for board members have become a media fact.

    Poland is at a peculiar moment. We are fresh from the tumultuous, delayed entry into force of the amendment to the National Cyber Security System Act (UKSC), which implemented EU requirements in mid-2025. Polish companies are still in the ‘post-implementation shock’ phase. While the German contractor treats cyber-security procedures as standard, the Polish supplier is often only just finishing frantically patching gaps so as not to lose the contract.

    This time asymmetry raises concrete business implications. For Polish business, 2026 is a race against time to prove to Europe that ‘Made in Poland’ also means ‘Secure by European Standards’.

    NIS2 knock-on effect: The great purge in supply chains

    The most important economic phenomenon of the beginning of 2026 is not the regulations themselves, but their secondary effect, which we call Supply Chain Hygiene.

    The UKSC amendment has placed thousands of new entities in Poland under scrutiny – from hospitals and water companies to food manufacturers and digital service providers. However, the real pressure is not coming from Warsaw, but from corporate clients.

    We are seeing a massive ‘vendor shedding’ phenomenon. Large industrial corporations and state-owned enterprises, themselves essential entities under the directive, are forced to audit their subcontractors. In requests for proposals (RFPs) for 2026, the cyber security section has become a knock-out criterion.

    For Polish business, the situation is binary. A software house from Wrocław or a logistics company from Poznań that wants to work with the German automotive sector must present a “NIS2 compliance passport” (often an ISO 27001 certificate or a KSC compliance audit). Without that document the offer is rejected automatically, however attractive the price. Compliance has become a new barrier to entry into export markets.

    AI Act: Race to August 2026

    The situation is equally dynamic in the area of artificial intelligence. We are halfway through the phased application of the AI Act. The ban on prohibited practices (February 2025) and the obligations for general-purpose AI (GPAI) models (August 2025) are already well behind us.

    However, a major milestone lies ahead: August 2026, when the High-Risk AI Systems regulations will be fully applicable. Although the deadline is a few months away, the market is not waiting.

    In January’s IT budgets for 2026, companies are massively demanding ‘AI Act Ready’ status from software vendors. B2B customers are afraid of legal liability for ‘black boxes’. They would rather pay more for a system that guarantees transparency, human oversight and auditable data than risk implementing a cheap algorithm that will become illegal in six months.

    Here lies a huge opportunity for the Polish IT sector. Polish technology companies are starting to use AI Act compliance as their Unique Selling Proposition (USP). In the clash with cheaper competition from Asian or even American markets (where regulation is looser), Polish code is promoted as a ‘safe harbour’. The European stamp of conformity becomes a guarantee of quality and legal security, which attracts investors seeking stability.

    DORA: Lessons one year after ‘zero hour’

    The financial sector is already one step further ahead. The DORA (Digital Operational Resilience Act) regulation has been in full effect since 17 January 2025. A year of operation under the new regime has brought hard lessons.

    The Polish banking sector, regarded as one of the most modern in Europe, has become an absolute verifier for the Fintech industry. DORA has forced banks to rigorously manage third-party supplier risk (ICT Third Party Risk).

    The result? Fintechs and payment gateway providers that ignored digital resilience requirements have lost access to banking APIs or had their contracts terminated in the last 12 months. DORA has acted as a natural selection tool: only those who can demonstrate not just innovation but also operational resilience are left in the market.

    Compliance as a hard financial benefit

    In 2026, the discussion about regulatory compliance has moved from the legal department to the financial department. Data from the market shows concrete figures:

    Insurance (Cyber Insurance): Faced with a wave of ransomware attacks, the cost of 2026 policies is astronomical. However, brokers are offering discounts of 30-40% for companies that demonstrate full KSC/NIS2 compliance. For a large company, this is a saving going into the hundreds of thousands of pounds a year – a direct return on investment in compliance.

    Public Procurement: The new Public Procurement Law in Poland increasingly places a premium on security. Price is no longer the only determinant. The weight of non-price criteria (including certified information security) in tenders for 2026 has increased significantly. ‘Compliant’ companies are winning tenders even when they offer higher prices.

    Mergers and Acquisitions (M&A): Venture Capital and Private Equity funds have changed their checklists. Due diligence in 2026 starts with questions about AI Act and NIS2 compliance. A startup with ‘legal debt’ is unsellable or its valuation is drastically reduced.

    Change your thinking or die

    For boards and C-level officers (CxOs), the conclusion for 2026 is clear: the compliance department is no longer a ‘brake department’ that says ‘no’. It is a key partner of the sales department.

    In a business landscape dominated by geopolitical and technological uncertainty, trust has become a scarce commodity. A certificate of NIS2 compliance or AI Act readiness is proof in 2026 that a company is a predictable, secure and mature partner.

    Companies that treat regulation merely as an unpleasant bureaucratic chore are already losing the battle for Western markets. Those that have made transparency and security their banner gain a competitive advantage that cannot be copied overnight. In 2026, compliance is not a shield – it is a sword with which to cut out unprepared competitors.

  • DORA, NIS2 and RODO: The end of the ‘handyman’ era in IT

    DORA, NIS2 and RODO: The end of the ‘handyman’ era in IT

    We require IT departments to innovate, implement artificial intelligence and digitise business processes. At the same time, we charge these same teams with an unprecedented amount of regulation and security requirements. In 2026, with increasing geopolitical tensions and the complexity of cyber threats, maintaining full digital resilience and compliance solely with internal resources becomes not only risky, but economically inefficient. It is time to redefine the approach to outsourcing.

    Just a decade ago, the IT department’s role was clear: keep the systems running. Today, CIOs and IT managers are caught in a bind. On one side, boards expect them to be architects of business growth. On the other, regulators (EU and national) impose stringent frameworks such as DORA, NIS2 or RODO (the Polish name for the GDPR), which require titanic administrative and audit work. Trying to reconcile these two worlds within a single internal team increasingly ends in ‘operational breathlessness’.

    The end of the ‘handyman’ era in IT

    The traditional model in which an internal team of administrators takes care of everything from password resets to cloud configuration to advanced anti-ransomware strategies has run out of steam. With the quantitative and qualitative shift in cybercrime that experts are increasingly talking about, the company cannot maintain such a broad spectrum of expertise internally at an expert level.

    The year 2026 promises to be a time of review. Companies that try to do everything themselves will get stuck on the maintenance treadmill and lose sight of innovation. The conclusion of the market analysis is clear: internal IT should become the centre of business strategy. It is the internal team that knows the company, its products and its customers. By contrast, the so-called ‘digital plumbing’ – maintaining business continuity, backups, patching systems and ensuring regulatory compliance – consists of tasks best handed over to specialists for whom this is the core business.

    Outsourcing 2.0: From technology to processes

    For this model to work, we need to change the way we think about outsourced services. Remote Managed Services (RMS) are no longer a way to make things ‘cheaper’. Today, they are a way to make it ‘safer and legitimate’.

    The modern managed service provider is not limited to providing disk space or a remote desktop. In 2026, it is expected to take responsibility for entire operational processes. Auditability is becoming key here. In the context of directives such as NIS2 or the DORA regulation, a company must not only be secure, but must be able to prove it.

    That is why specialist providers today provide ready-made runbooks (incident response scenarios), regular compliance reports and, perhaps most importantly, cyclical recovery tests. Backup that has not been tested is worthless in light of today’s threats. Transferring these responsibilities externally removes a powerful operational risk from management.

    The trap of the giants and data sovereignty

    The decision to choose a technology partner in 2026 is no longer simply a question of price and technical parameters. It is a strategic and even geopolitical decision. Recent years, including high-profile failures of cloud giants (such as the Microsoft Azure incidents), have brutally exposed the risks of relying on a single global provider (concentration risk and vendor lock-in).

    Companies are increasingly recognising that the convenience of the public cloud can be a pitfall. The risk of downtime or loss of access to critical data is one thing. The other aspect is sovereignty.

    • Data sovereignty: Do you know where your data physically lies and what law it is subject to?
    • Technological sovereignty: do you have the ability to change supplier without paralysing the company?

    In response to these challenges, hybrid and multi-cloud solutions are growing in popularity. These allow you to benefit from the flexibility of the giants, but keep key resources under ‘your own’ local jurisdiction. Here, the role of European IT service providers is crucial. Technical support located in the EU, understanding the nuances of RODO and local regulations, becomes a superior value over a generic call centre in another time zone. Local support is a guarantee that ‘digital autonomy’ is not just an empty slogan in a company’s strategy.

    Backup is now cybersecurity (and a legal requirement)

    The biggest mental shift that needs to take place in the minds of IT decision-makers concerns backups. Until recently, backup was a policy in case of fire, server room flooding or employee error (Disaster Recovery). Today it is the first line of defence against attack (Cyber Recovery).

    Cyber criminals, aided by techniques based on artificial intelligence, have changed tactics. Their aim is no longer simply to encrypt production data. Attacks are now targeting backups directly to prevent the victim from recovering without paying a ransom.

    This necessitates a fusion of the disciplines of backup and cyber security. A modern data protection strategy must be based on three pillars, which are difficult to build alone without a huge investment:

    1. Immutable storage: a guarantee that once a backup is written, it cannot be overwritten or deleted for a defined period – not even with administrator rights.

    2. Air gap: physical or logical separation of the copy from the production network.

    3. Clean rooms: isolated recovery environments in which restored systems are checked for malware before being returned to production.
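    As an added illustration (not code from the original article or from any backup product), the following Python model shows what the three pillars mean in practice: a write-once store with a retention lock that has no administrator override, a hash catalogue kept separately from the data (the role an air-gapped copy plays), and a verify-before-restore step standing in for the clean room. The store class, the 30-day retention period, the object name and the backup payload are all constructed assumptions for this example.

```python
"""Model of an immutable backup store with a clean-room integrity check.
Added example, not the article's or any vendor's code; the retention period,
object names and payload are assumptions made for illustration."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class CatalogEntry:
    name: str
    sha256: str
    retain_until: datetime


class ImmutableBackupStore:
    """Write-once object store with a retention lock. There is deliberately no
    privileged override: a caller with the highest rights still cannot delete
    or overwrite a copy before retain_until (the 'immutable storage' pillar)."""

    def __init__(self, retention: timedelta):
        self.retention = retention
        self._objects: dict[str, bytes] = {}        # backup data
        self.catalog: dict[str, CatalogEntry] = {}  # digests; in practice kept off the production domain

    def put(self, name: str, data: bytes, now: datetime) -> CatalogEntry:
        if name in self._objects:
            raise PermissionError(f"{name}: object exists and is write-once")
        entry = CatalogEntry(name, hashlib.sha256(data).hexdigest(), now + self.retention)
        self._objects[name] = bytes(data)
        self.catalog[name] = entry
        return entry

    def delete(self, name: str, now: datetime) -> None:
        entry = self.catalog[name]
        if now < entry.retain_until:
            raise PermissionError(f"{name}: retention lock active until {entry.retain_until.isoformat()}")
        del self._objects[name]
        del self.catalog[name]

    def verify(self, name: str) -> bool:
        """Clean-room step: recompute the digest of what is on disk and compare
        it with the independently held catalogue entry."""
        data = self._objects.get(name)
        if data is None:
            return False
        return hashlib.sha256(data).hexdigest() == self.catalog[name].sha256

    def restore(self, name: str) -> bytes:
        if not self.verify(name):
            raise ValueError(f"{name}: integrity check failed, refusing to restore to production")
        return self._objects[name]


def run_scenario() -> dict[str, bool]:
    """Walk through the attack the text describes and return the outcomes."""
    t0 = datetime(2026, 1, 12, 2, 0, tzinfo=timezone.utc)
    store = ImmutableBackupStore(retention=timedelta(days=30))
    name = "customer-db-2026-01-12.dump"
    payload = b"customer-db dump 2026-01-12"  # constructed backup content
    store.put(name, payload, now=t0)
    results: dict[str, bool] = {}
    # 1. An operator with admin rights tries to delete the copy three days later.
    try:
        store.delete(name, now=t0 + timedelta(days=3))
        results["early_delete_blocked"] = False
    except PermissionError:
        results["early_delete_blocked"] = True
    # 2. The same operator tries to overwrite it with an encrypted blob.
    try:
        store.put(name, b"ENCRYPTED", now=t0 + timedelta(days=3))
        results["overwrite_blocked"] = False
    except PermissionError:
        results["overwrite_blocked"] = True
    # 3. The untouched copy restores cleanly.
    results["clean_restore_ok"] = store.restore(name) == payload
    # 4. Corruption beneath the API (raw storage access): the clean-room check must catch it.
    store._objects[name] = b"ENCRYPTED"
    try:
        store.restore(name)
        results["tampered_restore_blocked"] = False
    except ValueError:
        results["tampered_restore_blocked"] = True
    # 5. Once the retention window has expired, the lifecycle policy may delete.
    store.delete(name, now=t0 + timedelta(days=31))
    results["expired_delete_ok"] = name not in store.catalog
    return results


if __name__ == "__main__":
    for outcome, ok in run_scenario().items():
        print(f"{outcome}: {ok}")
```

    The scenario function shows an attacker with full rights failing to delete or overwrite the copy inside the retention window, then corrupting it below the API; only the last case reaches the clean-room check, which refuses the restore. In a real deployment the same properties come from the object-lock or WORM features of the storage layer, and the catalogue lives on a medium the production domain cannot write to.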

    This is where the role of an external provider cannot be underestimated. Building an in-house “clean room” and maintaining a second, independent Data Centre is an expensive nightmare for any CFO. Purchasing these competences in a service model (BaaS/DRaaS) is simply more cost-effective and, more importantly, more efficient.

    Stability is the foundation of innovation

    In 2026 and beyond, the winners will be those organisations that understand that security and compliance are team sports. Remotely managed services are not meant to replace internal IT, but to stabilise it.

    Companies that systematically protect their data through professional third-party partners are better prepared for technical failures and hacking attacks. But they gain something even more valuable – the time and resources of their own experts, who instead of fighting the ‘digital plumbing’, can focus on building a competitive advantage for the business. Independent, auditable and resilient backup is thus becoming not just an operational cost, but a key factor in sustainable business processes.

  • NIS2 is not a shopping list for IT. Why is technology alone not enough?

    NIS2 is not a shopping list for IT. Why is technology alone not enough?

    The IT industry likes to think of security in terms of products. Next-generation firewalls, EDR systems, advanced network segmentation – these are tangibles that are easy to price, sell and deploy. However, in the face of the EU’s NIS2 directive, this traditional way of thinking is becoming a trap. Experts analysing the new legislation make it clear: NIS2 is not a technical manual for administrators. It is a management revolution that brutally exposes what many companies have so far ignored – the lack of coherent corporate governance.

    Many companies still live with the belief that compliance with new regulations can be ‘bought’ or achieved by updating their infrastructure. This is a dangerous cognitive error. An analysis of the directive’s assumptions shows that the focus shifts radically from ‘IT operations’ to ‘risk management’. This means that even the most expensive technology will not protect an organisation from the consequences if the people, decision-making processes and accountability structure fail.

    The illusion of a digital fortress

    When a security incident occurs, the first instinct is to look for blame in the technology department. Did the system fail? Was an update overlooked? Meanwhile, security strategists point elsewhere. Cyber security rarely fails because of a lack of technology. Rarely is the problem a physical lack of a firewall or monitoring tools. These are usually in place.

    Systems fail most often because of decisions, priorities and structures that fail to fully map risks. So it is not a question of whether a company ‘has’ the tools, but whether its management structures are configured so that risk is understood and controlled at every level. If the board does not understand what it is protecting and why, even the best-armed digital fortress will have its back door open. Governance therefore becomes, in the light of NIS2, a safety-critical function – a foundation without which technology loses its effectiveness.

    The end of the ‘it’s a problem for IT’ era

    One of the biggest changes NIS2 introduces is the redefinition of accountability. For years, cyber security has been treated as a technical domain, relegated to IT departments, away from boardrooms. The new directive ends this approach.

    NIS2 is a management requirement. It obliges management not only to proactively manage security, but also to demonstrate that decisions made are based on a sound assessment of risk in the context of the business model. Boards face the challenge of combining technical correctness with business relevance. They need to be able to assess how a specific digital threat affects finances, the supply chain or reputation.

    Without this translation into business terms, technical analysis remains in a vacuum. Companies are required to be able to demonstrate the ‘decision path’ – how decisions are prepared, prioritised and documented. This is a huge challenge for organisations that lack a structured logic for decision-making. In 2026, accountability will be personal and direct, forcing C-level staff to educate themselves and change their mentality.

    Paper accepts everything, hackers do not

    Another misunderstanding that blocks progress in many organisations is the approach to compliance as a set of documents. There is a perception that compliance can be achieved by creating a sufficient number of procedures or security policies. In practice, NIS2 requires the opposite – a living ecosystem.

    The directive calls for the coherent integration of multiple, often siloed areas: technical security measures, governance, staff competence development, reporting and supply chain management. If these elements do not mesh, gaps appear. It is in these gaps – between an HR procedure and a server configuration, between the report to the board and the actual state of the network – that the biggest incidents occur.

    Governance involves more than a formal definition of responsibilities. It is the framework within which risks become visible. If a company fails to connect these dots, it will be left with a cupboard full of documents that in no way increase its real resilience.

    Time – a resource you will not integrate

    The implementation of NIS2 cannot be understood as a one-off legal obligation to be ‘ticked off’. It is a transformation process, and the biggest enemy of companies in this process is time. Many organisations drastically underestimate how long it takes, deluding themselves that they can complete the implementation in the few weeks before the deadline.

    Experts warn: even with a good starting point, it takes months to define new roles, coordinate processes and, above all, introduce effective reporting structures in a ‘management language’. For companies with complex supply chains or a distributed structure, this time extends even further. Anchoring security requirements at multiple operational levels is a marathon, not a sprint.

    The coming months are a crucial ‘transfer window’. Those who start the transition process now have the luxury of controlling priorities and allocating resources sensibly. They can take a realistic inventory and determine which measures realistically reduce risk.

    Those who procrastinate will fall into a spiral of time pressure. ‘Last-minute’ implementations usually end up with half-hearted solutions that are not tailored to the company’s individual risk profile. Such a strategy not only increases costs (operating in a fallback mode is always more expensive), but also raises the risk that central requirements remain incomplete.

    Consequences of inaction

    What happens if companies react too late? The consequences go far beyond the regulatory sanctions that are most often discussed. Organisations that fail to implement appropriate governance structures in time lose their ability to manage risks operationally. They become reactive rather than proactive.

    This poses a huge reputational risk. In the new reality, a lack of evidence of effective security management is a straightforward way to lose the trust of customers and investors. What’s more, these companies may be pushed out of the market by their own business partners – as supply chains will require compliance with certain standards that cannot be implemented overnight.

    Turning point

    NIS2 is a turning point for the entire industry. The directive moves cyber security from the technical back office to the strategic core of the business. Governance becomes the new firewall – a factor that will determine economic stability and liability risk in the years to come.

  • The end of the ‘lone wolf’. The future of cyber security is managed services

    The end of the ‘lone wolf’. The future of cyber security is managed services

    Statistics can be unforgiving, and in the case of cyber security they shed new light on the state of modern business. It is estimated that only a tiny fraction of companies worldwide (one estimate puts it at 0.009 per cent) have a chief information security officer, or CISO, on staff. For years, this organisational luxury was reserved exclusively for corporate giants with huge budgets. However, in the face of new regulations such as NIS2 and DORA, and the increasing aggressiveness of cyber gangs, the ‘IT guy for everything’ model in the SME sector is definitely becoming history. Regulatory requirements and market realities are forcing entrepreneurs to radically change their paradigm and move from owning tools to buying competence.

    The IT sector is facing a structural problem that will only get worse in the coming years, with the Bitkom association forecasting a shortage of more than 650,000 experts by 2040. This is not a temporary staffing hole, but a new economic reality in which medium-sized companies stand at a loss in the fight for talent. SMEs rarely have salary budgets or benefit packages that can compete with the offers of global corporations, and even if they do manage to hire a specialist, keeping them within the company borders on the miraculous. Market researchers predict that almost half of current CISOs will change employer by 2025, making recruitment processes drag on for months and consuming resources that smaller players simply do not have.

    The consequences of this are already clearly measurable, with companies with fewer than 500 employees citing a lack of specialists as the second biggest threat to their security. This leads to a paradoxical situation in which company boards are consciously accepting cyber risks. This is not due to ignorance or underestimation of the risks, but to simple helplessness and lack of access to human resources capable of implementing effective protection. In Germany, a sizable percentage of organisations link successful ransomware attacks directly to a lack of internal knowledge and the ability to detect threats in time.

    In response to these staff shortages, the market has turned to automation, and managed security services are gaining popularity as a pragmatic alternative to building in-house. Central to this are MDR, or Managed Detection and Response, services, which combine EDR and XDR technologies with external teams of analysts available around the clock. Using advanced machine learning and artificial intelligence, these teams can detect anomalies and stop attacks in real time, often acting faster and more effectively than any in-house administrator.

    However, there is a dangerous trap in thinking that technology alone will solve all an organisation’s problems. MDR services excel at the operational layer – putting out fires, detecting intruders, isolating infected workstations – but they are not designed for strategic thinking. No algorithm will create a RODO-compliant security policy, prepare a company for a complex NIS2 audit or explain to the board why investing in backup systems matters more right now than implementing a new ERP system. A clear distinction needs to be made between operational security, which operates in the here and now, and strategic security, which is about managing risks, planning for growth and building a long-term security culture.

    This is where the concept of a virtual CISO (vCISO) enters the scene: an answer for companies that must meet stringent regulatory requirements but do not need a full-time director. Both the EU’s NIS2 directive and the DORA regulation for the financial sector require organisations to allocate responsibilities clearly and to prove that security strategies are not only in place but also monitored by a qualified person; paper-based security is no longer sufficient. Incorporating the vCISO role within managed services gives SMEs access to enterprise-class expertise: an expert who works with multiple organisations daily and is familiar with the latest threat vectors.

    The model also brings tangible financial and organisational benefits. Subscription billing is only a fraction of the cost of hiring a full-time expert, while eliminating high recruitment and training costs. What’s more, the solution provides strategic continuity because, while MDR services protect the infrastructure at night, a virtual director by day plans the development of digital resilience, creates procedures and oversees audits. With this approach, the CISO role ceases to be an optional extra and becomes an available service that bridges the gap between complex technology and business objectives.

    The skills shortage is a structural challenge that will not go away in the foreseeable future, so instead of tilting at windmills in a tough recruitment market, mid-sized companies should redefine their approach to data protection. The future belongs to a hybrid model that coherently combines modern technology based on artificial intelligence, managed operational services running continuously and external strategic oversight. Such an arrangement achieves a level of cyber resilience that was previously beyond the reach of smaller market players. Cyber resilience must not be the prerogative of the largest corporations, but must become a standard available to every business entity, and managed services with a virtual CISO are currently the most pragmatic and economically viable way to achieve this.

    It is crucial for IT decision-makers and integrators to analyse the current strategy in view of upcoming regulations. It is worth asking whether there is a clearly defined role within the organisation responsible for security strategy, or whether it relies solely on tools and software. An honest answer to this question can define a company’s resilience for years to come and protect it from serious legal and financial consequences.

  • NIS2: chaos and uncertainty in Polish companies. Who does it really cover?

    NIS2: chaos and uncertainty in Polish companies. Who does it really cover?

    In Poland, NIS2 is still talked about as if it were a topic for conference slides. Meanwhile, the directive is no longer theory. The government has just adopted a draft law on the National Cyber Security System to implement it. Looking ahead to the coming months, the real risk for companies is no longer that the regulation will be ‘too harsh’, but that they will enter into this obligation unprepared.

    This is best demonstrated by the data. In the report ‘Cyberportrait of Polish Business 2025’, as many as 36% of those responsible for cyber security cannot say whether their organisation is covered by NIS2. This is no longer a question of low awareness. It is a signal that more than a third of the market still has not done a basic regulatory risk analysis.

    Meanwhile, the directive does not only apply to ‘critical operators’ in a narrow, sectoral sense. The new definition covers not only critical industries, but also a large part of supply chains. If a contractor requires compliance – your company will have to prove it. Regardless of whether the state identifies you on the ‘important’ or ‘critical’ list.

    The consequences of ignorance will be commercial. If retailers, technology distributors, SaaS operators, IT service outsourcers, integrators or software houses cannot show compliance, they will lose contracts. In practice, the market will enforce NIS2 faster than the supervisor.

    At the same time, Polish companies, despite the interpretation chaos, are acting. 53% of organisations that assume NIS2 covers them already have updated security policies. More than half are conducting additional training. These are the actions easiest to do and with the lowest CAPEX – but their mass adoption shows that for many CIOs and CISOs the directive is already a reality.

    More effort is required to build operational capacity. The hiring of cyber security experts was confirmed by 35% of the companies surveyed. 43% say they are just planning such a move. The problem is not a reluctance to invest, but the availability of people. The market for specialists is tight. Increasing the workforce will take time. And regulation will not give an extra year to do so.

    All this comes at a time when Poland is realistically among the top global targets of cybercriminals. According to ESET, in the first half of 2025 our country accounted for 6% of global ransomware incidents – more than the United States. Any company that waits for ‘final regulations’ in this context is taking an unnecessary risk.

    It is therefore worth reversing the perspective. NIS2 is not a compliance checklist. A set of procedural requirements, higher board accountability, mandatory incident reporting and resilience testing is simply a good security governance framework. Even if a company will ultimately not formally be ‘under NIS2’, implementing its logic is cheaper than recovery from ransomware.

    From a business perspective, the question is no longer whether NIS2 covers us. The question is whether we want to have control before the regulator or the market does it for us.

  • How to meet NIS2 requirements? ITAM as the foundation of security

    How to meet NIS2 requirements? ITAM as the foundation of security

    The IT landscape in today’s companies resembles a chaotic archipelago. Islands of cloud services drift alongside servers in the company’s server room, hundreds of remote workstations connect to the corporate network and employees deploy SaaS applications on their own, creating uncontrolled ‘shadow IT’. This hybrid model, while flexible, generates a fundamental problem: companies are losing sight of what they actually own. And in this new era of regulation and cyber threats, what you can’t see can hurt you the most.

    New impetus: The NIS2 Directive changes the rules

    For years, IT Asset Management (ITAM) has been seen mainly through the prism of cost optimisation – hunting down unused licences and avoiding unnecessary hardware purchases. This is still the case today, but two much more powerful drivers have come to the fore: security and compliance.

    The NIS2 directive is becoming a turning point. It requires many companies to implement robust cyber security risk management measures. The foundation of any defence strategy, however, is knowing what we are actually defending. Without a full, automated and constantly updated inventory of hardware, software and cloud services, compliance with NIS2, as well as with RODO or ISO 27001, becomes a sham. Auditors and regulators are no longer content with spreadsheets updated quarterly. They need hard, up-to-date data.

    From chaos to transparency

    The problem of hybrid infrastructure lies in its fragmentation. Manual resource tracking across on-premise, virtual, multi-cloud and end-device environments is not feasible. It is in this operational gap that the risk is born:

    • Shadow IT: Marketing or sales departments buy SaaS tools themselves, often processing sensitive data in them without IT oversight.
    • Security vulnerabilities: A remote employee’s unpatched laptop or a forgotten cloud service become an open door for attackers.
    • Overpaid licences: Lack of a central view leads to duplication of functionality by different tools and maintenance of licences for former employees.

    Modern ITAM platforms respond to these challenges by acting as the central nervous system of corporate technology. By integrating with various systems, they create a single, coherent map of the entire digital ecosystem in real time. When an employee installs a new application or a new cloud service is launched, the system instantly records this, categorises it and assesses it against security policies.
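    A toy version of the reconciliation and policy check described above, added here as an illustration and not code from the article or from any ITAM product: three constructed discovery feeds (endpoint agent, cloud API, SSO logs) are merged into one inventory and each asset is assessed against the three risks listed earlier. The approved-SaaS list, the 30-day patch policy and the HR roster are assumptions.

```python
"""Toy ITAM reconciliation: merge asset records from several discovery sources
into one inventory and flag shadow IT, unpatched endpoints and assets whose
owner has left the company. All data below is constructed for illustration."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

PATCH_MAX_AGE_DAYS = 30                           # assumed policy
APPROVED_SAAS = {"crm.example", "mail.example"}   # assumed sanctioned SaaS tenants
ACTIVE_STAFF = {"alice", "bob"}                   # assumed HR roster; "carol" has left


@dataclass
class Asset:
    asset_id: str
    kind: str                         # "endpoint", "cloud_service" or "saas"
    owner: str
    source: str                       # discovery source that reported it
    last_patched: Optional[date] = None
    findings: List[str] = field(default_factory=list)


# Constructed feeds from three discovery sources
ENDPOINT_AGENT = [
    {"asset_id": "lt-001", "owner": "alice", "last_patched": date(2025, 9, 1)},
    {"asset_id": "lt-002", "owner": "bob", "last_patched": date(2025, 5, 15)},
]
CLOUD_API = [
    {"asset_id": "vm-staging-7", "owner": "carol"},   # owner no longer employed
]
SSO_LOGS = [
    {"asset_id": "crm.example", "owner": "alice"},
    {"asset_id": "notes.example", "owner": "bob"},    # never approved: shadow IT
]


def build_inventory() -> Dict[str, Asset]:
    """Merge all sources into one map keyed by asset id. The first source to
    report an id wins; a real ITAM tool would reconcile conflicting fields."""
    inv: Dict[str, Asset] = {}
    for rec in ENDPOINT_AGENT:
        inv.setdefault(rec["asset_id"], Asset(rec["asset_id"], "endpoint",
                                              rec["owner"], "endpoint_agent",
                                              rec["last_patched"]))
    for rec in CLOUD_API:
        inv.setdefault(rec["asset_id"], Asset(rec["asset_id"], "cloud_service",
                                              rec["owner"], "cloud_api"))
    for rec in SSO_LOGS:
        inv.setdefault(rec["asset_id"], Asset(rec["asset_id"], "saas",
                                              rec["owner"], "sso_logs"))
    return inv


def assess(inv: Dict[str, Asset], today: date) -> Dict[str, Asset]:
    """Attach policy findings mirroring the three risks named in the article."""
    for a in inv.values():
        if a.kind == "saas" and a.asset_id not in APPROVED_SAAS:
            a.findings.append("shadow_it")
        if a.kind == "endpoint" and (a.last_patched is None or
                                     (today - a.last_patched).days > PATCH_MAX_AGE_DAYS):
            a.findings.append("unpatched")
        if a.owner not in ACTIVE_STAFF:
            a.findings.append("orphaned_owner")
    return inv


def findings_report(today_iso: str) -> Dict[str, List[str]]:
    """Return only the assets that have findings, keyed by asset id."""
    inv = assess(build_inventory(), date.fromisoformat(today_iso))
    return {aid: a.findings for aid, a in sorted(inv.items()) if a.findings}


if __name__ == "__main__":
    for aid, flags in findings_report("2025-09-20").items():
        print(f"{aid}: {', '.join(flags)}")
```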

    Business value beyond IT

    Reducing risk and ensuring compliance is one thing, but ITAM’s strategic value lies in its ability to deliver data that drives smarter business decisions. Cost transparency is the most obvious benefit – resource optimisation and tool consolidation directly translate into budget savings.

    However, the real potential is revealed when data from ITAM starts to circulate throughout the organisation. Integration with ITSM or ERP systems creates powerful synergies. Equipment lifecycle information can automatically initiate purchasing processes. Software usage data supports negotiations with suppliers. Insights into owned resources allow precise budget planning and strategic infrastructure development.

    Outlook: ITAM as an analytical platform

    The future of ITAM is further automation and predictive analytics. AI-supported systems will not only show what the company currently has, but will also forecast future needs, identify usage patterns and warn of potential problems before they become critical. Dashboards will cease to be the domain of the IT department and become a resource for finance, purchasing and the board.

    In the hybrid reality, ITAM ceases to be an optional extra and becomes a fundamental element of corporate governance. Companies that ignore the need to centrally manage their digital assets not only risk security breaches and financial penalties. Above all, they lose the ability to consciously and effectively manage the technology that is the lifeblood of their business today. It is no longer an IT project – it is an ongoing, strategically critical process.

  • Beyond your own walls: How to secure the digital supply chain?

    Beyond your own walls: How to secure the digital supply chain?

    Modern cyber security is undergoing a fundamental transformation. The model where the company was like a fortress surrounded by a high wall is becoming a thing of the past.

    Attackers have learnt that the weakest point of a defence is often not the fortress itself, but its extensive network. New EU regulations such as DORA and NIS2 brutally expose this truth, forcing boards to redefine the concept of resilience.

    Today, true digital security does not stop at the border of one’s own network, but extends to the entire supply chain.

    For years, corporations have invested huge resources in securing their own infrastructure, focusing on prevention and incident response within the organisation. This approach, while still fundamental, has become inadequate for the scale and complexity of today’s threats.

    Cybercriminals are less and less inclined to launch frontal attacks against well-protected targets. Instead, they are choosing the path of least resistance, using less secure suppliers, subcontractors and technology partners as an attack vector. Risks have become diffused, and their sources often lie outside of a company’s direct control.

    In this new landscape, a strategy that relies solely on damage limitation after the fact is untenable. In an age when every hour of downtime can generate losses running into the millions and irreparably damage customer trust, proactive, intelligent prevention becomes key.

    This paradigm shift has also been recognised by the European regulator, which is shifting the burden of responsibility from IT departments directly onto the shoulders of boards of directors and supervisory boards through new regulations.

    Two key legislative initiatives are setting new standards across the continent. The first is the Digital Operational Resilience Act (DORA), which imposes stringent digital risk management requirements on the financial sector and its key IT suppliers from the beginning of 2025.

    DORA’s philosophy is clear: the resilience of a financial institution is inextricably linked to the resilience of its partners. It is no longer enough to respond to incidents; continuity of critical services must be ensured even when an external provider fails.

    In practice, this means in-depth analysis and continuous monitoring of the entire technology ecosystem.

    The second pillar of this revolution is the NIS2 Directive, which radically expands the catalogue of entities covered by similar high standards. Key economic sectors such as energy, transport, healthcare, water management or digital infrastructure are now within its scope.

    For many companies operating in these industries, NIS2 means the need to build mature third-party risk management processes from scratch. Both regulations share a common denominator: they introduce clear reporting obligations and personal liability for managers.

    Digital resilience is ceasing to be a technical issue and is becoming a key element of corporate governance and business strategy.

    In this new legal and operational reality, traditional methods of assessing partners, such as audits or security surveys, are proving insufficient. A static picture obtained once a year is useless when confronted with threats that evolve in daily cycles.

    Companies need a dynamic, almost live picture of the threat landscape to identify, prioritise and neutralise risks early, before they materialise.

    The answer to this challenge is threat analytics, known as Threat Intelligence. It is a continuous process of collecting data about cyber attacks, malware and criminals’ tactics, then analysing it and turning it into actionable intelligence.

    Effectively implemented analytics allows an organisation to understand what campaigns are targeting its industry, whether there has been an incident at any of its key suppliers, and whether employee credentials are circulating online after a leak from another service.

    The effective use of this knowledge relies on a coherent defence process. It starts with analysis and prioritisation, i.e. understanding which threats are most viable for the specifics of the company and its supply chain.

    The knowledge gained is then used for preventive measures, such as proactively strengthening security, implementing multi-factor authentication or blocking communication with servers identified as malicious.

    The third element is early detection, which involves continuous monitoring of the company’s own systems and partners’ networks for indicators of compromise (IoC) provided by Threat Intelligence platforms. This is rounded off by automated response, which allows rapid action to be taken in response to an incident, for example by automatically resetting hijacked accounts or isolating infected machines.
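    A minimal version of the detection and response steps of the cycle described above, added here as an illustration and not code from the article or from any Threat Intelligence platform: a constructed IoC feed (a malicious domain, an IP address and a leaked account name) is matched against constructed proxy and authentication log lines, each hit is prioritised by feed confidence and asset criticality, and mapped to the kind of automated response the article mentions. The indicator values, log format, supplier-connector host and scoring weights are all assumptions.

```python
"""Toy IoC matching over log lines with prioritisation and response mapping.
All indicators and log lines are constructed placeholders, not real IoCs."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Ioc:
    kind: str          # "domain", "ip" or "leaked_account"
    value: str
    confidence: int    # 0-100, as a TI platform would attach to the indicator
    source: str


# Constructed IoC feed (".invalid" TLD and TEST-NET-3 address are reserved, never routable)
IOC_FEED = [
    Ioc("domain", "update-check.invalid", 90, "constructed-feed"),
    Ioc("ip", "203.0.113.45", 60, "constructed-feed"),
    Ioc("leaked_account", "j.kowalski", 80, "constructed-leak-monitor"),
]

# Assumed: the host integrating a key supplier's ERP is a critical asset
CRITICAL_HOSTS = {"erp-connector-01"}

# Constructed log lines: proxy records (host, destination) and auth records (user)
LOG_LINES = [
    "2025-09-20T10:01:02Z proxy host=lt-002 dst=update-check.invalid status=200",
    "2025-09-20T10:03:10Z proxy host=erp-connector-01 dst=203.0.113.45 status=200",
    "2025-09-20T10:04:00Z auth user=j.kowalski result=success src=198.51.100.7",
    "2025-09-20T10:05:00Z proxy host=lt-001 dst=intranet.example status=200",
]

PROXY_RE = re.compile(r"proxy host=(?P<host>\S+) dst=(?P<dst>\S+)")
AUTH_RE = re.compile(r"auth user=(?P<user>\S+) result=success")


def score(ioc: Ioc, critical: bool) -> int:
    """Priority = feed confidence, doubled for critical assets, capped at 100."""
    return min(100, ioc.confidence * (2 if critical else 1))


def action_for(ioc: Ioc, critical: bool) -> str:
    """Map a hit to the automated response the article describes."""
    if ioc.kind == "leaked_account":
        return "reset_account"
    return "isolate_host" if critical else "block_destination"


def detect(lines: Iterable[str], feed: List[Ioc] = IOC_FEED) -> List[Dict]:
    """Return hits sorted by descending priority."""
    by_value = {i.value: i for i in feed}
    hits: List[Dict] = []
    for line in lines:
        m = PROXY_RE.search(line)
        if m and m["dst"] in by_value:
            ioc = by_value[m["dst"]]
            crit = m["host"] in CRITICAL_HOSTS
            hits.append({"asset": m["host"], "ioc": ioc.value,
                         "priority": score(ioc, crit), "action": action_for(ioc, crit)})
            continue
        m = AUTH_RE.search(line)
        if m and m["user"] in by_value and by_value[m["user"]].kind == "leaked_account":
            ioc = by_value[m["user"]]
            hits.append({"asset": m["user"], "ioc": ioc.value,
                         "priority": score(ioc, False), "action": action_for(ioc, False)})
    return sorted(hits, key=lambda h: -h["priority"])


if __name__ == "__main__":
    for h in detect(LOG_LINES):
        print(f"[{h['priority']:3d}] {h['asset']} matched {h['ioc']} -> {h['action']}")
```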

    However, it is important to remember that regulations such as DORA and NIS2 only set a minimum level. The threat landscape is evolving much faster than any legislative process. Achieving compliance is only a starting point, not an end in itself.

    True long-term resilience requires more than that: building a security culture in which third-party risk management is firmly integrated into the company’s business strategy, supplier selection process and day-to-day operations.

    The time for preparation and theoretical considerations is irretrievably over. Organisations that understand today that their stability and security depend directly on the digital hygiene of their smallest partners will not only meet the requirements of the law but, above all, build a sustainable competitive advantage in an increasingly unpredictable digital world.

  • Cyber security is moving from the server room to the boardroom. How do you talk about DORA and NIS2 with your board?

    Cyber security is moving from the server room to the boardroom. How do you talk about DORA and NIS2 with your board?

    Imagine this scene, so familiar to every IT professional: you’re standing in front of the board of directors. You have five minutes to explain why the company needs a significant budget for “something” that, at best, will ensure that nothing happens. For years, the struggle for cyber security funding resembled Sisyphean labour. It has now come to an end.

    The advent of new pan-European regulations – DORA (Digital Operational Resilience Act) and the NIS2 directive – is not another technical innovation that can be ignored. It is a powerful business argument that permanently moves the security discussion from the server room straight into the boardroom.

    They give IT professionals the language and tools to finally break through to C-level awareness. It’s no longer a conversation about technology, it’s a conversation about the survival and future of the business.

    New rules of the game

    Until now, many decisions on cyber security could be postponed. Now it is no longer a request, it is a firm legal obligation. DORA, targeting the financial sector, and NIS2, extending requirements to key sectors of the economy, introduce fundamental changes.

    Above all, the new regulations establish personal liability of executives for any negligence, an argument that effectively attracts attention. Moreover, the aim of the regulations is not to avoid attacks per se, but to ensure business continuity even during a major crisis.

    The biggest revolution, however, is in the approach to partners. Securing only your own company is today like installing a titanium door in a house with paper walls. Both directives make it clear: you are only as secure as your weakest supplier.

    It is in the supply chain that today’s biggest, often invisible risks lurk, which management must understand and manage.

    How do you translate technical language into benefit language?

    The key to success is to abandon technical jargon in favour of language that every board member understands: the language of risk, money and strategy.

    The first step is to change perspective and start talking about the risk, not the technology. Management does not need to know the difference between EDR and XDR. Instead, it needs to understand what business risks it is accepting by not investing in modern tools.

    Rather than asking for a ‘sophisticated log correlation system’, present a business scenario: “If our key supplier is hacked, we will find out about the leak of our customers’ data from the media. It’s a risk of reputational damage and fines in the millions. We need a tool that gives us early warning.”

    Secondly, use the language of money, not percentages. It is worth replacing abstract concepts such as ‘uptime’ with concrete financial losses. Instead of talking about ensuring server availability of 99.99%, it is better to ask: “Every hour our sales platform is out of order is a loss of £50,000 in revenue. DORA requires us to have a contingency plan. How much loss can we afford before we react?”

    Thirdly, the discussion should be about real threats, not hypothetical possibilities. Thanks to modern threat analysis tools (threat intelligence), it is no longer necessary to rely on assumptions. Instead of warning of a “theoretical phishing risk”, hard data can be presented: “Our analytical systems show that a hacking group specialising in attacks on companies in our industry is now extremely active. Last month they attacked our main competitor. It’s not a question of ‘if’, but ‘when’ they will try it on us.”

    Action plan in 3 steps

    Theory is important, but action is what counts. Instead of presenting the board with a problem, come with a plan ready to go. An effective approach starts with preparing a ‘risk map’. On it, identify three to five key suppliers without whom the company cannot function, and briefly describe how the failure of each one affects finances and operations.

    The next step is to create an ‘argument sheet’ for each identified risk. This should be a one-page summary in business language, explaining the problem, its financial implications and the proposed solution along with the cost.

    Finally, rather than asking for a general budget increase, propose specific, measurable targets, such as conducting a security audit of key partners by the end of the quarter to reduce operational risk by a certain percentage.

    A great opportunity

    DORA and NIS2 are not another problem to be solved. They are a unique opportunity. It’s a moment when IT professionals, armed with hard business arguments, can finally take the strategic seat at the table they deserve.

    The doors to the boardroom are now open wider than ever before. Don’t wait for someone to invite you in. Prepare your arguments, speak the language of business and lead your company towards true cyber resilience.

  • Cloud in the strategy trap. Why are Polish companies losing out on migration and how to change this?

    Cloud in the strategy trap. Why are Polish companies losing out on migration and how to change this?

    The cloud computing market in Poland is growing at an impressive rate and analysts forecast further dynamic growth. However, behind the enthusiastic statistics lies a complex reality: many cloud migration projects fail to deliver the expected benefits and often end in failure. Problems with cost, security and lack of competence mean that, for many companies, the cloud becomes a strategic trap instead of an opportunity. The key to success is not the technology per se, but a thoroughly considered approach.

    Migration to the cloud, although seemingly a simple transfer of resources, in practice represents one of the most serious challenges for today’s IT departments. The complexity of the process, the multitude of pitfalls and the regulatory pressures take even experienced organisations by surprise. In an era of increasing geopolitical uncertainty and tightening regulations such as the EU Data Act and the NIS2 Directive, the issue of data localisation and sovereignty has come to the fore. Companies today must not only protect data, but also demonstrate precisely where and how it is being processed – otherwise they risk not only financial penalties but, even worse, the loss of customer trust.

    The most common mistakes on the way to the cloud

    Analysis of failed implementations shows that problems almost always originate in a few repetitive areas. Understanding these is the first step to avoiding costly mistakes.

    1. Security and regulatory compliance: Many companies, especially when using global hyperscalers, have doubts about their ability to ensure compliance with European data protection standards. Concerns include the US CLOUD Act, which potentially gives US authorities access to European companies’ data. This is prompting organisations to look for providers with data centres within the EU.

    2. Lack of competence and resources: Small and medium-sized companies rarely have in-house teams of cloud architects or DevOps specialists. Without external support, they lack the knowledge to design secure and efficient architectures and implement automation, which is the foundation of an effective cloud.

    3. Opaque costs: The cloud was supposed to be cheaper, but unclear pricing models often lead to ‘bill shock’. Misconfigurations, over-provisioning of resources or failing to monitor costs can sharply increase expenses and undermine the economic sense of the entire project.

    4. Technical complexity and legacy systems: Applications that were not designed with the cloud in mind (so-called monoliths) require deep modifications or re-writing. Fear of potential downtime for critical systems that must be available 24/7 often paralyses migration decisions.

    5. Organisational barriers: Migration is not just an IT project – it is a change that affects the processes, responsibilities and culture of the entire company. If management treats it as a purely technical task rather than a strategic business decision, the project lacks priority and acceptance in other departments, leading to its failure.

    6. Supplier selection and the risk of ‘dependency’: The variety of offers – from global giants to local specialists – can be overwhelming. At the same time, companies fear so-called vendor lock-in, i.e. dependence on a single supplier, which will make it difficult or drastically increase the cost of a possible change of platform in the future.

    How to make a successful migration?

    The experience of companies that have successfully exploited the potential of the cloud shows that a methodical and strategic approach is key.

    Firstly, the migration must be preceded by a readiness assessment (cloud readiness assessment). IT and business departments should jointly analyse the current state of applications and infrastructure in order to realistically assess what can be moved to the cloud and how, and what needs to be upgraded.

    Secondly, a strategy of small steps. Instead of moving everything at once, it is worth starting with pilot projects with a clearly defined scope. This allows you to test your processes, detect errors early and gain valuable experience that can be applied to migrating key systems.

    Thirdly, the conscious use of external know-how. Migration is a task for specialists. It is worth engaging experienced partners who not only know the technology, but also understand the business processes and can manage the change in the organisation.

    Fourthly, cost and security planning from the outset. The budget, monitoring tools and security concept must be an integral part of the migration plan, not an add-on implemented after the fact. This is the only way to avoid unpleasant surprises.

    Finally, and most importantly, the cloud strategy must be linked to business objectives. Migration is not an end in itself. It must realistically contribute to tangible benefits, such as greater flexibility, better scalability, innovation or higher levels of security.

  • Cyber security is not a sprint. Companies need to stop putting out fires and start planning

    Cyber security is not a sprint. Companies need to stop putting out fires and start planning

    The increasing number of cyber attacks, new regulatory obligations and limited human resources make cyber security one of the key challenges for Polish companies – regardless of their size or industry. Dawid Zięcina, Technical Department Director at DAGMA Bezpieczeństwo IT, discusses what threats dominate today’s business environment, to what extent SOC-as-a-Service is becoming a viable alternative and what mistakes and organisational barriers companies most often face when building security systems.

    Klaudia Ciesielska, Brandsit: What cyber threats are currently dominating the Polish corporate environment? Are you really seeing an increase in advanced attacks (APTs), or are phishing incidents and malware still prevalent?

    Dawid Zięcina, Dagma IT Security: Polish companies are still exposed to the same, well-known types of cyber attacks. The most common threat remains classic phishing, based on fake phishing websites. Although the number of phishing campaigns is slightly decreasing compared to previous years, it is still the most commonly used technique by cybercriminals.

    In the case of malicious software (malware), our observations are consistent with data from industry reports – the scale of its use is growing, with data theft being the main target.

    It is also worth noting the increasing activity of APT (Advanced Persistent Threats) groups, which is closely linked to the current geopolitical situation. These are usually groups linked to foreign states, operating for intelligence and disinformation purposes. Importantly, their activities are increasingly extending beyond the public sector or large state-owned companies – smaller companies in the supply chain are also becoming victims of attacks. Individuals associated with employees or owners of these companies are also sometimes targeted.

    “Polish companies are still exposed to the same, well-known types of cyber attacks.”

    Brandsit: The NIS2 Directive and the amendment to the KSC Act introduce significant obligations in the area of cyber security. What challenges do companies most often face when trying to implement compliance with these regulations?

    D.Z.: Currently, the biggest challenge for Polish companies in implementing NIS2 compliance is the lack of an unambiguous, officially adopted Polish interpretation of the national regulations to be included in the amended Act on the National Cyber Security System (KSC). Although most of the guidelines contained in NIS2 have a relatively clear interpretation, it is the implementation details in the Act that may, in practice, determine the direction of change in the area of cyber security. For this reason, many organisations are adopting a wait-and-see attitude.

    Despite the lack of a final law, we have seen a significant increase in interest in services supporting the implementation of information security management systems (compliant with ISO/IEC 27001) and business continuity systems (compliant with ISO 22301). This is a good direction that allows organisations to prepare in a systemic way for the upcoming requirements and to plan specific actions.

    A common problem is a lack of awareness of how much in-depth analysis of one’s own operations these processes require, and how much time and resources need to be devoted to effectively implement solutions to increase the cyber resilience and resilience of the organisation – particularly against the risk of downtime caused by, for example, a cyber attack.

    Brandsit: Is security outsourcing – e.g. in the form of SOC-as-a-Service – becoming a viable alternative for companies without in-house security teams?

    D.Z.: Managed cyber-security services are gaining popularity not only among companies that do not have their own teams of specialists, but also as a support for existing security departments. With services such as SOC-as-a-Service, the customer gets access to an efficient, highly specialised team, ready to operate in the customer’s environment within a short time of the service launch.

    Importantly, the contracting authority gains a wide range of competences necessary to handle security at various stages – without the need to employ narrowly specialised experts regardless of whether an incident occurs and, if so, of what type.

    Maintaining and managing such extensive teams internally would require significant human and financial resources – in an outsourcing model, this responsibility shifts to the service provider, making this solution particularly attractive in terms of flexibility and cost-effectiveness.

    Brandsit: What strategic mistakes do companies most often make when building an IT security management system?

    D.Z.: The most common mistakes made by companies during the implementation phase of security systems are the lack of a prepared transformation plan based on a sound risk analysis, a piecemeal approach to the problems identified and underestimation of the resources – both human, time and financial – required for successful implementation.

    “Cyber security is an ongoing process that has no endpoint and requires creating the right environment for growth.”

    Very often organisations approach the process as a sprint, assuming that once the goal is reached quickly, the project will be completed. Meanwhile, cyber security is an ongoing process that has no endpoint and requires the right environment to be created for development.

    Such an environment can be built by, among other things, implementing an information security management system and a business continuity system – even if the organisation does not plan to formally certify compliance with the chosen standard.

    Brandsit: Are you seeing a change in the approach of boards and a shift in budgets towards cyber security, or is it still treated as a duty rather than a real business need?

    D.Z.: In companies where experienced professionals are responsible for the area of cyber security, boards demonstrate a high level of understanding of both the responsibility and the positive impact of well implemented security processes on the business as a whole.

    “Far more often than not, it is the downplaying of risks or ignoring previously identified problems that leads to costs that are disproportionately higher than investments that could have been made in advance – before the incident occurred.”

    However, we still encounter an approach in which cyber security is seen as an unnecessary constraint – something that hinders operations and generates costs without generating direct revenue.

    Building awareness of the risks, analysing the impact of IT on business operations and identifying scenarios where the organisation could be paralysed or suffer significant losses as a result of business disruption are key elements in changing this perspective.

    It is worth emphasising that ensuring the security of systems and networks does not have to involve huge expenditure. Far more often, it is the downplaying of threats or ignoring previously identified problems that leads to costs that are disproportionately higher than investments that could have been made in advance – before the incident occurred.

  • Cyber security OT: Why is the industry still standing still?

    Cyber security OT: Why is the industry still standing still?

    Despite growing cyber threats and increasing regulatory pressure, the industrial sector continues to delay the integration of cyber security into control systems (ICS). Is the slow pace of change the result of a cautious strategy – or a costly omission?

    In recent years, industrial infrastructure operators have come under intense pressure from two sides: on the one hand, increasingly sophisticated attacks on OT (Operational Technology) systems, and on the other, stringent regulations such as NIS2, which require increased levels of digital resilience. Despite this, security integration at the heart of control systems remains surprisingly slow.

    ABI Research data shows that industrial organisations are 10-15 years behind IT in terms of cyber security maturity. And while there is increasing talk of the need for trusted hardware and software in ICS environments, deployments of viable, sustainable security solutions are still rare.

    OT versus IT: different worlds, different priorities

    Although IT and OT are increasingly intersecting, the way the two areas approach security remains radically different. Industrial environments have traditionally focused on availability and stability – systems are expected to run continuously for many years, and any disruption represents potentially millions in losses.

    In this context, cyber security measures – especially those requiring changes to the hardware layer – are often pushed to the background. It is not a lack of awareness of the risks, but inertia and a limited window for change. For many industrial organisations, security is important but not critical – until something happens.

    Practical minimum: network instead of hardware

    Instead of investing in new, secure ICS equipment, many companies are turning to network solutions. Segmentation, firewalls, anomaly detection systems – these are technologies familiar to IT that can be implemented relatively quickly, without replacing the production infrastructure.

    This approach works on an ad hoc basis – it reduces the risk of an external attack, improves network visibility and allows basic regulatory requirements to be met. However, perimeter protection is not enough when an attacker gains access to the device itself or exploits a vulnerability in the firmware. Without trusted hardware, secure boot or cryptographically verified updates, ICS remain vulnerable to insider attacks and advanced persistent threat techniques.

    Costly transformation

    Implementing secure ICS solutions is not just a technical problem – it is also a huge financial, organisational and logistical challenge. The life cycles of equipment in industry are counted in decades – many have been in continuous operation for several years and will not soon be replaced.

    Upgrading OT infrastructure often means stopping production, changes to master systems and even training for operational staff. This all translates into costs that many companies find difficult to accept – especially in times of economic uncertainty and tight supply chains.

    When will equipment become the norm?

    Despite the barriers, there are a growing number of suppliers investing in the development of integrated security in ICS. Companies such as Siemens or HMS offer controllers with trusted boot, encrypted communication or logical application separation features. On the other hand, start-ups – such as RDDL or Veridify – are proposing approaches based on blockchain or post-quantum cryptographic algorithms that can significantly enhance hardware security in distributed environments.

    In the long term, it is the generational replacement of ICS equipment that will drive change. Every production line upgrade, plant expansion or implementation of Industry 4.0 systems will be an opportunity to replace obsolete components with new, more resilient ones.

    Inevitable pace

    Regulations and standards such as NIS2, IEC 62443 or the European Cyber Resilience Act are already forcing change – not only on operators, but also on component suppliers and system integrators. Responsibility for the supply chain, the need to document software security and verification of hardware manufacturers will soon become the norm.

    For many industrial companies, this means going beyond the bare minimum and starting to plan strategic upgrades – not just for regulatory compliance, but to remain competitive and maintain customer trust.

    The foundation for Zero Trust in industry

    Finally, integrated ICS security is not just about defence against attack – it is a prerequisite for implementing a Zero Trust model in an OT environment. Without trusted hardware, secure communications and device integrity checks, it is impossible to effectively manage access, segmentation or real-time threat detection.

    Zero Trust in industry is still the buzzword of the future, but every step towards secure ICS – even if slow – brings companies closer to a model where there is no room for implicit trust.

    Will the industry have time?

    The industry cannot afford any further delay. On the one hand – attacks are becoming more sophisticated and targeting OT devices directly. On the other – regulators are no longer going to tolerate security compromises.

    Integrated, hardware-based ICS security is not a luxury – it is becoming an essential foundation of modern manufacturing, logistics and infrastructure. The question is no longer ‘if’, but ‘when’ companies will decide to take the step forward.

  • Segura opens Europe’s first Center of Excellence PAM in Katowice and establishes partnership with Dagma

    Managing privileged access is such a complex task that getting the right support in this area should not be another challenge. That is why DAGMA IT Security and Segura – a global leader in privileged access management (PAM) – are entering into a strategic partnership and opening Europe’s first Centre of Excellence. The centre, located in Katowice, Poland, is designed to support organisations in faster implementation of PAM solutions and compliance with regulations such as RODO (the Polish term for the GDPR) or NIS2. It is the third location of its kind in the world after the US and Saudi Arabia.

    The Verizon Data Breach Investigations Report 2024 shows that as many as 86% of security breaches involved stolen login credentials, phishing or abuse of privileges. In the face of growing threats and tightening compliance requirements, Segura and DAGMA IT Security give European cyber security teams what they need most: expert support, intuitive tools and full regulatory compliance.

    “Center of Excellence is the next step in our mission to support organisations around the world, this time with a strong local base in Europe. We believe that fast access to technical support, simplified implementations and compliance with European regulations are the key to successful identity security.” Marcus Scharra, CEO of Segura, said at the opening of the Centre of Excellence in Europe.

    A European response to global challenges

    Katowice is not only the industrial heart of Poland, but also a rapidly growing centre for new technologies and IT services. It is here that Segura has created a centre that will serve as a regional technology hub, supporting both the private and public sectors across Europe.

    “The need for effective identity security management is growing at an unprecedented rate. The opening of the CoE is not only important from the point of view of our overseas expansion. It is also important because Segura is expanding its offering beyond classic PAM solutions, adding areas such as IGA (Identity Governance & Administration) or AM (Access Management). According to industry reports, this is one of the fastest growing areas of cyber security, which we are also strongly betting on. We are confident that this strategic partnership will significantly strengthen the deployment capabilities and support for our customers across the region.” – explains Mikołaj Sikorski, Chief Strategy Officer at DAGMA IT Security.

    The Centre of Excellence in Europe includes:

    • technical and expert support for customers throughout Europe
    • rapid implementation with adaptation to regional realities
    • regulatory compliance support, including RODO (GDPR), NIS2 and other European regulations

    The opening of the CoE in Katowice is another step in the development of DAGMA Bezpieczeństwo IT, which has been focusing on growth in the area of cyber security services for many years. The company’s entry into foreign markets (DACH) in 2022 has significantly strengthened its market position and translated into an increase in the number of protected organisations. Among the recent deployments was the provision of Segura solutions to support the entire IT environment of one of the world’s largest automotive companies. The CoE will serve as a regional technology resource, supporting both the private and public sectors across Europe.

  • Not just NIS2, or the new cyber security certification regulations

    At the beginning of May 2025, a government bill on a national cyber security certification system was submitted to the Sejm. This is not only a reaction to European regulations (specifically – EU Regulation 2019/881), but also an opportunity to sort out a market that today tends to be opaque and based on trust in ‘logos’.

    Why do we need a cyber security certification scheme?

    To date, there has been no legislation in Poland that regulates cyber security certification. Yes, the market offers the possibility to obtain various types of cyber certificates, but these are private certificates, where each owner of the “certification programme” sets its own rules. Without questioning the sense and merit of such certificates, it must be remembered that the lack of uniform certification rules/criteria may – at least in some cases – raise questions as to how much reliance can be placed on such certificates. It is therefore welcome that there will soon be statutory provisions in this area.

    What will change in practice?

    The entry into force of the Cyber Security Certification Regulations will not mean that private certificates can no longer be issued. They will still remain and interested persons/entities will be able to continue issuing or applying for them. In addition to private certificates, however, there will be the additional possibility of certification by accredited bodies within the legal framework established by the state. Importantly, the new provisions do not impose any additional obligations on entities not interested in participating in the certification scheme.

    What will the certification levels be?

    Certificates can be granted under European certification schemes (we currently have the EUCC, the European Cybersecurity Scheme on Common Criteria, which can be applied to ICT products such as hardware or software; further schemes are under development for 5G and cloud services) and – in addition – national certification schemes, which will be created by means of regulations issued by the minister responsible for IT. At the European level, a three-tier classification will apply (according to assurance levels: basic, substantial and high), while at the national level the classification is to be single-tier.

    European certification programmes will focus on ICT products, services and processes, and certificates issued under them will be automatically recognised throughout the European Union.

    National certification will be possible not only for ICT products, services and processes, but also for the entity’s cyber-security management system (as a whole) or the personal qualifications of individuals.

    What will the certification system look like?

    The bill stipulates that the certification scheme will involve:

    • the minister responsible for IT (responsible, inter alia, for the creation of national schemes, supervision and control),
    • Polskie Centrum Akredytacji (responsible for granting accreditation to conformity assessment bodies),
    • assessment bodies, i.e. certification bodies, including private companies,
    • entrepreneurs and individuals who wish to undergo certification.

    When will the certification regulations come into force?

    Although the draft law on the national cyber-security certification system was ahead of the planned amendment to the law on the national cyber-security system (implementing the NIS2 directive) in the legislative race, we will have to wait a while longer for its enactment. It has now been referred to parliamentary committees and must then go through the entire legislative procedure in the Sejm and the Senate. Realistically, it should appear at the turn of Q2/Q3 2025.


    Author: r.pr. Piotr Grzelczak, GFP_Legal Law Firm (Grzelczak Fogel and Partners sp.p.)

  • Sustainability in IT? Only if you don’t lose data in an attack – Dariusz Szwed, Canon

    Recent years have seen a sharp rise in cyber threats, with ransomware being one of the most acute. Dariusz Szwed – an expert at Canon Polska who deals with office digitisation and cyber security issues – points out that the problem no longer affects only global corporations, but also small and medium-sized enterprises, which often do not have adequate resources to effectively counter cyber attacks.

    “There is no longer a lower limit to the size of companies where ransomware can be applied. Sometimes we find that it is easier for hackers to take control of a smaller company, lock it down and demand payment, than to risk an attack on a large player with much more resources.”

    Dariusz Szwed, Canon Polska

    In the context of data protection, the role of modern technologies such as cloud computing is increasingly being pointed to. This solution not only enables faster recovery after an attack, but also improves security thanks to built-in protection mechanisms. However, there is still a lack of full trust in the cloud in Poland, which, as Szwed points out, creates a need to raise awareness in this area.

    The cloud as the key to security

    One of the key strengths of the cloud is the ability to quickly recover from an attack, which significantly minimises downtime for a company. Dariusz Szwed points out that with cloud solutions, companies can not only quickly restore data after an attack, but also gain confidence that it is constantly monitored and protected by the best available technology.

    However, there is still a noticeable caution in the adoption of cloud technologies in Poland, which is mainly due to concerns about security and trust in providers.

    “Polish organisations, both in the private and public sector, are far less trusting of the cloud environment than is the case in other European countries. In our country, the largest institutions are still tied to on-premise solutions, which involves building additional server rooms and managing them with their own resources.”

    Dariusz Szwed, Canon Polska

    Meanwhile, global data clearly shows that organisations using cloud solutions are better prepared for cyber attacks than those relying solely on traditional IT infrastructure. Another important aspect is the scalability and flexibility of the cloud. It allows companies to adapt IT resources to changing needs, which is particularly important in the context of remote working and distributed teams.

    Cyber security education

    Cyber security education is becoming one of the most important elements of an effective data protection strategy. Dariusz Szwed points out that the biggest threat to companies is not the technologies themselves, but the lack of proper knowledge and awareness among employees. It is human error, stemming from ignorance or unawareness, that is the most common reason for the success of social engineering attacks such as phishing. Modern attacks are increasingly based on manipulation of the human psyche rather than technical vulnerabilities in systems.

    Education in this area should not be limited to basic training, but should also include regular reminders and simulations that help consolidate correct habits and responses to threats. Szwed notes that traditional training that takes place once in a while is no longer sufficient. Cyber security should be integrated into the daily operation of the company and be an integral part of the organisational culture. This is an approach that, in the long term, minimises the risks associated with attacks. Education should apply not only to employees, but also to management, whose responsibility for data security is particularly relevant in the context of legislation such as the NIS 2 directive.

    NIS 2 Directive: New challenges and responsibilities

    The NIS 2 Directive, which came into force in 2023, is a significant step towards increasing the level of cyber security in the European Union. It introduces new security requirements across a range of sectors, including critical infrastructure, information and communication technology and digital services. One of the key aspects of this directive is the adoption of the principle of accountability at all levels of an organisation, meaning that managers and business owners must be personally involved in digital security issues.

    The Canon Polska expert emphasises that the NIS 2 directive has a significant impact on the way cyber security is managed in companies, especially in terms of the responsibility of those in managerial positions. It changes the approach to risk management, as the directive explicitly places the responsibility on managers to respond to threats and monitor the company’s cyber security situation. Dariusz Szwed also notes that while the NIS 2 directive imposes obligations on companies, it is also a good opportunity to start considering cyber security as an integral part of a growth strategy.

    Remote working and digital security

    The COVID-19 pandemic has significantly accelerated the transition to remote working, which has introduced new digital security challenges. Many companies were forced to rapidly adapt their structures to the new mode of working, and this meant implementing new technology solutions and data protection procedures. In response to these changes, cyber threats related to remote working have become an important topic in the area of risk management. Dariusz Szwed notes that while remote working is not a threat in itself, its implementation without proper protection procedures can lead to serious security vulnerabilities. Remote access to company resources without adequate protection measures creates an opportunity for cybercriminals, who can exploit these weaknesses to launch attacks, such as phishing, against poorly secured devices and user accounts. To counter the risks associated with remote working, Szwed emphasises the importance of investing in security technologies.

    Ecology and sustainability in printing technologies

    Dariusz Szwed points out that ecology is becoming an important factor in technology selection, also in the context of office equipment. The expert notes that companies are increasingly paying attention to environmental issues when choosing technology, including printing devices. Sustainability is becoming one of the criteria that influence purchasing decisions. In this context, particular attention is being paid to energy efficiency, consumption of consumables, as well as the life cycle length of equipment, thus reducing waste and environmental impact. With increasing environmental awareness, many print device manufacturers, including Canon, are betting on sustainability and eco-friendly innovations.

    “An environmental approach is a very important part of Canon’s strategy. As a Japanese organisation, we operate with the mindset of Kyosei, which means we work, we build business for the common good. Canon has for years taken measures to minimise the environmental impact of its production. This includes not only taking care with consumables, but also designing devices to have the longest possible life cycle and minimising energy consumption.”

    Dariusz Szwed, Canon Polska

    These measures include, among other things, the production of energy-efficient equipment, as well as the implementation of recycling programmes that allow the reuse of spare parts and consumables. It is also worth noting that sustainability in the context of printing does not end with the production of devices and consumables alone. Canon is already implementing solutions to optimise office printing processes, resulting in lower paper, ink and energy consumption. Such solutions allow companies to continuously monitor their operations and make improvements that are both environmentally and economically beneficial.

    Confidence and innovation in printing equipment technology

    Confidence in printing equipment technology underpins companies’ purchasing decisions. Today’s printing market places increasingly demanding requirements on equipment manufacturers, both in terms of performance and security. When deciding on a particular piece of equipment, customers are guided not only by price, but also by the quality, reliability and innovation of the solutions offered. Trust in equipment is directly linked to its durability and energy efficiency, as well as to the ever-increasing requirements for data protection and digital security. Dariusz Szwed notes that trust in printing equipment is crucial to the decision-making process in companies.

    “Trust in printing equipment is essential because if it fails or has print quality issues, a company can suffer serious losses. Companies expect not only functionality, but also longevity of equipment that will be reliable for many years.”

    Dariusz Szwed, Canon Polska

    For this reason, it becomes crucial to design equipment with durability and stability of operation in mind, which affects the long-term satisfaction of users. Innovations in printing technology also play an important role in improving the quality of equipment and increasing confidence in devices.