NIS2 in practice: how to avoid “firefighting mode” in the face of growing cyber threats?

Did you know that Poland has become one of the main targets for cybercriminals worldwide? The latest data is alarming: Poland already accounts for 6% of all ransomware attacks globally – more than the United States. In 2024 alone, as many as 130,000 incidents were reported to NASK.
We’re operating under “double risk” conditions. On one hand, we’re seeing an unprecedented scale of attacks on the energy, logistics, and manufacturing sectors; on the other – legislative chaos related to implementing the NIS2 directive.
Many Polish companies have adopted a “we’ll wait for the law” strategy. At braf.tech we warn: this approach can cost your company not only enormous penalties, but above all operational paralysis.

A false sense of time

The NIS2 directive is already in force in Europe, but the Polish amendment to the National Cybersecurity System (KSC) law is still being prepared. This lulls businesses into complacency. Studies show that as many as 36% of security experts still don’t know whether their organization will be covered by the new regulations at all.
The problem is that once the law takes effect, the clock will start ticking very fast. Companies will have only 30-60 days to register and about six months for full implementation of the requirements.

Why “firefighting mode” won’t work

Implementing complex security processes under time pressure is a recipe for disaster. 75% of organizations in the EU don’t have a dedicated NIS2 budget, and the job market is suffering from a massive shortage of specialists. If you start looking for experts and solutions only after the KSC law comes into force, you’ll be in line together with as many as 10,000 other entities that suddenly became subject to regulation.

Action plan: 5 steps you must start today

Regardless of what stage Polish legislation is at, hackers don’t take breaks. To avoid chaos, your organization should immediately take the following steps:
Step 1: Verify your status
Don’t wait for an official letter. Independently and critically assess whether your organization falls under NIS2/KSC. This is the most often overlooked, yet crucial, stage.
Step 2: Map your critical systems
Without knowing exactly what in your infrastructure is essential for business continuity, you can’t assess risk.
Step 3: Organize identities and access (IGA)
This is one of the most time-consuming parts of implementation. You need to know who has access to what – and why. IGA-class systems, such as sara.next, automate this process, eliminate so-called “ghost accounts,” and ensure audit compliance. Manual permission management at the scale of NIS2 requirements is practically impossible.
Step 4: Test incident reporting procedures
NIS2 imposes strict timeframes — an incident report must be sent within 24 hours. Is your team ready for that?
Step 5: Review your supply chain
Remember: NIS2 also makes you responsible for the security of your suppliers and partners.

Don’t get caught off guard

Poland’s economy is entering a period of turbulence. Cybercriminals have accelerated, regulators are trying to catch up – and you’re right in the middle of this race. Don’t let your company become an easy target.
Start by putting your own “house” in order – especially in access management, which is the foundation of security (Zero Trust). If you need support with an audit or implementing IGA tools, get in touch with us.
What’s next? Want to see how sara.next can help you meet NIS2 requirements in identity management? Book a free consultation with our expert.
