The new cybersecurity regulation – what should companies know?

The Cabinet of Ministers regulations implementing the NIS2 Directive have already been in force for several months. They set out minimum cybersecurity requirements for providers of essential and important services, as well as ICT providers.

Why does this matter for business?
Even if a company is not directly within the scope of the regulation, the requirements may still apply indirectly – for example, as part of the supply chain or as a service provider. Non-compliance can not only lead to legal consequences but also affect cooperation with partners and damage market reputation.

Three steps companies should start taking today:
  • Assess compliance with the regulation – determine whether the company falls directly under the requirements or acts as a supplier to those that do.
  • Develop cybersecurity policies and processes – registration with the Cybersecurity Centre alone is not enough; companies must create a full set of documents covering cybersecurity policy, risk assessment and management, as well as procedures for incident reporting and response.
  • Appoint a responsible person for cybersecurity – this will be mandatory by October 1, 2025, and the appointed individual must meet specific qualification requirements.

The most common mistake in practice is treating the requirements as a formal registration without creating real processes to mitigate security risks. Don’t wait until the last moment – cybersecurity is not just an IT issue, it is about business continuity and maintaining partner trust.