New obligations for companies. KSC changes the rules of the game

Last week, President Karol Nawrocki signed an amendment to the Act on the National Cybersecurity System (KSC), implementing the EU NIS2 directive. At the same time, he submitted a request to the Constitutional Tribunal for a follow-up review of the provisions relating to high-risk suppliers.

– The signing of the amendment to the KSC Act is not a one-time legislative event for entrepreneurs, but the beginning of a several-year process of real change in the way organizations operate in the digital world – notes Paweł Stapf, general director of Komputronik Biznes, in an interview with “Wprost”.

The expert emphasizes that the practical implementation of KSC is not only about meeting formal requirements or preparing documentation. This is the need to build the ability to constantly understand threats, respond to incidents and maintain business continuity in a business environment that is increasingly dependent on technology.

Challenges for entrepreneurs

According to Paweł Stapf, the biggest challenge for entrepreneurs will not be the technology itself, but understanding the scale of responsibility that comes with digitalization.

– For many companies, cybersecurity remains an abstract area, associated with the IT department, while the Act moves it to the management and operational level. The problem will be the lack of competences, limited availability of specialists and difficulty in translating regulatory requirements into specific business activities. An entrepreneur does not need a list of tools, but an answer to the question: who will actually take constant responsibility for the security of his organization – states Stapf.

The complexity of new responsibilities also remains a significant challenge.

– For many companies, especially outside the technology sector, regulatory language and the scope of expectations may be difficult to interpret – adds the expert.

He is afraid that some organizations may treat KSC only as a formal obligation, instead of using it as an opportunity to build a competitive advantage.

– Meanwhile, real value appears only when security is incorporated into the everyday functioning of the company and does not remain a one-time project – notes Stapf.

“KSC can become a modernization impulse”

Many experts point out that the amendment finally brings order to an area that has so far developed unevenly and often reactively.

– KSC can become a modernization impulse, forcing organization of IT environments, better visibility of processes and greater operational resilience of enterprises. In this sense, regulation acts as a catalyst for digitalization, because security is no longer a cost and begins to act as a foundation for stable development, emphasizes Stapf.

What will the future bring?

According to the expert, the key will be to move from design thinking to a model of permanent operational protection.

– Enterprises will increasingly need specialized services ensuring continuous supervision over the digital environment, event analysis and support in responding to cyber incidents. This is a natural direction of market development, because most organizations are not able to build such competences internally on their own, notes Stapf.

He emphasizes that the KSC should not be treated solely as a safety regulation.

– This is a regulation regarding the ability of enterprises to function in the digital economy. Companies that treat it as an impulse to organize technology, automate processes and modernize operational environments can actually increase their resilience and efficiency. Those that ignore the upcoming change risk not only losing competitiveness, but in extreme cases also limiting their ability to continue operating in a business ecosystem that requires a confirmed level of security, the expert concludes.