
    NIS2 in the public sector. How does the new law impact public institutions?

    Date: 28.07.2025

    Category: nis-2, Security


    Cyberthreats have long ceased to be a problem solely for the private sector. Hospitals, offices, and public institutions have all become targets of increasingly sophisticated attacks. From ransomware paralyzing hospitals to the encryption of documents in marshal’s offices, the consequences are not only costly but also threaten the daily functioning of citizens. NIS2 in the public sector is a way to raise cybersecurity standards at every level of public administration.

    In response to the growing threat, the European Union has introduced the NIS2 directive, which imposes new obligations for cybersecurity management. Poland, in turn, is working on an amendment to the National Cybersecurity System (KSC) Act, which will clarify and tighten the regulations. This is not just another formality – it is a revolution in the approach to protecting data and IT systems, requiring conscious planning and strategic action.

    What steps should public institutions take to adapt to the new requirements? What consequences await those who ignore them?

    Cyber threats in the public sector – real examples

    According to Check Point data, 2024 saw a sharp increase in the number of cyberattacks on Polish organizations – particularly in strategic sectors. Public utilities (an average of 2,063 attacks per month) and the military and government sector (2,058 attacks per month) were the most common targets. By comparison, approximately 2,200 attacks were recorded in the Czech Republic and Hungary, while Slovakia and Germany saw 1,400 and 1,300 attacks, respectively. This means that Poland is among the top Central European countries in terms of the number of incidents targeting the public sector.

    The next most vulnerable sectors in Poland were finance and banking (1,836 attacks per month), communications (1,557), and manufacturing (359). Globally, the scale of attacks in 2024 increased by a staggering 44% compared to the previous year, demonstrating that cyberthreats are growing not only locally but also globally.

    If anyone still doubts that cyberattacks are a real threat to the public sector, consider several high-profile incidents from recent years, and the fact that the City Hall in Słupsk is attacked on average 1,000 times a day.

    🔴 Polish Mother’s Hospital in Łódź (2022)
    The LockBit 3.0 ransomware attack encrypted files and servers. The hospital was forced to temporarily shut down its systems, impacting patient diagnostics and treatment.

    🔴 Central Clinical Hospital of the Medical University of Łódź (2023)
    Hackers took control of the facility’s system, and the administration was forced to immediately shut down its IT systems. Although patient data was not leaked, the effects of the attack were felt for several days.

    🔴 Tuczna Municipal Office (2021)
    Attackers encrypted the office’s data and demanded a ransom in cryptocurrency. The municipality refused to pay, but the lost files could not be recovered. The result? A switch to manual recovery of tax and budget accounting.

    🔴 Marshal’s Office of the Mazowieckie Voivodeship (2022)
    The encryption of the Electronic Document Management system paralyzed over 300 local government units. This demonstrates that an attack on a single institution can trigger an avalanche of problems across the entire public administration ecosystem.

    These cases demonstrate one thing: NIS2 in the public sector is a necessary regulation. Cyber threats in the public sector are real, and their consequences can be catastrophic. Therefore, NIS2 and KSC require a proactive approach to cybersecurity.

    Who do NIS2 regulations apply to in the public sector?

    Not every institution is automatically subject to NIS2 regulations and the KSC amendment, but their scope is broad.

    Entities subject to the regulations are divided into two main groups:

    Key (in the directive's English text: essential) entities – these include hospitals, government offices, critical infrastructure operators, the energy and financial sectors, and digital service providers. They are subject to preventive (ex ante) oversight, meaning they can be inspected even without an incident.

    Important entities – these include food producers, chemical companies, transportation companies, and postal operators. In their case, follow-up (ex post) oversight applies – inspections occur after an incident occurs.

    Note that classification depends not only on the sector but also on the size of the entity: under NIS2, large organizations in the highest-criticality sectors are as a rule essential entities, while medium-sized organizations in those sectors and entities in the remaining listed sectors are important entities.

    Each entity should verify whether it is subject to the new regulations. Failure to act may result in significant financial penalties and legal liability for management.

    How to prepare a public institution for new cybersecurity regulations?

    Adapting to NIS2 in the public sector isn’t a one-time effort; it’s a process that requires a strategic approach. NIS2 and the revised KSC introduce specific requirements aimed at increasing resilience to cyber threats. To meet these new obligations, organizations must not only implement appropriate technologies but also reorganize their approach to risk management, incident reporting, and data protection. How should they go about it?

    The first step is to determine whether an institution is subject to regulation. This may seem obvious for large hospitals or government agencies, but some entities, for example smaller local government units, water supply organizations, or even companies working with key sectors, may not realize they fall under the new regulations.

    Lack of awareness can lead to serious consequences, including significant financial penalties and even management liability for failure to meet obligations. Therefore, organizations should begin by analyzing their operations and relationships with other entities, and if doubts arise, utilize self-assessment tools and consult with experts.

    NIS2 Readiness Audit

    Once it’s clear that an organization must implement NIS2 requirements, a baseline audit should be conducted to determine the current security posture and the vulnerabilities in its IT systems. This is the moment when an organization can verify whether its infrastructure is prepared for potential cyberattacks and where the greatest risks lie. The audit should include both a technical analysis (for example, an assessment of network security, operating systems, authentication and authorization methods, and data protection) and a review of procedures.

    • Does the organization have a Business Continuity Plan (BCP)?
    • What is the incident reporting process like?
    • Are there mechanisms in place to mitigate the impact of attacks?

    The lack of clear answers to these questions may indicate that the organization is exposed to significant risk.

    NIS2 compliance audit or readiness audit

    That’s why we created an NIS2 compliance audit, which addresses the extent to which the organization already complies with the NIS2 directive in the public sector and what steps it should take to fully comply.

    Creation of security policies

    The audit itself, however, is just the beginning. It’s crucial to create a security policy and implement appropriate procedures that not only meet legal requirements but, above all, provide effective protection against threats. The NIS2 Directive requires the identification of risks and an assessment of their impact on the organization, which in practice means access management procedures, an inventory of IT assets, and regular vulnerability testing.

    Another key aspect is the procedure for handling incidents. NIS2 (Article 23) sets a staged reporting timeline for significant incidents: an early warning to the competent CSIRT within 24 hours of becoming aware of the incident, an incident notification with an initial assessment within 72 hours, and a final report no later than one month after that notification. The amended KSC Act is intended to carry these deadlines into Polish law. Without appropriate procedures, meeting these requirements can be difficult, exposing the institution to sanctions.

    Security Management and Incident Management

    When implementing changes, IT system monitoring and security testing must not be forgotten, as even the best procedures will remain mere theory if they are not tested in practice.

    The mandatory audits and security tests required by NIS2 are not just a formal requirement but a way to truly increase an organization’s resilience to attacks. Institutions should implement solutions that actively monitor threats – SIEM systems can analyze logs and detect suspicious activity, while EDR/XDR enable the detection and neutralization of threats at the endpoint level.
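    The following is an added example, not code from the original article or from Grandmetric, that ties together the two operational points above: a SIEM-style detection rule run over log lines, and the NIS2 Article 23 reporting clock that starts once an incident is detected. The log lines are constructed sample data in an OpenSSH-like syslog format (the hostnames, usernames and IP addresses are invented); the threshold, window and the 30-day approximation of "one month" are assumptions, not values prescribed by the directive.

```python
"""Added example (not from the original article): a minimal SIEM-style
detection rule over constructed auth log lines, plus the NIS2 Art. 23
reporting deadlines computed from the detection time."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
import re

# Constructed sample log lines (OpenSSH-like syslog format). Hosts, users
# and addresses are invented; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges.
SAMPLE_LOGS = """\
2025-07-28T08:00:01Z srv01 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
2025-07-28T08:00:03Z srv01 sshd[2102]: Failed password for root from 203.0.113.7 port 50123 ssh2
2025-07-28T08:00:05Z srv01 sshd[2103]: Failed password for invalid user test from 203.0.113.7 port 50124 ssh2
2025-07-28T08:00:08Z srv01 sshd[2104]: Failed password for root from 203.0.113.7 port 50125 ssh2
2025-07-28T08:00:10Z srv01 sshd[2105]: Failed password for root from 203.0.113.7 port 50126 ssh2
2025-07-28T08:00:12Z srv01 sshd[2106]: Accepted password for root from 203.0.113.7 port 50127 ssh2
2025-07-28T08:30:00Z srv01 sshd[2201]: Failed password for jan.kowalski from 198.51.100.4 port 41000 ssh2
2025-07-28T08:30:20Z srv01 sshd[2202]: Accepted publickey for jan.kowalski from 198.51.100.4 port 41001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_line(line):
    """Parse one sshd auth line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def detect_bruteforce_then_success(lines, threshold=5, window=timedelta(minutes=5)):
    """Alert when a source IP produces >= `threshold` failed logins inside a
    sliding `window` and then logs in successfully (password-guessing that
    worked). Threshold and window are assumed tuning values."""
    failures = defaultdict(deque)  # ip -> timestamps of recent failures
    alerts = []
    for line in lines.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # unrelated or malformed line
        recent = failures[ev["ip"]]
        # Drop failures that have fallen out of the sliding window.
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
        elif len(recent) >= threshold:
            alerts.append({
                "ip": ev["ip"], "user": ev["user"], "host": ev["host"],
                "detected_at": ev["ts"], "failures_before_success": len(recent),
            })
            recent.clear()  # one alert per burst
    return alerts


def nis2_reporting_deadlines(detected_at):
    """NIS2 Art. 23 timeline, counted from becoming aware of the incident:
    early warning within 24 h, incident notification within 72 h, final
    report within one month of that notification (approximated as 30 days)."""
    notification = detected_at + timedelta(hours=72)
    return {
        "early_warning": detected_at + timedelta(hours=24),
        "incident_notification": notification,
        "final_report": notification + timedelta(days=30),
    }


if __name__ == "__main__":
    for alert in detect_bruteforce_then_success(SAMPLE_LOGS):
        print(alert)
        for stage, deadline in nis2_reporting_deadlines(alert["detected_at"]).items():
            print(f"  {stage}: {deadline.isoformat()}")
```

The single user who mistyped a password once and then logged in with a key produces no alert; the burst of five failures followed by a successful root login does, and the deadlines are derived from that detection timestamp. In a real deployment the same rule would run inside the SIEM over forwarded logs, and the alert would open a ticket so that the 24-hour early-warning clock is visibly tracked rather than remembered.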


    At the same time, regular penetration testing will help determine whether the IT infrastructure is truly secure or whether there are vulnerabilities that could be exploited by cybercriminals.

    At the executive level, it’s important to determine whether to hire security analysts (and whether you can even afford them) or opt for semi-automated or automated services, such as Cisco XDR (Extended Detection and Response).


    Cybersecurity training for management and employees

    The human factor also cannot be overlooked. Even the best security systems can be bypassed if employees don’t follow cyber hygiene practices. This is why training and building threat awareness are among the most important pillars of an effective security policy. Phishing, social engineering, and poor password management are just a few of the problems that can be minimized with a well-planned educational program. However, this isn’t about one-time training, but rather about ongoing awareness-raising, regular attack simulations, and ensuring employees are implementing good practices on a daily basis.

    Prepare today so you won’t regret it tomorrow

    Preparing a public institution for NIS2 and the revised KSC requires a comprehensive approach – from risk identification, through auditing and monitoring, to employee training. Organizations that delay compliance with the new regulations may not only incur financial penalties but, above all, become easy targets for cybercriminals.

    Grandmetric offers comprehensive support in implementing NIS2 requirements, from risk analysis and IT tool implementation to team training.

    Is your institution ready for the new regulations? Contact us to conduct a compliance audit and avoid threats before it’s too late. 🚀

    Author

    Marcin Bednarski

    Key Account Manager at Grandmetric. Believes that the best projects start with a conversation, not with technology. For over a decade, he has been supporting public and private institutions in creating solutions that truly work. From needs analysis to implementation, he guides clients every step of the way. His expertise includes DWDM transmission systems, Layer 1 encryption, and QKD.
