Bezpieczeństwo cyfrowe małych i średnich przedsiębiorstw a Dyrektywa NIS2
Digital security of small and medium-sized enterprises and the NIS2 Directive
Author(s): Marcin Chodyka
Subject(s): Politics / Political Sciences, Politics, Social Sciences, Economy, Law, Constitution, Jurisprudence, Business Economy / Management, Communication studies, Security and defense, Hybrid Warfare
Published by: Wydawnictwo Uniwersytetu Jagiellońskiego
Keywords: NIS2 directive; cybersecurity; small and medium enterprises (SMEs); legal obligations; risk management; supply chain; board accountability
Summary/Abstract: The aim of this article is to analyse the impact of the NIS2 Directive on the digital security of small and medium-sized enterprises (SMEs), with particular emphasis on the new obligations concerning risk management, the responsibility of top management and supply chain security. The article situates this issue in the context of SMEs’ increasing vulnerability to cyberattacks and their role as links in the supply chains of larger organisations; it argues that NIS2 extends the scope of regulation beyond traditionally understood critical infrastructure and turns cybersecurity into an element of corporate governance also in medium-sized firms. The main part of the paper discusses the catalogue of minimum cyber risk management measures laid down in Article 21 NIS2, the nature and extent of boards’ liability (including sanctioning mechanisms), and the indirect impact of supplier-security requirements on the smallest entities that formally remain outside the scope of the directive. To address the research objectives, the following research question was formulated: how do the solutions introduced by NIS2 shape the level of digital security in the SME sector, and what practical implications do the new regulatory obligations have for small and medium-sized firms? The research problem focuses on identifying the scope of direct and indirect obligations imposed on SMEs, assessing their impact on risk management systems and supply-chain functioning, and indicating the key implementation barriers faced by enterprises. 
In line with the adopted research problem, the author formulated the research hypothesis that NIS2 – by introducing harmonised minimum requirements in the field of cybersecurity and by assigning formal responsibility to company boards – will contribute to an increase in SMEs’ digital resilience, provided that these entities receive adequate institutional and financial support; otherwise, the new requirements may prove an excessive burden for the smallest firms, threatening their exclusion from supply chains. The study is based on a detailed analysis of the provisions of the NIS2 Directive and related legal acts, ENISA reports and the relevant literature, complemented by case studies of high-profile cybersecurity incidents and an examination of practical recommendations for the SME sector. The findings made it possible to develop a set of recommendations for small and medium-sized enterprises, including, inter alia, elevating cybersecurity to board level, conducting gap analyses against NIS2 requirements, implementing basic cyber-hygiene mechanisms, developing employee competences and making use of external expert support, which in the long term may turn SMEs into more resilient and trustworthy links in the European digital ecosystem.
Journal: Prawo i Bezpieczeństwo
- Issue Year: 2025
- Issue No: 2(5)
- Page Range: 151-166
- Page Count: 16
- Language: Polish
