The origins of digital tools are even more important. NIS 2 comes into force

Luc Williams

How important is cybersecurity for companies?

ENISA data leave no doubt. 54% of all cyberattacks affect sectors that are key for Poland and the European Union. Almost 40% of registered incidents last year affected public administration institutions, 7.5% – the transport sector, 5% – digital infrastructure. According to CERT Polska, the most frequently reported incident in 2024 was phishing; 40,120 such incidents were recorded. They often target organizations that do not rigorously manage IT supply chain security.

The paradox is that even those who declare they care about cybersecurity rarely verify the origin of the software they use. Generational differences are clear: the country of origin is indicated as a selection criterion by only 18% of people aged 18 to 27, while among seniors over 60 years of age this percentage is 27% – still not even one third.

Choosing a digital tool today is a legal decision, not just a technical one. Organizations covered by the NIS2 directive are obliged to manage risks in the ICT supply chain, which means, among other things, assessing suppliers in terms of the jurisdiction in which they operate. A supplier based outside the EU is not a disqualification, but a real, additional risk that must be documented and justified to the supervisory authorities.

Are servers in Europe sufficient?

Many organizations assume that because the platform has servers in Europe, the data stays safely in the EU. In the light of applicable law, this is too much of a simplification.

Important

From the perspective of the GDPR and NIS2, what matters is not only the location of the infrastructure, but above all which law the supplier is subject to.

A US-based company – even if it stores data in a European data center – may be subject to the CLOUD Act, which requires it to share data with US authorities regardless of where it is physically stored.

Just signing Standard Contractual Clauses (SCC) does not automatically eliminate this risk. Each organization must independently assess whether the clauses are effective in a specific case – and when the provider is subject to the CLOUD Act and there is no technical possibility to block access to the data, the transfer may simply be illegal.

The practical implications are threefold. The organization must keep up to date with legal changes in a foreign country – which is a real operational challenge for most compliance departments. A supplier from outside the EU may qualify as a high-risk vendor (HRV), because the country of origin is one of the assessment criteria in NIS2 procedures. Finally, demonstrating compliance before the Personal Data Protection Office, the Polish Financial Supervision Authority, the National Health Fund or other supervisory authorities is simply more difficult when the supplier operates in a different jurisdiction.

Who does the NIS 2 directive cover and why does the supply chain matter?

The NIS2 directive imposes obligations on entities from 18 sectors considered key or important: health care, public administration, energy, transport, banking, digital infrastructure and others. The regulations may cover, for example, a district hospital, a university, a municipal office or a company employing over 50 people operating in one of the sectors mentioned above.

Importantly, the regulations do not apply only to the organizations themselves. They cover the entire ICT supply chain – including providers of communication platforms that process participant registration data, chat content, recordings, survey results or activity data. For example, a webinar platform that plays an important role in the organization’s processes should be treated as a critical ICT supplier and subjected to a formal risk assessment.

The contract with the webinar platform provider should contain much more than standard terms of service. It should include clauses regarding business continuity, reporting incidents within established deadlines, the right to audit, requirements for subcontractors and security standards. These are requirements that can and should be enforced contractually.

Why choose European digital tools?

Organizations that choose a supplier operating solely under EU law gain several specific benefits. They do not have to analyze the risk of transfers to third countries – the data remains in the EU and the risk is structurally eliminated. Audits are simpler because the supplier operates within the same regulations. A change in regulations in the USA – whether the CLOUD Act, FISA or future regulations – does not affect the level of data protection. It is also simpler to demonstrate compliance to the national supervisory authority, as it does not require the translation of complex jurisdictional relationships.

It is worth choosing solutions that:

  • have servers in the European Economic Area,
  • can present an ISO/IEC 27001:2022 certificate confirmed by an external audit,
  • offer a data entrustment agreement in accordance with Art. 28 GDPR and transparent incident response procedures,
  • as an electronic communications undertaking, are subject to supervision by UKE (the Polish Office of Electronic Communications).

A key or important entity that chooses such a solution may enter the platform in its register of ICT providers with ready-made documentation – without conducting complex legal analyses of jurisdictional risks outside the Union.

Adam Detmer, legal advisor of ClickMeeting, a Polish platform for webinars and online training
