
Implementing the National Cybersecurity Law in Practice: Where Should Companies Start?

Author: Mārtiņš Jurjāns Time: 14.06.2026

For many companies, the requirements of the National Cybersecurity Law and the NIS2 Directive are no longer just a theoretical issue. Increasingly, they involve very practical work: understanding the current situation, assessing risks, assigning responsibilities, organising documentation and implementing processes that also work in day-to-day operations.

In Primend’s webinar “Implementation of the National Cybersecurity Law: Practical Experience and Challenges”, we discussed what companies are currently experiencing in the compliance process, which mistakes tend to repeat in practice and where companies should start so that cybersecurity management does not become only a formal exercise.


Compliance is not a one-time project

One of the most important takeaways is simple: implementing the requirements of the National Cybersecurity Law and NIS2 is not a project with a clear beginning and end. It is an ongoing cybersecurity management process that must be integrated into the company’s everyday operations.

Documents can be prepared, a responsible person can be appointed and a technical solution can be purchased, but that is not enough. If processes are not reviewed regularly, risks are not assessed and employees do not understand their role, compliance remains only on paper.

Cybersecurity must be a living process. It should help the company understand where the most significant risks are, which resources need to be protected and how to respond if an incident occurs.


Management involvement is critical

Cybersecurity cannot remain only the responsibility of an IT specialist. It affects business continuity, reputation, customer trust, supplier relationships and the company’s ability to fulfil its obligations even in a crisis.

In practice, companies where management is involved and actively supports cybersecurity governance tend to move through the implementation process much more smoothly. Management involvement helps make decisions about resources, priorities and risk reduction.

However, when cybersecurity is treated only as a technical IT issue, the process often stops at documentation or individual technical tools. This can create a false sense that the requirements have been met, even though the company’s actual readiness for incidents remains insufficient.


The first step is to assess the current situation

Before choosing new tools or starting to write policies, the company first needs to understand where it currently stands. This means reviewing the IT environment, systems, access rights, data, suppliers, existing processes and potential risks.

Self-assessment and risk assessment help determine priorities. Not all risks can be reduced at once, so it is important to understand which risks are the most significant for the company and where faster action is needed.

At this stage, it is important not to purchase technology simply because it seems necessary. Tools can be very useful, but they should support a clearly defined process and specific risks, not replace the understanding of those risks.


Documentation alone does not reduce risks

Cybersecurity policies, risk registers, incident response plans, backup procedures and other documents are important, but they only provide value if they reflect the company’s actual situation.

A common mistake is preparing documents only for formal compliance. If a policy is too long, too complicated or does not match everyday processes, employees will not use it and management will not gain practical value from it.

A good document helps clarify:

  • who is responsible for what within the company;
  • how access rights are managed;
  • how incidents are identified and recorded;
  • how backups are created and tested;
  • how supplier and outsourcing risks are assessed;
  • what evidence is needed to show that requirements are being followed in practice.

Documentation should be clear, usable and regularly updated.


Incident readiness must be built before incidents happen

Another important topic is incident readiness. Companies must be able not only to describe in writing how they would respond to an incident, but also to test that readiness in practice.

This means regularly testing backups, reviewing the business continuity plan, assessing access rights, training employees and making sure that the incident recording and reporting process actually works.

Suppliers and external service providers are also important. Many companies depend on partners, systems and services that are outside the company’s direct control. That is why supply chain risks and security requirements defined in contracts are an essential part of cybersecurity management.


Where to start?

Companies that are only beginning to implement the requirements of the National Cybersecurity Law and NIS2, or want to understand how prepared they currently are, should move step by step:

  1. Clarify whether and to what extent the requirements apply to the company.
  2. Assess the current situation.
  3. Identify the most important systems, processes, data and suppliers.
  4. Assess cybersecurity risks and define priorities.
  5. Define responsibilities and appoint a cybersecurity manager.
  6. Organise documentation so that it reflects real processes.
  7. Implement and regularly review controls, training and testing.

The goal of compliance is not only to meet requirements. Its real value lies in the ability to better manage cyber risks, reduce the impact of incidents and build more secure and resilient business operations.

If you would like to understand where your company currently stands and what the next practical steps should be, sign up for an introductory cybersecurity consultation with Primend. We can help assess the situation, define priorities and make the compliance journey clearer.
