KSC 2.0: a regulation that changes responsibility for cyber security
The amendment to the law on the National Cyber Security System has been signed. This is a watershed moment, not because the years-long legislative process ends, but because a new stage of responsibility begins.
The law implementing the NIS2 directive is not just a technical update of the 2018 legislation. It is a profound change in the philosophy of state and economic risk management. Cyber security is no longer an operational domain. It becomes an element of strategic oversight.
The president has referred the law to the Constitutional Court for follow-up review. Regardless of the eventual outcome, however, the legislation will take effect one month after promulgation. For organizations, this means one thing: time to prepare is limited.
What is realistically changing?
The amendment does not boil down to expanding the catalog of entities. Yes – it will cover 18 sectors of the economy and distinguish between key and important entities. But the essence of the change lies elsewhere.
The new KSC means:
- Formal inclusion of boards of directors in responsibility for cyber risk management,
- Obligation to take a systemic approach to resilience, not just incident response,
- Strengthening state supervision and new control instruments,
- Establishment of sectoral CSIRTs,
- The possibility of a supplier being considered a high-risk supplier (DWR),
- An extensive system of administrative fines.
In practice, cybersecurity becomes embedded in the organization’s corporate governance.
The amendment as a test of organizational maturity
The biggest challenge will not be adjusting documentation. It will be to change the mindset.
The new model requires:
- Identification of critical processes and technological dependencies,
- Reviewing the supply chain for cyber risk,
- Implementation of measurable risk management mechanisms,
- Providing management oversight of cyber security,
- Preparing the organization for inspections and audits.
This is not an IT project. It’s a transformation project.
BTC Security ROADSHOW 2026 – from regulation to implementation
Many organizations today are asking not “if” but “how” to implement the new responsibilities in a way that is reasonable and proportionate to the scale of operations.
In response to new challenges, experts at the BTC Security ROADSHOW 2026 will present specific solutions and scenarios for adapting to the requirements of the KSC Law. The program includes:
- Interpretation of regulations and responsibilities,
- Examples of implementations in regulated organizations,
- The role of SOC and incident management,
- Supply chain security,
- Board and management accountability.
The KSC amendment is not just another regulation. This is the moment when cyber security becomes an element of state security, market stability and responsibility of business leaders. The legislative stage is over. Now the strategic decision stage begins.
We will answer your KSC-related questions at the BTC SECURITY ROADSHOW 2026. During the event, we will also demonstrate how the eAuditor system can realistically support organizations in complying with the new requirements – from gap identification and risk analysis to reporting and documenting compliance.


