24.03.2026

CyberSec Update #12: Cybersecurity Nightmares

One aspect of the process of bringing an organisation into compliance with the requirements of #NIS2 and #UKSC is the review of the organisation’s existing procedures.

Cybersecurity nightmares

The subject of cybersecurity threats and the potential consequences of cyberattacks is the stuff of true horror. However, unlike the horror stories found in Bram Stoker’s *Dracula*, these threats are very real and pose a significant challenge to many organisations.

What types of attacks most frequently keep those responsible for cybersecurity in NIS2-regulated entities awake at night? The European Union Agency for Cybersecurity (ENISA) has taken a closer look at this issue. As part of a survey of 1,080 respondents professionally involved in cybersecurity matters within organisations representing all sectors (subsectors) of high criticality specified in Annex I to the NIS2 Directive, from 27 European Union countries, ENISA asked which cybersecurity threats were causing the greatest concern over the next 12 months. According to a report published in December 2025, respondents identified the following threats (starting with their greatest fear):

  • ransomware attacks,
  • supply chain attacks,
  • phishing,
  • the emergence of previously unknown threats (including those related to the use of AI),
  • breaches of cloud data security and user accounts,
  • internal threats,
  • vulnerabilities in mobile/web applications,
  • attacks on industrial control systems (OT/ICS),
  • vulnerable software/infrastructure components,
  • human error,
  • DoS attacks.

The consequences of a security incident can be irreversible. In late February 2026, the media revealed that an unprecedented leak of personal data had occurred in the French healthcare sector:

  • according to initial media reports, the data breach may have affected as many as 15 million patients, including public figures (though the number of those affected has not been confirmed),
  • the source of the leak was an attack on a software provider used by doctors and healthcare organisations,
  • the software provider admitted that the incident was detected at the end of 2025; it affected accounts used by 1,500 doctors and involved patient data such as first names, surnames, gender, date of birth, telephone number, address and email address, as well as doctors’ comments regarding, for example, patients’ health conditions and personal circumstances.

The mere disclosure of such data poses a particularly serious threat, as data that has been disclosed cannot be effectively ‘recovered’. It may be exploited by various fraudsters and thieves, as well as by foreign intelligence services or terrorist organisations.

To avoid such nightmares, national and EU legislators are introducing new regulations in the field of information security, such as NIS2. For entities covered by NIS2 – both in the healthcare sector and in other industries – it is crucial to develop and implement an information security management system that ensures, amongst other things:

  • assessment of the risk of an incident occurring and management of that risk,
  • implementation of appropriate technical and organisational measures,
  • collection of information on cyber threats and vulnerabilities of the information system used to provide the service,
  • incident management,
  • application of measures to prevent and mitigate the impact of incidents on the security of the information system used to provide the service.

One of the elements of the process of adapting an organisation to the requirements of #NIS2 and #UKSC is the verification of the organisation’s existing procedures in terms of compliance with statutory obligations and the auditing of vulnerabilities, in which Jarosław Straś, Mikołaj Prochownik, Andrzej Broniewski and Przemysław Strzępek provide support.
