© 2026 AIGovHub. All rights reserved.
NIS2 and DORA Compliance for Critical Infrastructure: Lessons from the Polish Water Plant Cyberattacks

Updated: May 11, 2026

Recent cyberattacks on Polish water treatment plants exposed critical OT/ICS vulnerabilities. This guide uses those incidents as a case study to outline NIS2 and DORA compliance steps for critical infrastructure operators, including incident reporting, risk management, and supply chain security.

Introduction

In 2024-2025, Poland's Internal Security Agency (ABW) reported a surge in cyberattacks targeting industrial control systems (ICS) and operational technology (OT) at water treatment plants. State-sponsored threat actors, including Russian APT groups (APT28, APT29) and Belarusian-linked UNC1151, breached five facilities in Jabłonna Lacka, Szczytno, Małdyty, Tolkmicko, and Sierakowo. The attackers gained the ability to modify equipment operational parameters, posing a direct risk to public water supply. Attack vectors included weak passwords and systems exposed to the internet—common OT security failures that remain widespread across critical infrastructure.

These incidents are a stark reminder that cybersecurity hygiene failures can lead to physical disruption. For CISOs and compliance officers in energy, water, and finance, the attacks underscore the urgent need to align with two key EU regulations: the NIS2 Directive (Directive (EU) 2022/2555) and the Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554). This guide uses the Polish case study to outline concrete compliance steps, from asset inventory to incident response planning.

Understanding the Polish Attacks: Implications for OT/ICS Security

The Polish water plant breaches are not isolated incidents. They reflect a broader trend of state-sponsored groups targeting critical infrastructure to cause disruption. Key findings from the ABW report include:

  • Five water treatment plants breached in Jabłonna Lacka, Szczytno, Małdyty, Tolkmicko, and Sierakowo.
  • Attackers gained the ability to modify ICS operational parameters, threatening the public water supply.
  • Primary attack vectors were weak password policies and systems exposed to the internet.
  • Attribution to Russian APT groups (APT28, APT29) and Belarusian-linked UNC1151, often using hacktivist personas.
  • Supply chain attacks increased, targeting contract data and credentials for downstream access.

These failures highlight critical gaps in OT security: lack of network segmentation, poor access controls, and inadequate monitoring. For critical infrastructure operators, the lesson is clear: compliance with NIS2 and DORA is not just a regulatory requirement—it is essential for operational safety.

NIS2 Requirements for Critical Infrastructure

The NIS2 Directive, which EU member states had to transpose into national law by 17 October 2024, applies to essential and important entities across 18 sectors, including energy, transport, health, digital infrastructure, and public administration. Key requirements include:

Incident Reporting

NIS2 mandates a two-stage reporting process: an early warning within 24 hours of becoming aware of a significant incident, followed by a detailed notification within 72 hours. A final report is due within one month. The Polish attacks demonstrate why rapid reporting matters—early warnings can help other operators defend against similar threats.

Risk Management Measures

Entities must implement proportionate technical, operational, and organizational measures to manage risks to network and information systems. These include policies on risk analysis, incident handling, business continuity, supply chain security, and use of cryptography. The ABW report noted that weak passwords and internet-exposed systems were key enablers—both are basic risk management failures.

Supply Chain Security

NIS2 explicitly requires supply chain security, including security-related aspects of relationships with direct suppliers and service providers. The Polish attacks involved supply chain breaches targeting contract data and credentials. Operators must assess and monitor third-party risks, particularly for OT systems where vendors often have remote access.

DORA's ICT Risk Management and Testing Obligations

DORA applies to financial entities—banks, insurers, investment firms, payment institutions, and crypto-asset service providers—and has been applicable since 17 January 2025. While DORA is sector-specific, many critical infrastructure operators in the energy and water sectors are also financial entities (e.g., through payment services) or may have financial subsidiaries. DORA's requirements are relevant for any organization seeking operational resilience.

ICT Risk Management Framework

DORA requires financial entities to establish a robust ICT risk management framework covering identification, protection, detection, response, recovery, and reporting. This includes regular risk assessments, security monitoring, and business continuity planning. The Polish attacks highlight the need for OT-specific risk assessments, as traditional IT frameworks often miss ICS vulnerabilities.

Digital Operational Resilience Testing

DORA mandates regular testing of ICT systems, including vulnerability assessments, penetration testing, and threat-led penetration testing (TLPT) for larger entities. TLPT simulates real-world attacks like those seen in Poland, testing an organization's ability to detect and respond to sophisticated threat actors.

Third-Party ICT Risk Management

DORA requires financial entities to manage risks from ICT third-party providers, including contractual arrangements, exit strategies, and continuous monitoring. The Polish supply chain attacks underscore the importance of vetting vendors and monitoring their security posture.

Step-by-Step Compliance Checklist for NIS2 and DORA

Based on lessons from the Polish attacks, here is a practical compliance checklist for critical infrastructure operators:

1. Asset Inventory and Classification

Identify all OT/ICS assets, including programmable logic controllers (PLCs), remote terminal units (RTUs), human-machine interfaces (HMIs), and engineering workstations. Classify assets by criticality and impact on operations. The Polish attackers exploited internet-exposed systems—an inventory would have flagged these exposures.

2. Network Segmentation

Segment OT networks from corporate IT networks using firewalls, DMZs, and one-way data diodes. Implement the Purdue model or ISA/IEC 62443 zones and conduits. The Polish breaches could have been contained with proper segmentation, preventing attackers from moving laterally from IT to OT.

3. Access Control and Authentication

Enforce strong password policies, multi-factor authentication (MFA), and role-based access control (RBAC). Remove default credentials and disable unused accounts. The Polish attacks exploited weak passwords—MFA would have blocked many intrusion attempts.

4. Continuous Monitoring and Incident Detection

Deploy OT-specific monitoring tools that can detect anomalous behavior in ICS protocols (e.g., Modbus, DNP3). Implement security information and event management (SIEM) systems with OT correlation rules. AIGovHub's CCM module can provide continuous controls monitoring, automating detection of configuration drift and policy violations across OT environments.

5. Incident Response Plan

Develop and test an incident response plan that covers OT-specific scenarios, including physical impact. Include procedures for isolating compromised systems, preserving forensic evidence, and notifying regulators within mandated timelines (24-hour early warning under NIS2). Regular tabletop exercises should simulate attacks like those on Polish water plants.

6. Supply Chain Risk Management

Assess security practices of vendors and service providers, especially those with remote access to OT systems. Include contractual clauses for incident reporting and security audits. Use AIGovHub's SENTINEL module to monitor geopolitical threats and supply chain risks, including intelligence on state-sponsored groups targeting critical infrastructure.

7. Testing and Exercises

Conduct regular vulnerability assessments, penetration tests, and tabletop exercises. For financial entities under DORA, perform threat-led penetration testing (TLPT) every three years. Use lessons from exercises to improve security controls and incident response.

8. Governance and Training

Assign clear accountability for cyber risk to senior management. Provide regular training for OT staff on cybersecurity hygiene, including password management and phishing awareness. NIS2 requires management to approve risk measures and participate in training.
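As an added example (not AIGovHub code, and not taken from the ABW report), here is a small checker for step 4 that parses Modbus/TCP frames and flags write requests to a PLC that arrive from outside the OT zone or from a host that is not on the approved-writer list, i.e. the two failures (internet exposure and missing segmentation) the Polish incidents turned on. The hosts, subnet and frames are constructed sample data.

```python
import struct
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Modbus function codes that change controller state; reads are not flagged.
WRITE_FUNCTIONS = {5: "write_single_coil", 6: "write_single_register",
                   15: "write_multiple_coils", 16: "write_multiple_registers",
                   23: "read_write_multiple_registers"}
Alert = namedtuple("Alert", "src dst function reason")

def parse_mbap(frame: bytes) -> tuple[int, int]:
    """Return (unit_id, function_code) from a Modbus/TCP frame: 7-byte MBAP header + PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:  # length counts unit id + PDU
        raise ValueError("malformed MBAP header")
    return unit, frame[7]

def inspect(events, ot_zone: str, allowed_writers: set[str], plcs: set[str]) -> list[Alert]:
    """events: (src_ip, dst_ip, frame) tuples captured on an OT span port.
    A write to a PLC is acceptable only from an approved host inside the OT zone."""
    zone, alerts = ip_network(ot_zone), []
    for src, dst, frame in events:
        _unit, fc = parse_mbap(frame)
        name = WRITE_FUNCTIONS.get(fc & 0x7F)  # mask the exception-response bit
        if name is None or dst not in plcs:
            continue
        if ip_address(src) not in zone:
            alerts.append(Alert(src, dst, name, "write from outside OT zone"))
        elif src not in allowed_writers:
            alerts.append(Alert(src, dst, name, "write from unapproved host in OT zone"))
    return alerts

def build_frame(fc: int, payload: bytes, unit: int = 1, tid: int = 1) -> bytes:
    """Build a Modbus/TCP request frame; used here only to construct sample traffic."""
    pdu = bytes([fc]) + payload
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

# Constructed sample traffic: PLC 10.20.1.100, approved HMI 10.20.1.5, OT zone 10.20.1.0/24.
SAMPLE_EVENTS = [
    ("10.20.1.5", "10.20.1.100", build_frame(6, struct.pack(">HH", 0x0010, 1200))),  # approved
    ("10.20.1.5", "10.20.1.100", build_frame(3, struct.pack(">HH", 0x0000, 8))),     # read
    ("10.20.1.77", "10.20.1.100", build_frame(16, struct.pack(">HHB", 0x0010, 1, 2) + b"\x00\x00")),
    ("203.0.113.9", "10.20.1.100", build_frame(6, struct.pack(">HH", 0x0010, 0))),   # internet
]

def sample_alerts() -> list[Alert]:
    """Run the checker over the constructed traffic; returns two alerts."""
    return inspect(SAMPLE_EVENTS, "10.20.1.0/24", {"10.20.1.5"}, {"10.20.1.100"})
```

In a real deployment the approved-writer list and PLC set come from the step 1 asset inventory, and the alerts feed the SIEM correlation rules described in step 4.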

Common Pitfalls in OT/ICS Compliance

Organizations often stumble on these common issues:

  • Treating OT like IT: Standard IT security tools can disrupt OT operations. Use OT-specific solutions that understand ICS protocols.
  • Ignoring legacy systems: Many OT environments run outdated software that cannot be patched. Compensating controls like network segmentation are essential.
  • Underestimating supply chain risk: Third-party vendors often have privileged access. Monitor their security posture continuously.
  • Inadequate incident response testing: Tabletop exercises must include OT scenarios. The Polish attacks showed how quickly a cyber incident can become a physical safety issue.

Frequently Asked Questions

What is the difference between NIS2 and DORA?

NIS2 is a directive covering a broad range of essential and important entities across 18 sectors, focusing on network and information systems security. DORA is a regulation specifically for financial entities, emphasizing operational resilience, including ICT risk management and testing. Both require incident reporting and third-party risk management.

Do the Polish attacks affect my organization if I'm not in Poland?

Yes. The threat actors behind the Polish attacks (APT28, APT29, UNC1151) target critical infrastructure globally. The tactics—exploiting weak passwords and internet-exposed systems—are universal. Any organization with OT/ICS systems should treat these attacks as a wake-up call.

How can AIGovHub help with NIS2 and DORA compliance?

AIGovHub's CCM module provides continuous controls monitoring for OT and IT environments, automating detection of policy violations and configuration drift. The SENTINEL module offers geopolitical threat intelligence, tracking state-sponsored groups and supply chain risks. Both tools help organizations meet monitoring and reporting requirements under NIS2 and DORA.

Next Steps: Building a Compliance Roadmap

The Polish water plant attacks are a clear signal that OT/ICS security can no longer be an afterthought. For critical infrastructure operators, compliance with NIS2 and DORA is not just about avoiding fines—it is about protecting public safety and operational continuity.

Start by conducting an asset inventory and gap analysis against NIS2 and DORA requirements. Prioritize quick wins like enforcing MFA and segmenting networks. Then build a phased plan for continuous monitoring, incident response testing, and supply chain risk management.

To accelerate your compliance journey, explore AIGovHub's CCM and SENTINEL modules. These tools provide the continuous monitoring and threat intelligence needed to stay ahead of evolving threats like those seen in Poland.