Banking and finance | CS.111
NIS2 Compliance Analysis for a Critical Infrastructure Operator
How we helped a key service operator identify NIS2 compliance gaps and prepare a practical implementation roadmap - with minimal impact on the client's team.
Client
Leading key service operator in Poland of strategic importance to critical infrastructure
Challenge
The amendment to the National Cybersecurity System Act, implementing the NIS2 Directive, entered into force on April 3, 2026 - introducing penalties of up to EUR 10 million and personal liability for management boards for cybersecurity negligence. The client had existing security policies, but the new NIS2 requirements - including supply chain management, 24-hour incident reporting, and advanced risk management - required independent verification. An additional condition was carrying out the entire process with minimal involvement of the client's team.
Approach
Initiation and documentation collection
We identified key stakeholders and collected full documentation - policies, procedures, results of previous NCSA audits, and DORA plans - to maximize the use of what already existed.
Documentation analysis against NIS2
We analyzed existing policies point by point against NIS2 requirements, leveraging DORA and ISMS audit results. Based on this, we formulated hypotheses about specific non-conformities.
Verification workshops
We held dedicated sessions only in areas not covered by the documentation - risk management, incident handling, supply chain, management responsibility, cryptography, and authentication.
Assessment and classification of non-conformities
Each NIS2 area received an individual compliance score. Gaps were classified by criticality with specific examples.
Report with implementation roadmap
We delivered an executive summary and a compliance roadmap - prioritized recommendations ready to be converted into an action plan.
Results
Precise identification of NIS2 compliance gaps with specific examples of non-conformities
Practical compliance roadmap ready for implementation
Minimal burden on the client's team by leveraging results of previous audits
Executive summary with risk assessment for strategic decision-making
Reduction of financial penalty risk (up to EUR 10 million) and personal liability for management boards