Knowledge base Updated: February 5, 2026

How does an OT cybersecurity audit become the key to winning the PLN 1.3 million


News of the possibility of securing up to 1.3 million zlotys for cyber security from the “Cyber Secure Water Supply” program has caused a huge stir in the industry. The prospect of funding 100% of the cost of security upgrades is extremely enticing. However, as with any grant program, success depends on one key factor: the quality of the prepared application. Grant management institutions do not award money on the basis of general declarations, but on the basis of a concrete, well-founded and precisely calculated investment plan.

This raises a fundamental question: how can we create such a plan without knowing what the real state of our security measures is, where the biggest gaps lie, and what investments will bring the greatest improvements? Trying to answer these questions without hard data is like planning medical treatment without a prior medical diagnosis. We may be asking for expensive drugs, while the real problem is something else entirely.

That’s why conducting a professional operational technology (OT) cybersecurity audit is an absolutely crucial and logical first step on the way to getting a grant. It’s not a cost, it’s an investment in preparing a winning application. The results of the audit provide objective, irrefutable data that underpins the entire application and increases its chances of success many times over.


Why is a grant application without an audit like building a house without a design?

Imagine that we go to the bank to get a loan to build a house. When asked “what kind of house do you want to build and how much will it cost?”, we answer: “large and modern, it will cost about a million zlotys”. No bank will take such an application seriously. It expects a detailed architectural design, a cost estimate and a work schedule. Grant institutions work in exactly the same way. An application is a business plan for an investment. A cyber security audit is its technical design and cost estimate.


What specific information does the audit provide for the proposal?

A professional OT audit provides all the elements necessary to complete an application. First, a detailed asset inventory, that is, a list of all systems and devices in the industrial network. Second, the identification and assessment of vulnerabilities and risks, which shows where the greatest weaknesses lie. Third, recommendations for specific corrective actions, both technical and organizational. Fourth, an estimate of the budget needed to implement these recommendations. This is ready-made material that only needs to be put into the form of a formal proposal.

Can the cost of an audit be funded by a grant?

Yes. Most importantly, the cost of conducting an audit is one of the eligible costs in the “Cyber Secure Water Supply” program. This means that the amount the company invests at the outset in conducting a professional diagnosis will be fully reimbursed under the grant awarded. Thus, this is a de facto no-cost investment from the perspective of the entire project, while drastically increasing the chances of its success.

What is the shift in thinking from “cost” to “opportunity investment”?

Traditionally, auditing has been viewed as a cost. In the context of the “Cyber Secure Water Supply” program, this perspective should be completely changed. The small lump sum spent on an audit is not the cost of a consulting service. It is an investment that opens the way to seven-figure financing. It’s like buying a lottery ticket for a small amount, where the chances of winning are extremely high. It’s a shift in thinking from “how much do I spend” to “how much can I gain from it.”

How does an audit build credibility for the applicant in the eyes of the commission?

Committees evaluating grant applications pay special attention to the maturity and professionalism of the applicant. A proposal based on the results of an objective, external audit is much more credible than a proposal based on internal estimates. It shows that the company takes a strategic approach, that it understands its weaknesses, and that its investment plan is not a wish list, but a well-thought-out strategy based on hard data.

Can the audit results be used for more than just a grant?

Of course. Even in the worst, extremely unlikely scenario, in which the company would not receive a grant, the money invested in the audit is not lost. The result of the audit is an extremely valuable document - a roadmap for improving cyber security. It gives the board and managers invaluable insight into the real state of security and allows them to plan future investments in a much more informed manner, even if they were to be made from their own resources over the long term.

How does an audit help you comply with the NIS2 directive?

The NIS2 directive requires water and wastewater utilities to implement a risk management system, the cornerstone of which is regular assessment of these risks. Conducting an OT cyber security audit is a de facto implementation of this obligation. So, by investing in an audit for the grant, we are simultaneously fulfilling one of the key legal requirements imposed by the new EU regulations.

Why use an external, specialized partner?

OT environments are extremely specific, and conducting a reliable audit in them requires unique niche competencies, combining knowledge of cyber security, industrial automation and standards such as IEC 62443. In-house IT departments rarely have such competencies. Enlisting the help of an external partner that specializes in this field ensures that the audit is conducted in accordance with best practices and that the results are reliable and useful.

What are the key elements of a good OT audit?

A good OT audit is not just a vulnerability scan. It must be a holistic process that assesses three areas: people, processes and technology. It ranges from analyzing network architecture and device configurations, through reviewing existing policies and procedures, to interviewing employees to assess their awareness. Only such a comprehensive approach can provide a complete picture of the state of security.

How long and cumbersome is the audit procedure?

Contrary to appearances, a well-planned audit does not have to be a lengthy process that paralyzes plant operations. An experienced audit partner can conduct most of the analytical work in a non-intrusive manner, using passive monitoring methods and documentation analysis. Involvement of employees on the company’s side is necessary, of course, but it is concentrated in short, well-planned sessions and interviews.

What is the risk that an audit will disrupt production systems?

When working with a professional partner experienced in OT, this risk is virtually zero. The key is to use passive and non-invasive data collection methods that do not interfere with the operation of the industrial network. Any potential active testing is carried out only during agreed service windows and in a fully controlled manner. The security and continuity of your operations is always a top priority.

How to turn audit findings into a successful grant proposal?

A professional audit report should include not only a list of identified problems, but also a prioritized list of recommendations along with an estimated budget for their implementation. Such a document is almost ready-made input for the grant application. An experienced partner will also help “translate” the technical recommendations into the language and structure required by the application forms, ensuring that the entire argumentation is consistent and logical.

OT audit: an investment that opens the door to a grant

| Step | Action | Benefit |
| --- | --- | --- |
| 1. Investment | The decision to conduct a professional OT audit. | Taking a strategic first step. |
| 2. Diagnosis | Receive a detailed security status report and recommendations. | Gain objective data and a roadmap for improvement. |
| 3. Application | Using the results of the audit to create a professional grant proposal. | Increase the credibility and chances of success of the application. |
| 4. Funding | Receive up to PLN 1.3 million in subsidies. | Obtaining funds to implement the recommendations. |
| 5. Return | Accounting for the cost of the audit as an eligible cost under the grant. | Closing the cycle of investment, which becomes costless. |

How does nFlo standardize and simplify this process with its “Starter Package” offering?

At nFlo, we understand that for many companies, the very procedure of ordering an audit and preparing an application can seem complicated. That is why, in response to the needs of the market and the “Cyber Secure Water Supply” program, we have created a fully standardized service: “Starter Package: Audit and Grant Application”. This is a fixed-price, flat-rate offer that comprehensively handles the entire preparation process. As part of the package, our experts conduct a comprehensive OT audit at your company, and then, based on the results, develop a complete grant application ready for submission. This is a simple, transparent and extremely effective solution that minimizes your involvement and maximizes the chances of success, putting into practice the principle “you invest X to open the way to PLN 1.3 million”.
