The news of the board’s personal responsibility and KSC/NIS2 sanctions has already reached the highest level. This means that after years of fighting for budget and attention, the CISO finally has full C-level support. However, with this support comes an immediate and pressing question aimed directly at you: “What is our status? Are we compliant? What do we need and how much will it cost?”.
The answer to this question cannot be based on hunches. It must be the result of a methodical, documented and in-depth diagnosis. Before you buy any new system or commission an implementation, your absolute first and most important task is to conduct a comprehensive KSC/NIS2 readiness audit. This is not another routine IT audit; it’s a horizontal analysis of the maturity of the entire organization - from the board to OT systems - as it collides with new, stringent regulatory requirements.
In this article
- Why is a simple security audit not enough in the context of KSC/NIS2?
- Where to start with a KSC/NIS2 compliance audit in an organization?
- What are the key areas that gap analysis must cover?
- How does KSC/NIS2 change the approach to risk analysis (according to ISO 27005)?
- How to inventory and evaluate your technical and organizational resources?
- How to verify the status of documentation and procedures (ISMS)?
- What is a supply chain audit and why is it so critical?
- How to assess operational maturity for incident reporting in 24 hours?
- What is a cyber insurance readiness assessment and why should you do one?
- How to turn audit findings into a roadmap for management?
- What role does an external GRC partner play in the diagnosis process?
Why is a simple security audit not enough in the context of KSC/NIS2?
As a CISO, you are used to periodic audits, such as ISO 27001 compliance reviews or regular penetration testing. A KSC/NIS2 readiness audit, however, is much more than that. Past audits have often focused on verifying specific technical or procedural controls in isolation. The KSC/NIS2 audit is strategic in nature and primarily verifies the adequacy of risk management.
The regulator will not just ask, “Do you have a firewall?” It will ask: “Has your risk analysis shown the need for network segmentation, has the board approved a policy to do so, and is the implemented solution ‘appropriate and proportionate’ to the identified risks?”. This is a fundamental difference.
KSC/NIS2 forces a horizontal view. A normal IT audit rarely touched areas such as operational technology (OT) or in-depth supply chain verification. The new regulations make these areas critical. Therefore, a readiness audit needs to be much broader and deeper than anything you’ve done before.
📚 Read the complete guide: NIS2: A complete guide to the NIS2 directive - obligations, penalties, deadlines (original Polish title: “NIS2: Kompletny przewodnik po dyrektywie NIS2 - obowiązki, kary, terminy”)
Where to start with a KSC/NIS2 compliance audit in an organization?
The first step is not to run a vulnerability scanner. The first step is to formally establish the project and get a mandate from the board. Seize the moment - the board is now aware of their responsibility and ready to act. Present them with a readiness audit as a “START Package” - a necessary diagnosis that will give them answers to questions about risk and cost.
The second step is to establish an interdisciplinary team. As a CISO, you cannot conduct this audit alone. You need representatives from the legal department (to interpret regulations), key business units (to analyze process risks), the purchasing department (to assess the supply chain) and, if applicable, engineers from the manufacturing (OT) area.
The third step is to precisely define the scope. Which company services fall under the definition of “critical” or “important”? Which IT/OT systems support these services? Which companies in the group fall under the scope? Precisely defining the boundaries of the audit is crucial to its effectiveness and the credibility of the results.
What are the key areas that gap analysis must cover?
Gap analysis is the heart of the entire audit. It involves a systematic comparison of the status quo (AS-IS) with the status required by the KSC/NIS2 law (TO-BE). Your audit must meticulously examine at least four key pillars on which the new regulation is based.
The first pillar is Governance. Has the board received the required training? Is there a formal process for approving and overseeing security policies? Is responsibility for cyber risk clearly defined at the C-level?
The second pillar is Risk Management and Procedures (GRC). Does your company have a documented and cyclically executed risk analysis policy in accordance with, for example, ISO 27005? Do you have a complete Information Security Management System (ISMS), including key policies for incident management, business continuity (BCP/DRP) or supply chain security?
The third pillar is Technical Measures (IT/OT). What are the gaps in the implemented technologies? Are MFA, EDR, encryption and backup systems deployed across the whole environment? What is the state of network segmentation, especially around critical OT infrastructure?
How does KSC/NIS2 change the approach to risk analysis (according to ISO 27005)?
The new KSC/NIS2 law makes systematic and documented risk analysis mandatory. It is no longer an optional “good practice,” but a firm legal requirement. What’s more, the directive promotes a very specific approach, following recognized methodologies such as ISO 27005 or ISO 31000.
No more risk analysis based on intuition. The process must be formalized. A readiness audit must verify that you have: an asset register (inventoried and classified systems, data, processes), an assessment methodology (how do you estimate the probability and impact of an incident?), and a risk register with assigned owners and plans for dealing with risks (acceptance, mitigation, transfer, avoidance).
The most important change is the emphasis on linking technical risk to business risk. The analysis must answer the question, “What will be the financial and operational impact on the business if this particular system stops working?” It is this business impact assessment (BIA - Business Impact Analysis) that becomes the foundation for selecting “appropriate and proportionate” security measures.
How do you inventory and evaluate your technical and organizational resources?
The readiness audit must go down to the technical level and verify what specific safeguards (controls) you have in place and whether they are adequate for the risks identified. The KSC/NIS2 law lists a whole catalog of measures to be implemented, and your gap analysis must address them.
In practice, this means you need to review your security architecture. You need to verify whether you have, and how maturely you have implemented, solutions such as authentication mechanisms (especially multi-factor authentication, MFA), endpoint detection and response (EDR/XDR), monitoring (SIEM), vulnerability management tools, and backup and encryption solutions, among others.
OT security also becomes critical. If the company has an industrial infrastructure, the audit must include an analysis of the OT network architecture (e.g., for Purdue-compliant segmentation), a passive vulnerability assessment of ICS/SCADA systems, and verification of security procedures for production environments.
How to verify the status of documentation and procedures (ISMS)?
Technology will not defend a company on its own. KSC/NIS2 places great emphasis on having a complete and, more importantly, implemented Information Security Management System (ISMS). A readiness audit must consist of an in-depth inventory of your documentation and identification of missing elements.
You need to check whether the organization has (and whether they are up-to-date and approved by the board of directors) such documents as an Information Security Policy, Incident Management Procedure, Business Continuity Plan (BCP), access control policy, supply chain policy or cyber hygiene training program.
Simply having a document in a drawer is not enough. An audit must also verify that the procedures are known to employees and that they are tested. Has the BCP ever been exercised? Does the team know how to follow the incident management procedure? Lack of implementation equals lack of compliance.
Key Diagnostic Challenges for CISOs: A Summary Box
As a CISO, your KSC/NIS2 diagnosis must answer the three most difficult questions that are at the heart of the new regulations:
1. Supply Chain Risk: Do we have a formal ICT supplier risk assessment policy? Do our contracts with key suppliers (e.g., software, hosting, IT services) include security clauses and audit rights? Do we actively review their security levels?
2. Response Capability (24h): Are we operationally capable of detecting, classifying and reporting a major incident within 24 hours of detection? Do we have 24/7/365 monitoring, an Incident Response team and tested response procedures?
3. OT Security: Has our risk analysis covered manufacturing processes? Are industrial control systems (ICS/SCADA) adequately isolated from the corporate network (IT)? Do we have business continuity plans specific to the OT environment?
What is a supply chain audit and why is it so critical?
The new KSC/NIS2 law makes it clear that an organization’s responsibility does not end with its own infrastructure. You are only as safe as your weakest link, and very often that link is a third-party supplier. That’s why the legislation introduces a tough requirement for ICT supply chain risk management.
A readiness audit must therefore extend to the Purchasing Department and verify how the process of selecting and overseeing technology suppliers works. Is there a SCRM (Supply Chain Risk Management) policy in place at all? Do contracts with cloud providers, software houses or third-party IT service providers include adequate security provisions?
In practice, this means audits of key suppliers - both procedural (do they have policies?) and technical (are their services secure?). As a CISO, you need to be ready for the fact that the outcome of an audit may indicate the need to renegotiate contracts or even change a critical supplier that does not meet standards.
How to assess operational maturity for incident reporting in 24 hours?
The requirement to initially report a major incident within 24 hours of detection is an operational revolution. It is currently unfeasible for most companies. Your audit must make a brutal and honest assessment of your organization’s real capabilities in this area.
This evaluation must go beyond verifying that a procedure is in place. You need to verify: Do we have 24/7/365 detection capability? (e.g., through a monitored SIEM/SOC). Who will physically receive the alert at 3:00 a.m. on a Saturday? Do we have a defined and tested response process (playbook)? Who is on the response team (IR)? Who has the authority to decide to cut off systems? Who contacts lawyers and management?
The best way to assess this capability is to conduct table-top exercises. A simulation of a major ransomware attack (even if only “on paper”) will instantly expose all gaps in procedures, communications and technology. The result of this simulation will be a key argument for management to invest in SOC services.
What is a cyber insurance readiness assessment and why should you do one?
The introduction of personal liability for boards of directors and rising financial risks are causing boards and chief financial officers (CFOs) to increasingly ask about cyber insurance. The problem is that obtaining such a policy is increasingly difficult and expensive, and insurers are conducting their own very detailed audits.
Including a “cyber-insurance readiness assessment” module in your KSC/NIS2 audit is a strategic move. It allows you to translate identified technical risks into financial risks that the CFO understands well.
Such an assessment answers the question, “With our current level of security (or rather, its deficiencies), do we have a chance of obtaining insurance on acceptable terms?” This provides management with another hard argument for investing in security - not only for legal compliance, but also for optimizing the cost of risk transfer (insurance).
How to turn audit findings into a roadmap for management?
Your board doesn’t need a 200-page technical report full of incomprehensible jargon. They expect a clear roadmap from you as CISO. The result of a KSC/NIS2 readiness audit must be a strategic roadmap to compliance.
Such a document must be visual, concrete and understandable to the business. It should clearly present:
1. Where are we? (Key gaps and risk assessment - e.g., in the form of a “heat map”.)
2. Where do we need to be? (Target level of compliance with KSC/NIS2.)
3. How do we get there? (List of specific remediation projects.)
Each project on the roadmap must have a specific priority (derived from the risk analysis), an estimated budget and a schedule (e.g., divided into quarters). This is the document you present to the board for approval. It is no longer an “IT budget request,” but a “regulatory and business risk mitigation plan” for which the board is personally responsible.
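The risk register described in the risk-analysis section (asset register, likelihood and impact scale, owners and treatment decisions) and the heat map and priority ordering the roadmap section asks for can be illustrated with a small worked example. The following is an added example, not code from the article or from any vendor it mentions; it assumes a 1-5 likelihood scale, a 1-5 business-impact scale taken from the BIA, and the P1/P2/P3 score thresholds used below. The scales, thresholds, asset names and risk entries are all constructed for illustration.

```python
"""Scoring a risk register in the ISO 27005 style the article describes.

Added example, not the article's or any vendor's code. Assumes constructed
1-5 likelihood and impact scales and constructed P1/P2/P3 thresholds.
"""
from dataclasses import dataclass

SCALE = range(1, 6)                                # constructed 1..5 scales
TREATMENTS = {"accept", "mitigate", "transfer", "avoid"}


@dataclass(frozen=True)
class Asset:
    name: str
    service: str      # business service the asset supports
    in_scope: bool    # inside the audit's KSC/NIS2 scope definition


@dataclass
class Risk:
    rid: str
    asset: Asset
    scenario: str
    likelihood: int   # 1 = rare ... 5 = almost certain
    impact: int       # 1 = negligible ... 5 = severe, taken from the BIA
    owner: str
    treatment: str    # one of TREATMENTS

    def score(self) -> int:
        # Likelihood x impact product; the audit documents the scale used.
        return self.likelihood * self.impact


def validate(risk: Risk) -> list[str]:
    """Return the register-quality gaps an auditor would flag for one entry."""
    errors = []
    if risk.likelihood not in SCALE or risk.impact not in SCALE:
        errors.append(f"{risk.rid}: likelihood/impact outside the 1-5 scale")
    if not risk.owner.strip():
        errors.append(f"{risk.rid}: no risk owner assigned")
    if risk.treatment not in TREATMENTS:
        errors.append(f"{risk.rid}: unknown treatment '{risk.treatment}'")
    return errors


def priority(score: int) -> str:
    """Map a score to a roadmap priority (constructed thresholds)."""
    if score >= 15:
        return "P1"
    if score >= 8:
        return "P2"
    return "P3"


def heat_map(risks: list[Risk]) -> dict[tuple[int, int], list[str]]:
    """Group risk ids by (likelihood, impact) cell for the board's heat map."""
    cells: dict[tuple[int, int], list[str]] = {}
    for r in risks:
        cells.setdefault((r.likelihood, r.impact), []).append(r.rid)
    return cells


def render_heat_map(risks: list[Risk]) -> str:
    """Text rendering: rows = likelihood (5 at the top), columns = impact."""
    cells = heat_map(risks)
    lines = ["L\\I " + " ".join(f"{i:>6}" for i in SCALE)]
    for lik in reversed(SCALE):
        row = [f"{lik:>3} "]
        for imp in SCALE:
            label = ",".join(cells.get((lik, imp), [])) or "."
            row.append(f"{label:>6}")
        lines.append(" ".join(row))
    return "\n".join(lines)


def roadmap(risks: list[Risk]) -> list[tuple[str, str, int, str]]:
    """In-scope risks needing action, worst first; accepted risks stay in
    the register but do not become remediation projects."""
    todo = [r for r in risks if r.asset.in_scope and r.treatment != "accept"]
    todo.sort(key=lambda r: (-r.score(), r.rid))
    return [(r.rid, priority(r.score()), r.score(), r.treatment) for r in todo]


# Constructed sample register (names and values are illustrative only).
MES = Asset("MES server", "production line 1", in_scope=True)
VPN = Asset("VPN gateway", "remote maintenance", in_scope=True)
BACKUP = Asset("cloud backup provider", "all services", in_scope=True)
WIKI = Asset("developer wiki", "internal tooling", in_scope=True)
HR = Asset("HR portal", "payroll", in_scope=False)

REGISTER = [
    Risk("R1", MES, "ransomware halts the production line", 4, 5, "COO", "mitigate"),
    Risk("R2", HR, "data leak from the portal", 3, 2, "HR director", "mitigate"),
    Risk("R3", BACKUP, "supplier outage blocks restore", 2, 5, "CIO", "transfer"),
    Risk("R4", VPN, "credential theft, no MFA", 5, 3, "CISO", "mitigate"),
    Risk("R5", WIKI, "defacement of internal pages", 2, 2, "CTO", "accept"),
]

if __name__ == "__main__":
    for r in REGISTER:
        for problem in validate(r):
            print("register gap:", problem)
    print(render_heat_map(REGISTER))
    for rid, prio, score, treatment in roadmap(REGISTER):
        print(f"{prio} {rid} score={score} treatment={treatment}")
```

Running the script prints the heat map grid and then the roadmap order R1 (P1), R4 (P1), R3 (P2): the accepted wiki risk stays in the register without becoming a project, and the out-of-scope HR portal is excluded by the scope decision made in the audit's first phase. `validate` is the register-quality check an auditor performs before trusting the scores: an entry without an owner, with an unknown treatment, or scored outside the agreed scale is itself a gap finding.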
What role does an external GRC partner play in the diagnosis process?
As a CISO, you have a mammoth task ahead of you, and your internal resources are limited. Conducting such a wide-ranging audit (from GRC, to IT, to OT and supply chain) on your own is extremely difficult, time-consuming, and fraught with the risk of lack of objectivity.
Engaging an external partner who specializes in KSC/NIS2 brings three key values. First, experience and methodology - such a partner has already performed similar analyses and has ready-to-use tools and checklists. Second, unique competence - for example, in niche areas such as OT security (IEC 62443) or advanced supply chain audits.
Third and most importantly, an external partner brings objectivity and authority. A report from an independent, trusted integrator that can combine the competencies of strategic consulting (GRC), implementation (IT/OT) and maintenance (SOC) has much more clout at the board level. It is no longer “Anna’s opinion from IT,” but an independent expert opinion confirming the severity of the problem and the validity of the proposed roadmap.