Knowledge base Updated: February 5, 2026

How to strategically implement KSC NIS2 in 3 steps?

KSC/NIS2 implementation is not chaos, but a strategic process. The START-CORE-RESILIENCE model is a proven path for management to transform regulatory obligation into real business resilience, guiding the company from diagnosis (START) to implementation (CORE) to ongoing maintenance (RESILIENCE).

The new KSC law implementing NIS2 has put boards in a new and difficult position. On the one hand, they face personal responsibility and the risk of financial sanctions; on the other, immense time pressure and the technical and legal complexity of the entire project. Amid conflicting information and bids from dozens of suppliers, boards are asking themselves one question: “How do we sort it all out, and where do we start to effectively manage these risks?”

The answer is not to buy a single tool, but to implement a strategic process. Based on our experience as an end-to-end integrator, we have developed a three-stage implementation model: START - CORE - RESILIENCE. It’s a logical, modular roadmap that takes an organization from “zero” (risk diagnosis) to full, ongoing resilience. It’s a path designed to give management control of the process and turn a regulatory requirement into a real business advantage.


Why does the implementation of KSC/NIS2 need to be a process rather than a one-time project?

Treating KSC/NIS2 as a “deploy and forget” project is a fundamental management mistake. Cyber threats evolve daily, a company’s infrastructure changes and employees rotate. The compliance status achieved on the day of the audit is fleeting. The law does not require a one-time “certification,” but the implementation of an ongoing risk management process.

The regulator requires regular audits, constant monitoring and continuous improvement. This means that security is becoming a permanent business function, just like finance or HR. Management needs to make sure the system is working, not just on the day of the audit, but every day.

That’s why you need a model that reflects this life cycle. The START-CORE-RESILIENCE model is the answer to this need. The START phase is diagnosis. CORE builds the foundation. RESILIENCE is the operational phase that ensures the organization remains secure and compliant on a day-to-day basis, fulfilling the duty of oversight.


What is the START phase and why is it crucial for management?

The START (Find) phase is the foundation of the entire strategy. Its goal is to engage the highest decision-making level. It is a diagnostic phase that answers the board’s key questions: “Where are we?”, “What are our real risks?” and “What are our personal risks?”

This phase is crucial for the board because it directly addresses its new responsibilities. It uses the requirements for mandatory board training and mandatory risk analysis as a door-opener for a conversation about the personal responsibility of managers.

The result of the START Package is not yet compliance, but a clear roadmap to compliance. Management gets an objective report with gaps, and the CISO and CFO get measurable data to budget and prioritize corrective actions. This is the first step to demonstrating due diligence.

What specific activities does the START Package include?

The START package focuses on three key diagnostic elements that give management the full picture. First, a KSC/NIS2 Compliance Audit is carried out. This is a deep gap analysis that shows the organization’s actual status against the Act’s requirements and identifies the areas of greatest risk.

Second, a Strategy Workshop for the Board of Directors is conducted. This is not an ordinary training session. It is an advisory session that fulfils the training obligation, presents the audit results to the board, explains legal obligations and helps the board understand the scale of the business risks.

Third, the package includes a unique Cyber Insurance Readiness Assessment module. It helps Chief Financial Officers (CFOs) translate identified technical risks into financial risks and optimize the cost of acquiring a policy, putting the business case in hard numbers.

What is the CORE phase and what challenges does it solve?

The CORE (Fix) phase is the implementation stage: a complete implementation project. This is the “hard work” that takes place after the diagnosis in the START phase. Its goal is to close the identified gaps and achieve full, auditable compliance.

This phase directly addresses two key challenges of the Act: procedural and technical. It addresses the lack of required documentation (policies, procedures) and the lack of “appropriate and proportionate” security technologies that result from the risk analysis.

The result is an organization in an “audit-ready” state. The company has both formal policies and procedures approved by the board of directors and working, implemented technical safeguards.

What key implementations (technical and procedural) does the CORE Package include?

At the procedural level, the CORE Package includes the development of missing security documentation (ISMS). We are talking about information security policies, incident response procedures, business continuity plans, and key vendor management policies, in accordance with standards (e.g. ISO 27001/2).

In parallel, the integration team implements key technical safeguards resulting from the risk analysis. These may include monitoring systems (SIEM/SOC), multi-factor authentication (MFA) mechanisms, implementation of EDR systems, modern backup systems, or a key IT/OT network segmentation project.

Importantly, the CORE Package is also extended to provide active support in Supply Chain Risk Management (SCRM). Rather than just creating policies, nFlo offers to conduct real audits (procedural and technical) at a client’s key suppliers, putting this difficult requirement of the law into practice.

Why is technology implementation (CORE) not enough to meet the requirements of the law?

Many companies make the mistake of stopping at the CORE phase. They assume that purchasing a SIEM and writing procedures completes the project. Meanwhile, KSC/NIS2 imposes a requirement that cannot be met through a one-time implementation: reporting major incidents within 24 hours of detection.

Having the technology (SIEM) means nothing if no one is looking at the alerts it generates at 3:00 a.m. on a Saturday. The 24-hour requirement is an operational challenge, not a technical one. Implementation in the CORE phase gives you the tools and plans, but does not guarantee the ability to respond within the statutorily required time.

This is why the CORE phase is insufficient. What is needed is another phase that ensures the continuous, round-the-clock operation of these mechanisms and the ability to respond immediately.

What is the RESILIENCE phase and why is it critical to business continuity?

The RESILIENCE phase is the most advanced stage of the model. It is the transition from “compliance design” to “cyber security as a continuous process.” Its goal is to ensure continuous maintenance of compliance and viable operational resilience, which is the essence of business continuity.

A key element is the 24-hour response requirement. This package includes 24/7 continuous security monitoring (a SOC service) and a guaranteed Incident Response service. This is a direct response to the critical requirements of continuous monitoring and reporting.

In practice, the RESILIENCE phase allows management to focus on strategic business development, while a specialized partner (like nFlo) takes on the operational burden of watching over security, responding to threats and maintaining compliance.

What permanent programs are included in the RESILIENCE Package?

Resilience is not just technological SOC monitoring. Risk comes from three sources: technology, people and suppliers. The RESILIENCE package addresses all three through ongoing, cyclical programs.

The first is the aforementioned technical monitoring (SOC 24/7). The second is the Continuous Security Culture Building Program - managing the “human firewall” through regular phishing tests and training. The third is Continuous Supplier Risk Management (SCRM), consisting of periodic audits of the supply chain.

The whole process is complemented by regular control audits and tests, such as quarterly vulnerability scans and annual penetration tests, which verify that the implemented safeguards are still effective in the face of new threats.

Why is the modular model (START-CORE-RESILIENCE) the most cost-effective?

Management, especially the CFO, must have control over the budget. The modular model ensures this. Instead of buying “blindly” expensive technologies that may not be needed, this model ensures cost optimization.

The START phase is a precise diagnosis that ensures that the budget in the CORE phase is spent only on measures that are “appropriate and proportionate” to the real, identified risks. The customer can start with a basic diagnosis (START) and then flexibly expand to include implementation (CORE) and maintenance services (RESILIENCE) as needed.

What’s more, during the RESILIENCE phase, using managed services (Managed SOC, Managed SCRM) is many times cheaper and more effective than trying to build the same specialized competencies 24/7 in-house.

How does this model help the board prove “due diligence”?

This is the ultimate management goal. KSC/NIS2 places the responsibility for “oversight” on the board. The START-CORE-RESILIENCE model is essentially a documented oversight process. Each phase generates specific reports and evidence.

The START phase provides evidence of risk analysis and management training. The CORE phase provides evidence of implementation of approved policies and technologies. The RESILIENCE phase provides continuous reports on SOC monitoring, BCP testing and supplier audits.

In the event of an audit, management does not present chaotic memos, but a coherent story of working with a single, trusted end-to-end partner. A partner that has combined the competencies of strategic consulting (GRC), implementation (IT/OT) and maintenance (SOC) to guide the company through the entire, complex process of regulatory adaptation. This is the very definition of “due diligence.”

KSC/NIS2 Strategic Roadmap: START-CORE-RESILIENCE Model

The following table synthesizes the customer’s three-step path to achieving and maintaining compliance and business resilience.

Model Phase: 1. START (Find)
Main Objective: Diagnosis and Accountability. Establish board awareness and create a road map.
Key Actions for the Board:
  • Implementation of mandatory management training.
  • Conduct KSC/NIS2 compliance audit (gap analysis).
  • Insurance readiness assessment (for CFO).
Main KSC/NIS2 Challenge Addressed: Management (personal responsibility); Analytical (mandatory risk analysis).

Model Phase: 2. CORE (Fix)
Main Objective: Implementation and Compliance. Achieve an “audit-ready” state.
Key Actions for the Board:
  • Approval of policies and procedures (ISMS).
  • Allocation of budget for implementation of technical measures.
  • Launch of supplier audit program (SCRM).
Main KSC/NIS2 Challenge Addressed: Procedural (missing documentation); Technical (implementation of measures).

Model Phase: 3. RESILIENCE (Sustain)
Main Objective: Continuity and Maintenance. Ensure continued resilience and operational capability.
Key Actions for the Board:
  • Provide budget for continuous monitoring (SOC 24/7).
  • Approve permanent programs (culture building, SCRM audit, BCP testing).
Main KSC/NIS2 Challenge Addressed: Operational (24-hour reporting requirement and business continuity).
