← Back to the blog

// blog · Compliance

NIS2 in practice: where to start before the auditor arrives

The amended Polish Act on the National Cybersecurity System has been in force since April 2026. The deadlines are countable: registration in the register of essential and important entities by 3 October 2026, risk-management measures in place by 3 April 2027, the first mandatory audit by 3 April 2028. Below are five steps worth taking in this order.

1. Establish whether you are in scope - and document the analysis

No one will send you a letter saying you are covered. The criteria are your sector (eighteen sectors, from energy to manufacturing) and a size threshold - as a rule, from 50 employees. A detail that is often missed: the analysis must be carried out even if its outcome is that you are not in scope. A documented self-identification is the first piece of evidence an auditor asks for.

2. Inventory what you have

You cannot secure systems no one remembers exist. The minimum scope: a list of systems supporting key services, internet-facing services (including subdomains and test environments), and dependencies on external suppliers. In practice it is precisely the forgotten subdomains and development environments that generate the greatest risk - and surprise boards the most in reconnaissance reports.

3. Start with vulnerability identification

Article 21 requires, among other things, risk-analysis policies and security in system maintenance - including vulnerability handling and disclosure. A perimeter scan with manual validation of findings is the fastest way to move from declarations to measurable evidence of meeting this obligation: a report with a date, scope, prioritisation and a remediation plan.

4. Put the Art. 21 processes in order

Technical testing is only part of the requirements. The Act also requires incident handling, business continuity and backups, supply chain security, training and cryptography. A sensible order: first a gap analysis (current state mapped against the requirements), then a prioritised roadmap - rather than implementing everything at once.

5. Document everything

An auditor cannot assess what they cannot see. Every action - the scoping analysis, the inventory, a scan, a retest, a training session - should leave a trace: a document with a date and scope. Well-kept documentation shortens an audit more than any single technical control.

Summary

The order matters: self-identification → inventory → vulnerability identification → processes → documentation. Detailed deadlines and the full list of Art. 21 measures are on the NIS2 / KSC page. Scope status and a sensible first step for a specific organisation can be established during an initial consultation.

← Back to the blog