NIS2 compliance

NIS2 without the panic

Gap analysis, remediation roadmap and evidence pack for essential and important entities. No theatre — just the 10 obligations of Art. 21, done properly.

Who is it for?

  • Essential entities (energy, transport, banking, healthcare, water, digital infrastructure)
  • Important entities (postal, waste, manufacturing, food, digital providers)
  • Management board (personal liability under NIS2)
  • Risk and compliance teams
  • CISO and security teams

What you get

Outcomes

Clear scope decision

We determine whether you are an essential or important entity — and what that means in practice for your obligations.

Gap analysis vs. Art. 21

All 10 risk-management measures mapped to your current controls, with gaps prioritised by impact and effort.

24-hour reporting playbook

NIS2 requires notification to CSIRT within 24 hours. We build the playbook and drill it in a tabletop.

Supply-chain mapping

Art. 21(2)(d) — we map and assess your critical ICT suppliers and build a supplier risk management policy.

Board-level responsibility

The management board must approve and oversee cybersecurity measures. We brief your board and document the approval.

Audit-ready evidence

Policies, procedures, training logs, incident records, supplier assessments — packaged the way your regulator expects.

How we work

From scope to evidence pack

  1. Scoping workshop

    2-hour workshop — are you essential or important? Which sectors? Which entities of your group? Personal board liability?

  2. Gap analysis

    Document review, interviews, technical sampling. Deliverable: a gap report against Art. 21 with prioritised findings.

  3. Remediation

    We close the gaps with you — policies, training, supply-chain assessment, incident playbook, tabletop exercise.

  4. Maintenance

    Annual risk review, updates to policies, new supplier assessments, incident report support.

FAQ

Frequently asked questions

Is NIS2 in force in Poland?
NIS2 transposition into Polish law is ongoing. Essential and important entities should already be preparing — the regulator will not accept "we were waiting for the law".

How long does NIS2 alignment take?
Gap analysis: 3–4 weeks. Full remediation: 3–9 months depending on your maturity.

We already have ISO 27001 — is that enough?
A big head start. Roughly 60–70% of NIS2 Art. 21 overlaps with ISO 27001:2022. We do a delta analysis and fill the rest.

What are the fines?
Up to EUR 10 million or 2% of global turnover for essential entities, EUR 7 million or 1.4% for important entities. Plus personal liability for the board.

Do we need to notify CSIRT within 24 hours?
Yes — early warning within 24 hours, full notification within 72 hours, final report within 1 month. We build the playbook for you.

Start with an NIS2 scoping call

30 minutes — we determine your obligations and propose a concrete timeline and cost.