Preparing an organization for KSC 2.0 involves more than drafting security policies and incident response procedures. Only an assessment of how the organization actually operates can show whether documented rules are followed in practice, responsibilities have been clearly assigned and teams can respond effectively under time pressure.
It is particularly important now that the Polish amendment to the Act on the National Cybersecurity System, implementing the NIS2 Directive, is already in force. The provisions took effect on 3 April 2026. Entities that met the criteria for classification as a key or important entity on that date and are not entered ex officio in the KSC Register should submit an application for entry by 3 October 2026. Organizations are therefore no longer preparing for a future regulation; they are implementing specific obligations concerning, among other things, risk management, incident handling, business continuity and supplier security.
Based on gap analyses and compliance audits conducted by TTMS experts in 2026, we have observed that the issue is rarely a single isolated non-compliance. More often, organizations face several interconnected deficiencies that can make it harder to meet statutory requirements and delay incident response. This article presents the five gaps we identify most frequently, their practical consequences and the areas that should be verified first.
1. What Is a NIS2 Audit and Why Does Your Organization Need One?
A NIS2 audit is an assessment process used to determine how effectively an organization meets the requirements of the Directive and the Polish Act on the National Cybersecurity System. In practice, TTMS auditors review IT systems, risk management procedures and incident response plans, and then compare the actual state of operations with the applicable legal obligations. The assessment of security measures is based primarily on Article 21 of the NIS2 Directive and Article 8 of the KSC Act, which requires the implementation of an information security management system. Organizations that verify compliance early gain time to implement improvements in a controlled manner instead of acting under the pressure of an inspection.
1.1 The NIS2 Directive in Brief
The NIS2 Directive is an EU legislative act on the security of network and information systems that replaced the earlier NIS framework. It introduces significantly stricter requirements than its predecessor, particularly for organizations whose operations are important to the functioning of the state and the economy. Its purpose is to harmonize security standards across the European Union and materially strengthen resilience against cyberattacks.
1.2 Purpose and Scope of a NIS2 Compliance Audit
The purpose of an audit is to assess the extent to which an organization meets the Directive’s requirements and to identify specific security gaps together with a remediation plan. The scope covers both technical matters, such as network configuration and access management, and organizational matters, including security policies, risk management procedures and business continuity plans. A well-executed audit produces an actionable implementation roadmap, not merely a list of deficiencies.

2. Who Is Subject to KSC 2.0 and When Is an Audit Required?
The amendment covers key and important entities operating in the sectors listed in Annexes 1 and 2 to the Act, including energy, transport, healthcare, digital infrastructure, selected manufacturing industries and digital services. Whether an organization falls within the scope of the Act depends on its sector, type of activity, company size and specific statutory criteria. Some entities are covered regardless of their headcount or turnover.
2.1 Covered Sectors and Company Size
The threshold of 50 employees or EUR 10 million in turnover should not be treated as a standalone test. In many sectors, medium-sized or large-enterprise status is the starting point, but the Act provides exceptions and separate qualification rules. The first step should therefore be to compare the organization’s actual activities with Article 5 and Annexes 1 and 2 to the KSC Act.
2.2 Key Entities and Important Entities: Differences in Requirements
Key and important entities are generally subject to a similar set of obligations relating to risk management, incident handling and supply-chain security, subject to the exceptions provided for in the Act and sector-specific regulations. The primary differences concern the supervision and audit model. Under Article 15 of the KSC Act, a key entity must conduct a security audit at its own expense at least once every three years. The competent authority may order an external audit of a key entity at any time and of an important entity following a significant incident or another breach of the Act.
3. Is a NIS2 Audit Mandatory and When Should It Be Performed?
Not every gap analysis offered on the market constitutes a statutory audit. The periodic audit obligation under Article 15 applies to key entities, while a voluntary gap analysis can help both key and important entities assess readiness, set priorities and gather evidence of compliance. A statutory audit must be conducted by an organization or by at least two auditors meeting the qualification requirements set out in Article 15(2), while complying with the independence requirement in Article 15(2a).
3.1 Key KSC 2.0 Deadlines in Poland
Poland implemented the NIS2 Directive through the Act of 23 January 2026 amending the Act on the National Cybersecurity System and certain other acts (Journal of Laws of 2026, item 252). The Act was published on 2 March 2026, and its principal provisions entered into force on 3 April 2026. For entities that met the criteria for classification as a key or important entity on the effective date, self-registration in the KSC Register runs from 7 May to 3 October 2026, unless the entity is entered ex officio. Entities in this group should comply with the obligations in Chapter 3 no later than 3 April 2027. Key entities in this group must conduct their first statutory security audit by 3 April 2028. For entities brought within the scope of the Act at a later date or entered by administrative decision, the applicable deadline must be determined under the provision governing the relevant procedure.
3.2 How Often Should a Compliance Audit Be Repeated?
Under Article 15 of the KSC Act, the statutory audit of a key entity must be conducted at least once every three years. Irrespective of that requirement, we recommend an annual internal compliance review and an additional assessment after any material change, such as an IT infrastructure upgrade, implementation of a new system, a significant incident or a change of a critical service provider. Security cannot be configured once and then forgotten.

4. Consequences of NIS2 Non-Compliance
Failure to perform the obligations arising from the KSC Act implementing NIS2 may have serious consequences. These include supervisory measures, orders to remedy infringements and administrative fines.
4.1 Financial Penalties and Administrative Sanctions
Entities that fail to perform their obligations under the KSC Act may be subject to supervisory measures and administrative sanctions. The Act provides for high maximum penalties and, where an infringement creates a particularly serious threat, a fine of up to PLN 100 million. Under Article 35 of the amending Act, the new penalties specified in that provision may first be imposed two years after the Act entered into force, generally from 3 April 2028. This does not postpone the deadlines for registration, implementation of obligations or incident reporting.
4.2 Management Liability and Reputational Risk
Failure to perform statutory obligations may also result in a personal fine being imposed on the head of a key or important entity. Article 73a of the KSC Act provides for a fine of up to 300% of the person’s remuneration and, for certain public-sector entities, up to 100% of remuneration. The person regarded as the head of a particular entity depends on its legal form and governance structure. Irrespective of sanctions, an incident and disclosed negligence may also undermine the trust of customers and business partners.
5. What Does a NIS2 Audit Cover?
This part of our work as auditors is particularly revealing because it shows precisely where organizations encounter the most common difficulties. Below, we describe the five areas in which we most frequently identify gaps during KSC 2.0 readiness projects, together with practical examples and the consequences of leaving them unresolved.
5.1 Unclear Accountability and Immature Risk Management
The first thing we verify is who formally holds responsibility for cybersecurity within the organization. Our experience shows that unclear accountability is one of the most frequently identified issues. Roles across IT, security and management may be documented, yet in practice there is no unambiguous decision-making path for every type of significant incident. Valuable hours are then spent determining who is authorized to make a decision instead of responding to the incident.
This issue is closely linked to immature risk management. Many organizations have a document entitled ‘Risk Management Policy’, but the assessment was performed only once and has not been updated since. Article 21 of the NIS2 Directive and Article 8 of the KSC Act require appropriate and proportionate technical, operational and organizational measures based on systematic risk management. If an organization cannot demonstrate a recurring process, it also lacks a reliable understanding of where it is genuinely most exposed.
5.2 Incomplete IT and OT Asset Inventory
An incomplete or outdated inventory of IT and OT assets appears very frequently in our assessments. A typical example is a manufacturing company that declares full control over its infrastructure, yet during workshops no one can clearly state how many active servers it operates, which systems are outdated or which OT devices can access the corporate network. Without a reliable inventory, risk assessment becomes largely theoretical: an organization cannot assess the risk associated with an asset it does not know exists. During an incident, the team then loses time determining what has actually been compromised.
5.3 Untested Incident Response Procedures
Our observations indicate that, in most organizations assessed, the incident response procedure existed only as documentation and had never been tested in practice. Article 23 of the NIS2 Directive and Article 11 of the KSC Act provide for multi-stage reporting: an early warning must be submitted without undue delay and no later than 24 hours after detecting a significant incident, followed by an incident notification no later than 72 hours after detection. The required reports must then be submitted, including a final report generally within one month of the incident notification. The procedure must therefore work at night, at weekends and when key personnel are unavailable.
5.4 Inadequate Business Continuity Plans
An incident response procedure is not sufficient if the organization cannot maintain or restore critical services. In practice, we verify whether business continuity and disaster recovery plans cover critical dependencies, suppliers, backups, crisis communications and realistic recovery times. Article 21(2) of the NIS2 Directive and Article 8 of the KSC Act identify business continuity, backup management, disaster recovery and crisis management as elements of cybersecurity risk-management measures. A plan that has never been tested remains an assumption rather than evidence of resilience.
5.5 No Systematic Supplier Risk Assessment
Supplier security management remains one of the greatest challenges. In the vast majority of organizations assessed by TTMS, there was no systematic evaluation of risks associated with service providers or partners that had access to the organization’s systems. Article 21(2)(d) of the NIS2 Directive and Article 8 of the KSC Act expressly cover supply-chain security. A typical example from our work is an external IT provider with remote access to company systems whose security controls have never been verified. An attack on such a partner can directly threaten the organization using its services.
5.6 Summary of the Five Most Common Gaps
| Area | Observation from TTMS Projects |
| 1. Accountability and risk management | Frequently identified issue |
| 2. IT and OT asset inventory | Very frequent |
| 3. Testing of incident response procedures | Most organizations assessed |
| 4. Business continuity | Often requires additional testing and clarification |
| 5. Supplier risk assessment | The vast majority of organizations assessed |
| High-risk gaps identified in a single audit | Usually between one and several |
The data in the table consists of anonymized qualitative observations from gap analyses and audits conducted by TTMS in 2025–2026. It is not a representative market study.

7. How a NIS2 Audit Works: Step by Step
Below, we explain how we conduct a NIS2 audit for a client, step by step, from the initial contact through to the completed remediation roadmap.
Step 1: Determine Whether the Organization Is Subject to KSC 2.0
The first step is to establish whether the organization is subject to the KSC Act and whether it qualifies as a key or important entity. This determination defines the subsequent scope of the assessment and the obligations that must be considered.
Step 2: Questionnaire and Baseline Data Collection
We then conduct a detailed questionnaire and collect baseline information from the IT, security and management teams. This allows us to build an initial picture of the organization’s security posture before examining the documentation in detail.
Step 3: Review of Documentation and Processes
The next stage involves reviewing the documentation and existing processes, comparing what is written on paper with what actually happens within the organization. This is where the discrepancies described earlier most often become visible, such as an incident response procedure that exists but has never been tested.
Step 4: Workshops and Team Interviews
We conduct workshops and interviews with employees from different departments because documentation rarely tells the whole story. A conversation with a network administrator or the person responsible for supplier relationships often reveals more than a formal review of documents.
Step 5: Findings and Recommendations Report
At the end of the assessment, we prepare a detailed report presenting the findings and specific remediation recommendations in language that is understandable not only to IT, but also to the organization’s management. The head of the entity and the relevant governing bodies are responsible for approving and overseeing implementation of the measures to the extent required by the Act and the entity’s governance structure.
Step 6: Remediation Roadmap
The final report includes a prioritized remediation roadmap. In practice, we typically identify between one and several high-risk non-compliances during a single audit. The roadmap is therefore not about implementing every recommendation at the same time, but about sequencing activities to reduce the most significant business risks as quickly as possible.

8. How to Prepare Your Organization for a NIS2 Audit
Preparing for a NIS2 audit requires involvement from every department, not only IT. It is worth collecting current security policy documentation, a list of systems and external suppliers, and appointing a person to act as the auditors’ primary point of contact. The better prepared the organization is at the outset, the faster and more efficiently the process can be completed, reducing both cost and pressure on the team.
9. NIS2 Audits and Other Security Audits: Key Differences
A NIS2 and KSC 2.0 compliance assessment differs from other security reviews because it addresses specific regulatory obligations arising from the Act on the National Cybersecurity System. ISO/IEC 27001 certification is generally voluntary, while a GDPR compliance audit focuses on personal data protection obligations. These scopes may partially overlap, but none of them automatically replaces an assessment of compliance with KSC 2.0.
10. Benefits of Commissioning a NIS2 Audit from TTMS
TTMS is a global IT company specializing in the implementation and maintenance of bespoke IT systems, business process automation and outsourcing services. With experience in systems integration, Salesforce, Microsoft and AEM implementations, as well as IT service management, our consultants understand not only regulatory requirements but also the real-world IT infrastructure architectures our clients operate.
10.1 Scope and Delivery of Our Service
We provide a comprehensive NIS2 and KSC 2.0 readiness and gap assessment covering all the areas described above: from asset inventory, risk management and incident response procedures to supply-chain security. We follow a proven process, starting with an initial questionnaire, continuing through team workshops and concluding with an actionable roadmap. If the engagement includes a statutory audit under Article 15, the scope, auditor qualifications and independence requirements must be confirmed separately.
10.2 Support with Implementing Post-Audit Requirements
The real value of an audit lies in implementing its recommendations, not merely producing a report. After completing projects, we observe that clarifying accountability, updating documentation and implementing remediation measures shorten incident response times, improve asset records and reduce the number of non-compliances found during subsequent reviews. Our support includes security process automation, integration of monitoring systems and development of procedures that work in teams’ day-to-day operations.
11. Contact a TTMS Expert and Prepare Your Organization for a NIS2 Audit
11.1 Make Sure Your Organization Is Ready for KSC 2.0
KSC 2.0 readiness is difficult to assess from documentation alone. The key is to verify whether responsibilities, processes and safeguards work in practice and whether the organization can demonstrate compliance during an audit or inspection. If you would like to discuss your organization’s situation, contact TTMS experts. We will help determine which areas require verification, what audit scope is appropriate and where preparations should begin. We will tailor the engagement to the entity’s status and its obligations under KSC 2.0.

12. Legal Basis and Sources
Directive (EU) 2022/2555 of the European Parliament and of the Council (NIS2), in particular Articles 20, 21, 23, 32 and 33; the Act of 5 July 2018 on the National Cybersecurity System, as amended by the Act of 23 January 2026 (Journal of Laws of 2026, item 252), in particular Articles 5, 8, 11, 15, 73 and 73a and Annexes 1 and 2; Articles 33–35 of the amending Act; and communications from the Polish Ministry of Digital Affairs concerning the KSC Register and the S46 System. The legal status and implementation timeline were verified on 13 July 2026.
13. FAQ
Is a Gap Analysis the Same as a Statutory KSC Audit?
No. A gap analysis is a voluntary readiness assessment that helps identify deficiencies and prioritize actions. A statutory security audit under Article 15 of the KSC Act must meet the requirements relating to scope, auditor qualifications and independence.
What Is a NIS2 Compliance Audit?
A NIS2 compliance audit is a market term for an assessment process that verifies an organization’s readiness for the requirements of the NIS2 Directive and the KSC Act. It may cover IT systems, risk management and incident response. However, not every such review constitutes a statutory security audit under Article 15 of the KSC Act, which must meet the applicable requirements concerning scope, auditor qualifications and independence.
What Does NIS2 Involve?
NIS2 is an EU directive that introduces rigorous network and information systems security requirements for organizations in key and important sectors. Its purpose is to harmonize security standards across the European Union and strengthen resilience against cyberattacks.
How Much Does a NIS2 Audit Cost?
The cost of a NIS2 audit depends on the size of the organization, the number of systems and locations covered by the review, and the scope of support required to implement the recommendations. An accurate quotation can be provided after a short initial discussion in which we establish the actual scope of work.