NATIONAL CYBERSECURITY SYSTEM (KSC) AUDIT
KSC audit: see if you meet the duties of the national cybersecurity act
A compliance audit against the Polish national cybersecurity system act for operators of essential services and public entities. We assess the security management system, incident handling and duties toward the relevant CSIRT.
WHY IT MATTERS
KSC is not a recommendation, it is a statutory obligation with real consequences
The national cybersecurity system act places concrete duties on operators of essential services and public entities: from implementing a security management system to reporting incidents to the relevant CSIRT on time.
The audit shows where you really stand against these duties before the authority checks. We combine knowledge of the act with technical practice, so we assess not just documentation but the real effectiveness of controls.
WHAT WE CHECK
The full scope of KSC duties
We tailor the scope to the entity’s role and the type of essential service provided.
OUR APPROACH
Knowledge of the act and real practice in one audit
An auditor who only knows the rules will check document compliance. We additionally test whether controls actually protect, because we attack similar environments every day in penetration tests.
The result is a concrete map of gaps with priorities, arranged around the mandatory audit and the authority’s requirements. You know what to close first and why it matters.
ACT SCOPE
From the management system to reporting duties
The audit covers the key duties arising from the KSC act and related regulations.
STANDARDS & CERTIFICATIONS
We work to recognized methodologies, not gut feeling
Every project is run by certified pentesters and based on public standards. That makes the result repeatable, auditable and comparable across vendors.
We share the full list of certifications and standards on request, together with a sample test scope.
HOW WE DO IT
An audit run in stages
EVIDENCE
Numbers behind every promise
Every test is run by certified pentesters, and we document the result with reproduction steps, evidence and a verified remediation path. Proof, not a promise.
KNOWLEDGE
A National Cybersecurity System (KSC) audit in practice
What the KSC act is and who it applies to
The act on the national cybersecurity system is the Polish legal framework imposing obligations on operators of essential services and digital service providers. It sets out how they must manage risk and cooperate with the relevant response teams.
As NIS2 is transposed, the scope of entities and requirements widens. The first step is to establish whether you fall under the act and what specific obligations follow from it.
What we verify in a KSC audit
We check the implementation of required controls, the handling and reporting of incidents to the relevant CSIRT, and the completeness of required documentation. We assess the actual state, not just declarations.
We also look at the repeatability of processes: whether incident handling will work under pressure or exists only on paper. That is the difference between formal compliance and real readiness.
The link to NIS2
The Polish rules are closely tied to the EU NIS2 directive, so we arrange the audit to put compliance with both in order at once. This way you do not do the same work twice.
We point out areas where the new requirements go beyond current practice, for example in supplier oversight. That lets you prepare ahead of time rather than in a rush.
What you get and when to run the audit
You get a gap report against the act requirements and a concrete plan to close them, ordered by risk and deadlines. We separate what must be done urgently from what can be spread over time.
An audit is worth running when your regulatory status changes, after significant infrastructure changes or periodically to maintain compliance. We also help you prepare for an inspection by the authority.
FAQ
Common questions
Are we an operator of essential services?
How does KSC relate to NIS2?
Do you carry out the mandatory statutory audit?
What do I get at the end?
CASE STUDIES
Case studies in this area
REFERENCES
“The project was delivered professionally and on time, with a strong grasp of both technology and business. We were impressed by their cybersecurity expertise and partnership approach.”
















