Elementrica
03Case Studies04References05Company06News07Contact
PLENDE

NATIONAL CYBERSECURITY SYSTEM (KSC) AUDIT

KSC audit: see if you meet the duties of the national cybersecurity act

A compliance audit against the Polish national cybersecurity system act for operators of essential services and public entities. We assess the security management system, incident handling and duties toward the relevant CSIRT.

Assessment of essential service operator dutiesSecurity and risk management systemReadiness to handle and report incidentsAn action plan ahead of the statutory audit

WHY IT MATTERS

KSC is not a recommendation, it is a statutory obligation with real consequences

The national cybersecurity system act places concrete duties on operators of essential services and public entities: from implementing a security management system to reporting incidents to the relevant CSIRT on time.

The audit shows where you really stand against these duties before the authority checks. We combine knowledge of the act with technical practice, so we assess not just documentation but the real effectiveness of controls.

WHAT WE CHECK

The full scope of KSC duties

01
Management system
We assess the implementation and maintenance of the security management system.
02
Risk assessment
We check the process and currency of risk assessment for the essential service.
03
Incident handling
We verify the ability to detect and report incidents to the CSIRT.
04
Technical controls
We assess the real effectiveness of the security measures in place.

We tailor the scope to the entity’s role and the type of essential service provided.

OUR APPROACH

Knowledge of the act and real practice in one audit

An auditor who only knows the rules will check document compliance. We additionally test whether controls actually protect, because we attack similar environments every day in penetration tests.

The result is a concrete map of gaps with priorities, arranged around the mandatory audit and the authority’s requirements. You know what to close first and why it matters.

ACT SCOPE

From the management system to reporting duties

The audit covers the key duties arising from the KSC act and related regulations.

Management system
Implementation and maintenance of an information security management system.
Incident handling
Detection, handling and reporting of incidents to the relevant CSIRT.
Risk assessment
Regular risk assessment for the essential service provided.
Periodic audit
Readiness for the mandatory security audit.

STANDARDS & CERTIFICATIONS

We work to recognized methodologies, not gut feeling

Every project is run by certified pentesters and based on public standards. That makes the result repeatable, auditable and comparable across vendors.

Team certifications
OSCPOSCPOffSec
OSEPOSEPOffSec
OSWEOSWEOffSec
OSEDOSEDOffSec
OSWAOSWAOffSec
OSWPOSWPOffSec
BSCPBSCPPortSwigger
CPTSCPTSHack The Box
CBBHCBBHHack The Box
CWEECWEEHack The Box
CRTOCRTOZero-Point Security
CREST CRTCREST CRTCREST
CREST CPSACREST CPSACREST
ISO 27001 LAISO 27001 LAISO/IEC
Azure Security EngineerAzure Security EngineerMicrosoft
Security Operations AnalystSecurity Operations AnalystMicrosoft
Security AdministratorSecurity AdministratorMicrosoft
OSCPOSCPOffSec
OSEPOSEPOffSec
OSWEOSWEOffSec
OSEDOSEDOffSec
OSWAOSWAOffSec
OSWPOSWPOffSec
BSCPBSCPPortSwigger
CPTSCPTSHack The Box
CBBHCBBHHack The Box
CWEECWEEHack The Box
CRTOCRTOZero-Point Security
CREST CRTCREST CRTCREST
CREST CPSACREST CPSACREST
ISO 27001 LAISO 27001 LAISO/IEC
Azure Security EngineerAzure Security EngineerMicrosoft
Security Operations AnalystSecurity Operations AnalystMicrosoft
Security AdministratorSecurity AdministratorMicrosoft
Regulations and standards
KSC ActNIS2ISO/IEC 27001
Team certifications
ISO 27001 Lead AuditorOSCPOSEP

We share the full list of certifications and standards on request, together with a sample test scope.

HOW WE DO IT

An audit run in stages

01
Scope
We establish the entity’s role and the resulting scope of duties.
02
Review
We analyze the management system, risk and documentation.
03
Verification
We check the effectiveness of controls and processes in practice.
04
Gap assessment
We identify shortfalls against the statutory duties.
05
Report
We deliver an action plan ahead of the audit and inspection.

EVIDENCE

Numbers behind every promise

Every test is run by certified pentesters, and we document the result with reproduction steps, evidence and a verified remediation path. Proof, not a promise.

500+
security tests and audits completed
5.0
average score from 10 verified Clutch reviews
20+
offensive certifications across the team
01
Certified team
20+ offensive certifications across the team (OSCP, OSEP, OSWE, CREST). Tests are run by our people, not anonymous subcontractors.
02
Manual testing
We work by hand to PTES and OWASP, chaining seemingly small flaws into a real, proven attack path.
03
Evidence, not a promise
Every finding comes with reproduction steps and a working proof. A report that holds up in front of an auditor.
04
Retest included
After fixes are deployed we confirm in writing that the gaps are closed. We do not vanish once the PDF is sent.

KNOWLEDGE

A National Cybersecurity System (KSC) audit in practice

What the KSC act is and who it applies to

The act on the national cybersecurity system is the Polish legal framework imposing obligations on operators of essential services and digital service providers. It sets out how they must manage risk and cooperate with the relevant response teams.

As NIS2 is transposed, the scope of entities and requirements widens. The first step is to establish whether you fall under the act and what specific obligations follow from it.

What we verify in a KSC audit

We check the implementation of required controls, the handling and reporting of incidents to the relevant CSIRT, and the completeness of required documentation. We assess the actual state, not just declarations.

We also look at the repeatability of processes: whether incident handling will work under pressure or exists only on paper. That is the difference between formal compliance and real readiness.

The link to NIS2

The Polish rules are closely tied to the EU NIS2 directive, so we arrange the audit to put compliance with both in order at once. This way you do not do the same work twice.

We point out areas where the new requirements go beyond current practice, for example in supplier oversight. That lets you prepare ahead of time rather than in a rush.

What you get and when to run the audit

You get a gap report against the act requirements and a concrete plan to close them, ordered by risk and deadlines. We separate what must be done urgently from what can be spread over time.

An audit is worth running when your regulatory status changes, after significant infrastructure changes or periodically to maintain compliance. We also help you prepare for an inspection by the authority.

FAQ

Common questions

Are we an operator of essential services?

It depends on the sector and the authority’s decision. We will help establish your role and the resulting scope of duties under the KSC act.

How does KSC relate to NIS2?

KSC is the Polish implementation of EU rules. As NIS2 is implemented, the scope of duties expands, and the audit accounts for both.

Do you carry out the mandatory statutory audit?

We help you prepare for it and point out gaps. The scope of the formal statutory audit we agree individually, depending on your role.

What do I get at the end?

An assessment of compliance with KSC duties, a map of gaps with priorities and an action plan arranged around the authority’s requirements.

CASE STUDIES

Case studies in this area

REFERENCES

“The project was delivered professionally and on time, with a strong grasp of both technology and business. We were impressed by their cybersecurity expertise and partnership approach.”
M
Mateusz Widenka
Head of Delivery, Order Group
Clutch★★★★★5.0 · 10 reviewsRead all reviews on Clutch

FIRST STEP

Start with a free consultation

Tell us what you want tested. Within 24 hours you get a proposed scope and next steps. You talk to a consultant who understands the technical side, not a salesperson.

Get in touch
No obligation · we reply within 24 h · your data stays confidential
Methodology
PTES · OWASP
Team
20+ certifications
Rating
5.0 on Clutch
What you get
A scope proposal matched to your risk
A report with evidence and reproduction steps
Remediation priorities by real impact
A retest after fixes are deployed
Asia, ElementricaKacper, ElementricaGrzesiek, Elementrica
A member of our team runs the call, and we reply within 24 hours. No bots, no call center.