How to implement KSC / NIS2 – risk management

12 March 2026

Risk analysis is the foundation for the effective implementation of any security measures under the NIS2 Directive. Like the GDPR, the NIS2 Directive is technology-neutral: it does not prescribe specific safeguards, but leaves each organisation to select and adapt measures to its own nature, size and risk exposure.

Author: Tomasz Ochocki

The key to successfully implementing the NIS2 requirements set out in the Act on the National Cybersecurity System (KSC) is a proper risk analysis covering both the office IT infrastructure and OT (Operational Technology) environments. It lets the organisation identify the main threats, set priorities for action and implement appropriate protective measures. A solid risk analysis is what makes it possible to meet the requirements of the NIS2 Directive while minimising cyber risk and ensuring business continuity.


In this article, the next in our series on implementing the requirements of the KSC Act / NIS2, we discuss recommendations on risk management in essential and important entities, based on ENISA guidance and the European Commission implementing regulation for the NIS2 Directive.

Risk management – requirements

The NIS2 Directive is transposed into Polish law by an amendment to the Act on the National Cybersecurity System (KSC). The Act obliges essential and important entities to establish and maintain a risk management framework that identifies and manages the risks to the security of their network and information systems. The core of this process is carrying out and documenting risk assessments, and then implementing risk treatment plans based on their results.

This approach not only makes it possible to minimise the risk associated with cyber threats, but also to adapt measures to the specific nature of the organisation and its strategic objectives. It should be emphasised that the results of the risk assessment, as well as the residual risk, must be accepted by the management bodies or persons responsible for and authorised to manage risk. This process requires an appropriate level of reporting, enabling the management board to make informed decisions that take into account both the organisation's security and cost optimisation.

Risk management in the context of the Act on the KSC / NIS2

When implementing the KSC / NIS2 Act, organizations may rely on the risk management frameworks they currently use or adopt new frameworks tailored to the requirements and specifics of their operations. Risk management is a structured approach that enables the identification and assessment of cyber threats, their management, and the mitigation of their impact. As part of this process, a key element is the development of a risk treatment plan that precisely links the identified risk to the organization’s assets and to the appropriate measures for reducing that risk.

The risk treatment plan should include:

  • precise definition of the risk and the related assets,
  • the objectives to be achieved in the course of risk reduction,
  • risk mitigation measures and procedures for assessing the effectiveness of their implementation,
  • detailed schedules for the implementation of actions,
  • assignment of responsibilities to specific roles,
  • an estimate of the costs of implementing the selected measures.

An important aspect is also communication with clients regarding residual risk, which may affect the services provided. In addition, risk arising from the actions of third parties should be taken into account. For example, such risk may result from unpatched security vulnerabilities, non-compliance with legal requirements, or excessive dependence on a single supplier.

Fundamental importance in the risk management process lies in the acceptance of residual risk by the organization’s management or by the persons responsible for risk management. This includes approval of both the results of the risk assessment and the risk treatment plan. Such an approach makes it possible to ensure that the acceptable level of risk remains aligned with the established thresholds. As a result, the risk management process becomes an integral part of conscious and responsible organizational governance.

Documented risk management frameworks

Introducing documented risk management frameworks is essential to meet the NIS2 requirements set out in the Polish KSC Act. Adopting such frameworks makes it possible to structure activities related to the identification, assessment and mitigation of risks. If an organisation does not have documented risk management frameworks in place, it should consider implementing them. It may rely on recognised standards, such as ISO/IEC 27005, which provide universal guidelines adaptable to various types of organisations.

It is important to document the results of risk assessments carried out. This makes it possible to analyse previous actions, assess the effectiveness of the measures applied and plan future activities. The basic tool in this process is a risk treatment plan. 


Risk management process flow

The cyber risk management process, as defined in the NIS2 Directive, represents a comprehensive approach to identifying risks related to the security of networks and information systems, analysing and assessing those risks, and treating them. Relevant entities are required to implement procedures that may become an integral part of the organisation’s overall risk management process.

Within this process, an established risk management methodology should be followed and a level of risk tolerance should be defined, aligned with the organisation’s risk appetite. A critical stage is the establishment of appropriate risk criteria, which will allow for a consistent assessment of risk levels and the prioritisation of actions.

This approach requires consideration of all potential threats, including those associated with third-party activities and those that may lead to disruptions in the availability, integrity, authenticity or confidentiality of information systems. It is crucial to identify single points of failure that may pose a critical threat to the operation of the organisation’s infrastructure.

The process includes threat analysis taking into account their likelihood, potential impact and level of risk. For this purpose, available information on cyber threats and vulnerabilities is used. On the basis of this data, a risk assessment is carried out and appropriate options and countermeasures are identified. Next, the priorities for implementing these measures should be determined and their effectiveness continuously monitored.

An important stage of the process is assigning responsibility for implementing specific measures and establishing a schedule for carrying out the actions. All selected measures and actions should be documented in the risk treatment plan, together with the rationale for accepting residual risk, in a manner understandable to stakeholders.

Defining risk appetite and risk tolerance

One of the most important steps in the cyber risk management process is defining the organisation's risk appetite and the risk tolerance that follows from it. Risk appetite is the amount and type of risk the organisation is willing to pursue or retain in order to achieve its strategic and operational objectives; risk tolerance expresses that appetite as concrete, measurable limits for particular risks or metrics, i.e. how far results may deviate before action is required. Together they determine which threats the organisation accepts in exchange for the benefits and operational efficiency it is pursuing.

Examples of Risk Tolerance

  • Acceptable downtime for critical systems – e.g. a maximum of two hours per month, which helps minimize the impact of outages on operational activity.
  • Tolerance for the loss of data of low criticality – e.g. data loss for a period not exceeding 24 hours.
  • Maximum financial loss – which will not jeopardize the organization’s financial stability, e.g. up to PLN 100 000 in data recovery costs.
  • Readiness to invest a specified percentage of revenue in protective measures – e.g. 5% of annual revenue on security-related activities.
  • Compliance with regulatory obligations – even in the event of certain financial penalties or fines resulting from incidents.
  • Acceptance of isolated major incidents – e.g. tolerating one major incident every few years, provided that appropriate mechanisms are in place to reduce the risk of recurrence.
  • Acceptance of certain security vulnerabilities – e.g. keeping outdated software in service for a defined period, provided that it is monitored, any available patches are applied and the upgrade is scheduled.
  • Timeframes for incident response – e.g. a maximum of 48 hours to regain control of an incident.
  • Tolerating minor incidents – which may be treated as a natural part of day-to-day operations, provided that higher-priority threats are addressed first.

The definition of risk tolerance should be precisely tailored to the organisation's objectives, structure, resources and operational specifics. This enables better allocation of resources, increases transparency in decision-making, and makes it possible to respond effectively to incidents and threats in a changing cybersecurity environment. Tolerances expressed as time limits, such as 48 hours to regain control of an incident, must also fit the statutory reporting deadlines: under NIS2 an early warning of a significant incident is due within 24 hours of becoming aware of it and a full incident notification within 72 hours, so an internal containment target cannot be looser than the detection and triage needed to meet those deadlines.


Defining risk criteria in cybersecurity management

Risk criteria are a key element of cybersecurity management, as they make it possible to assess the significance of an identified risk and enable decision-making regarding preventive or mitigating measures. The definition of these criteria must be precisely tailored to the specific nature of the organisation’s operations, its objectives and its risk appetite.

Risk acceptance criteria indicate which threats the organisation is prepared to accept in the course of its operations, taking into account their potential impact and the costs of mitigating them.

Examples of risk acceptance criteria

  • Low-severity risks – accepting minor leaks that do not expose sensitive information and have a low probability of occurring (e.g. rare attacks). Note that any leak involving personal data must still be assessed and, where required, notified under the GDPR, regardless of how the risk register classifies it.
  • Risks whose mitigation costs exceed the potential impact – e.g. foregoing system modernisation where the cost of an update significantly exceeds the potential losses.
  • Temporary compliance risks – accepting minor non-compliance with regulations, provided that there is a plan to remedy it within a specified period (e.g. within six months).
  • Risks in systems or departments with a low level of criticality – e.g. in test environments that do not affect strategic business operations.
  • Security vulnerabilities – accepting outdated software for a specified period, provided that a plan for updating it is being implemented (e.g. within three months).
  • Minimal financial impact – accepting losses below a specified threshold (e.g. PLN 50,000) without the need for additional measures.
  • Stakeholder consent – accepting a risk after informing key stakeholders and obtaining their consent.
  • Residual risk – accepting a risk where existing measures (e.g. data encryption) reduce its likelihood or impact to an acceptable level.

By contrast, risk assessment criteria relate to the methodology for assessing threats.

Examples of cybersecurity risk assessment criteria

  • The significance of the assets to which the risk relates.
  • Impact of threats on systems and the data processed therein.
  • Network and system vulnerability to attacks.
  • Frequency of cyber incidents in a given environment.
  • Concerns or requirements of stakeholders that may affect decisions on how risk is managed.

The application of precisely defined risk criteria enables organisations to allocate resources more effectively, minimise potential losses and make decisions aligned with business and regulatory objectives.


Identifying threats in cybersecurity management

The first step in risk management in accordance with the NIS2 requirements, as incorporated into the KSC Act, is to prepare a detailed list of the main threats to the security of networks and information systems. This list should take into account not only the specific threats related to the assets within the scope of the analysis, but also threats that may affect the availability, integrity, authenticity and confidentiality of systems.

Each identified risk must be linked to at least one risk treatment option or a combination of such options. Importantly, these options should be based on the results of the risk assessment carried out and be consistent with the policy of the essential or important entity concerning the security of networks and information systems.

Developing a risk treatment plan

A risk treatment plan is an operational document containing detailed information on how to deal with threats. The plan should include:

  • identified risks,
  • appropriate measures and procedures to mitigate the threat,
  • implementation schedule for the measures,
  • assignment of responsibilities to the relevant individuals or teams,
  • measures for assessing the effectiveness of the implemented actions.

Assigning responsibility for implementing corrective measures

Implementing risk treatment plans requires a clear definition of responsibilities. Tasks should be assigned to specific individuals or teams who will be responsible for implementing corrective measures. Such assignment of responsibility ensures clarity in the implementation of actions and enables more effective monitoring of progress.

For risk management to be effective, it is necessary to continuously monitor threats and adjust risk treatment plans in response to changing conditions and new threats.
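To make the process flow, the acceptance criteria and the treatment plan fields above concrete, here is a small risk register in Python. It is an added illustration written for this article, not code from the page, from ENISA or from any standard. Everything quantitative in it is an assumption: the 5x5 likelihood-by-impact scale and its bands, the appetite limit of 7, the rule that a treatment costing more than the loss it prevents is accepted with sign-off, the rule that a single point of failure above appetite is never accepted on cost grounds, the 365-day review interval, and the sample risks R-01 to R-05 with their controls, owners and costs. The subtraction model for how a control lowers likelihood and impact is a deliberate simplification of whatever the organisation's own methodology prescribes.

```python
"""Risk scoring, acceptance criteria, treatment plan rows and review triggers. Added example for
this article, not code from the page or any standard; every scale, threshold and sample risk is assumed."""
from dataclasses import dataclass, field
from datetime import date, timedelta

EVALUATION_BANDS = ((15, "high"), (8, "medium"), (1, "low"))  # score = likelihood x impact
APPETITE_MAX_SCORE = 7                 # assumed acceptance criterion: residual <= 7 ("low")
REVIEW_INTERVAL = timedelta(days=365)  # "no less than once a year"

def band(score: int) -> str:
    """Map a 1-25 score onto the qualitative band defined by the evaluation criteria."""
    return next(name for threshold, name in EVALUATION_BANDS if score >= threshold)

@dataclass
class Control:
    name: str
    likelihood_reduction: int  # points taken off likelihood once in place (a simplification)
    impact_reduction: int      # points taken off impact once in place
    cost_pln: int
    owner: str                 # a role, so the assignment survives staff changes
    due: date
    effectiveness_check: str   # how the plan verifies that the control actually works

@dataclass
class Risk:
    ident: str
    asset: str
    threat: str
    likelihood: int            # 1-5
    impact: int                # 1-5
    expected_loss_pln: int     # loss if the threat materialises
    third_party: bool = False  # depends on a supplier or service provider
    single_point_of_failure: bool = False
    controls: list = field(default_factory=list)

    @property
    def inherent(self) -> int:
        return self.likelihood * self.impact

    @property
    def residual(self) -> int:
        """Score after the planned controls; each axis is floored at 1."""
        lik = max(1, self.likelihood - sum(c.likelihood_reduction for c in self.controls))
        imp = max(1, self.impact - sum(c.impact_reduction for c in self.controls))
        return lik * imp

def treatment_option(risk: Risk) -> str:
    """Acceptance criteria applied in order: within appetite, SPOF rule, cost versus loss."""
    if risk.residual <= APPETITE_MAX_SCORE:
        return "mitigate" if risk.controls else "accept"
    if risk.single_point_of_failure:
        return "mitigate-further"      # a SPOF above appetite is never accepted on cost grounds
    if sum(c.cost_pln for c in risk.controls) > risk.expected_loss_pln:
        return "accept-with-sign-off"  # treatment would cost more than the loss it prevents
    return "mitigate-further"

def treatment_plan_entry(risk: Risk, assessed: date) -> dict:
    """One row of the risk treatment plan, with the fields the article lists."""
    return {
        "risk": risk.ident, "asset": risk.asset, "threat": risk.threat,
        "inherent": f"{risk.inherent} ({band(risk.inherent)})",
        "residual": f"{risk.residual} ({band(risk.residual)})",
        "objective": f"residual score <= {APPETITE_MAX_SCORE}", "option": treatment_option(risk),
        "measures": [(c.name, c.effectiveness_check) for c in risk.controls],
        "schedule": {c.name: c.due.isoformat() for c in risk.controls},
        "owners": {c.name: c.owner for c in risk.controls},
        "cost_pln": sum(c.cost_pln for c in risk.controls), "third_party_dependency": risk.third_party,
        "residual_accepted_by": None,  # filled in at management sign-off, not by the register
        "next_review": (assessed + REVIEW_INTERVAL).isoformat(),
    }

def prioritise(risks: list) -> list:
    """Order of work: highest residual first, inherent score as the tie-breaker."""
    return [r.ident for r in sorted(risks, key=lambda r: (r.residual, r.inherent), reverse=True)]

def review_due(last_review: date, today: date, *, significant_change=False, serious_incident=False) -> bool:
    """Re-assess when the interval has elapsed, the business has changed, or a serious incident occurred."""
    return today - last_review >= REVIEW_INTERVAL or significant_change or serious_incident

# Constructed sample register; the figures are illustrative, not real data.
ASSESSED = date(2026, 3, 12)
SAMPLE = [
    Risk("R-01", "ERP server", "ransomware delivered by phishing", 4, 5, 400_000, controls=[
        Control("offline backups", 0, 3, 40_000, "IT operations", date(2026, 6, 30),
                "quarterly restore test of one production dataset"),
        Control("phishing-resistant MFA", 2, 0, 25_000, "IAM team", date(2026, 5, 31),
                "sample of 20 logins shows FIDO2 enforced")]),
    Risk("R-02", "hosted payroll", "provider outage", 2, 4, 30_000, third_party=True, controls=[
        Control("manual payroll run-book", 0, 1, 5_000, "HR lead", date(2026, 4, 30),
                "tabletop walk-through of the run-book")]),
    Risk("R-03", "test lab", "data loss", 3, 1, 5_000),
    Risk("R-04", "core switch", "hardware failure", 2, 5, 120_000, single_point_of_failure=True,
         controls=[Control("cold spare unit", 0, 1, 15_000, "Network team", date(2026, 4, 15),
                           "swap drill timed at under one hour")]),
    Risk("R-05", "legacy reporting app", "exploitation of an unpatched vulnerability", 4, 3, 20_000,
         controls=[Control("network segmentation", 1, 0, 30_000, "Network team", date(2026, 9, 30),
                           "scan from the user VLAN shows no reachable ports")]),
]

if __name__ == "__main__":
    print(*(treatment_plan_entry(r, ASSESSED) for r in SAMPLE), prioritise(SAMPLE), sep="\n")
```

Running the file prints one plan row per risk and the priority order. What the output makes visible that the prose does not: R-01 has the largest inherent score but, with both controls in place, drops within appetite and sits near the bottom of the work queue; R-04 stays above appetite even after the spare unit because it is a single point of failure; and R-05 ends up on the management sign-off list because the only remaining treatment costs more than the loss it prevents. The `residual_accepted_by` field is left empty on purpose: the register produces the proposal, and the sign-off by the management body is recorded separately.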

Documenting the cybersecurity risk management process

Cybersecurity risk management in accordance with the requirements of the KSC / NIS2 requires precise documentation of the entire process, taking into account all the key elements set out in the regulations. The documented process should be detailed, transparent and consistent with the risk management methodology adopted by the organisation.

Key Elements of Risk Management Process Documentation

  1. Risk management procedure

The documentation should include a detailed description of the risk management process, taking into account its stages, such as identification, analysis, assessment, risk treatment, as well as monitoring and review.

  2. Methodology and tools

The organisation should define and document the methodology and tools used in risk management. The documentation should cover:

  • identification and analysis of threats,
  • assessment of the risk level,
  • prioritisation of remedial actions,
  • monitoring and review of the effectiveness of the measures implemented.

  3. List of main threats

The risk analysis should include a list of the main threats to network and service security, such as vulnerabilities or dependencies on third parties. This list should be described at a high level, taking into account the potential impact of threats on the organisation’s operations.

  4. All-threats approach

Essential and important entities should apply a comprehensive approach to risk management, covering not only cyber threats but also natural, accidental or deliberate human actions. The key point is that the risk assessment should cover a broad range of potential threats, regardless of their source.

  5. Residual risk related to third parties

Essential and important entities should have evidence that the residual risk arising from dependencies on third parties has been identified and assessed, and that appropriate measures have been taken to minimise its impact.

Importance of risk management process documentation

Documenting the risk management process is not only a regulatory requirement, but also a practical tool ensuring transparency, consistency and effectiveness of actions. This enables organisations to respond more effectively to emerging threats and to ensure compliance with the NIS2 requirements set out in the Act on the National Cybersecurity System. It is essential for building stakeholder trust and increasing resilience to cyber incidents.


Setting priorities and selecting risk mitigation measures in accordance with the National Cybersecurity System Act / NIS2

In cybersecurity risk management, the fundamental step is identifying and prioritising measures to prevent threats. The provisions of the National Cybersecurity System Act / NIS2 indicate that remedial measures should be the result of a sound risk assessment and analysis of the effectiveness of existing procedures. The ultimate objective is to create a coherent protection system that addresses the organisation's current needs and allows for optimal use of resources.

Basic principles for identifying and prioritising actions

  1. Grounding actions in the results of the risk assessment

When setting priorities, organisations should rely on the results of previously conducted risk assessments. It is necessary to take into account:

  • an assessment of the effectiveness of the existing risk management measures,
  • an analysis of the impact of potential threats on operations,
  • an asset classification that makes it possible to determine their criticality.

  2. Analysis of implementation costs and benefits

When selecting mitigation measures, the ratio of implementation costs to expected benefits should be carefully analysed. For example, if the costs of introducing advanced tools exceed the potential losses resulting from the threat, the organisation may consider alternative solutions.

  3. A holistic approach to threats

The regulations of the National Cybersecurity System Act / NIS2 recommend that risk assessment should not be limited solely to cyber threats. The analysis should also take into account other types of threats, e.g. incidents resulting from human error, infrastructure failures or natural disasters.

Actions worth taking as part of implementing the National Cybersecurity System Act / NIS2

The guidance set out in KSC / NIS2 highlights the importance of clear procedures and documentation. Organisations should:

  • develop detailed guidance for staff on risk assessment,
  • document decisions regarding the prioritisation of actions,
  • carry out cost-benefit analyses for each countermeasure,
  • prepare a detailed classification of assets together with the protection measures assigned to them.

Review of the results of the risk assessment and the risk treatment plan

Organisations required to comply with the NIS2 requirements set out in the Act on the National Cybersecurity System must regularly review the results of the risk assessment and the risk treatment plan, and also – where necessary –  update those results. The review process should take place at planned intervals, no less than once a year. In addition, updates are required where there are significant changes in the organisation’s activities or in the nature of the risks, as well as serious incidents that may affect the security of networks and IT systems. Thanks to regular reviews, risk management plans remain adequate to current challenges and to the dynamically changing threat environment.

How to carry out a review of the results of the risk assessment and the risk treatment plan

A regular review of the results of the risk assessment and the risk treatment plan, conducted at least once a year, is a prerequisite for effective information security management within the system provided for in the KSC / NIS2 Act. This process should take into account various aspects that may affect the level of risk and the effectiveness of preventive measures.

The review should be based on an analysis of the results of previous audits and reviews, which provide information on the extent to which planned actions have been implemented. It is also necessary to take into account the implementation status of the measures identified in the risk treatment plan and any changes in IT systems and in the organisation’s operational environment.

Findings arising from post-incident reviews are also important. Such findings make it possible to identify gaps in current procedures and to implement improvements. It is also important to monitor trends related to new threats and vulnerabilities in order to adapt mitigation measures to a dynamically changing environment.

Documenting the review of risk assessment results and the risk treatment plan

Documenting the review of risk assessment results and the risk treatment plan is fundamental to maintaining transparency and ensuring compliance with the NIS2 requirements set out in the Act on the National Cybersecurity System. Particular attention should be paid to recording key information and the outcomes of reviews. This makes it possible to systematically monitor changes and assess the effectiveness of the measures implemented.

The documentation should include details concerning:

  • comments and change logs relating to the risk assessment results and the implementation of the measures planned in the risk treatment plan,
  • review findings, including audit conclusions, the status of action implementation and changes in systems and the operational environment,
  • results of trend analysis, such as new threats, identified weaknesses and potential risks arising from the evolution of the technological environment.

The documentation should be maintained systematically so as to ensure easy access to records and enable their verification. This approach to documentation enables the organisation not only to effectively manage risk, but also to prepare for possible compliance inspections with the NIS2 requirements set out in the KSC. In addition, it enables a swift response if changes need to be made to the security strategy.

Mapping to standards

Standard            Requirements
ISO/IEC 27001:2022  6.1, 6.1.2, 6.1.3, 6.2, 8.2, 8.3, A.5.7, A.5.19, A.5.20, A.5.21
NIST CSF v2.0       ID.RA-01, ID.RA-02, ID.RA-03, ID.RA-04, ID.RA-05, ID.RA-06, GV.RM-03, ID.RM-01, GV.RM-06, GV.RR-03, ID.IM-01, ID.IM-02, ID.IM-03, ID.IM-04

Compliance monitoring – requirements

In accordance with the provisions of the KSC Act / NIS2, essential and important entities are required to regularly review the compliance of their network and information systems security policies, as well as their thematic policies. This process is intended to ensure the ongoing alignment of the adopted documents with current requirements and the actual needs of the organisation. The results of these reviews are presented to management bodies in the form of regular reports, which provide a comprehensive overview of the state of network and information security within the organisation. Regular reporting enables management to make informed decisions regarding the further enhancement of the security strategy.

Recommendations concerning compliance monitoring

To effectively report on the state of system security, organizations should create a uniform report template for the management board. The report should include the most important security indicators, information on compliance with policies, a description of identified threats, and proposed actions. This enables the management board to make informed decisions regarding further risk management.

Management board reports should be prepared and presented at least once a year. Such periodicity ensures regular review of the situation and enables a swift response to changing threats and the needs of the organization. A standard reporting format not only facilitates comparison of results over time, but also supports transparency in communication at management level.

Documenting the compliance monitoring process

Current compliance review reports are a key element of the organisation’s security management process documentation. These reports should include detailed information on the level of compliance with the adopted policies, principles and standards regarding network and information systems security. Regular reviews and updates of the reports not only make it possible to identify areas requiring improvement, but also to present management with a complete picture of the organisation’s security status. In this way, management is supported in making strategic decisions.

Method of reporting compliance to management

Organisations must implement a compliance reporting system that is tailored to their structure, operations and the nature of the threats they face. Such a system is not merely a formality – it is the basis for effective risk and security management. Its purpose is to provide management with a clear picture of the situation, enabling decisions to be made based on facts. The system should be practical and flexible so that it can respond to changing threats, while at the same time avoiding unnecessary bureaucracy.

Procedures relating to reporting

Establishing effective compliance monitoring procedures is a key element of security management within an organisation. These procedures should be clearly defined and cover both the objectives and the overall approach to monitoring compliance with the adopted security policies.

Requirements under reporting procedures

  • Objectives and approach – clearly defined monitoring objectives, such as identifying risk areas or ensuring regulatory compliance, and the overall approach that the organisation intends to adopt in carrying out this process.
  • Policies covered by monitoring – a list of security policies that are critical to the organisation’s operations and that should be regularly reviewed.
  • Frequency of reviews – a compliance review schedule taking into account the nature of the business and the degree of risk,
  • Responsibility for reviews – determining who conducts the reviews (these may be internal teams of the organisation or external auditors, depending on the organisation’s needs and complexity).
  • Report templates – standardised compliance review report formats that ensure transparency and consistency of findings.

After carrying out the reviews, it is necessary to analyse and assess the results obtained. This stage makes it possible to identify areas requiring improvement and to develop corrective actions that will increase the organisation’s security level.


Documenting procedures related to compliance monitoring

Effective compliance monitoring requires thoroughly documented procedures that set the framework for the organisation’s activities in the area of risk management. This documentation should include not only a description of the monitoring process itself, but also the results of analyses and assessments of the compliance status and current risk management.

An important element of the documentation is detailed compliance monitoring plans, which define the organisation’s long-term objectives and the manner in which they are to be achieved. These plans, developed at a high strategic level, enable a systematic approach to monitoring and improving compliance with internal policies and external regulations.

Regularly updating the documentation and analysing the results of compliance reviews ensure that the organisation is able to respond quickly to changing threats and operational conditions. As a result, the documentation becomes not only a formal requirement, but also a practical tool supporting decision-making processes and building resilience to threats.

Frequency of compliance monitoring

Compliance monitoring should take place in the organisation at least once a year. This is the minimum standard required within cyber security risk management. In the compliance monitoring process, it is crucial to take into account factors such as significant incidents, changes in the operational environment, the evolution of the threat landscape, and new legal and regulatory requirements. In addition, changes to policies concerning the security of networks and information systems – both general and thematic – are also important.

Monitoring cannot be limited to the analysis of past incidents. It should also include an assessment of the effectiveness of the implemented protective measures and their adjustment to current threats and the organisation’s needs. Examples of evidence of effective monitoring may include remedial actions resulting from assessments and tests, including modifications to existing protective measures introduced following an analysis of their effectiveness.

Standard            Requirements
ISO/IEC 27001:2022  9.2, A.5.31, A.5.35, A.5.36
NIST CSF v2.0       GV.OV-02, ID.IM-01, ID.IM-02, ID.IM-03, ID.IM-04

Independent review of information and network security

Essential and important entities are required to carry out independent reviews of their approach to managing network and information systems security. These reviews cover all the key elements: the people, processes and technologies that together form the security management system.

The purpose of such a review is to provide an objective assessment of the effectiveness of the solutions implemented, identify potential gaps and assess compliance with applicable regulations and internal policies. This process also makes it possible to verify whether the practices applied correspond to the organisation's current threats and operational requirements.

The independent nature of the reviews – carried out by internal or external auditors – ensures objectivity and reliability of the conclusions. This is an essential condition for implementing remedial actions and improving the security system. These reviews are not only a regulatory requirement, but also a practical tool that supports organisations in maintaining a high level of protection.

Requirements for auditors

Conducting an independent review of network and information systems security management requires the involvement of people with appropriate competences. Only then can the review provide valuable and reliable conclusions that will help improve the risk management system.

The basis of auditors' competence is their professional experience in implementing projects related to cybersecurity, risk assessment and regulatory compliance. Practical knowledge of these areas makes it possible to effectively identify threats and assess the effectiveness of the security measures implemented. Equally important is education in the field of computer science, information security or risk management. Thanks to their theoretical preparation, auditors rely on best practices and international standards such as ISO/IEC 27001 or NIST in their work.

The combination of experience and academic knowledge enables auditors to conduct an in-depth analysis of technical, procedural and organisational aspects during the review process. As a result, audit findings not only identify security gaps, but also provide practical recommendations that organisations can effectively implement.

Auditors’ competencies

  • Technical knowledge in the field of cybersecurity – including familiarity with frameworks such as ISO/IEC 27001 or NIST, which define best practices in this area.
  • Knowledge of industry-specific characteristics – which makes it possible to take into account the unique operational aspects and risks characteristic of a given sector.
  • Risk assessment skills – enabling the identification, analysis and evaluation of threats in a manner consistent with regulatory requirements and the organisation’s needs.
  • Knowledge of laws and regulations – such as the Act on the National Cybersecurity System (KSC), the NIS2 Directive, GDPR or DORA, in order to ensure compliance with legal requirements and industry standards.
  • Knowledge of audit best practices – which allows for a systematic and objective approach to conducting reviews.

Auditors’ fulfilment of these criteria is necessary in order to obtain reliable review results. Only then can they form the basis for corrective actions and further development of the security system. Selecting a competent audit provider is therefore the foundation of effective security management within an organisation.

Auditors’ independence

Essential and important entities are required to develop and maintain processes for conducting independent security management reviews. If reviews are carried out by employees of the organisation, they must act independently of the area that is being reviewed. This means that they cannot be subordinate to the authority of the persons whose work they will assess. This helps avoid conflicts of interest and ensures the objectivity of the assessment.

In the case of smaller entities, where a full separation of reporting lines may be difficult, alternative measures should be implemented, such as engaging external experts or applying internal procedures ensuring impartiality. This approach makes it possible to carry out reliable reviews, regardless of the organisation’s structural constraints.

Key elements of the audit process

To ensure effectiveness and objectivity in the management of network and information systems security, organisations must develop a clearly defined process for conducting independent audits.

Audit process elements ensuring its effectiveness and regulatory compliance

  • Scope and purpose of the audit – the organisation should clearly define whether audits are to focus on regulatory compliance, risk assessment, adherence to security policies, or other aspects important to the entity’s operations.
  • Audit methodology – the audit process may be based on a standard checklist, industry standards (e.g. ISO/IEC 27001), or take an ad hoc form in response to current needs.
  • Audit committee – in the case of larger organisations, an audit committee may oversee the audit process, ensuring its compliance with policies and regulations.
  • Audit frequency – audits should be conducted regularly, and the schedule for their implementation must take into account the specifics of the business and the level of risk.
  • Independence of audits – it should be precisely determined whether reviews will be carried out by internal teams or external auditors, while it is essential to ensure the independence of the persons conducting the audit from the area subject to their assessment.
  • Report templates – standardized audit report templates make it possible to present findings and recommendations in a clear and transparent manner.

Documents necessary in the audit process

In order for independent network and information security audits to be effective and credible, organisations must ensure proper documentation of the entire process. It is necessary not only to describe the procedures, but also to include elements that ensure transparency and impartiality of the activities.

The basic document is a detailed description of the audit process. This description defines the scope of activities, methodology and schedule. A clearly defined process helps avoid inconsistencies and ensures a uniform approach to all audits carried out.

An important part of the documentation are declarations of no conflict of interest submitted by persons involved in the review. Such declarations eliminate doubts as to the independence of the assessment and strengthen the credibility of the results.

If the organisation uses the services of external providers, it is necessary to prepare formal agreements specifying the rules of cooperation, the scope of responsibilities and expectations towards the auditors. Such documents guarantee that the external review will be carried out in accordance with regulatory requirements and the organisation's internal standards.

Detailed review plans are also necessary. They should include objectives, a list of resources involved, the schedule of activities and the expected outcomes. These plans serve as a practical audit management tool, ensuring timeliness and consistency with the intended objectives.

Reporting the results of independent reviews and taking corrective action

The results of independent reviews concerning the state of compliance with the requirements of NIS2, set out in the Act on the national cybersecurity system, together with information on the status of implementation of these requirements, must be communicated to the management board. This gives it a complete picture of the organisation's security posture and enables it to make informed decisions.

On the basis of the presented results, the management board may decide to take remedial actions in order to eliminate the identified gaps and threats. Alternatively, if the risk is assessed as acceptable in accordance with the established risk acceptance criteria, it may be formally accepted as residual risk.

Such a process not only increases the transparency of the organisation’s activities, but also enables effective risk management based on actual data and the results of independent analyses. Regular reporting to management bodies forms the foundation of a responsible and proactive approach to network and information systems security.

Report structure for management bodies

The analysis and assessment of the results of independent reviews of the management of network and information systems security is the most important stage of the audit process. These results should be systematically reported to management bodies. This enables the organisation to ensure transparency and make informed decisions.

In order for reports to be clear and useful, they should have a standardised format. The structure of such a document consists of the following elements:

  • summary – a concise description of the scope of the review and the most important findings requiring the management board’s attention,
  • methodology – information on the standards and audit methods adopted, which lend credibility to the results,
  • detailed findings – a description of the identified gaps, non-compliances and their potential consequences for the organisation’s security,
  • recommendations – specific remedial actions that will enable the identified issues to be eliminated,
  • conclusions – a summary of the results and their significance for strategic risk management.

Frequency of review reporting

Reports from independent reviews should be generated and submitted to management bodies at least once a year. Such regularity provides continuous insight into the security status and allows for a prompt response to changing threats and the organisation’s needs.

Remedial actions and residual risk

On the basis of the report, the organisation should take remedial actions aimed at removing the identified non-compliances and gaps. Where the risk cannot be eliminated, it must be formally accepted as residual risk, in accordance with the established risk acceptance criteria. These decisions should be properly justified, and their documentation should form an integral part of the risk management process.

Documenting the Results of Reviews and Remedial Actions in Security Management

As part of independent security management reviews, organisations are required to document precisely the results of those reviews as well as the actions taken in response to identified threats.

Contents of the Documentation of Review Results and Remedial Actions

  1. Analysis and Assessment of Review Results

The review results must be described in detail, taking into account any remaining threats and their potential impact on the organisation. The documentation should clearly specify which areas require improvement and what actions are recommended.

  2. Minutes of the Audit Committee Meetings

The minutes contain records of the discussions and decisions made during audit committee meetings. They constitute formal evidence of the decision-making process. They should include the necessary recommendations and actions approved by the committee.

  3. Evidence of Remedial Actions Taken

All remedial actions arising from reviews and tests must be documented. This includes describing:

  • changes introduced to security measures,
  • the implementation schedule,
  • the assessment of the effectiveness of those actions.

  4. Latest Monitoring and Compliance Audit Results

The results of ongoing monitoring activities and audits must be retained and updated regularly. They constitute an important element of the review, as they make it possible to assess the effectiveness of the implemented measures and to identify new threats.

Frequency of Independent Security Reviews

Independent reviews of the management of network and information systems security should be conducted regularly, at least once a year. This frequency may be increased when significant events or changes occur, such as:

  • major security incidents,
  • changes in the operating environment,
  • new threats in the cybersecurity landscape,
  • changes in legal and regulatory requirements,
  • modifications to network and information systems security policies.

Evidence of independent security reviews

To confirm that independent reviews have been conducted, organisations should document:

  • review reports – containing detailed findings, recommendations, and a description of the actions taken in response to the review results,
  • summaries of previous reviews – showing their scope, frequency, and key conclusions,
  • incident logs – including documentation of significant security events that occurred over the past year, together with the analyses performed and remedial actions taken,
  • annual review plans – specifying the scope, schedule and measures covered by the assessment as part of the independent reviews.

Regular and well-documented audits not only ensure compliance with the NIS2 requirements set out in the Act on the National Cybersecurity System (KSC), but also enable the organisation to manage risk proactively, respond quickly to changes and effectively eliminate security gaps. Such practice builds confidence in the organisation's systems among both stakeholders and regulators.

Standards and frameworks

  • ISO 27001:2022 – requirements 9.2, 10.1, A.5.35, A.8.34
  • NIST CSF v2.0 – requirements GV.OV-02, ID.IM-01

Where should implementation of KSC / NIS2 begin?

Implementation of KSC / NIS2 should begin with a risk analysis – this is the first and key step that makes it possible to identify assets, threats, and security gaps.

Why is this so important?

The requirements of NIS2 set out in the KSC Act, similarly to GDPR, do not specify particular protective measures – it is you, on the basis of the risk analysis carried out, who must determine appropriate safeguards.

The next steps in KSC / NIS2 implementation are:

1. Technical safeguards

Investments in specific technologies and protective tools. KSC / NIS2 requires real, "hard" security, not just documentation.

2. Organizational safeguards

Development and implementation of procedures required by KSC / NIS2. Thanks to them, employees will know how to operate safely within the IT infrastructure.

3. Training

Regular education of employees and management, which will ensure awareness of roles, responsibilities, and security rules. This is a direct requirement of the KSC / NIS2 Act.

To sum up: start with risk analysis, and only then ensure appropriate technical and organizational safeguards and training.
