The Act on the National Cybersecurity System (UKSC) implements the NIS2 Directive and introduces new obligations for critical and important operators.
A Zero Audit provides an organization with a clear picture of where it stands today, what is missing, and what needs to be done to meet the Act’s requirements.
Is your organization subject to the UKSC?
The UKSC applies to organisations operating in the sectors listed in Annex 1 (key) or Annex 2 (important) of the Act that exceed the threshold for a medium-sized enterprise. For some categories, the threshold is lower or does not apply, in particular for managed security service providers (MSSPs).
The first step is the organization assessment, which we provide as a separate service or as part of a zero audit.
entry in the list of key and important operators
implementation of the procedures set forth in Article 8 of the UKSC
a compliance audit for key entities (Article 15 of the UKSC)
Starting at 3 800 EUR net.
Additional work outside the agreed-upon scope is billed on a time-and-materials basis.
8 working days of a cybersecurity consultant’s time spent reviewing the provided documentation (policies, procedures, BCP, supplier contracts). We review up to 300 pages as part of the standard scope.
A series of 4 meetings (up to 2 hours each) with individuals responsible for IT, security, and business processes to verify the assumptions in the documentation against actual practice.
UKSC compliance map, prioritized list of gaps, and implementation schedule. We identify which areas require improvement and which need to be created from scratch.
Estimated workload and cost of the implementation phase. A starting point for planning the budget to achieve compliance.
We verify whether the entity is subject to the UKSC and whether it qualifies as a significant or critical entity.
We identify gaps and create a roadmap along with a work schedule.
Together with the client’s team, we create or adapt policies and procedures, support management, prepare for integration with the S46 system, and advise on the implementation of technical measures.
This phase is priced separately — based on the results of the baseline audit..
Q:
An assessment of compliance with UKSC requirements, broken down by area, a compliance map, gap priorities, and an implementation roadmap. It is a technical and organizational document that outlines what needs to be implemented, modified, or supplemented.
Q:
No. The zero audit involves identifying gaps and providing recommendations. The development of policies and procedures is a separate phase (implementation), which is priced separately after the audit is completed.
Q:
Security policies, incident management procedures, an asset inventory, a risk analysis, business continuity plans (BCP/DRP), supplier contract templates, reports from previous audits, and information identifying the entity (KRS, NIP, organizational structure). We will confirm the full list after the contract is signed.
Q:
The initial audit is the first stage. The client receives an action plan that must be implemented (policies, procedures, technical measures, training, integration with the system under Article 46(1) of the UKSC). Full compliance with the requirements is achieved once all recommendations have been implemented within the timeframe specified by law.
Q:
Key operators are subject to stricter oversight and more severe penalties. Their status depends on the sector (Appendix 1 or 2 of the UKSC) and the size of the entity. We verify this as part of the qualification process.
Q:
Yes, in terms of compliance with the NIS2 Directive. Classification under local implementations of the Directive in other member states requires a case-by-case assessment.