NIS2 Compliance Audit

Support in implementing NIS2 in line with the requirements of the National Cybersecurity System.

What is the NIS2 Directive? 

The NIS2 Directive (Network and Information Security) is a European Union legal act aimed at increasing the cybersecurity level across the EU. It introduces new obligations for organizations operating in essential and important sectors such as energy, transport, banking, digital infrastructure or healthcare. Its goal is to establish a common, high level of network and information systems security across all Member States.

The amendment to the Polish National Cybersecurity System (NCS), which implements the NIS2 Directive in Poland, introduces new cybersecurity management requirements for public institutions, local government units, operators of essential services and public utility entities starting 3 April 2026.

NIS2 - new obligations

The new regulations require a systemic approach to cybersecurity management, including:

  • ICT risk management
  • an incident reporting system
  • adequate security procedures
  • access control to systems and data
  • employee and management training

Lack of preparation may result in a high risk of cyberattacks, management liability and regulatory sanctions.

Crowe experts support public sector entities in fully aligning with NIS2 and NCS requirements - from diagnosing the current security level to implementing effective procedures and technological solutions.

See how we can support your NIS2 implementation

Who does the NIS2 Directive apply to?

Our offer is designed for organizations that will be covered by the new cybersecurity regulations.

Public sector entities

  • government administration
  • local government units
  • municipal and city offices
  • public institutions and state agencies

Public utility entities

  • water and energy utilities
  • public transport
  • critical infrastructure operators

Organizations covered by NIS2

  • operators of essential services
  • digital service providers
  • institutions managing IT systems for the public sector

Check whether your organization falls under NIS2

Sign up for a consultation

NIS2 - How we support public institutions

Many public institutions face similar cybersecurity challenges.

Lack of preparation for NIS2 and NCS requirements

Organizations often do not yet fully understand the scope of new obligations and the necessary organizational and technological changes.

Lack of a coherent cybersecurity management system

IT security may be decentralized, with no formal risk management system or incident response procedures.

Insufficient security procedures

Missing security policies, incident response plans, access management rules or system resilience testing.

Limited resources and competencies

Many public sector units do not have internal cybersecurity teams.

Growing risk of cyberattacks

The public sector remains one of the most frequently targeted areas of digital infrastructure.

Our support helps identify risks, streamline processes and implement solutions compliant with regulatory requirements and cybersecurity best practices.

What does our support include?

We provide comprehensive cybersecurity services for the public sector - from audits to implementation and ongoing development of security systems.

1. Cybersecurity audit and NIS2 compliance assessment

We begin with a detailed diagnosis of the organization’s current security level.

Audit scope includes:

  • NIS2 and NCS compliance assessment
  • evaluation of IT systems and infrastructure
  • cybersecurity risk analysis
  • review of security procedures and policies
  • organizational maturity assessment

The result is a report with recommendations and an implementation roadmap.

Order a cybersecurity audit and assess your organization’s readiness for NIS2.

2. Building a cybersecurity management system

We help organizations create a comprehensive information security management system aligned with best practices and standards.

Scope includes:

  • development of security policies
  • incident response procedures
  • cybersecurity risk management
  • identity and access management
  • business continuity procedures

The system may be based on standards such as ISO 27001, NIST or NIS2 guidelines.

3. Implementation of technological solutions

We support the selection and deployment of tools that enhance an organization’s security level.

This includes:

  • security monitoring
  • incident detection systems
  • IT infrastructure protection
  • identity and access management
  • critical data and system protection

 

4. Training and cybersecurity awareness building

Employee and management awareness is one of the key security elements.

We run training for:

  • public administration employees
  • IT teams
  • management

Training covers:

  • identifying cyber threats
  • incident response procedures
  • NIS2-related obligations


Why public institutions choose Crowe:

| Our strengths | What it means to your organization |
| --- | --- |
| Experience in regulated sectors | We understand regulatory requirements and public sector specifics. |
| Comprehensive 360° approach | From audit and risk assessment to procedures and technology implementation. |
| Proven audit methodologies | Proprietary checklists, compliance matrices and maturity models. |
| International standards | Projects aligned with ISO and Crowe Global standards. |
| Interdisciplinary team | Cybersecurity, IT audit, risk management and regulatory experts. |

Our experts

Projects are delivered by specialists in:

  • cybersecurity
  • IT audit
  • risk management
  • public sector regulations
  • information security system implementation

We combine technological, regulatory and audit competencies, enabling effective support for organizations adapting to NIS2 requirements.

NIS2 and NCS - Frequently Asked Questions (FAQ)

When do the new NCS regulations implementing NIS2 come into force?

The amendment to the National Cybersecurity System implementing NIS2 enters into force on 3 April 2026.

The new rules expand the scope of entities subject to cybersecurity obligations and introduce more stringent risk management and incident reporting requirements.

What are the key obligations under NIS2?

They include:

  • cybersecurity risk management
  • implementation of adequate technical and organizational measures
  • incident reporting
  • security documentation
  • employee training

Do local government units fall under the NIS2 Directive?

Yes. Many public sector entities - including municipal offices, municipal companies, and organizations providing public services - may be subject to the obligations arising from the NIS2 Directive and the amended Act on the national cybersecurity system.

How long does NIS2 preparation take?

It depends on the organization’s cybersecurity maturity. In many cases, the adaptation process takes from several weeks to several months, including audit, procedural development and implementation of organizational and technological changes.

Is ISO 27001 certification required?

Not always.

However, ISO 27001 is often used as a proven framework for building an information security management system aligned with NIS2.

Prepare your organization for NIS2

The new cybersecurity regulations will require a systematic approach to risk management and IT security in the public sector and other entities covered by the NIS2 Directive.

Crowe experts will help your organization:

  • assess its cybersecurity level
  • prepare for NIS2 requirements
  • implement an effective security management system

Contact our team and start preparing for NIS2 today.

Our expert

Jacek Włodarczyk
Senior Manager
Crowe
