NIS2 compliance audit for a Krakow data center
We conducted a full verification of procedures. We detected 12 critical gaps before the official inspection, saving the client potential fines.
KrakowData Hub had to adapt to the NIS2 directive before the end of 2024. At Srivakula Gov Affairs, we scrutinized their documentation and real procedures to avoid financial penalties reaching millions of zlotys. We focused on facts, not theory.
The challenge
The client was operating on documentation from March 2019, which did not meet the new cybersecurity requirements at all. The biggest problem was the lack of supply-chain risk management procedures — the company cooperated with 24 external IT providers without any oversight of their security.
The board feared fines, which under the new regulations can amount to up to 1.4% of global turnover. Time was short because the state inspection had been announced for mid-January 2025. The technical systems were sound, but at the level of paperwork and procedures there was chaos that disqualified the company in the eyes of the law.
Our approach
We sent a 3-person team to the client's headquarters at ul. Medweckiego in Kraków for 14 days of intense work. Instead of writing general reports, we conducted interviews with 9 key employees, from admins to the HR department.
We applied our principle: we check facts, not assumptions. We analyzed access logs from the last 6 months and compared them with the declared password policy. It turned out that theory diverged from practice in 47% of cases. We worked directly with the IT department to fix these errors on the fly, rather than merely writing about them.
The solution
We prepared 8 specific security policies that can actually be implemented, not just signed. We rebuilt the incident reporting scheme so that it fits within the statutory deadline of 24 hours from detection of an attack.
We introduced an IT provider evaluation system, dividing providers into 3 risk groups. Each of the 24 contractors had to fill out our proprietary compliance survey, which allowed us to eliminate 2 companies with glaringly low security levels. We also trained 43 employees in phishing protection, using examples from their daily work rather than slides from the internet.
Results
The January state inspection ended with a positive result without any reservations. KrakowData Hub became a compliance leader in the region, which they used to acquire 2 new clients from the financial sector.
Timeline
- November 2024: Opening workshops and verification of 24 external providers.
- November 2024: Technical review of access procedures in the data center.
- December 2024: Implementation of 8 new policies and personnel training.
- December 2024: Final report and simulation of the official inspection.
"Srivakula Gov Affairs found errors in our contracts with providers that we had no idea about. Thanks to them, we passed the inspection without stress and didn't lose a single zloty on fines."