NIS2 / DORA / KSC gap analysis
We map the regulatory requirements onto the current state of the client's SAP systems. The result is a list of gaps with a risk assessment, priority and recommended action.
We map the obligations arising from NIS2, DORA and KSC onto the client's specific SAP systems: controls, evidence, procedures, documentation and operational responsibilities.
We help prepare the organisation for audit well in advance - before documentation, evidence and processes need to be scrambled together in the final month before inspection.
An audit identifies gaps, assigns them priorities and plans remediation. This allows the organisation to prepare documentation, control evidence and an action plan ahead of an audit, rather than only during it.
Every gap receives a time and cost estimate for remediation. The board can make an informed decision on which actions to take immediately, which to schedule for the next quarter, and which to include in the following budget.
We prepare policies, procedures, registers and control evidence relating to SAP systems. SNOK also supports the preparation of responses, explanations and technical evidence for audit purposes.
NIS2, DORA and KSC introduce obligations covering risk management, business continuity, ICT security, incident handling and supplier oversight. A preventive audit helps reduce the risk of non-compliance, remediation costs and regulatory sanctions.
We identify which actions must be taken immediately, which within the next quarter, and which over a longer horizon. Each action is described with an estimate of time, cost and risk impact.
We prepare or update the documentation required in the SAP domain: SAP security policy, incident response procedures, an asset register, an incident register, a supplier register and control evidence.
We create a table of technical and organisational controls mapped to NIS2, DORA, KSC and the applicable security standards. Within SAP this includes SecurityBridge, bowbridge, authorisations, audit log, monitoring, change management and incident response procedures, among others.
We prepare the organisation for discussions with the auditor, compile technical evidence, and support the client's team in explaining the controls covering SAP systems.
We carry out an annual or half-yearly compliance review. We check whether controls are still working, whether documentation remains current, and whether new requirements or changes to the SAP environment require further action.
A compliance audit begins with a workshop with the client's team. We establish the scale of the SAP landscape, process criticality, data classification, existing controls, documentation and responsibilities across IT, SAP, security and compliance.
We then carry out a two-track gap analysis. The technical track covers SAP configuration, authorisations, audit log, monitoring, transports, custom code, integrations and security tooling. The procedural track covers policies, procedures, registers, control evidence and the incident management process.
The final report contains a map of gaps, a risk assessment, a remediation plan, time and cost estimates, action prioritisation and recommendations for the teams responsible for SAP, security, compliance and risk management.
Technology stack
Partnerships backed by our team's certifications. Full authorisation for delivery and support.
Essential service operator - energy sector
A full NIS2 compliance audit of the SAP landscape and a remediation plan spread across three quarters.
Bank in the financial sector
A DORA audit for SAP and integration of the audit findings with the ICT risk management framework.
Public sector
A KSC audit for SAP within a critical entity, and preparation of technical and organisational documentation for security stakeholders.
Deadlines and obligations should be verified against the current wording of the regulation and the status of the Polish implementation of NIS2. From an SAP perspective, preparation is worth starting well in advance, since organising controls, documentation, evidence and technical remediation usually takes several months.
DORA applies directly to the financial sector, including banks, insurers, investment firms, crypto-asset providers and selected critical ICT suppliers. In SAP environments, particular attention should be paid to controls covering ICT risk management, business continuity, incidents, suppliers and operational resilience testing.
The scope of sanctions depends on the specific regulation, the type of organisation, the nature of the breach and the decision of the competent authority. In practice, the greater operational risk can be the need for rapid remediation, audit pressure, board liability and disruption to critical processes.
An SNOK compliance audit is a gap analysis and action plan. It does not replace an audit by an authorised body or a regulator's decision, but it helps prepare the organisation, its documentation and technical evidence, reducing the risk of critical gaps being found during an external audit.