Preparing a public organization to meet NIS2 requirements.

Sector: Public Administration (City Hall)

Context: NIS2 / KSC / Cybersecurity for Public Institutions

Scope: Testing → Training → Materials → Audit Preparation

Status: Ongoing Process (Next Stage: Audit)

Context

Due to increasing cybersecurity demands and the implementation of the NIS2 directive, the city hall has initiated efforts to enhance organizational security and prepare the team for new responsibilities.

The key challenge was:

• raising team awareness,
  
  
  

• embedding regulatory requirements in real threats,
  
  
  

• preparing the organization for further stages of NIS2 implementation.
  
  
  

The city hall was not looking for a one-off training but a partner to guide them step by step.

Challenges

• varying levels of cybersecurity knowledge among employees,
  
  
  

• formal NIS2 and KSC requirements difficult to translate into everyday practice,
  
  
  

• need for team engagement beyond merely ticking off obligations,
  
  
  

• lack of reference materials for future work (policies, procedures).
  
  
  

SPIREE's Approach

SPIREE proposed a process-based approach where training is grounded in reality and stems from genuine organizational challenges.

SPIREE's Actions – Step by Step

1. Penetration Testing Before Training

Before training began, SPIREE conducted penetration tests to:

• identify real gaps and vulnerabilities,
  
  
  

• understand the environment's specifics,
  
  
  

• base further actions on facts rather than theories.
  
  
  

This ensured the training addressed actual challenges instead of general examples.

2. Team Training

Based on test results, SPIREE conducted training for the city hall team, covering:

• current threats (phishing, user-targeted attacks, infrastructure weak points),
  
  
  

• employees' roles in the context of NIS2 and KSC,
  
  
  

• practical scenarios and examples,
  
  
  

• discussion of real errors and best practices.
  
  
  

Trainings were tailored to the audience and delivered in straightforward, understandable language.

3. Materials for Policies and Procedures

Post training, SPIREE prepared:

• materials to support the creation of security policies,
  
  
  

• organizational recommendations,
  
  
  

• guidelines for further actions aligned with NIS2.
  
  
  

These materials became the starting point for further cybersecurity organization within the city hall.

4. Next Stage: Audit

Based on completed actions, the next step — an audit — was planned, which will:

• formally assess compliance with requirements,
  
  
  

• verify implemented changes,
  
  
  

• highlight priorities for further stages of NIS2 implementation.
  
  
  

Results of Actions So Far

• increased team awareness of cyber threats,
  
  
  

• training based on real rather than theoretical problems,
  
  
  

• better preparation of the organization for NIS2 and KSC requirements,
  
  
  

• an organized plan for future steps,
  
  
  

• a solid foundation for a formal audit.
  
  
  

Why This Case Is Important

This example demonstrates that:

• preparing for NIS2 is a process, not a one-time action,
  
  
  

• training is effective only when it stems from real tests,
  
  
  

• regulations can be implemented calmly and sensibly,
  
  
  

• cybersecurity in the public sector begins with people, not documents.
  
  
  

SPIREE's Conclusion

Compliance with NIS2 starts with understanding real threats and the people who manage them.
At SPIREE, we help organizations navigate regulations step by step — without chaos and without fear.

CTA Under Case Study

👉 Preparing your organization for NIS2? Let's discuss the next steps.

*“The case study presents a real action scenario based on SPIREE's team's experience, anonymized for client security.”