Insights

Writing on our work

Observations from current engagements, opinion on industry developments, and the occasional longer essay.

2026-03-28 · Anna Kowalska · Regulation

NIS2 — what is actually different, and what is repackaged

A practical reading of the directive for organisations that already had a working ISMS, and where the genuinely new requirements bite.

Read post →

2026-02-14 · Tomasz Lewandowski · Regulation

DORA's supplier register is the workstream most projects underestimate

Of all the obligations DORA imposes, the ICT supplier register and contractual review consistently consumes the most effort. Why, and what to do about it.

Read post →

2026-01-08 · Anna Kowalska · Standards

ISO 27001:2022 transition — what to know one year before the deadline

The transition deadline from ISO 27001:2013 to ISO 27001:2022 lands on 31 October 2025. Where remediation work tends to land in practice.

Read post →

2025-12-02 · Dr Magdalena Wójcik · Awareness

Awareness training that survives the second year

Why most awareness programmes peak in year one and decline thereafter, and what to do about it.

Read post →

2025-10-15 · Pavel Novák · Regulation

The 24-hour incident-notification clock — what "becoming aware" actually means

NIS2 starts the early-warning clock at the moment of awareness. The definition has substantial interpretation latitude and high-stakes consequences.

Read post →