Cybersecurity evidence: product, OT, organisation

Industrial and product cybersecurity for companies that must show evidence

We help device manufacturers, industrial companies and technology vendors prepare for the CRA, OT customer requirements, KSC/NIS2 and cyber insurance questionnaires.

Since 2014 in cybersecurity and regulated sectors
CISSP / GCFE / ISO 27001 LA / ISA qualifications
OT & product security specialisation

Four ways we will prepare your evidence

Choose the path that matches your situation. Each one ends with concrete evidence and a plan for the next 60–90 days.

CRA Snapshot for manufacturers

Product with digital elements

A fixed-price assessment of 1–2 product families against the Cyber Resilience Act: classification, gaps against Annex I, readiness for art. 14, an SBOM-lite and an action plan.

See the CRA Snapshot →

OT / IEC 62443 Mini-Gap

OT/ICS security

A short OT security assessment: remote access, segmentation, updates, vulnerabilities, logging and the evidence required by industrial customers, brokers and auditors.

See OT / IEC 62443 →

Cyber Insurance Evidence Check

Cyber questionnaire for a policy

From declarations in the cyber questionnaire to concrete evidence of controls: MFA, backups, EDR/logs, remote access, an incident procedure and quick wins before the conversation with your broker.

See the Evidence Check →

KSC/NIS2 Exposure Check

Regulatory exposure

Check whether your company falls under KSC/NIS2 and what evidence is worth preparing for the board, a customer, an auditor or an insurer. No scaremongering about penalties.

See the KSC/NIS2 Check →

How we work

Short, concrete and with evidence you can show to a customer, an auditor or an insurer.

1. We check and map

We set the scope, classify the product or entity and map the current state against the requirements of the CRA, IEC 62443, KSC/NIS2 or a cyber questionnaire.

2. We identify the gaps

We show what is missing and what is risky, separate the technical part from the legal interpretation and organise the evidence.

3. We prepare evidence and a 60–90 day plan

You get an evidence pack and a concrete action plan with priorities, ready for a conversation with a customer, a broker or an auditor.

We build our own R&D solutions

In industrial cybersecurity, documentation alone is not enough. We build prototypes to better understand OT/IT separation, event monitoring, compliance evidence and vulnerability handling.

A one-way OT→IT data diode, a local OT monitoring node, a tool for organising product evidence and a local AI assistant for documentation. These are research and development prototypes, proof of practice rather than products for sale.

See the R&D solutions →

About CZ Cybersecurity

We have been operating since 2014. We specialise in industrial and product cybersecurity: OT/ICS, product security, CRA, PSIRT/SBOM and preparing evidence for KSC/NIS2 and cyber insurance questionnaires. We serve manufacturers, industrial companies and the regulated sector, including civil aviation and defence.

We separate the technical part from the legal part so that it is clear what is a technical assessment and what is a legal interpretation. On matters that require a legal opinion, we work with advisers and law firms. On cyber policies we do not broker insurance sales; we help prepare the technical answers and evidence.

CISSP GCFE ISO 27001 Lead Auditor ISA Senior Member

Trusted by, among others

Civil Aviation Authority of Poland
Ministry of Sport and Tourism
Polish Air Force University in Deblin

Book a 20-min call

Briefly describe your situation. We will get back to you and determine whether and how we can help.

Frequently asked questions

Who does the Cyber Resilience Act (CRA) apply to?

The CRA (EU Regulation 2024/2847) applies to manufacturers, importers and distributors of products with digital elements, meaning hardware and software that connects to a device or network. Full application and CE marking apply from 11 December 2027, and vulnerability reporting obligations (art. 14) from 11 September 2026.

Is IEC 62443 mandatory in Poland?

IEC 62443 is usually not a legally mandatory standard for every company with OT. It is, however, a recognised language of security evidence for industrial systems and products that industrial customers, auditors and insurers increasingly expect.

Is KSC 2.0 a directive or an act?

KSC is the act on the national cybersecurity system, which implements the EU NIS 2 directive. The obligations of Polish entities stem from the act, not directly from the directive.

What is worth preparing before a cyber insurance questionnaire?

The most commonly needed items are evidence of controls: multi-factor authentication (MFA), backups with a restore test, EDR and logs, management of remote access and privileged accounts, and an incident response procedure. We help prepare the technical answers and evidence; we do not broker insurance sales.

See the full FAQ →