Unassessed to NIS 2 Compliant — Grade B+ Across 10 Standards in 10 Weeks
KONKAT IT Division manages shared IT infrastructure and disaster recovery for a conglomerate of ~30 companies across some of the most heavily regulated sectors in Europe — energy, aviation, maritime, and refining. LCM Go Cloud had already built their AWS DR environment: 60+ VMs, 28 TB of critical data, protected using pilot light and warm standby strategies with an RTO of minutes.
But the DR infrastructure itself had never been assessed for security posture or compliance. Misconfigurations, unencrypted volumes, and overly permissive IAM roles had gone undetected. The risk was amplified by the cascading nature of a shared environment — a security incident could propagate across all 30 group companies simultaneously, including those in aviation and maritime where operational disruption carries regulatory and safety consequences.
The decisive pressure: the EU NIS 2 Directive enforcement deadline. KONKAT needed auditable evidence — not just best efforts — that this critical environment met recognised cybersecurity frameworks. And with 100 additional VMs queued for onboarding, the attack surface was growing faster than visibility could keep pace.
LCM Go Cloud deployed a two-layer security architecture across the existing DR environment. Layer 1 established the AWS Security Baseline: multi-region CloudTrail with log file integrity validation, AWS Config for continuous resource recording, GuardDuty with all 9 protection features, Inspector v2 running 5 scan types, Security Hub with FSBP and CIS v3 standards, and IAM hardening with MFA and least privilege, all codified in CloudFormation for repeatable, auditable deployment.
Layer 2 deployed CloudPosture — LCM Go Cloud's GenAI-powered CSPM platform, powered by Amazon Bedrock (Claude). Running 644 security checks via 19 specialised agents across 10 compliance standards with 16,400+ control mappings, CloudPosture delivered the compliance evidence KONKAT needed for NIS 2. Amazon Bedrock generated executable remediation plans in CLI, Terraform, and CloudFormation. Toxic combination detection identified dangerous misconfiguration chains — such as public bucket + no encryption + no logging — with AI-generated explanations of the risk.
Within 10 weeks, KONKAT moved from entirely unassessed to Grade B+ across all primary frameworks — CIS v3 and FSBP at their highest grades — with weekly automated scans, compliance drift detection, and critical finding alerts now running continuously. The first NIS 2-auditable compliance report was delivered to the governance board, with all CRITICAL and HIGH findings resolved.
KONKAT moved from an unassessed environment to fully compliant in 10 weeks — with auditable NIS 2 evidence for regulators, all critical findings resolved, and 30 group companies now protected by a verified security posture.
LCM Go Cloud layered a two-tier security stack onto KONKAT's existing DR infrastructure — hardening all AWS foundational services and adding GenAI-powered continuous compliance monitoring — without disrupting live recovery operations.