
How to prepare your organisation for a NIS2 compliance audit?

The NIS2 Directive (Directive (EU) 2022/2555) had to be transposed into national law across the European Union by 17 October 2024, and its rules have applied since 18 October 2024 (in Poland, legislative work on a draft amendment to the Act on the National Cybersecurity System is still ongoing). The new regulations aim to raise cybersecurity standards across 18 key sectors of the economy and administration by establishing uniform requirements across the EU. This means that medium and large organisations operating in areas such as energy, transport, healthcare, finance, digital services, water supply, public administration and other critical areas must implement appropriate security measures and document their effectiveness. In practice, each such ‘essential entity’ or ‘important entity’ will be subject to supervision in the form of an NIS2 compliance audit (essential entities are supervised proactively, while important entities are checked when the authority has evidence or indications of non-compliance). This audit is intended to verify whether the company meets the new requirements and thus contributes to achieving a common, high level of network and information security in the EU.

The NIS2 compliance audit is not just a formality, but a tool to protect the organisation from cyber threats and potential legal sanctions. The directive introduces strong enforcement mechanisms, with national supervisory authorities gaining the power to carry out regular and random checks, request information, and conduct on-site or remote audits. Importantly, serious violations are subject to severe financial penalties for both essential and important entities (up to EUR 10 million or 2% of global annual turnover for essential entities, and up to EUR 7 million or 1.4% of global annual turnover for important entities, whichever is higher). In addition, NIS2 explicitly makes the management body responsible for approving and overseeing the cybersecurity risk-management measures, and allows it to be held liable for failing to do so. In other words, senior management may face consequences for negligence, which ‘elevates’ cybersecurity to the level of the board of directors. For companies, this means that they must take the audit very seriously, as not only financial penalties are at stake, but also business continuity and reputation. An incident handled in a manner that does not comply with the requirements (e.g. delayed reporting) may result in a loss of trust among customers and partners or a loss of competitive advantage.


The scope of NIS2 requirements and areas of audit control

Before we move on to practical advice, it is worth understanding what exactly is assessed during the NIS2 audit. The new directive imposes a number of requirements on organisations in terms of cybersecurity risk management. Article 21(2) of NIS2 lists 10 minimum measures that every covered company must include in its security programme:

– information security policy and risk analysis – formal policies and a process for the continuous identification and assessment of risks to information systems,

– incident handling – procedures and tools for detecting, reporting and responding to security incidents,

– business continuity and crisis management – plans to maintain service continuity (including regular backups, contingency plans, disaster recovery plans),

– supply chain security – verification of the security of suppliers and partners (audits, contract clauses, requirements for subcontractors),

– security in the acquisition, development and maintenance of systems – consideration of security requirements in the design and implementation of new IT solutions, including vulnerability handling and disclosure,

– testing and evaluation of security effectiveness – regular internal audits, penetration tests, security reviews to verify that measures are working effectively,

– basic cybersecurity hygiene practices and training – including update and patch management, backups, secure configuration baselines, and regular employee training to raise awareness of threats,

– cryptography policies – rules for the use of encryption and protection of data at rest and in transit, in accordance with best practices,

– human resources security, access control and asset management – access control (e.g. least privilege principle), user identity management and joiner/mover/leaver processes, IT asset inventory,

– multi-factor authentication and secured communications – implementation of MFA or continuous authentication where appropriate (especially for privileged access and critical systems), and secured voice, video and text communications, including emergency communication channels.

The above elements are the minimum that every organisation covered by NIS2 must address. Auditors will check the existence and effectiveness of these measures. For example, a company is expected to have an up-to-date risk analysis and security policy, and to be able to demonstrate the implementation of access control mechanisms, data encryption, system monitoring and business continuity plans. It is equally important to prove that the company monitors threats and incidents, including whether it has defined processes for reporting incidents to the competent authorities within the required time limits.

It is also worth noting that the audit will cover organisational and management aspects. The Directive emphasises the involvement of senior management in cybersecurity oversight: the management body must approve the risk-management measures, oversee their implementation and itself undergo cybersecurity training. The audit may therefore include interviews with management and verification that the board has formally approved security policies and receives regular reports on risks and incidents. NIS2 places responsibility for ensuring compliance on company boards, as security cannot be treated solely as a problem for the IT or security department. Furthermore, the European Union Agency for Cybersecurity (ENISA) emphasises that the effective implementation of the NIS2 Directive requires more than just new procedures, as it is necessary to actively involve people and clearly define roles and responsibilities within the organisation.


Common issues hindering compliance with NIS2

Even well-prepared companies have gaps that come to light during an audit. Knowing these common errors will help you avoid them in advance. Here are the most common problems observed when assessing compliance with NIS2:

– Lack of formal documentation

Many organisations implement ad hoc security measures but do not describe them in policies, procedures or records. For an auditor, an undocumented process does not exist. For example, if you conduct training or monitor incidents but there is no paper or electronic record of this (attendance lists, ticket history, monitoring reports), it will be treated as non-compliant. Proper documentation is therefore fundamental to meeting NIS2 requirements.

– Ignoring supplier security

NIS2 requires not only protecting your own systems, but also taking into account supply chain risks. A common mistake is not verifying the security of key IT or cloud service providers. The lack of supplier audits and security clauses in contracts can result in serious non-compliance.

– Outdated risk assessment

Some organisations conduct a one-off risk analysis (e.g. several years ago) and leave it at that. Meanwhile, NIS2 requires continuous risk management, i.e. regular review of threats and adjustment of security measures. The lack of ongoing, cyclical risk assessments constitutes a breach of requirements.

– Insufficient training and awareness among employees

The human factor is critical to cybersecurity, as recognised by NIS2. Despite this, it is a common mistake to limit oneself to one-off, ‘superficial’ training courses or, worse still, to have no evidence that such training has been carried out. The lack of systematic training in cybersecurity (phishing, security policies, incident reporting procedures, etc.) leads to low awareness among employees and increases the risk of incidents. Auditors pay attention to whether the company is building a culture of security and whether it can demonstrate that employees have undergone the required training.

– Delays in incident reporting

Failure to develop clear incident response procedures results in chaos in a crisis situation. A typical mistake is the lack of a mechanism for immediate reporting of an incident to the relevant authorities. NIS2 sets a staged timeline for significant incidents: an early warning to the CSIRT or competent authority within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report no later than one month after the notification. A company that learns of a serious attack but does not send the early warning within 24 hours is already in breach. Many organisations still do not have rehearsed response plans, which the audit will quickly pick up on.

The above-mentioned shortcomings are common, but at the same time relatively easy to eliminate, especially if the issue is approached methodically and sufficiently far in advance.

How to prepare for a NIS2 audit – action plan

Effective preparation for NIS2 compliance audit is not just a matter of formalities, but also of building real resilience to threats within the organisation. The following action plan will help you organise your activities, engage the right people and minimise the risk of non-compliance.

1. Conduct a preliminary analysis and internal audit

Identify whether your organisation is actually subject to NIS2 regulations (sector and size criteria) and then conduct an internal compliance audit. A gap assessment will allow you to compare your current practices with the requirements of the directive. It is also good practice to map these requirements to existing processes and policies, which will allow you to identify where the actual gaps are (e.g. missing policies and procedures, risks that were not included in the initial assessment).

2. Organise your documentation, policies and procedures

Auditors expect not only real actions, but also evidence in the form of documents (both paper and electronic). Therefore, verify the completeness and currency of your security policies, business continuity plans, incident management procedures, risk analyses, access management and backup policies. Additionally, supplement and update your documentation to reflect the reality of your organisation and the requirements of NIS2.

3. Strengthen your technical and organisational measures

Identified deficiencies (i.e. identified gaps and missing security measures) should be addressed in accordance with the organisation’s risk profile. This may include implementing MFA, expanding security monitoring (e.g. SIEM, EDR), clarifying agreements with suppliers, auditing cloud services, or implementing a formal and documented vulnerability and update management process. At the same time, ensure that all technical measures are correctly configured and ready when the time comes for the audit (the auditor may request access to logs, configurations, and test reports).

4. Define roles, engage management, and build a security culture

Ensure that a person has been appointed to take the lead in the area of security (e.g. CISO or NIS2 coordinator) and that their responsibilities are clearly defined. Ensure the formal involvement of the management board, which should participate in risk reviews, approve policies, receive regular security status reports and put cybersecurity on the agenda for management meetings. Next, prepare a training and exercise programme for the entire organisation, covering several levels: training for management (on new legal obligations and decisions that may be required during an incident), specialised technical training for IT/security teams (security system operation, response procedures, supply chain security), and regular training for all employees on the basics of cyber hygiene (recognising social engineering attacks, rules for safe use of IT and the obligation to report incidents). It is also worth organising periodic incident simulations (e.g. table-top exercises for management, technical response tests for the IT team) to test in practice whether the procedures work and the team responds efficiently under time pressure.

5. Test operational capability and reporting readiness

Organise test alerts, check the team’s response to an incident (e.g. a simulated ransomware attack), the correctness of communication (both internal and with the CSIRT) and the effectiveness of contingency plans. Prepare incident reporting templates for the CSIRT and test the ability to deliver the early warning within 24 hours and the fuller incident notification within 72 hours of becoming aware of an incident. Also make sure that everyone knows who to notify in the event of a serious incident (within the company and among external institutions). Verify failure scenarios on the supplier’s side as well. Record all conclusions from tests and simulations and use them to improve procedures.
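The reporting clock is the one part of this step that is easy to get wrong under pressure, so the following added example (not part of the original article or any official tool) tracks the three NIS2 Article 23 deadlines for a significant incident: early warning 24 hours and incident notification 72 hours after the organisation became aware of it, and a final report one month after the notification. The incident record, the timestamps and the ‘one month equals 30 days’ reading are constructed assumptions for the demonstration; check the exact interpretation with your national CSIRT.

```python
"""Track the NIS2 Article 23 reporting clock for a significant incident.

Added example: all record fields and the 30-day reading of "one month"
are assumptions made for this demonstration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

EARLY_WARNING = timedelta(hours=24)          # from becoming aware
INCIDENT_NOTIFICATION = timedelta(hours=72)  # from becoming aware
# "No later than one month after the notification" modelled as 30 days
# (assumption); confirm the exact reading with your CSIRT/regulator.
FINAL_REPORT = timedelta(days=30)

STAGES = ("early_warning", "notification", "final_report")


@dataclass
class SignificantIncident:
    incident_id: str
    aware_at: datetime  # moment the entity became aware of the incident
    early_warning_sent: Optional[datetime] = None
    notification_sent: Optional[datetime] = None
    final_report_sent: Optional[datetime] = None

    def __post_init__(self) -> None:
        # Naive timestamps silently shift the deadline between offices in
        # different time zones, so refuse them outright.
        for name in ("aware_at", "early_warning_sent",
                     "notification_sent", "final_report_sent"):
            value = getattr(self, name)
            if value is not None and value.tzinfo is None:
                raise ValueError(f"{name} must be timezone-aware")


def deadlines(inc: SignificantIncident) -> Dict[str, datetime]:
    """Return the due time of each reporting stage."""
    notification_due = inc.aware_at + INCIDENT_NOTIFICATION
    # The final-report clock starts when the notification is actually
    # submitted; until then, assume it goes out at the last possible moment.
    final_clock_start = inc.notification_sent or notification_due
    return {
        "early_warning": inc.aware_at + EARLY_WARNING,
        "notification": notification_due,
        "final_report": final_clock_start + FINAL_REPORT,
    }


def status(inc: SignificantIncident, now: datetime) -> Dict[str, str]:
    """Classify each stage as 'sent on time', 'sent late', 'due' or 'OVERDUE'."""
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware")
    sent = {
        "early_warning": inc.early_warning_sent,
        "notification": inc.notification_sent,
        "final_report": inc.final_report_sent,
    }
    result = {}
    for stage, due in deadlines(inc).items():
        if sent[stage] is not None:
            result[stage] = "sent on time" if sent[stage] <= due else "sent late"
        else:
            result[stage] = "OVERDUE" if now > due else "due"
    return result


def hours_remaining(inc: SignificantIncident, stage: str, now: datetime) -> float:
    """Hours left until the stage is due; negative means it is already overdue."""
    if stage not in STAGES:
        raise ValueError(f"unknown stage {stage!r}")
    return (deadlines(inc)[stage] - now).total_seconds() / 3600


# Constructed sample record (not a real incident): early warning went out
# on time, but the 72-hour notification has not been sent yet.
SAMPLE = SignificantIncident(
    incident_id="INC-2025-0042",
    aware_at=datetime(2025, 3, 3, 9, 15, tzinfo=timezone.utc),
    early_warning_sent=datetime(2025, 3, 3, 21, 0, tzinfo=timezone.utc),
)
# Constructed evaluation time for the demonstration.
SAMPLE_NOW = datetime(2025, 3, 7, 8, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for stage, state in status(SAMPLE, SAMPLE_NOW).items():
        print(f"{SAMPLE.incident_id} {stage:14s} {state:13s} "
              f"{hours_remaining(SAMPLE, stage, SAMPLE_NOW):8.2f} h")
```

Run it as a script to see the sample incident flagged with the notification overdue by about 23 hours while the final report is still merely ‘due’. In practice the `aware_at` value is what auditors will scrutinise, so record how and when the organisation became aware (alert timestamp, ticket creation, supplier notice) alongside the incident.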

6. Monitor compliance on an ongoing basis

Plan for maintaining continuous compliance and a high level of security after the audit is complete. To this end, it is worth implementing indicators and metrics to measure progress, e.g. the percentage of trained employees, incident response time, number of incidents detected in a given month, average time to apply critical patches, etc. Review these metrics regularly at management meetings – they show whether security is actually working or just looks good on paper. Together, determine a schedule for further actions, including regular internal audits, risk reviews, regular testing of contingency plans, and employee training to raise awareness of cybersecurity. Also follow announcements from regulators and ENISA, which publish recommendations specifying technical requirements for certain sectors, as well as other practical guidance and explanations.

7. Consider experts’ support

If you are unsure about how to interpret the requirements or lack internal resources (including expertise), seek help from specialists. External experts conducting a preliminary audit will identify weaknesses before the official auditor does. Legal and technical consultants will also help you correctly interpret unclear requirements and prepare missing documents. It is important to note that working with experts does not exempt you from the involvement of your internal team, but it can speed up the process and ensure that nothing is overlooked.


Summary

Preparing an organisation for an NIS2 audit is a considerable challenge, but also an opportunity to streamline processes and significantly improve security. Proactive measures are key – the earlier you start, the more peace of mind you will have and the less stress you will experience when the auditor arrives. It is worth remembering that the aim of the NIS2 Directive is not to complicate life for companies, but to strengthen the resilience of the entire economy to digital threats. Good cybersecurity is now a fundamental part of business, comparable to sound finances or the quality of services or products offered. Management boards that understand this treat the implementation of NIS2 not as a cost, but as an investment in business continuity, customer trust and competitive advantage.

So approach the audit not as an obligation, but as an opportunity to streamline processes, engage people and build a culture of security. With well-planned preparations, the NIS2 audit can become not only painless but even valuable, and your organisation will emerge from it better prepared for the challenges of the digital reality.


Read more: https://ttsw.com.pl/en/cybersecurity/cybersecurity-audits/nis2-audit/