Since October 18, 2024, the date from which EU member states have had to apply the national measures transposing it, the NIS2 Directive (Directive (EU) 2022/2555) has set the cybersecurity baseline across the European Union. The directive, adopted by the European Parliament and the Council, is meant to ensure a high common level of cybersecurity across the EU. For many organizations this means a comprehensive review of their security posture, and that is the purpose of the NIS2 audit.
In this article, we explain what the NIS2 audit is, who it applies to, what it involves, and how to carry it out to ensure compliance with the new requirements.
Who is covered by the NIS2 Directive?
According to the provisions of the NIS2 Directive, the obligation to implement and document security measures applies to so-called essential and important entities operating within the EU. These are organizations that provide services in the sectors the directive lists as highly critical or otherwise critical, including public administration.
Entities covered by NIS2 include, among others:
– Operators in sectors of high criticality, e.g., energy, transport, banking, healthcare and drinking water
– Providers of digital infrastructure and digital services, including cloud computing service providers
– Public administration bodies at both national and regional levels
– Trust service providers, TLD name registries, DNS service providers, domain name registration services, and providers of online marketplaces, search engines and social networking platforms
– Postal and courier service providers, and waste water and waste management operators
– Other entities that meet the directive’s size thresholds (in general, medium and large enterprises, with sector-specific exceptions) or that national legislation implementing the directive designates as essential or important
Note that public administration entities whose activities lie in the areas of national security, public security, defence or law enforcement are excluded from the directive’s scope.
Each of these organizations is subject to supervision by the national competent authorities under the legislation implementing the directive. Essential entities face proactive supervision, including regular security audits, while important entities are supervised after the fact, for example when evidence of non-compliance emerges. In both cases the organization must be able to demonstrate compliance, which is what a NIS2 audit establishes.
Why is a NIS2 audit necessary today?
With NIS2 now in force, companies and institutions operating fully or partially within the EU must not only implement adequate technical and organizational safeguards but also document their effectiveness. This is where the NIS2 audit comes in: a control procedure that allows an organization to assess its compliance with the cybersecurity requirements and to avoid violations and the penalties that follow from them.
NIS2 audit – structure and stages
Below are the stages of a comprehensive NIS2 audit carried out in accordance with the directive’s requirements.
Identifying NIS2 obligations
At this stage, the organization is assessed to determine whether it qualifies as an essential or important entity. This includes:
– Reviewing the organization’s service profile, sector and size against the directive’s scope and thresholds
– Assessing the organization’s impact on public safety and on the continuity and integrity of the services it provides
– Identifying relationships with direct suppliers and service recipients, since these determine which supply chain obligations apply
The outcome of this stage is a formal classification of the organization as subject to NIS2 compliance obligations.
Assessing cybersecurity risk management
NIS2 requires effective and documented risk management procedures. The audit analyzes:
– The policies on risk analysis and information system security, and the approach to selecting and implementing risk-reducing measures
– The organization’s approach to handling security incidents from a risk management perspective, including business continuity, backups and crisis management
– Whether the organization assesses the effectiveness of its own measures
Risk assessment is the foundation for planning further security measures to limit the impact of incidents.
Verifying technical and organizational security measures
This stage examines how the organization manages its security systems and practices against the measures listed in the directive, including:
– Access control, asset management and security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure
– Policies and procedures for the use of cryptography and, where appropriate, encryption
– Use of multi-factor or continuous authentication solutions
– Monitoring and reporting from security systems, together with cyber hygiene practices and staff training
– Securing voice, video and text communication channels, including emergency communication
The goal is to ensure compliance with the requirements for a high level of cybersecurity.
Incident management and reporting obligations
A key area of the audit is the organization’s readiness to handle cybersecurity incidents. The audit checks:
– Preparedness to notify significant incidents to the national CSIRT or competent authority within the directive’s deadlines: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month
– Readiness to state in the early warning whether the incident is suspected to have been caused by unlawful or malicious acts or could have a cross-border impact
– The ability to respond quickly and handle incidents effectively
– Timeliness and quality of reporting, including the intermediate reports and the final report
Effective incident management minimizes threats and supports legal compliance in member states.
Supply chain security and partner relationships
NIS2 introduces additional obligations for managing supply chain security, especially for organizations relying on third-party solutions or cloud services. The audit covers:
– Verification of security requirements in contracts with digital and ICT service providers
– Assessment of the security practices of direct suppliers, including their vulnerability handling procedures
– Examination of how data exchange and partner communication channels are secured
The goal is to safeguard the organization’s infrastructure beyond its internal boundaries.
Management body involvement
According to NIS2, the management body of the organization is responsible for ensuring compliance: it must approve the cybersecurity risk management measures, oversee their implementation, and can be held liable for infringements. The audit includes:
– Assessing leadership engagement in risk management and whether management has completed the required cybersecurity training
– Evaluating how management decides on and approves the acquisition of IT solutions and security measures
– Reviewing reporting frameworks that keep management informed about regulatory compliance
Leadership accountability for cybersecurity investments is a cornerstone of effective protection.
How does TTSW support NIS2 compliance?
The Transition Technologies–Software team offers comprehensive support for:
– Conducting a NIS2 audit in line with current legislation
– Developing and implementing effective cybersecurity risk management procedures
– Preparing organizations for incident reporting and documentation
– Advising on collaboration with digital and cloud service providers
– Training management boards and IT/compliance teams
With experience working with essential and important entities and a deep understanding of the NIS2 Directive, TTSW effectively supports organizations in achieving cybersecurity compliance. Our efforts align with the EU’s goal of a high common level of cybersecurity.
Summary
The year 2025 has brought new cybersecurity challenges: the NIS2 Directive is now in force and applies to thousands of organizations in the EU. A NIS2 audit is therefore not just a formal requirement but a strategic tool for protecting operations against security incidents. Organizations can already begin preparing for NIS2 compliance so that they are ready as national implementing legislation is adopted and updated.
With TTSW’s support, your organization can efficiently prepare for NIS2 compliance, minimize risks, and strengthen its digital resilience. Schedule an audit today – check whether you’re ready for full NIS2 compliance.