How to Prepare for a NIS2 Audit: Documentation, Evidence, and Compliance Verification Guide (2026)

Complete guide to NIS2 audit preparation. Covers documentation requirements by Article, evidence collection, common failures, management liability, and a 30-day pre-audit checklist for in-scope EU entities.

The NIS2 Directive (Directive (EU) 2022/2555) does not merely require entities to implement cybersecurity measures; it requires them to prove they have done so. Article 32(2) gives competent authorities broad powers over essential entities: on-site inspections and off-site supervision, regular and targeted security audits, ad hoc audits, security scans, and requests for information, documents and evidence of implementation. For the tens of thousands of entities newly brought into scope across the EU, the question is no longer whether they will be audited, but when.

Germany’s BSI has already announced it will audit all ~29,000 in-scope entities on a rolling basis through 2028 (Source: BSI Lage- und Entwicklungstand der Informationssicherheit in Deutschland, 2025). France’s ANSSI is building a dedicated NIS2 inspection unit. Italy’s ACN has published its audit methodology for essential and important entities. The enforcement wave is building.

For cyber insurance underwriters, an insured’s audit readiness is a direct proxy for their actual cybersecurity maturity. An entity that cannot produce documentation on demand is an entity that has not implemented the measures the documentation describes. This guide covers what a NIS2 audit looks like, what documentation is required, how to collect evidence, and what underwriters should ask when evaluating a risk.

What Triggers a NIS2 Audit

NIS2 audits fall into three categories, each with different implications for the insured entity and its insurers:

1. Scheduled Compliance Audits

Competent authorities may subject essential entities to regular and targeted security audits, on-site inspections and random checks at any time (Article 32(2)), so these entities face planned, calendar-driven inspections. The Directive sets no fixed interval; member-state practice varies, with a two-year cycle typical for the most critical operators. Important entities are different: Article 33 puts them under ex post supervision only, so they are audited when the authority has evidence or an indication of non-compliance, not on a schedule.

2. Incident-Triggered Audits

When an entity reports a significant incident under Article 23, the competent authority may launch an ad hoc audit (Article 32(2)(c) expressly allows audits justified by a significant incident) to determine whether the incident resulted from a compliance failure. These audits are more intrusive and focus on the specific controls that failed. For underwriters, an incident-triggered audit that reveals systemic gaps is a strong signal of elevated risk.

3. Random Sampling and Risk-Based Selection

Authorities may also select entities based on risk profiling — sector, size, previous incident history, or intelligence suggesting inadequate measures. This is particularly relevant for entities in sectors with elevated threat levels (healthcare, energy, transport).

The Audit Process: What to Expect

A typical NIS2 compliance audit follows this timeline:

  • Notification (2–4 weeks before the audit): the authority sends the audit notice with scope, timeline, and document request list
  • Document review (2–4 weeks): auditors review the submitted documentation remotely
  • On-site inspection (1–5 days): interviews with management, the CISO and IT staff; review of technical configurations
  • Technical testing (1–3 days): verification of security measures through vulnerability scans, configuration checks and access reviews
  • Draft findings (2–4 weeks after the inspection): preliminary report with findings and a preliminary assessment
  • Entity response (2–4 weeks): the entity may respond to the draft findings and provide additional evidence
  • Final report (4–8 weeks after the response): final audit report with recommendations or enforcement orders
  • Remediation (varies, typically 3–6 months): the entity must address the findings within the specified timeframe

For NIS2 compliance, the key insight is that the audit process is evidence-based, not aspirational. Having policies is not enough. Auditors will verify that policies are implemented, tested, and maintained.

Documentation Requirements by Article

The NIS2 Directive requires documentation across multiple Articles. Here is what auditors will request, organized by requirement:

Article 21: Security Measures

The core technical, operational and organisational measures. Documentation must cover all ten areas listed in Article 21(2)(a) to (j); the list below follows the Directive's order and adds the evidence auditors typically ask for:

  1. Policies on risk analysis and information system security: risk assessment methodology, risk register, treatment plans
  2. Incident handling: incident response plan, playbooks, post-incident review reports
  3. Business continuity (including backup management and disaster recovery) and crisis management: BCP, DR plan, test results, RTO/RPO definitions
  4. Supply chain security, including the security aspects of relationships with direct suppliers and service providers: vendor risk assessment methodology, contractual security requirements, audit rights in contracts
  5. Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure: secure development and patching procedures, vulnerability disclosure policy, network diagrams and segmentation standards
  6. Policies and procedures to assess the effectiveness of the cybersecurity risk-management measures: internal audit plan, control test results, metrics reported to the management body
  7. Basic cyber hygiene practices and cybersecurity training: training curriculum, completion records, phishing test results
  8. Policies and procedures on the use of cryptography and, where appropriate, encryption: key management policies, encryption standards, certificate management
  9. Human resources security, access control policies and asset management: identity management policies, access reviews, joiner/mover/leaver records, asset inventory
  10. Use of multi-factor or continuous authentication, secured voice, video and text communications and secured emergency communication systems, where appropriate: MFA deployment documentation, exception logs, coverage metrics

Physical and environmental security is not a separate item in Article 21(2), but auditors still expect to see it (physical access policies, access logs, visitor records); keep that evidence ready alongside the access control and asset management documentation under item 9.

Each measure must be documented with: policy → implementation → testing → maintenance evidence. A policy without evidence of testing is a compliance gap, as outlined in the NIS2 gap analysis guide.

Article 32: Documentation Supervisors Can Demand

Article 32(2)(e) to (g) entitle the competent authority to request from an essential entity any information needed to assess its cybersecurity risk-management measures, including documented cybersecurity policies, access to the underlying data and documents, and evidence that the policies are actually implemented (such as the results of audits by a qualified auditor). In practice that request list covers the governance layer around the Article 21 measures:

  • Cybersecurity strategy document approved by the management body
  • Risk management framework with clear governance structure
  • Roles and responsibilities matrix (RACI) for cybersecurity functions
  • Change management procedures for significant changes to systems
  • Document retention and version control showing policy evolution over time

Article 23: Incident Reporting Records

Auditors will verify the entity’s incident reporting compliance:

  • Incident register with all incidents, not just reportable ones
  • Reporting timeline documentation for each significant incident, per Article 23(4): early warning within 24 hours of becoming aware of it, incident notification within 72 hours of becoming aware of it, and final report within one month of the incident notification (or a progress report if the incident is still ongoing at that point)
  • Communication with competent authority — all correspondence, including acknowledgments
  • Post-incident review reports — lessons learned, root cause analysis, remediation actions taken

See the NIS2 incident reporting guide for detailed timeline requirements.
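The reporting clocks above are easy to state and easy to miss in practice, because each one starts from a different event. The following Python script, added here as an example and not code from the page or from any competent authority, checks a constructed incident register against those deadlines and computes the awareness-to-early-warning figure an auditor or underwriter will ask for. The CSV layout, the reading of "one month" as 30 days and the review date NOW are assumptions of the example.

```python
"""Check an incident register against the NIS2 Article 23 reporting clock.

Added example for this guide; it is not code from the page, a competent
authority, or any tool. Deadlines follow Article 23(4): early warning within
24 hours of becoming aware of a significant incident, incident notification
within 72 hours of becoming aware, final report within one month of the
incident notification. The CSV layout, the 30-day reading of "one month" and
the review date NOW are assumptions of this example.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

EARLY_WARNING = timedelta(hours=24)          # Article 23(4)(a), runs from awareness
INCIDENT_NOTIFICATION = timedelta(hours=72)  # Article 23(4)(b), runs from awareness
FINAL_REPORT = timedelta(days=30)            # Article 23(4)(d), runs from the notification (30-day assumption)

# Constructed register. Timestamps are UTC; an empty field means "not sent yet".
SAMPLE_REGISTER = """\
incident_id,significant,aware_at,early_warning_at,notification_at,final_report_at
INC-1,yes,2025-03-01T08:00:00Z,2025-03-01T20:30:00Z,2025-03-03T09:00:00Z,2025-03-28T12:00:00Z
INC-2,yes,2025-04-10T22:15:00Z,2025-04-12T07:00:00Z,2025-04-13T10:00:00Z,
INC-3,no,2025-05-02T11:00:00Z,,,
INC-4,yes,2025-06-20T14:00:00Z,2025-06-21T09:00:00Z,,
"""

# Constructed review date at which "not sent yet" is judged.
NOW = datetime(2025, 7, 1, tzinfo=timezone.utc)


def _parse(ts):
    """Parse an ISO-8601 UTC timestamp; an empty string means no report was sent."""
    if not ts:
        return None
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_register(csv_text, now=NOW):
    """Return {incident_id: [finding, ...]} for each significant incident.

    A report sent after its deadline is 'late'; one never sent although its
    deadline has passed at `now` is 'overdue'. Incidents the entity classified
    as not significant are skipped: the Article 23 clocks only run for
    significant incidents.
    """
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["significant"].strip().lower() != "yes":
            continue
        aware = _parse(row["aware_at"])
        notification = _parse(row["notification_at"])
        steps = [
            ("early warning", _parse(row["early_warning_at"]), aware + EARLY_WARNING),
            ("incident notification", notification, aware + INCIDENT_NOTIFICATION),
        ]
        # The final-report clock only starts once the notification exists.
        if notification is not None:
            steps.append(("final report", _parse(row["final_report_at"]), notification + FINAL_REPORT))
        issues = []
        for name, sent_at, deadline in steps:
            if sent_at is None:
                if now > deadline:
                    issues.append(f"{name} overdue since {deadline:%Y-%m-%d %H:%M}Z")
            elif sent_at > deadline:
                issues.append(f"{name} late by {sent_at - deadline}")
        findings[row["incident_id"]] = issues
    return findings


def mean_hours_to_early_warning(csv_text):
    """Mean hours from awareness to early warning over significant incidents
    that have one: the KPI behind "is the 24-hour deadline at risk?".
    Returns None if no incident has an early warning yet."""
    hours = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["significant"].strip().lower() != "yes" or not row["early_warning_at"]:
            continue
        delta = _parse(row["early_warning_at"]) - _parse(row["aware_at"])
        hours.append(delta.total_seconds() / 3600)
    return sum(hours) / len(hours) if hours else None


if __name__ == "__main__":
    for incident, issues in check_register(SAMPLE_REGISTER).items():
        print(incident, "OK" if not issues else "; ".join(issues))
    print(f"mean awareness-to-early-warning: {mean_hours_to_early_warning(SAMPLE_REGISTER):.1f} h")
```

On the sample register INC-2 shows both failure modes at once: the early warning went out 8 hours 45 minutes late, and the final report is overdue because the 30 days from the incident notification have elapsed. INC-3 produces no finding because the entity classified it as not significant; auditors will check that classification separately, which is why the register must contain all incidents and not only the reported ones.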

Article 20: Management Body Liability

This is the Article that makes NIS2 fundamentally different from NIS1. Under Article 20, management body members must:

  • Approve the cybersecurity risk-management measures taken under Article 21
  • Oversee their implementation, and accept that they can be held liable for the entity's infringements under national law (Article 20(1))
  • Follow training, so that they can identify risks and assess cybersecurity risk-management practices and their impact on the services the entity provides (Article 20(2))

Auditors will request: board meeting minutes showing cybersecurity discussions, training certificates for management, and approval records for cybersecurity policies. Failure here is expensive for the entity and personal for its leaders: fines of up to €10M or 2% of total worldwide annual turnover, whichever is higher, for essential entities (Article 34(4)); where an essential entity fails to comply with enforcement orders by the set deadline, a temporary ban on the CEO or legal representative exercising managerial functions (Article 32(5)(b)); and personal liability of management body members under national law, as detailed in the NIS2 penalties guide.

Evidence Collection Best Practices

Technical Evidence

Auditors expect to see live evidence, not screenshots from months ago. For each evidence type, the expected format and how current it must be:

  • Network diagrams: current architecture diagrams with data flows; updated quarterly
  • Vulnerability scan results: exported reports from the scanning tools; last 12 months retained
  • Penetration test reports: full reports with remediation tracking; last 3 years retained
  • Access logs: SIEM exports or log management system; 12–24 months retained
  • Configuration baselines: hardened configuration standards with deviation tracking; current version plus change history
  • Encryption inventories: list of systems, algorithms, key lengths and certificate expiry dates; updated monthly
  • MFA enrollment rates: dashboard exports showing coverage percentage; current
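Two of the checks in that list can be automated before the auditor asks: whether the newest artifact of each evidence type is recent enough, and what the MFA coverage number actually is once approved exceptions are taken into account. The Python script below is an added example for this guide, not code from the page or from any product. The CSV layouts, the per-type maximum ages in MAX_AGE_DAYS and the review date AS_OF are assumptions of the example; the ages follow the update cadence listed above.

```python
"""Audit-readiness evidence check: freshness of technical evidence and MFA
coverage with exception handling.

Added example for this guide; it is not code from the page, a competent
authority, or any product. The CSV layouts, the per-type maximum ages and
the review date AS_OF are assumptions of this example.
"""
import csv
import io
from datetime import date

# Maximum age, in days, of the newest artifact of each type before it is stale.
MAX_AGE_DAYS = {
    "network_diagram": 90,        # updated quarterly
    "vulnerability_scan": 30,     # "current" read as at most a month old (assumption)
    "penetration_test": 365,      # at least annual; older reports are kept for three years
    "config_baseline": 90,        # current version plus change history
    "encryption_inventory": 30,   # updated monthly
    "bcp_dr_test": 365,           # tested at least annually
}

# Constructed evidence log: one line per artifact; the newest per type counts.
SAMPLE_EVIDENCE = """\
type,artifact,produced_on
network_diagram,diagrams/core-2025q1.pdf,2025-02-10
network_diagram,diagrams/core-2025q2.pdf,2025-05-20
vulnerability_scan,scans/external-2025-06-02.xml,2025-06-02
penetration_test,pentest/2023-report.pdf,2023-11-15
encryption_inventory,crypto/inventory.csv,2025-06-28
bcp_dr_test,bcp/failover-test-2025.pdf,2025-03-04
"""

# Constructed identity export and MFA exception log.
SAMPLE_ACCOUNTS = """\
user,type,mfa_enrolled
alice,human,yes
bob,human,yes
carol,human,no
dave,human,no
svc-backup,service,no
"""
SAMPLE_EXCEPTIONS = """\
user,approved_by,expires_on
carol,ciso,2025-12-31
dave,ciso,2025-01-31
"""

AS_OF = date(2025, 7, 1)  # constructed review date


def evidence_gaps(csv_text, as_of=AS_OF):
    """Return {evidence_type: reason} for every type that is missing or stale."""
    newest = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        produced = date.fromisoformat(row["produced_on"])
        if row["type"] not in newest or produced > newest[row["type"]]:
            newest[row["type"]] = produced
    gaps = {}
    for etype, max_days in MAX_AGE_DAYS.items():
        if etype not in newest:
            gaps[etype] = "missing"
        elif (as_of - newest[etype]).days > max_days:
            gaps[etype] = f"stale: newest dated {newest[etype]}, limit {max_days} days"
    return gaps


def mfa_coverage(accounts_csv, exceptions_csv, as_of=AS_OF):
    """Return (coverage_pct, unexplained_users).

    coverage_pct is enrolled human accounts over all human accounts, so an
    approved exception still lowers the headline number auditors ask for.
    unexplained_users are human accounts without MFA and without an unexpired,
    approved exception: these are the findings. Service accounts are left out
    of the human metric and need their own control.
    """
    valid_exceptions = {
        row["user"]
        for row in csv.DictReader(io.StringIO(exceptions_csv))
        if date.fromisoformat(row["expires_on"]) >= as_of
    }
    humans = [r for r in csv.DictReader(io.StringIO(accounts_csv)) if r["type"] == "human"]
    enrolled = sum(1 for r in humans if r["mfa_enrolled"] == "yes")
    coverage = 100.0 * enrolled / len(humans) if humans else 0.0
    unexplained = sorted(
        r["user"] for r in humans
        if r["mfa_enrolled"] != "yes" and r["user"] not in valid_exceptions
    )
    return coverage, unexplained


if __name__ == "__main__":
    for etype, reason in evidence_gaps(SAMPLE_EVIDENCE).items():
        print(f"evidence gap: {etype}: {reason}")
    pct, users = mfa_coverage(SAMPLE_ACCOUNTS, SAMPLE_EXCEPTIONS)
    print(f"MFA coverage (human accounts): {pct:.1f}%; unexplained: {users}")
```

On the sample data the penetration test is flagged as stale and the configuration baseline as missing, and MFA coverage comes out at 50% with one unexplained account: dave's exception expired in January, so his missing MFA is a finding, while carol's is covered by a current, approved exception. Reporting the raw coverage and the unexplained accounts separately matches what auditors do: they take the headline percentage, then walk the exception log.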

Governance Evidence

  • Management body minutes — evidence that cybersecurity is a standing agenda item
  • Risk register updates — showing active review and treatment of cybersecurity risks
  • Training completion records — per-employee records with course content and assessment results
  • Vendor assessment reports — completed risk assessments for all critical ICT suppliers
  • Policy review dates — showing policies are reviewed at least annually

Supply Chain Evidence

The NIS2 supply chain requirements are a frequent audit failure point. Evidence must include:

  • Complete inventory of ICT service providers
  • Risk-tiered classification of all providers
  • Contractual security requirements (SLAs, audit rights, notification obligations)
  • Results of provider security assessments
  • Monitoring and review records

Common Audit Failures and How to Avoid Them

Based on enforcement patterns from NIS1 supervisory authorities and early NIS2 audits:

1. “Paper Compliance” — Policies Without Implementation (40% of findings)

Failure: Comprehensive policies exist but no evidence of implementation. Example: an incident response plan that has never been tested.

Fix: Every policy must have corresponding evidence of execution. Test incident response plans at least annually. Document BCP/DR tests with results.

2. Incomplete Supply Chain Documentation (30% of findings)

Failure: Entity cannot demonstrate it has assessed and monitored its ICT service providers.

Fix: Maintain a live vendor register with risk assessments. Include audit rights in contracts. Review critical providers annually.

3. Management Body Not Involved (15% of findings)

Failure: Cybersecurity decisions are delegated entirely to IT without management body oversight.

Fix: Schedule quarterly cybersecurity briefings at board level. Document attendance and decisions. Complete Article 20 training.

4. Incident Reporting Gaps (10% of findings)

Failure: Incidents are logged internally but not reported to the competent authority within required timelines.

Fix: Automate reporting triggers. Practice the 24-hour early warning process, remembering that the clock starts when the entity becomes aware of the incident, not when the report is drafted. Maintain a template pre-filled with entity information.

5. Stale Risk Assessments (5% of findings)

Failure: Risk assessment was conducted once and never updated.

Fix: Risk assessments must be reviewed at least annually and after significant changes (mergers, new systems, major incidents).

What Auditors Mean by “All Appropriate and Proportionate”

Article 21(1) requires measures that are “appropriate and proportionate.” Auditors evaluate this through a multi-factor test:

  • Entity size and complexity — a 50-person healthcare provider is not held to the same standard as a 10,000-employee energy operator
  • Risk exposure — entities handling critical infrastructure face higher expectations
  • Sector-specific threats — healthcare entities must demonstrate resilience against ransomware; financial entities must address DORA overlap
  • State of the art — measures must reflect current best practices, not 2015 standards
  • Cost-benefit analysis — documented assessment showing proportionality between cost of measures and risk reduction

For underwriters, this proportionality assessment is valuable. An entity that has documented its proportionality analysis demonstrates mature risk thinking.

The Underwriter’s Audit Readiness Assessment

When evaluating a NIS2-exposed risk, the underwriting questions should probe audit readiness specifically:

  1. Has the entity been audited under NIS2 or NIS1? If yes, request the audit report (or at least the summary). If no, ask about preparation status.

  2. Can the entity produce documentation within the audit notice period? Most authorities give 2–4 weeks. If the entity needs 3 months to assemble evidence, they are not audit-ready.

  3. When was the last penetration test, and were all findings remediated? A pen test with open critical findings is worse than no pen test from an auditor’s perspective.

  4. What is the MFA coverage rate? Below 95% is a red flag for auditors and should be for underwriters too.

  5. Has the management body completed cybersecurity training? If not, the entity is in direct violation of Article 20.

  6. What is the average time from becoming aware of a significant incident to the early warning reaching the competent authority? The 24-hour clock runs from awareness; if the average exceeds 12 hours, the deadline is at risk.

  7. Is there a documented vendor risk management program? This is the most commonly failed area.

30-Day Pre-Audit Preparation Checklist

If you receive an audit notification, here is the priority order for preparation:

Days 1–5: Foundation

  • Confirm audit scope and document request list with authority
  • Appoint audit coordinator (single point of contact)
  • Assemble documentation team with clear responsibilities
  • Review and update entity registration information
  • Confirm Article 20 management body training records are current

Days 6–15: Documentation Assembly

  • Compile all Article 21 measures documentation
  • Gather incident register and reporting records (Article 23)
  • Assemble the governance documents the authority can request under Article 32 (cybersecurity strategy, risk-management framework, RACI, change management procedures)
  • Collect supply chain security documentation
  • Prepare evidence of management body involvement (minutes, approvals)

Days 16–22: Technical Evidence

  • Run current vulnerability scan and document results
  • Verify MFA enrollment rates across all systems
  • Confirm encryption standards are documented and current
  • Review and document network segmentation
  • Verify backup and recovery testing records

Days 23–27: Gap Remediation

  • Identify and address any obvious documentation gaps
  • Ensure all policies have current review dates
  • Verify training records are complete for all staff
  • Prepare physical evidence for on-site inspection (access logs, visitor records)
  • Brief all staff who may be interviewed by auditors

Days 28–30: Final Preparation

  • Conduct internal mock interview with key personnel
  • Prepare presentation summarizing cybersecurity posture
  • Review all submitted documentation for consistency
  • Prepare logistics for on-site visit (meeting rooms, system access)
  • Final review of the proportionality analysis (cost of measures against risk reduction) that supports the Article 21(1) "appropriate and proportionate" argument

Post-Audit: Remediation and Follow-Up

After receiving the final audit report:

  1. Prioritize remediation based on severity and risk exposure
  2. Document all remediation actions with evidence of completion
  3. Report remediation progress to the competent authority within specified deadlines
  4. Update risk register to reflect audit findings
  5. Review and improve audit preparation processes based on lessons learned

Implications for Cyber Insurance Coverage

NIS2 audit findings have direct implications for cyber insurance:

  • Non-compliance findings may trigger policy exclusions related to regulatory failure
  • Remediation costs following an audit can be substantial — ensure policy covers regulatory response costs
  • Fine coverage varies by jurisdiction and policy wording — verify whether NIS2 penalties are insurable in the insured’s member state
  • Business interruption during remediation may be covered, but only if the policy includes regulatory trigger events

For a complete walkthrough of how audit readiness fits into the broader claims process, see the cyber insurance claims process guide.

Summary

NIS2 audit preparation is not a one-time exercise. It is an ongoing discipline that requires:

  • Living documentation that is updated, tested, and reviewed regularly
  • Evidence-based compliance — policies backed by implementation proof
  • Management body engagement — the single biggest differentiator between audit-ready and audit-vulnerable entities
  • Supply chain visibility — the most common audit failure point
  • Practiced response — the ability to produce evidence within audit timelines

For underwriters, an entity’s audit readiness is the most reliable indicator of whether their NIS2 compliance is real or theatrical. Ask the right questions, verify the documentation exists, and price accordingly.
