This article covers 8 points on how to prepare for a NIS2 audit:

  1. Define your scope
  2. Assess your security maturity
  3. Organise your documentation
  4. Simulate an incident
  5. Assign responsibilities clearly
  6. Prepare for continuous audits
  7. Common mistakes
  8. How PrivaLex can help and next steps

With NIS2 in effect across the EU, organisations that provide essential digital services or support critical infrastructure are under pressure to demonstrate that they are secure and can remain so over time. A key part of that responsibility is being ready for an audit or inspection under NIS2. Although NIS2 does not define a single audit process like ISO certifications, national authorities have powers to supervise and audit covered entities.

This guide explains how to prepare for a NIS2 audit in six steps: scope, maturity, documentation, simulations, responsibilities and continuous preparation. At PrivaLex Partners we help organisations prepare with confidence for NIS2, whether for a first review or as part of a long-term resilience approach. For context, NIS2 and cybersecurity are the foundation; implementing an information security management system (ISMS) or obtaining ISO 27001 certification can align many of the requirements.

Unlike an ISO certification, NIS2 does not issue a seal: national authorities can request evidence, inspect and require remedial measures. Knowing what they may ask for and having documentation and procedures ready reduces stress and demonstrates good faith to the regulator.

Step 1: Define your scope

Before preparing anything, you need to know where you stand. Are you classified as an essential or important entity under the NIS2 transposition in your country? Those categories determine which requirements apply to you and how audits will be run.

What to verify to define the scope of your NIS2 audit

To scope the audit properly, verify and document the following:

  • Sector: if you operate in SaaS, cloud infrastructure, finance, health, energy or essential digital services, confirm in the national transposition whether you are an essential or important entity.
  • Size and business volume: employee and revenue thresholds that apply in your country; they affect the level of scrutiny and likelihood of being supervised.
  • Clients in critical sectors: if you provide services to clients in critical sectors (hospitals, financial institutions, infrastructure), your scope may be broader even if your sector is not explicitly listed.
  • Systems, services and equipment in scope: define which systems, services and equipment fall within the audit scope. Including “everything” dilutes resources; excluding critical systems creates risk. Document the inclusion criteria so you can explain them to the authority.

Once you have clarity, define the scope of your audit in writing. Trying to audit “everything” dilutes focus and resources.

Step 2: Assess your security maturity

Supervisory authorities want to see that you manage risk in a structured and consistent way. A gap analysis against NIS2 gives you the real picture: where you stand and what to close before an inspection. Without a diagnosis, there is no credible improvement in the eyes of the regulator.

What your security maturity level should reflect

Your maturity level should be reflected at least in:

  • Active risk register: an up-to-date risk register covering cyber threats, impact on systems and data, and mitigating measures. A static document is not enough; it should be reviewed periodically.
  • Assigned responsibilities: who is responsible for compliance, who for incident management and who for contact with the authority. Roles must be documented and known to the team.
  • Policies aligned with operations: cybersecurity policies that reflect how you actually work (access, training, incident response, third parties). If policy says one thing and practice another, the inspection will notice.
  • Gap analysis results: a gap report (or equivalent) showing where you comply and where you do not, with an action plan and priorities. It demonstrates that you have done the self-assessment and have a path to improvement.

Step 3: Organise your documentation

NIS2 inspections are as much about narrative as technology. Authorities expect a clear, documented story of how you manage cybersecurity across the organisation. Gather and organise everything before they ask: policies, procedures and evidence that they are applied.

Documentation typically requested in a NIS2 inspection

Authorities typically request or value documentation in these areas:

  • Incident management: procedures for detection, assessment and escalation; roles and notification deadlines (including 24-hour notification to the authority); minutes of incidents or simulations and lessons learned.
  • Access and privilege control: access policies, permission reviews, use of multi-factor authentication on critical systems and access logs where relevant.
  • Cybersecurity training: training plan, content by role, attendance and evaluation (lists, certificates or equivalent). The directive requires documented and periodic training.
  • Third-party risk: assessment of ICT suppliers, contracts with security clauses and monitoring of their compliance. Includes register of critical suppliers and selection criteria.
  • Types of evidence: besides policies and procedures, prepare minutes (meetings, simulations, reviews), records (incidents, access, training), logs where applicable and current versions of documents. A GDPR audit can illustrate the level of documentation expected in other frameworks.

Organise it for quick access. If an authority asks how you manage risk with providers, showing a real example is better than improvising.

Step 4: Simulate an incident

One of the most scrutinised areas in NIS2 assessments is your incident response: how you detect, manage and notify incidents. Because NIS2 requires significant incidents to be reported within 24 hours, you need a clear, tested internal procedure. A well-prepared and documented tabletop is strong evidence to the authority.

How to prepare and document a simulation exercise (tabletop)

For the exercise to be useful and demonstrable, include at least:

  • Breach scenario: define a realistic scenario (e.g. data leak, ransomware, service outage) that forces activation of detection, containment and notification.
  • Steps with the team: walk through, step by step with the team, who does what: detection, severity assessment, decision to notify, drafting and submission to the authority. Time it if possible to check whether you fit within 24 hours.
  • Documentation produced: minutes of the exercise with date, participants, scenario, decisions taken and gaps found (outdated contacts, unclear criteria, etc.). These minutes are evidence you can show in an inspection.
  • Roles and notification deadlines: verify that roles are clear and that the notification flow (who drafts, who approves, how it is sent) is defined and rehearsed. Document internal deadlines so the 24 hours are not lost in internal debate.

These exercises find weaknesses and show authorities that you take preparation seriously. Improvising in a real incident increases regulatory and reputational risk.

Step 5: Assign responsibilities clearly

Authorities want to see clear accountability. NIS2 requires senior management to be involved in cybersecurity management and roles to be traceably assigned. Without an owner for compliance, coordination with the authority and internal consistency suffer.

NIS2 requirements on accountability

The directive and national transpositions typically require or value the following:

  • Senior management involvement: management must be informed of cyber risk and measures taken, and must support resource allocation and compliance priority. Delegating without oversight is not enough.
  • Identifiable person: an identifiable person (or role) who leads NIS2 compliance, risk management and the relationship with the authority. This can be the CISO, the compliance officer, the IT lead or an external adviser like PrivaLex.
  • Compliance coordination: that person must coordinate policies, procedures, training and incident response, and act as point of contact with the competent authority when required.
  • Traceability: responsibilities must be documented (organisational chart, role descriptions, designation minutes) so an inspection can verify who does what. That shows organisational maturity and makes dialogue with regulators easier.

Step 6: Prepare for continuous audits, not just one

NIS2 is not a one-off. It is an evolving framework; authorities can carry out further reviews or request evidence at any time. Your preparation must be continuous, not just for a fixed date.

What to include in preparation for continuous audits

Include at least these elements in your continuous preparation approach:

  • Continuous monitoring: monitor that controls (access, incident response, training, third parties) remain active and documented. Implementing them once is not enough.
  • Periodic internal reviews: periodic reviews (internal or with external support) of NIS2 compliance: risk register, policies, procedures and evidence. They help find deviations before the authority does.
  • Documentation updates: keep policies and procedures up to date when systems, teams or risks change. Outdated versions raise questions in an inspection.
  • Evidence of improvement: act on audit or incident findings (non-conformities, lessons learned) and document improvements. It shows the system evolves and that you take continuous improvement seriously.

Organisations that embed NIS2 in their day-to-day operations, not just in the audit calendar, adapt best and stay up to date. Preparation is not only technical: it is strategic.

Mistakes that can undermine preparation for a NIS2 audit

Avoiding these mistakes spares you sanctions and remedial measures and protects your reputation with the regulator.

Not having documentation ready

If policies, procedures and evidence are not organised and up to date, the inspection may find gaps you could have closed. Authorities can ask for concrete examples on the spot (e.g. a notification procedure or a training record). Having everything findable and current is the basis of good preparation.

Not simulating incidents

Without a tabletop or response exercise, you do not know whether your 24-hour procedure works or whether the team knows their roles. Authorities value that you have rehearsed and documented the response. Simulation minutes are strong evidence of maturity.

Unclear scope

Trying to audit “everything” or not knowing whether you are an essential or important entity creates confusion and waste. Define scope before preparing documentation and evidence, and document it so you can explain it to the authority.

Not assigning a clear lead

NIS2 requires traceable accountability and oversight at management level. Without an owner for compliance, coordination with authorities and internal consistency suffer. Inspections often ask explicitly who is responsible.

How PrivaLex can help you prepare for a NIS2 audit

At PrivaLex Partners we help organisations prepare with confidence for NIS2 audits and inspections, whether for a first review or as part of a long-term resilience approach. We offer gap assessments against the directive’s requirements, risk mapping, policy and procedure design, incident simulations (tabletops) and preparation of documentation and evidence so you can respond clearly when the authority asks.

We work with you to define scope (checking whether you are an essential or important entity and which systems to include), assess your maturity with a gap analysis, organise the documentation authorities typically request and assign responsibilities in a traceable way. With experience in EU regulatory compliance and in NIS2, ISO 27001 certification and cybersecurity, we guide you so you know how to prepare for a NIS2 audit without surprises.

Schedule a strategic session with PrivaLex and get your organisation ready for a NIS2 inspection with confidence.

Frequently Asked Questions (FAQs)

How do I prepare for a NIS2 audit step by step?

In six steps: (1) define your scope by verifying sector, size, business volume, clients in critical sectors and systems/services/equipment in scope; (2) assess your maturity with a gap analysis (active risk register, assigned responsibilities, policies aligned with operations); (3) organise the documentation typically requested (incident management, access and privileges, training, third-party risk, evidence such as minutes, records and logs); (4) simulate an incident (tabletop) with scenario, steps with the team and documentation produced, including roles and notification deadlines; (5) assign clear responsibilities (senior management involvement, one identifiable person to coordinate compliance, traceability); (6) prepare for continuous audits with monitoring, periodic internal reviews, documentation updates and evidence of improvement.

Does NIS2 require an audit like ISO 27001?

No. NIS2 does not define a single certification process like ISO 27001. National authorities have powers to supervise and audit covered entities; they can request evidence, carry out inspections and require remedial measures. Being ready for those reviews is key to demonstrating compliance.

What documentation do I need for a NIS2 audit?

Documentation on incident management (procedures, roles, notification deadlines); access and privilege control; staff training on cybersecurity; assessment and management of third-party risk; an up-to-date risk register; and evidence that policies are applied (minutes, records, logs). Organise it for quick access.

What if I am not ready for a NIS2 inspection?

Authorities can request evidence (policies, procedures, simulation minutes, training records), carry out inspections on site or in writing and, in case of non-compliance, impose sanctions (up to €10 million or 2% of global turnover for essential entities) and require remedial measures. Preparing in advance (defined scope, gap analysis, organised documentation, documented simulations and an assigned lead) reduces risk and demonstrates good faith and maturity to the regulator.

How often can NIS2 audits or inspections happen?

NIS2 does not set a single frequency. Authorities can carry out reviews or request evidence when they see fit. So preparation must be continuous: monitoring, periodic internal reviews and up-to-date documentation, not just for a fixed date.

Can PrivaLex help me prepare for a NIS2 audit?

Yes. PrivaLex offers NIS2 gap assessments, risk mapping, policy and procedure design, incident simulations and preparation of documentation and evidence for inspections. We support you so you know how to prepare for a NIS2 audit and can respond clearly when the authority asks.

Next step

Knowing how to prepare for a NIS2 audit is the first step; the next is to define your scope and close gaps before the authority knocks. Schedule a strategic session with PrivaLex and turn preparation into advantage.