
What to Expect from Your MSP's NIS2 Audit-Readiness Program

Your MSP has told you they can get your business audit-ready for NIS2 and CyberFundamentals. Great news, but what does that actually look like from your side of the table? This guide walks you through the four phases, what you need to do (not much), what your MSP handles (most of it), and how long each step realistically takes depending on where you are starting from.

What "Audit-Ready" Actually Means

There is an important distinction worth getting right from day one. Your MSP, using the ECP platform, prepares your company for a NIS2 or CyberFundamentals audit. The audit itself is carried out by an independent Conformity Assessment Body (CAB) auditor, not by your MSP and not by us. We do not grant certificates. What we deliver is confidence: when the CAB auditor arrives, your policies are approved, your evidence is collected, your registers are populated, and the Belgian CCB export pack is generated and ready. No scrambling the week before.

  • Your MSP is the quarterback. They own the relationship and the delivery.
  • The platform (ECP) runs quietly in the background, collecting evidence from your Microsoft 365, endpoint protection, and backup tools automatically.
  • You stay focused on running your business. Your involvement is measured in hours, not weeks.
  • The CAB auditor judges the result. We make sure the judgement has the right inputs.

The Four Phases of Your Journey

Here is the full picture, from your perspective. Each phase has a clear purpose, a realistic time commitment, and a short list of what happens.

Phase 1: Onboarding and Intake (1 to 2 hours, your time)

Your MSP creates your account and walks you through the CyFun level questionnaire (or completes it on your behalf). This short intake determines whether your organisation needs the Basic, Important, or Essential tier of CyberFundamentals. Once the tier is confirmed, the platform automatically builds out every policy page, register, and control structure you will need for it. You end this phase with a complete, empty-but-structured compliance workspace.

What you do

Answer a few questions about your business: sector, headcount, critical services, and any specific regulatory exposure.

What your MSP does

Run the intake, confirm the tier, and configure your workspace.

Phase 2: Platform Setup (1 to 2 days, your MSP does this)

This is the fast part, and it is where the platform really earns its keep. In a single working session, your MSP connects your Microsoft 365 tenant, your endpoint protection (such as Sophos, Bitdefender, SentinelOne, or Microsoft Defender), and your backup solution. The platform immediately starts pulling technical evidence automatically. At the same time, your MSP runs eight policy wizards that produce first-draft policies tailored to your business context. By the end of this phase, you have a dashboard showing exactly what would pass, what is at risk, and what would fail an audit today.

What you do

Give your MSP the administrator consent they need to connect Microsoft 365 (a 30-minute approval), then step away.

What your MSP does

Connect every integration, run the wizards, populate your declared estate (headcount, device count, software inventory), and produce the first honest gap picture.

Phase 3: Validate and Implement (1 to 6 months, sometimes longer)

This is the variable part, and honesty about it matters. The platform has given you a punch list of every item that is missing, weak, or at risk. Your MSP now works through that list with you. For each control, they validate that the evidence matches reality, tailor the draft policy to how your company actually operates, and then chase management sign-off. Registers for suppliers, risks, incidents, training, and backup tests get populated with your real business data. Where you are missing actual security measures, such as multi-factor authentication, immutable backups, central logging, or endpoint protection, your MSP implements them. This is real engineering work, not paperwork, and it is usually the single biggest driver of the timeline.

What you do

Approve policies at management level, provide business data your MSP asks for (employee list, supplier list, key software), and attend a handful of short working sessions.

What your MSP does

Tailor every policy, populate every register, implement the missing security measures, and chase the sign-offs that need to happen at the top of your organisation.

Phase 4: Audit Handover (1 to 2 weeks)

Your MSP runs an internal dry-run using the official CCB self-assessment export, which is the same Excel workbook your CAB auditor will use. Any last gaps are closed. Then the platform generates either a secure share link that gives your CAB auditor read-only access to your evidence, or a complete ZIP bundle containing every policy, register entry, and linked artefact for an offline review. You and your MSP meet the CAB auditor. The CAB auditor decides the outcome.

What you do

Be available for auditor questions if they come up. Sign off on the final pack.

What your MSP does

Run the dry-run, generate the export, coordinate with the CAB auditor on logistics.

How Long Will This Actually Take?

The platform setup is fixed at 1 to 2 days. The variable is Phase 3, and the honest answer depends on where your security is today. Over-promising leads to a missed audit deadline, so it pays to set expectations realistically at the start.

Well-equipped

1 to 3 months

You already have Microsoft 365 with MFA enforced, a proper endpoint protection product, immutable backups, and reasonable patching. Phase 3 is mostly policy review, management sign-off, and populating registers with data you already have.

Some gaps

4 to 6 months

The tech is mostly there but with holes: MFA is patchy, backups are not immutable, logging is not centralised, or endpoint protection is consumer-grade. Your MSP runs policy work in parallel with the engineering project to close those gaps. The engineering work is the real timeline driver.

Starting fresh

6 to 9 months or more

You rely on consumer-grade backup, have no enforced MFA, no endpoint protection, and no logging retention. Most of the timeline is your MSP building the security foundation. Compliance paperwork rides along for free once that foundation is in place, but do not skip the conversation about the foundation itself.

How the Platform Saves Your MSP (and You) Months

A traditional NIS2 readiness project involves writing policies from scratch, chasing technical evidence by email, and hoping nothing was missed when the auditor arrives. The platform replaces most of that with automation:

Auto-verifies technical controls

Your Microsoft 365 and endpoint protection tools are connected once. From then on, the platform checks things like MFA enforcement, password policy, device encryption, and patch status automatically. No screenshots, no spreadsheets.

Drafts your policies

Eight guided wizards produce first-draft policies and procedures that match your business context. Your MSP tailors them. You approve the finals. No more staring at a blank Word document.

Tracks evidence expiry

Training records, phishing test results, and backup test logs all have validity windows. The platform flags them before they go stale, so the next audit does not catch you out.

Generates the CCB export

When the CAB auditor asks for the official Belgian CyberFundamentals self-assessment file, your MSP produces it with one click. All evidence linked, all answers filled, ready to share.

Shows the punch list honestly

You always know exactly what is ready, what is at risk, and what would fail an audit today. No surprises, no hidden gaps.
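The two mechanisms above, evidence that expires on a validity window and a punch list that sorts every control into ready, at risk, or fail, can be shown with a small worked model. The code below is an added illustration written for this page, not ECP's own code; the controls, validity windows, warning thresholds, collection dates, and the "today" date are all constructed sample values.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Sort order for the punch list: failures first, then at-risk items, then ready ones.
STATUS_ORDER = {"fail": 0, "at_risk": 1, "ready": 2}


@dataclass(frozen=True)
class EvidenceItem:
    """One piece of audit evidence and the window for which it stays current."""
    control: str
    collected_on: Optional[date]  # None means no evidence has been collected yet
    validity_days: int            # how long the evidence counts as current
    warn_days: int = 30           # flag "at_risk" this many days before expiry


@dataclass(frozen=True)
class PunchListEntry:
    control: str
    status: str                   # "ready", "at_risk" or "fail"
    expires_on: Optional[date]    # None when there is no evidence at all
    days_left: Optional[int]      # negative once the evidence has expired


def assess(item: EvidenceItem, today: date) -> PunchListEntry:
    """Classify one evidence item against today's date."""
    if item.collected_on is None:
        # Missing evidence fails outright; there is nothing to age.
        return PunchListEntry(item.control, "fail", None, None)
    expires_on = item.collected_on + timedelta(days=item.validity_days)
    days_left = (expires_on - today).days
    if days_left < 0:
        status = "fail"
    elif days_left <= item.warn_days:
        status = "at_risk"
    else:
        status = "ready"
    return PunchListEntry(item.control, status, expires_on, days_left)


def build_punch_list(items: List[EvidenceItem], today: date) -> List[PunchListEntry]:
    """Assess every item and order the list so the worst problems come first."""
    entries = [assess(item, today) for item in items]
    return sorted(entries, key=lambda e: (STATUS_ORDER[e.status], e.expires_on or date.min))


def summarise(entries: List[PunchListEntry]) -> dict:
    """Count entries per status, which is what a dashboard headline shows."""
    counts = {"fail": 0, "at_risk": 0, "ready": 0}
    for entry in entries:
        counts[entry.status] += 1
    return counts


# Constructed sample evidence (hypothetical controls, dates and windows).
SAMPLE_TODAY = date(2025, 6, 1)
SAMPLE_ITEMS = [
    # Annual training, 19 days from expiry: inside the 30-day warning window.
    EvidenceItem("Security awareness training", date(2024, 6, 20), validity_days=365),
    # Quarterly phishing test, 38 days left: still ready.
    EvidenceItem("Phishing simulation", date(2025, 4, 10), validity_days=90),
    # Quarterly restore test that lapsed 47 days ago: fails.
    EvidenceItem("Backup restore test", date(2025, 1, 15), validity_days=90),
    # Automated check re-verified daily, so no early warning is needed.
    EvidenceItem("MFA enforcement (Microsoft 365)", date(2025, 6, 1), validity_days=1, warn_days=0),
    # Register never reviewed: no evidence, so it fails.
    EvidenceItem("Supplier register annual review", None, validity_days=365),
]


if __name__ == "__main__":
    punch_list = build_punch_list(SAMPLE_ITEMS, SAMPLE_TODAY)
    for entry in punch_list:
        print(f"{entry.status:8} {entry.control:35} expires {entry.expires_on} ({entry.days_left} days)")
    print(summarise(punch_list))
```

The warning threshold is per item on purpose: a daily automated check gains nothing from a 30-day early warning, while an annual training record needs one so the re-run can be scheduled before the record goes stale.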

What You Actually Need to Do

Your total time commitment across the whole journey is usually measured in hours, not days. Here is the realistic list:

  • Approve the tier choice after the intake (one short conversation).
  • Give your MSP the administrator consent they need to connect Microsoft 365 and your endpoint protection tools.
  • Provide basic business data when asked: employee list, key suppliers, critical software, physical locations.
  • Sign off on each finalised policy. Your MSP does the drafting; you confirm it reflects how your business actually operates.
  • Attend the quarterly review (60 to 90 minutes) to see progress, re-run the punch list, and plan the next quarter.
  • Communicate material changes: new office, new critical supplier, significant change in headcount, any security incident.

After the Audit: Staying Ready

NIS2 compliance is not a one-off project. Threats evolve, evidence expires, your business changes, and the CCB periodically publishes new versions of the CyberFundamentals workbook. Your MSP keeps you audit-ready continuously. Integrations keep the technical evidence fresh automatically. Manual evidence, such as training completion and backup test logs, is re-collected on its schedule. Once a quarter, you and your MSP review everything together. When the CCB issues a framework update, your MSP re-runs the export. The next audit is just another Tuesday, not a crisis.

Work With an MSP Who Uses the Right Tools

If your MSP already uses ECP, you are in good hands. If they do not yet, share this page with them. Either way, being audit-ready should feel like a steady walk, not a sprint the month before the auditor arrives.


Frequently Asked Questions

Will I get a NIS2 certificate at the end?

Your MSP and the ECP platform do not issue certificates. That is the role of an independent Conformity Assessment Body (CAB) auditor. What your MSP delivers is everything that auditor needs to judge you favourably: approved policies, linked evidence, populated registers, and the official CCB export. The CAB auditor then audits you and, if satisfied, issues the certificate.

How much of my own time will this take each week?

During Phase 2 (platform setup), about one morning to grant Microsoft 365 administrator consent and answer context questions. During Phase 3, expect roughly two to four hours a month in short review sessions, plus whatever it takes to sign off policies. Once you are audit-ready, it drops to a 60 to 90 minute quarterly review. Your MSP absorbs the rest.

What if my MSP says it will take six weeks to be fully ready?

Ask them to walk you through the punch list first. Six weeks is realistic only if your security foundation is already excellent, which means enforced MFA everywhere, immutable backups, a proper endpoint protection product, and central logging already in place. If any of those are missing, the timeline needs to include the engineering work to put them in place. An honest MSP will show you the punch list and set a realistic date together.

Do I need to understand the technical details of every control?

No. You need to understand your business, your processes, and the policies that reflect them. Your MSP translates the technical controls into business decisions when they need your input. Everything else is handled in the background.

What happens if I change MSPs later?

The platform exports your complete compliance state, including policies, evidence, and registers, as a portable ZIP bundle. Your next MSP can import it directly. You do not start from zero.

Does the CAB auditor see the ECP platform?

Only if you or your MSP choose to share it. Your MSP can generate a read-only share link that gives the CAB auditor access to your evidence and punch list, or a complete ZIP bundle for offline review. Most audits accept either. It depends on the CAB auditor's preference.
