NIS2 Readiness: What Your IT Partner Needs to Know

One of your clients is preparing for NIS2 compliance and needs your help. This guide cuts through the noise and gives you, as their IT partner, exactly what you need to know to support them — from the regulatory basics to practical delivery steps.

As an IT partner, you need to understand the NIS2 directive and its specific requirements. The CyberFundamentals framework defines different compliance levels for your clients.

NIS2 in 2 Minutes (for IT Pros)

NIS2 is the EU directive on network and information security that Belgium has transposed into national law. It applies to essential and important entities across sectors like energy, healthcare, digital infrastructure, manufacturing, and more.

  • Applies to medium and large organisations, plus smaller entities in critical sectors
  • In Belgium, compliance is verified through the CyberFundamentals (CyFun) framework developed by the CCB
  • CyFun has 4 assurance levels: Small, Basic, Important, and Essential
  • Most SMEs fall under the Basic or Important level
  • Non-compliance can lead to fines up to 2% of annual global turnover
  • Management is personally liable — this is not just an IT issue

What Your SME Clients Are Looking For

When an SME client approaches you about NIS2, they typically need help with:

Gap assessment

Understanding where they stand today versus what CyberFundamentals requires

Technical controls

Implementing firewalls, MFA, endpoint protection, backups, network segmentation — the controls you likely already manage

Policy documentation

Creating security policies, acceptable use policies, incident response plans — documented and maintained

Evidence collection

Proving that controls are in place and working. Screenshots, configs, logs, test results.

Audit preparation

Getting everything organised so a CAB auditor can verify compliance efficiently

Ongoing maintenance

Annual reviews, policy updates, continuous monitoring — compliance is not a one-time project

How CyberFundamentals Maps to Your Work

CyberFundamentals is structured around 5 functions from the NIST framework. As an IT partner, you are already delivering much of this:

Identify

Asset inventory, risk assessments, business context. You know their infrastructure — document it.

Protect

Access control, MFA, encryption, firewalls, endpoint protection, patch management. This is your core business.

Detect

Monitoring, logging, anomaly detection. Set up alerts and review them.

Respond

Incident response plans, communication procedures, containment strategies. Help them plan before something happens.

Recover

Backup and restore procedures, business continuity plans. Test those backups regularly.

Practical Steps to Deliver NIS2 Readiness

1. Run a gap assessment

Map your client's current state against CyberFundamentals controls. Identify what is in place, what is partially done, and what is missing entirely.

2. Prioritise quick wins

Enable MFA everywhere, verify backups work, ensure endpoint protection is current. These are high-impact, low-effort controls most clients need.

3. Document existing controls

Many clients already have good practices but no documentation. Write down what is already being done — this counts for the audit.

4. Create required policies

Help clients draft security policies, acceptable use policies, and incident response plans. Keep them practical and short — 2 pages per policy is plenty.

5. Collect evidence systematically

For each control, gather proof: configuration screenshots, policy documents, test results, training records. Organise by CyFun control number.

6. Prepare for the audit

The audit is done by a CAB-accredited auditor, not by you. Your job is to make your client audit-ready — everything documented, evidence organised, controls demonstrable.

The Business Case for Your Practice

NIS2 compliance is not a one-time project — it is an ongoing service. For IT partners, this represents a significant and sustainable revenue stream:

  • Initial gap assessment and remediation project (one-time)
  • Monthly managed security services covering required controls
  • Quarterly policy reviews and evidence collection
  • Annual audit preparation support
  • Clients need this for years, not months — compliance is continuous

Deliver NIS2 Readiness at Scale

Easy Cyber Protection is built for IT partners who want to deliver NIS2 audit-readiness to multiple clients efficiently. One platform to manage gap assessments, track controls, generate evidence, and prepare clients for their CyberFundamentals audit.

Frequently Asked Questions

Do I need to be certified to help clients with NIS2?

No. You do not perform the audit — that is done by CAB-accredited auditors. Your role is to help clients implement controls and prepare evidence. Your existing IT expertise is exactly what clients need. However, familiarising yourself with the CyberFundamentals framework is essential.

What if my client only needs the Basic CyFun level?

Basic level covers approximately 50 controls and is sufficient for most SMEs. Many of these are standard IT practices you already deliver: endpoint protection, backups, MFA, patch management. The main gap is usually documentation and formal policies.

How long does it take to make a client audit-ready?

Typically 3-6 months for an SME at the Basic level, depending on their starting point. If you already manage their IT, the technical controls may be 70% done. The remaining effort is documentation, policies, and evidence collection.

Can I use Easy Cyber Protection for multiple clients?

Yes. The platform is designed for MSPs and IT partners managing multiple client environments. You get a single dashboard to track compliance status across all clients, with per-client evidence and reporting.
