NIS2 Audit: Preparation Guide & Checklist
A NIS2 audit verifies that your security measures actually meet the requirements. Whether you face a mandatory third-party audit or a self-assessment, preparation is key. This guide walks you through what to expect, what auditors look for, and how to get audit-ready.
What Is a NIS2 Audit?
A NIS2 audit is an external verification by a Conformity Assessment Body (CAB) that your organization's security measures meet the requirements of the NIS2 directive. In Belgium, this means demonstrating compliance with the CyberFundamentals framework developed by the Centre for Cybersecurity Belgium (CCB).
- CAB auditors are accredited by BELAC (Belgian Accreditation Body)
- The audit covers your policies, procedures, technical controls, and evidence of implementation
- It is not a one-time event — ongoing compliance is expected
- The audit confirms you are "audit-ready," not that you are 100% risk-free
Learn more about the NIS2 framework: NIS2 overview.
When Do You Need an Audit?
Essential Entities
Mandatory third-party audit by an accredited CAB. You must achieve CyFun Important or Essential tier certification. There is no way around this — external verification is required.
Important Entities
Self-assessment is sufficient for CyFun Basic tier. However, an external audit is strongly recommended. It gives you credibility with clients, partners, and regulators. Many organizations choose to audit voluntarily.
Supply Chain Pressure
Even if you are not legally required to be audited, your clients may demand proof. Large enterprises increasingly require NIS2 compliance evidence from their suppliers. An audit certificate makes this simple.
Not sure which category you fall into? Check who must comply.
What Auditors Look For
Auditors do not just check boxes. They look for evidence that your security measures are real, tested, and maintained.
Documentation & Policies
Written security policies, approved by management. Not templates — documents that reflect your actual operations.
Risk Assessment
A structured risk assessment methodology with documented results. Auditors want to see that you identified risks and acted on them.
Incident Response
An incident response plan that has been tested. Tabletop exercises, simulation results, and lessons learned from real incidents.
Business Continuity
Backup procedures, disaster recovery plans, and evidence of regular testing. Recovery time objectives must be defined and realistic.
Supply Chain Security
Contracts with security clauses, supplier assessments, and a list of critical suppliers with their risk ratings.
Staff Training Records
Proof that employees received security awareness training. Dates, attendance lists, and content covered.
Self-Assessment vs External Audit
Both have their place. The right choice depends on your NIS2 classification.
| | Self-Assessment | External Audit |
|---|---|---|
| Who performs it | Your own team | Accredited CAB auditor |
| When required | Important entities (CyFun Basic) | Essential entities (CyFun Important/Essential) |
| Cost | Internal time only | Auditor fees (varies) |
| Credibility | Limited — self-reported | High — independently verified |
| Client confidence | Moderate | Strong — certificate as proof |
| Preparation needed | Moderate | Thorough documentation required |
How to Prepare for a NIS2 Audit
Step 1: Gap Analysis Against CyberFundamentals
Start by mapping your current security posture against the CyberFundamentals controls. Identify what you have, what is missing, and what needs improvement. This gives you a clear picture of the work ahead.
Step 2: Document Everything
Auditors need evidence. Write down your policies, procedures, and processes. Document who is responsible for what. Keep logs of security activities. If it is not documented, it did not happen.
Step 3: Test Your Incident Response
Run a tabletop exercise. Simulate a security incident and walk through your response plan. Document the results and any improvements you make. Auditors love seeing tested plans.
Step 4: Review Supply Chain Contracts
Check that your supplier contracts include security requirements. Ensure you have assessed your critical suppliers. Document the results and any follow-up actions.
Step 5: Brief Your Team
Everyone should know the basics: your security policy, how to report incidents, and their individual responsibilities. Training records prove your team is prepared.
Use our NIS2 compliance checklist to structure your gap analysis, and follow the implementation steps for a detailed plan.
How MSPs Help Clients Prepare for Audits
Managed Service Providers play a crucial role in NIS2 audit preparation. Most SMEs do not have dedicated security staff. An MSP fills that gap.
Managed Compliance
MSPs handle the ongoing work: monitoring, patching, backup testing, and documentation. This keeps clients audit-ready at all times, not just before the audit.
Evidence Collection
The right tools automatically log security activities — patches applied, backups verified, incidents handled. This evidence is exactly what auditors need.
Continuous Monitoring
Security is not a one-time project. MSPs provide continuous monitoring that demonstrates ongoing compliance, a key requirement for NIS2.
Easy Cyber Protection gives MSPs the tools to make every client audit-ready: automated evidence collection, structured compliance tracking, and clear audit reports.
NIS2 Audit Timeline
Key dates for Belgian organizations:
See all NIS2 deadlines.
Get Audit-Ready Today
Easy Cyber Protection guides you through every step of NIS2 audit preparation. From gap analysis to evidence collection, we make compliance manageable.
Frequently Asked Questions
What is a NIS2 audit and who performs it?
A NIS2 audit is a formal assessment of your cybersecurity measures against the CyberFundamentals framework. It is performed by a Conformity Assessment Body (CAB) accredited by BELAC. The audit verifies that your policies, procedures, and technical controls meet the requirements of the NIS2 directive.
How do I check if my organization needs a NIS2 audit?
Essential entities (large organizations in critical sectors) need a mandatory third-party audit. Important entities can use self-assessment for CyFun Basic tier. Use the CCB's online tool or check the NIS2 scope criteria to determine your classification. When in doubt, consult the CCB or a qualified advisor.
What is the difference between a NIS2 self-assessment and a full audit?
A self-assessment is an internal review where your organization evaluates its own compliance with CyberFundamentals controls. A full audit involves an independent, accredited CAB auditor who verifies your compliance externally. Essential entities must have the external audit; important entities can self-assess.
How long does it take to prepare for a NIS2 audit?
Typically 3 to 6 months for organizations starting from scratch. If you already have good security practices and documentation, it could be 1 to 3 months. The key is starting early — last-minute preparation creates gaps that auditors will find.
How much does a NIS2 audit cost?
Costs vary based on organization size, complexity, and CyFun tier. Self-assessment costs are mainly internal time. External CAB audits typically range from a few thousand to tens of thousands of euros. The cost of non-compliance (fines up to 10 million euros or 2% of global turnover) far exceeds audit costs.