NIS2 raises cybersecurity-risk-management obligations for essential and important entities across the EU, and — unusually — places personal accountability on the management body. This guide covers what evidence demonstrates the Article 21 measures, how to test incident reporting against NIS2's staged deadlines, and the management-accountability evidence auditors routinely forget to ask for.
Frame the audit around the Article 21 measures
NIS2's core obligation (Article 21) is a defined set of cybersecurity risk-management measures. Use them as the audit's backbone — each measure is an auditable unit with a documented basis and evidence that it operates. The list includes, among others:
risk analysis and information-system security policies;
incident handling;
business continuity, backup and crisis management;
supply-chain security;
security in acquisition, development and maintenance, including vulnerability handling;
policies to assess the effectiveness of the measures;
basic cyber hygiene and training;
cryptography; access control and asset management;
multi-factor authentication and secured communications.
Risk management — the controls must trace to the risks
NIS2 is built on risk management, so the first test is whether the controls actually flow from an assessment of risk, or were bolted on generically.
Obtain the risk assessment and check it's current, covers the in-scope network and information systems, and is owned.
Trace controls back to risks — pick three identified risks and confirm each has a corresponding control; pick three controls and confirm each addresses an identified risk. Orphan controls and unaddressed risks are both findings.
Check there is a process to assess effectiveness of the measures (Article 21 requires it) — not just that controls exist, but that someone checks they work.
Incident handling and the staged reporting clock
Incident handling is where NIS2 has sharp, testable deadlines. The reporting obligation (Article 23) is staged:
Stage                  | Deadline                           | Content
Early warning          | Within 24 hours of becoming aware  | Initial notification to the CSIRT/authority
Incident notification  | Within 72 hours                    | Assessment, severity, indicators of compromise
Final report           | Within 1 month                     | Root cause, mitigation, impact
Obtain the incident-handling procedure and confirm it encodes these staged deadlines and the correct national channel.
Walk through a real incident end to end against the plan (see audit techniques): when was awareness, when was each report sent, do the timestamps meet the deadlines?
If there have been no reportable incidents, test the process against a tabletop scenario and confirm staff can identify a reportable incident and know the clock starts at awareness.
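One way to run the timestamp check described above, as an added example that is not part of the original guide: it takes the awareness time and the three report timestamps (constructed sample values) and grades each Article 23 stage against the 24-hour, 72-hour and one-month deadlines. It assumes "one month" is read as a calendar month and that every timestamp is timezone-aware.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Article 23 stages, each measured from the moment the entity became aware.
EARLY_WARNING, NOTIFICATION = timedelta(hours=24), timedelta(hours=72)

def add_calendar_month(t: datetime) -> datetime:
    """One calendar month later, clamped to the target month's last day (31 Jan ->
    28/29 Feb). Assumption: check how the national transposition counts a month."""
    year, month = (t.year + 1, 1) if t.month == 12 else (t.year, t.month + 1)
    last_day = calendar.monthrange(year, month)[1]
    return t.replace(year=year, month=month, day=min(t.day, last_day))

@dataclass
class IncidentTimeline:
    aware: datetime                    # when awareness was established
    early_warning: Optional[datetime]  # None = never sent
    notification: Optional[datetime]
    final_report: Optional[datetime]

def check_reporting_clock(tl: IncidentTimeline, now: datetime) -> dict:
    """Per stage: 'met', 'late', 'missing' (deadline passed, nothing sent) or 'open'
    (not yet due). Timezone-aware stamps only, so logs from different zones compare."""
    stamps = [tl.aware, tl.early_warning, tl.notification, tl.final_report, now]
    if any(s is not None and s.tzinfo is None for s in stamps):
        raise ValueError("use timezone-aware timestamps")
    due = {
        "early_warning": (tl.early_warning, tl.aware + EARLY_WARNING),
        "notification": (tl.notification, tl.aware + NOTIFICATION),
        "final_report": (tl.final_report, add_calendar_month(tl.aware)),
    }
    verdicts = {}
    for stage, (sent, deadline) in due.items():
        if sent is None:
            verdicts[stage] = "missing" if now > deadline else "open"
        else:
            verdicts[stage] = "met" if sent <= deadline else "late"
    return verdicts

# Constructed sample incident: awareness at 09:00 UTC on 31 January 2024.
SAMPLE = IncidentTimeline(
    aware=datetime(2024, 1, 31, 9, 0, tzinfo=timezone.utc),
    early_warning=datetime(2024, 2, 1, 8, 30, tzinfo=timezone.utc),  # 23.5 h: met
    notification=datetime(2024, 2, 3, 10, 0, tzinfo=timezone.utc),   # 73 h: late
    final_report=datetime(2024, 2, 28, 17, 0, tzinfo=timezone.utc),  # due 29 Feb: met
)
```

Run `check_reporting_clock(SAMPLE, now)` with the audit date as `now`; a stage that is "late" or "missing" is a finding against the Article 23 clock.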
Business continuity, supply chain and training
Business continuity & backup — don't accept the plan; ask for evidence of the last test, including a restore test. An untested backup is a finding waiting to happen.
Supply-chain security — supplier risk assessments and security requirements in contracts. Sample key suppliers and check the security terms are real and monitored, not boilerplate.
Cyber hygiene & training — training records for staff, with completion tracked. And — see below — for the management body specifically.
Vulnerability handling — evidence of a process to receive, triage and remediate vulnerabilities, with timelines that track to risk.
The responsible person — management-body accountability
NIS2 is unusual and strict here. Article 20 places accountability explicitly on the management body: they must approve the cybersecurity risk-management measures, oversee their implementation, and undergo training to gain enough knowledge to identify risks and assess management practices.
Tech-only audit: The audit covers the technical controls thoroughly and concludes "largely compliant" — but never asks the board for anything. The single most distinctive NIS2 obligation went untested.
Includes Art. 20: The auditor obtains the board minutes approving the risk-management measures (dated), and the training records showing directors completed cyber-risk training. Finding: measures approved, but no management-body training on record — a direct Article 20 gap, graded major.
EU-level scope and national transposition
NIS2 is a directive, transposed into each member state's national law. The substance of Article 21/23 is harmonised, but the precise reporting channel, the supervising authority, registration duties, and some thresholds are set nationally. This guide and the checklist track the EU-level directive; for any specific entity, confirm the national transposition that applies for country-specific channels and deadlines before relying on the generic timeline.
The NIS2 audit checklist
Everything above is the method. The NIS2 audit checklist applies it across the whole regulation — every obligation as a scored question, with suggested evidence and a finding level on each, and a Regulatory Compliance Matrix mapping every paragraph to the questions that cover it. Download the matrix and the sample free from the product page to see the coverage before you decide.