“Cyber resilience” has become one of the buzzwords of our time. What was once merely a competitive advantage has now become a legal necessity. The NIS2 Directive requires essential and important entities to close security gaps, make their processes verifiable, and prevent cyberattacks rather than merely defend against them. Under the supervisory regimes that Member States have built on the directive, many of these entities must undergo an independent audit that assesses the effectiveness and maturity of their security measures. Yet many companies find the audit process highly challenging, especially in multinational environments.
Our guide explains how to successfully pass the NIS2 audit in 7 steps and how to establish compliance as a continuous process within the organization.
#1 Project team and governance
Every project begins with assembling the right team, and the same applies to the NIS2 audit. The right mix is what matters: companies should set up a steering group consisting of, for example, IT, legal, information security, compliance, and HR. It is essential to define the role of a dedicated audit lead, who also acts as the link to executive leadership.
Several national transpositions of NIS2 require affected organizations to appoint a (Chief) Information Security Officer and to register this person with the competent authority; the directive itself obliges every in-scope entity to register and to provide the authorities with a point of contact. This individual serves as the primary contact for the authorities and is responsible for overseeing the relevant security areas and ensuring they function effectively. In most cases the role corresponds to the traditional CISO function. To avoid conflicts of interest, the position must be independent and granted sufficient authority: it should, for example, not report into the IT department whose controls it is meant to oversee.
Once responsibilities are assigned, roles and ownership must be clearly defined. Internal responsibilities and tasks can be mapped quickly using the RACI model.
To-dos:
- Appoint an Information Security Officer
- Assemble an interdisciplinary steering group (IT, Security, Legal, Compliance, HR)
- Define roles, responsibilities, and internal ownership
What is the RACI model? RACI stands for Responsible, Accountable, Consulted, and Informed, a common project management tool. Its value lies in visually mapping tasks to stakeholders: the tasks are listed along one axis, the project members along the other, and each cell records whether that person is Responsible, Accountable, Consulted, or Informed for that task. Each task should have exactly one Accountable owner. Whether in small or large projects, this approach helps make work more transparent and manageable.
#2 Timeline
Are we already required to comply? By when must the NIS2 audit be completed? These questions cannot be answered universally. Implementation of the NIS2 Directive varies by EU Member State and depends on how and when the directive is transposed into national law. Although the transposition deadline of 17 October 2024 has already passed, many Member States are lagging behind in enacting national legislation, so uncertainty persists in several jurisdictions. Once national laws enter into force, however, organizations are expected to comply immediately, leaving very limited room for last-minute action. Organizations should therefore monitor the legislative process in every Member State where they operate.
A realistic timeline should also account for preparation time — including gap analysis, implementation of security measures, and the compilation of evidence. Starting early is crucial to avoid regulatory, financial, and reputational risks.
Tip: Multinational organizations may be able to designate a lead jurisdiction and conduct a single NIS2 audit whose results are accepted for all EU locations. Because jurisdiction under NIS2 generally follows where an entity is established, this should be confirmed with the competent authorities of each affected Member State before relying on it. It is a strategic decision requiring thoughtful planning.
To-dos:
- Check the national implementation status of NIS2 in your Member State
- Involve legal and compliance early to meet legal deadlines and audit requirements
- Create a timeline with milestones
- Decide whether a lead-jurisdiction approach is feasible and, if so, define the lead jurisdiction
#3 Gap analysis
Before planning specific actions, companies must understand where they currently stand — and what their target state should be. A gap analysis compares the current state with NIS2 requirements.
The project team first reviews the NIS2 requirements against existing technical and organizational measures. But it doesn't stop at policies and processes — operational implementation must also be assessed.
Tip: A structured, risk-based approach helps set priorities. Not every gap is equally critical. Focus on those that pose the greatest risk to business continuity and compliance.
To-dos:
- Compare NIS2 requirements with existing security measures and organizational controls
- Document existing evidence, processes, and policies
- Prioritize findings and potential measures based on impact on compliance and operational stability
#4 Operational requirements
Next, the identified actions must be embedded into existing processes and structures — such as policies, change management workflows, and incident response plans. Each adjustment should clearly demonstrate how the organization translates legal requirements into practice.
This process is supported by an internal “NIS2 narrative”: a shared understanding of how the organization interprets regulatory requirements, assigns priorities, and operationalizes them. Consistency is not only valuable internally — it also matters during the audit when auditors ask about real-world implementation.
To-dos:
- Integrate NIS2 requirements into existing policies, security, and emergency processes
- Update change management processes according to the new guidelines
- Train relevant teams regularly to reinforce awareness and accountability, strengthening a NIS2-conscious corporate culture
- Check whether new processes are being implemented in a traceable and auditable manner
#5 Documentation and evidence
The NIS2 audit does not assess only the security measures themselves; it places high emphasis on transparency and evidence. Documentation of all activities contributing to cyber resilience is critical, because a control that cannot be evidenced will be treated as if it were not in place.
Security guidelines, risk assessments, training records, process descriptions, and communication paths should all be clearly documented early and maintained consistently. Good documentation reduces audit time and avoids last-minute stress.
Tip: Auditors often request a substantial amount of supporting documentation to validate statements during an official assessment. A dedicated data room for the NIS2 audit — accessible to internal and external stakeholders — simplifies the process. Engage is an ideal solution for this purpose.
To-dos:
- Maintain all security-relevant policies, procedures, and controls
- Keep evidence of tests, training, and process changes up to date
- Use a dedicated data room to facilitate auditor access
- Implement document management that tracks changes and versions automatically
#6 NIS2 audit
Preparation is half the work. If the previous steps have been completed, the path to a successful NIS2 audit is clear — now comes the final stretch.
Although each audit differs slightly, the process generally follows the same phases. It typically begins with an extensive questionnaire covering hundreds of points across policies, processes, technical controls, and organizational practices. This is followed by document uploads, interviews, opening and closing meetings, and finally the audit report including the assessment and recommendations.
Tip: Organizations should take auditors’ feedback seriously. It usually contains valuable insights for refining processes and improving evidence practices. This turns a compliance obligation into an opportunity to strengthen the organization’s security culture.
To-dos:
- Schedule interviews and review sessions with all relevant stakeholders (IT, compliance, management)
- Keep in mind that auditors have different areas of focus — adjust your explanations accordingly
- Use the audit as a feedback loop to continuously improve security and compliance processes
#7 Continuous compliance
After successfully completing the NIS2 audit, organizations shouldn’t simply file the topic away for the future. Compliance is not a one-off project — it is an ongoing responsibility and a process of continuous development.
The formula is simple: continuous monitoring, improvement, and internal audits ensure long-term readiness — and ultimately long-term cyber resilience.
To-dos:
- Establish processes for ongoing review of NIS2-related topics
- Promote a compliance-driven corporate culture: NIS2 is an ongoing necessity for security and cyber resilience
NIS2 audit mastered!
The NIS2 Directive demands more than technical security measures — it requires tangible and verifiable cyber resilience. The 7-step roadmap shows that the path doesn’t have to be daunting. In the end, there’s only one thing left to say: “We successfully passed the NIS2 audit!”
Has your organization already passed the NIS2 audit?
Katalin Jakucs