
NIS2 readiness audit

Gap analysis with remediation roadmap and prioritization.

Estimated investment

EUR 41,000

Range: EUR 24,000 - EUR 62,000

Assumptions used in this scenario

  • 80 assets
  • Process review
  • Policy set
  • 8 weeks

Context and methodology

The NIS2 Directive tightens obligations for many organisations in essential and important sectors: risk management, incident handling, supply-chain security and demonstrability move centre stage for management and oversight. An NIS2 readiness audit is not a box-ticking exercise but a structured stocktake: where you stand today, which evidence already exists, and which gaps block credible answers to internal and external stakeholders.

In practice we start by framing your organisation: industry, size, supplier structure and critical services. We then prioritise assets and data flows—typically aligned with IT, information security and business units—so everyone agrees which systems are truly business-critical and where regulatory expectations (logging, access control, patch management, and more) must be met in concrete terms.

The audit produces a gap analysis against sensible reference frameworks—such as ISO/IEC 27001 Annex A controls, BSI modules or sector-specific requirements—with mid-market feasibility in mind. Instead of abstract target catalogues you get a remediation plan with effort, ownership and sequencing: what to close first to reduce the greatest risk or unlock the strongest evidence lever.

Documentation and policies are a recurring theme: many companies have implemented point solutions but lack consistent guidelines. We recommend keeping core topics (access, change, suppliers, emergency, backup) lean yet audit-ready and tying them to real processes. That avoids paper mountains and yields a living set you can use daily and refine each year.

Technical spot checks complement the organisational view—for example IAM design, segmentation, monitoring, vulnerability management and backup/restore tests. Where needed we include cloud and SaaS configurations and shared-responsibility ownership. Findings feed prioritised recommendations that can later become concrete projects (hardening, IAM modernisation, SIEM expansion).

For management we summarise risks, regulatory relevance, estimated effort and quick wins. The cost range here reflects typical scope for mid-sized IT estates; many sites, subsidiaries or deeply integrated OT/IoT environments increase complexity. After the audit we recommend bundling work in quarterly roadmap slices and measuring progress—for example fewer critical findings or completed control tests.

If you are pursuing ISO 27001 certification or planning an external penetration test, the readiness audit works well as a precursor: you avoid duplicate effort because priorities and owners are clear early. Our security, pentesting and implementation services can follow seamlessly—contact us if you want an end-to-end plan from analysis to delivery.

Supply chains and embedded service providers matter for NIS2: contracts, SLAs, sub-processors and cloud shared responsibility must be traceable. In the readiness audit we check whether evidence (e.g. data processing agreements, technical and organisational measures at the partner) exists and how incident information flows along the chain. Where gaps remain, we spell out concrete requirements for tenders and onboarding new vendors.

Supervisory boards, executives and business units often need different levels of detail. We provide an executive summary with clear decision options and a technical annex for IT/security so budget and roadmap derive from one coherent picture. Later, cyclic updates (e.g. quarterly status reports) can reuse the same KPIs—reduced critical findings, completed control tests, rolled-out training.

Workshops and guided interviews clarify roles, RACI ownership and data classification. Many organisations underestimate how often “internal public” and “confidential” are mixed—with consequences for access models and logging duties. A lean classification with everyday examples keeps requirements practical and avoids academic models that do not fit operations.

Maturity and tooling belong together: without basic patch and entitlement management, an expensive SIEM adds little. We rank measures by impact versus effort (quick wins vs. strategic investments) and map them to your current toolchain. The result is an actionable programme aligned with staffing and budget cycles—not a theoretical target catalogue.

Reporting chains and timely notification to competent authorities are more structured under NIS2 than many legacy routines: it is not enough to detect an incident—roles, escalation paths and deadlines must be documented and practised. In the readiness audit we review playbooks, on-call reachability and interfaces to internal comms and external partners—and, where useful, how tabletop exercises sharpen workflows without blocking day-to-day operations.

A readiness audit is not a substitute for external legal advice on entity qualification, but it often prevents costly mis-investment by aligning technical and organisational measures with real risk first. We clearly separate which questions belong to legal counsel, privacy specialists or dedicated auditors, and provide the technical and process substance those stakeholders need for sound decisions.

Training and awareness are an underrated lever: hardened systems help little if staff still share sensitive data via private messengers or click fake invoices. We recommend short role-based modules (leadership, IT, business units) with realistic scenarios and light-touch validation through phishing simulations or quiz checks—without demotivating teams.

FAQ for this example

How realistic is the range for "NIS2 readiness audit"?

The range is based on typical delivery patterns and serves as a solid first estimate for budgeting and prioritization.

Which factors shift the estimate most?

Main impacts are integration depth, quality targets, data readiness and target timeline.

What should I do after reviewing this example?

Validate assumptions in a short briefing and convert them into a concrete implementation and budget path.

Typical pricing models (overview)

Comparison: typical pricing models for software and IT projects

Model | When it fits | Budget & flexibility | Typical risks
Fixed price (fixed scope) | Clearly defined scope, stable requirements, repeatable delivery. | Predictable total cost; little room for change without a change order. | Scope creep leads to change orders or quality trade-offs.
Time & Material | Discovery, legacy, evolving requirements, or close collaboration. | Maximum flexibility; budget transparent via hourly or daily rates. | Without prioritisation, effort can grow; backlog and reviews matter.
Retainer / maintenance package | Ongoing operations, updates, small features, and support. | Agreed capacity per month; predictable follow-on cost. | Large changes may still need a separate estimate.
Hybrid (milestone + T&M) | MVP or phased releases with clear go-lives, then iterate. | Core delivery fixed price; extensions on a time-and-materials basis. | Define contractually what is in scope vs. extra work.

Calculators on this page provide indicative ranges; we choose the right model with you based on risk, scope, and planning horizon.

Costs & next steps

The ranges shown are indicative. For a binding quote we discuss scope, priorities and funding options in a free intro call. Many digitalization projects qualify for grants – try our funding calculator.

Browse all cost calculators, explore services and typical solutions. Questions about Security Audit? Contact us.

Next Step

Need a custom cost estimate for your project?

We provide a realistic effort estimate based on your specific requirements.

30 min strategy call – 100% free & non-binding