NIS2 readiness audit
Gap analysis with remediation roadmap and prioritization.
Estimated investment
EUR 41,000
Range: EUR 24,000 - EUR 62,000
Assumptions used in this scenario
- 80 assets
- Process review
- Policy set
- 8 weeks
Context and methodology
The NIS2 Directive raises the bar for many organisations in key sectors. Risk management, incident handling, supply-chain security and evidence requirements are now front and centre for leadership and oversight. An NIS2 readiness audit is not a checkbox exercise. It is a structured status check: where you stand today, what evidence already exists, and which gaps block clear answers to internal and external stakeholders.
In practice we start by understanding your organisation: industry, size, supplier structure and critical services. We then rank assets and data flows by importance. This is done together with IT, security and business teams. The goal is shared clarity on which systems are truly business-critical and where rules on logging, access control and patch management must be met.
The audit delivers a gap analysis against proven reference frameworks. These include ISO/IEC 27001 Annex A controls, BSI modules and sector-specific rules — all with practical mid-market scope in mind. Instead of abstract target lists, you get a concrete action plan with effort, ownership and order: what to fix first to cut the biggest risk or meet the most demanding evidence requirement.
Documentation and policies come up in almost every audit. Many companies have put individual measures in place but lack consistent written guidelines. We recommend keeping core topics lean but audit-ready: access, change management, suppliers, emergency procedures and backup. Policies should tie to real day-to-day processes. That avoids paper mountains and creates a working set you can update each year.
Technical spot checks round out the organisational view. We look at access management design, network segmentation, monitoring, vulnerability handling and backup/restore tests. Where needed, we include cloud and SaaS configurations and clarify who owns what in a shared-responsibility model. All findings feed into ranked recommendations. These can later become concrete projects: hardening, access management improvements or SIEM expansion.
For management we summarise risks, regulatory relevance, estimated effort and quick wins. The cost range here covers typical mid-sized IT environments. Multiple sites, subsidiaries or complex OT/IoT setups will increase scope. After the audit we recommend grouping work into quarterly roadmap blocks. Progress is tracked via clear metrics — for example, fewer critical findings or completed control tests.
If you plan to pursue ISO 27001 certification or an external penetration test, the readiness audit is a good first step. Priorities and owners are clear early, so you avoid doing the same work twice. Our security, pentesting and implementation services can follow on directly. Get in touch if you want a full plan from analysis through to delivery.
Supply chains and third-party providers are a key focus in NIS2. Contracts, SLAs, sub-processors and cloud shared-responsibility arrangements must all be traceable. In the readiness audit we check whether the right evidence exists — such as data processing agreements and security measures at partner level. We also review how incident information travels along the chain. Where gaps exist, we define clear requirements for future tenders and vendor onboarding.
Boards, executives and business units often need different depths of information. We deliver an executive summary with clear decision options and a technical annex for IT and security teams. Both draw from the same overall picture, so budget decisions and the roadmap stay aligned. Later, regular updates — for example quarterly status reports — can use the same metrics: reduced critical findings, completed control tests and completed training.
Workshops and guided interviews clarify roles, responsibilities and data classification. Many organisations mix up what counts as internal versus confidential. This has real effects on access design and logging requirements. A simple classification using everyday examples keeps things practical. It avoids complex models that look good on paper but do not fit how the business actually works.
Maturity level and tooling must match. Without solid patch management and access control basics, an expensive SIEM adds little value. We rank each measure by impact and effort — separating quick wins from longer-term investments. We also map each measure to your current tools. The result is a practical programme that fits your team size and budget cycle — not a wishlist.
Under NIS2, incident reporting chains and deadlines are more structured than before. Detecting an incident is not enough — roles, escalation paths and deadlines must be written down and practised. In the readiness audit we review response playbooks, on-call availability and links to internal communications and external partners. Where useful, we also look at how tabletop exercises can sharpen your response without disrupting daily operations.
A readiness audit is not a replacement for legal advice on whether your organisation falls under NIS2. But it often prevents costly wrong investments. It aligns security measures with real risks before you spend money. We clearly separate which questions belong to lawyers, data protection specialists or dedicated auditors. We supply the technical and process detail those experts need to make sound decisions.
Training and awareness are often underestimated. Strong technical controls help little if staff still share sensitive data via personal messaging apps or click on fake invoices. We recommend short, role-based training modules for leadership, IT and business teams. Scenarios should be realistic. Progress can be checked lightly — for example via phishing simulations or short quizzes — without putting pressure on your team.
FAQ for this example
How realistic is the range for "NIS2 readiness audit"?
The range is based on typical delivery patterns and serves as a solid first estimate for budgeting and prioritization.
Which factors shift the estimate most?
Main impacts are integration depth, quality targets, data readiness and target timeline.
What should I do after reviewing this example?
Validate assumptions in a short briefing and convert them into a concrete implementation and budget path.
Typical pricing models (overview)
| Model | When it fits | Budget & flexibility | Typical risks |
|---|---|---|---|
| Fixed price (fixed scope) | Clearly defined scope, stable requirements, repeatable delivery. | Predictable total cost; little room for change without a change order. | Scope creep leads to change orders or quality trade-offs. |
| Time & Material | Discovery, legacy, evolving requirements, or close collaboration. | Maximum flexibility; budget transparent via hourly or daily rates. | Without prioritisation, effort can grow—backlog and reviews matter. |
| Retainer / maintenance package | Ongoing operations, updates, small features, and support. | Agreed capacity per month; predictable follow-on cost. | Large changes may still need a separate estimate. |
| Hybrid (milestone + T&M) | MVP or phased releases with clear go-lives, then iterate. | Core delivery fixed price; extensions on a time-and-materials basis. | Define contractually what is in scope vs. extra work. |
Calculators on this page provide indicative ranges; we choose the right model with you based on risk, scope, and planning horizon.
Costs & next steps
The ranges shown are indicative. For a binding quote we discuss scope, priorities and funding options in a free intro call. Many digitalization projects qualify for grants – try our funding calculator.