Regő Botond Ronyecz

How to Prepare for an NIS2 Audit Without Spending €10,000

The invoice from the compliance consultant sits on your desk. €10,000 for a two-week NIS2 readiness assessment. They'll produce a gap analysis document, a remediation roadmap, and a binder of evidence templates. Then they leave, and your team has to implement everything anyway.

Most SMBs under NIS2 don't need a consultant for the initial audit preparation. They need a structured process, the right documentation, and automated evidence collection running before the auditor arrives. That's what this guide covers.


Who NIS2 Actually Applies To

NIS2 (EU Directive 2022/2555) replaced the original NIS Directive in January 2023 and expanded scope significantly. If you've been told you're out of scope, verify before assuming.

The directive applies to organizations in the EU — or organizations outside the EU providing services to EU member states — that fall into two categories:

Essential Entities — energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, space.

Important Entities — postal and courier services, waste management, chemicals, food, manufacturing of critical products, digital providers (search engines, online marketplaces, social networks), research.

Size thresholds: medium-sized companies (50+ employees or €10M+ turnover) in these sectors fall under NIS2 automatically. Smaller companies may be included if they're deemed critical by a national authority.

Member states were required to transpose NIS2 into national law by October 2024. Enforcement timelines vary by country, but audits are active. The fines are not symbolic: up to €10,000,000 or 2% of global annual turnover for essential entities, up to €7,000,000 or 1.4% of turnover for important entities.


What Auditors Are Actually Looking For

NIS2 audits are not primarily about technology. They're about documented evidence of ongoing security management. The distinction matters because it changes how you prepare.

An auditor doesn't need to see a perfect security stack. They need to see:

  1. That you've identified your risks
  2. That you have controls in place for those risks
  3. That you're continuously monitoring those controls
  4. That you can prove all of the above with timestamped documentation

The critical phrase is continuous monitoring. Point-in-time assessments — "we ran a scan last month and everything was fine" — do not satisfy NIS2 requirements. You need evidence of ongoing surveillance with a documented audit trail.

This is where most SMBs fail the first audit cycle. Not because their security is bad, but because they have no proof it's been consistently maintained.


The Seven Control Areas Under Article 21

Article 21 of NIS2 defines the technical and organisational measures required. Here's what each one means in practice for an SMB.

1. Risk Analysis and Information System Security Policies

What auditors want: A written risk assessment that identifies your key assets, threats, and existing controls. Updated at least annually or after significant changes.

Minimum viable approach: A documented risk register in a spreadsheet. For each asset (domain, server, application, employee data), list the threat, likelihood, impact, and current control. It doesn't have to be elaborate — it has to exist and be dated.

Common failure: A risk assessment that was done once during onboarding and never touched again.

2. Incident Handling

What auditors want: A documented incident response procedure. Evidence that it's been tested. A log of past incidents and how they were handled.

Minimum viable approach:

  • A written IRP (Incident Response Plan) — even a 3-page document covering detection, containment, notification, and recovery
  • Tabletop exercise logs (a simulated discussion counts)
  • An incident register — even if it just shows "no incidents in 12 months" with dated entries

NIS2-specific requirement: Significant incidents must be reported to the relevant national CSIRT within 24 hours of detection, with a full report within 72 hours. Your IRP must document this notification pathway.

3. Business Continuity

What auditors want: Backup procedures, disaster recovery plans, crisis management documentation.

Minimum viable approach: Documented backup schedule with verification logs showing backups are tested (not just run). A basic RTO/RPO statement. Business continuity contact list.

4. Supply Chain Security

What auditors want: Evidence that you've assessed the security posture of third-party providers — cloud, SaaS, infrastructure, payment processors.

Minimum viable approach: A vendor register with security assessment notes. For critical vendors, evidence of their certifications (ISO 27001, SOC2) or answers to a security questionnaire.

This is a growing focus area. Auditors know that SMBs are rarely compromised directly — they're compromised through a supplier.

5. Security in Network and Information Systems Acquisition, Development, and Maintenance

What auditors want: Secure development practices, patch management documentation, configuration standards.

Minimum viable approach: A documented patch management policy (how quickly critical patches are applied, who is responsible). Evidence of patch application — even a changelog or ticket log.

6. Policies and Procedures to Assess Effectiveness of Cybersecurity Risk Management

What auditors want: Evidence that you're measuring whether your controls work. Vulnerability assessments, penetration test results, or continuous monitoring output.

Minimum viable approach: Automated scanning output with timestamps. Vulnerability assessment results with documented remediation. This is where continuous DNS and email security monitoring becomes direct audit evidence.

7. Basic Cyber Hygiene Practices and Cybersecurity Training

What auditors want: Employee security training records. Evidence that staff know what phishing is, how to report incidents, and what the security policies are.

Minimum viable approach: Training attendance records or completion certificates. Annual security awareness program. Phishing simulation results are a strong positive signal.


The Evidence Collection Problem

The reason NIS2 audit preparation costs €10,000 when you hire a consultant is that 60–70% of that time is spent on evidence collection — pulling logs, chasing down configuration screenshots, compiling historical records that should have been captured automatically.

If you build the evidence collection process before the audit cycle starts, you eliminate most of that cost.

Here's what continuous evidence looks like per control area:

| Control Area | Evidence Type | Collection Method |
|---|---|---|
| Risk Assessment | Dated risk register | Version-controlled document |
| Incident Handling | Incident log, IRP version history | Ticketing system or spreadsheet |
| Business Continuity | Backup verification logs | Automated backup tool output |
| Supply Chain | Vendor register, security questionnaire responses | Spreadsheet, email archives |
| Network Security | Patch logs, config audit trails | IT management tool exports |
| Control Effectiveness | Scan results, monitoring alerts | Continuous monitoring platform |
| Cyber Hygiene | Training records | LMS export or attendance sheets |

The control effectiveness column is where most SMBs have the biggest gap. You need timestamped, automated output showing that your network and information systems are being monitored — not a screenshot taken the week before the audit.


Step-by-Step: The 8-Week NIS2 Audit Prep Plan

This assumes you have 8 weeks before your audit and no existing compliance program. Adjust timelines if you have more time.

Week 1–2: Scoping and Gap Analysis

Day 1–3: Confirm scope. Are you an essential or important entity under your member state's transposition? Which services and infrastructure does NIS2 cover for your organization?

Day 4–7: Run a gap assessment against Article 21. For each of the seven control areas, rate your current state:

0 = Nothing exists
1 = Informal practice, undocumented
2 = Documented but not maintained
3 = Documented, maintained, no continuous evidence
4 = Fully documented, continuously monitored, audit-ready

Anything below 3 is a gap. Anything below 4 in the network security and control effectiveness areas is a significant gap for NIS2.

Day 8–14: Prioritize gaps by audit risk. Undocumented incident response and missing continuous monitoring evidence are the two highest-risk gaps. Start there.

Week 3–4: Policy Documentation Sprint

Write the minimum viable versions of:

  • Information Security Policy (1–2 pages): scope, objectives, roles, responsibilities
  • Incident Response Plan (2–3 pages): detection → containment → notification → recovery, including CSIRT notification pathway
  • Business Continuity Plan (1–2 pages): backup schedule, RTO/RPO targets, contact tree
  • Patch Management Policy (1 page): classification of patch severity, response timelines, owner

These don't need to be elaborate. They need to exist, be dated, be signed by management, and be versioned.

Use a shared document system (Google Workspace, Confluence, SharePoint) so version history is automatic. The version history itself becomes audit evidence.

Week 5–6: Technical Controls and Continuous Monitoring

This is the phase most SMBs underestimate. You need automated, continuous monitoring in place — not just a one-time scan.

DNS and email security monitoring:

NIS2 Article 21 explicitly includes network security. For most SMBs, DNS is the most exposed and least monitored layer. Your DNSSEC validation status, SPF/DKIM/DMARC configuration, blacklist standing, and NS record integrity all need continuous monitoring with a documented history.

Manual checks don't satisfy the "continuous monitoring" standard. You need a system that runs automatically, logs results with timestamps, and sends alerts when something changes.

ZeroHook was built specifically for this — continuous DNS and email security monitoring with compliance-mapped reports for NIS2, ISO 27001, and GDPR. The audit log is tamper-proof and hash-verified, which is exactly the kind of evidence an NIS2 auditor is looking for: zerohook.org
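To make the "continuous monitoring with a documented history" requirement concrete, here is an added example of the shape such a monitor takes. It is not ZeroHook's code and not from the original post. It runs the checks the post names (NS record integrity, SPF presence and hard-fail policy, DMARC policy), compares each run with the previous one, alerts on any change or weak posture, and appends every run to a hash-chained log so that a later edit to an earlier entry is detectable. The zone data is constructed (example.test is a placeholder), and `make_lookup` stands in for a real resolver; in production you would wire in dnspython or similar and run this on a schedule.

```python
"""Continuous DNS/email-security monitor with a hash-chained audit log (added example)."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample records (assumption: example.test is a placeholder, not a real zone).
SAMPLE_ZONE = {
    ("example.test", "NS"): ["ns1.example.test.", "ns2.example.test."],
    ("example.test", "TXT"): ["v=spf1 include:_spf.mailprovider.test -all"],
    ("_dmarc.example.test", "TXT"): ["v=DMARC1; p=reject; rua=mailto:dmarc@example.test"],
}
# A second, constructed observation in which one NS record has changed.
CHANGED_ZONE = dict(SAMPLE_ZONE)
CHANGED_ZONE[("example.test", "NS")] = ["ns1.example.test.", "ns3.example.test."]


def make_lookup(zone):
    """Return lookup(name, rrtype) backed by a constructed zone dict.
    A real deployment swaps this for an actual DNS resolver."""
    return lambda name, rrtype: list(zone.get((name, rrtype), []))


def check_domain(domain, lookup):
    """Run one round of checks and return a plain dict of findings."""
    findings = {"ns": sorted(lookup(domain, "NS"))}
    spf = [r for r in lookup(domain, "TXT") if r.lower().startswith("v=spf1")]
    findings["spf_present"] = len(spf) == 1          # exactly one SPF record is valid
    findings["spf_hard_fail"] = bool(spf) and spf[0].split()[-1] == "-all"
    dmarc = [r for r in lookup(f"_dmarc.{domain}", "TXT") if r.upper().startswith("V=DMARC1")]
    policy = None
    if dmarc:
        tags = dict(kv.strip().split("=", 1) for kv in dmarc[0].split(";") if "=" in kv)
        policy = tags.get("p")
    findings["dmarc_policy"] = policy
    return findings


def compare(previous, current):
    """Alert on any changed finding and on any posture that is weak in itself."""
    alerts = []
    if previous is not None:
        for key, value in current.items():
            if previous.get(key) != value:
                alerts.append(f"{key} changed: {previous.get(key)!r} -> {value!r}")
    if not current["spf_present"]:
        alerts.append("SPF record missing or duplicated")
    elif not current["spf_hard_fail"]:
        alerts.append("SPF record does not end in -all")
    if current["dmarc_policy"] not in ("quarantine", "reject"):
        alerts.append(f"DMARC policy is {current['dmarc_policy']!r}, expected quarantine/reject")
    return alerts


def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append_entry(log, domain, findings, alerts, now=None):
    """Append a timestamped entry whose hash also covers the previous entry's hash."""
    ts = (now or datetime.now(timezone.utc)).isoformat()
    prev_hash = log[-1]["hash"] if log else "0" * 64
    body = {"ts": ts, "domain": domain, "findings": findings, "alerts": alerts, "prev": prev_hash}
    body["hash"] = _digest(body)
    log.append(body)
    return body


def verify_chain(log):
    """True iff every entry's hash and prev pointer are intact (no edits, no gaps)."""
    prev = "0" * 64
    for entry in log:
        if entry["prev"] != prev or _digest({k: v for k, v in entry.items() if k != "hash"}) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


def run_check(domain, lookup, log, now=None):
    """One scheduled run: check, compare with the last run for this domain, log."""
    previous = next((e["findings"] for e in reversed(log) if e["domain"] == domain), None)
    findings = check_domain(domain, lookup)
    return append_entry(log, domain, findings, compare(previous, findings), now)


if __name__ == "__main__":
    log = []
    run_check("example.test", make_lookup(SAMPLE_ZONE), log)
    entry = run_check("example.test", make_lookup(CHANGED_ZONE), log)
    print(json.dumps(entry, indent=2))
    print("chain intact:", verify_chain(log))
```

The second run produces an "ns changed" alert, and the resulting log is the kind of artefact an auditor can check: each entry carries its own timestamp and the hash of its predecessor, so the chain only verifies if nothing has been rewritten or removed. Persist the log append-only (a JSON-lines file or a write-once bucket) and export it for the evidence package.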

Vulnerability scanning:

At minimum, a monthly external vulnerability scan of your public-facing assets. Most SMBs can use a lightweight tool here — Tenable Nessus Essentials (free), OpenVAS, or the vulnerability scanning features built into many cloud platforms.

Document what you scan, when you scan it, what findings came back, and what you did with them.

Patch verification:

Start keeping a simple patch log. For each patch applied: date, system, patch ID or CVE number, applied by. A spreadsheet is sufficient.

Week 7: Vendor and Supply Chain Assessment

Pull your vendor list. For each vendor that has access to your systems or data, document:

  • What data or systems they have access to
  • What security certifications they hold (ISO 27001, SOC2, etc.)
  • When you last reviewed their security posture
  • Your contractual data processing terms with them

For critical vendors, request their latest security certification or send a basic questionnaire. The fact that you asked — documented in an email thread — is itself evidence of supply chain due diligence.

Week 8: Audit Readiness Review

Compile your evidence package:

/NIS2-Evidence/
  /01-Risk-Assessment/
    risk-register-v3-2024-10-15.xlsx
  /02-Policies/
    information-security-policy-v2.pdf
    incident-response-plan-v1.pdf
    patch-management-policy-v1.pdf
  /03-Monitoring-Logs/
    dns-monitoring-export-Q4-2024.pdf
    vulnerability-scan-october-2024.pdf
    patch-log-2024.xlsx
  /04-Incident-Register/
    incident-log-2024.xlsx
  /05-Training-Records/
    security-awareness-completions-2024.pdf
  /06-Vendor-Register/
    vendor-security-register.xlsx

Date and version everything. Auditors look for consistency across documents — if your policy says patches are applied within 7 days for critical vulnerabilities, your patch log should confirm that.
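The policy-versus-log consistency check described above can be automated. The following is an added example, not from the original post: it reads a patch log in the column layout the post suggests (date, system, patch ID or CVE, applied by) extended with a severity and the date the patch became available, then measures every entry against per-severity response timelines. The SLA table and the sample rows are constructed assumptions; the identifiers are placeholders, not real advisories.

```python
"""Check a patch log against the response timelines a patch policy states (added example)."""
import csv
import io
from datetime import date

# Assumption: timelines as a patch-management policy might state them (days from availability).
POLICY_SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}

# Constructed sample log; patch IDs are placeholders, not real advisories.
SAMPLE_PATCH_LOG = """\
available,applied,system,patch_id,severity,applied_by
2024-10-01,2024-10-05,web-01,KB-PLACEHOLDER-1,critical,alice
2024-10-01,2024-10-12,db-01,CVE-PLACEHOLDER-2,critical,bob
2024-09-15,2024-10-20,mail-01,CVE-PLACEHOLDER-3,high,alice
2024-10-03,,vpn-01,CVE-PLACEHOLDER-4,critical,
"""


def parse_patch_log(text):
    """Parse the CSV; an empty 'applied' cell means the patch is still outstanding."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["available"] = date.fromisoformat(row["available"])
        row["applied"] = date.fromisoformat(row["applied"]) if row["applied"] else None
        row["severity"] = row["severity"].strip().lower()
        rows.append(row)
    return rows


def evaluate(rows, policy, as_of):
    """Label each row ok / late / open / open-overdue relative to the policy timeline."""
    results = []
    for row in rows:
        sla = policy.get(row["severity"])
        if sla is None:
            results.append({**row, "status": "unknown-severity", "days": None})
            continue
        days = ((row["applied"] or as_of) - row["available"]).days
        if row["applied"] is None:
            status = "open-overdue" if days > sla else "open"
        else:
            status = "ok" if days <= sla else "late"
        results.append({**row, "status": status, "days": days})
    return results


def summarize(results):
    """Count of entries per status; anything but ok/open is a policy deviation to explain."""
    counts = {}
    for r in results:
        counts[r["status"]] = counts.get(r["status"], 0) + 1
    return counts


def run_sample(as_of_iso="2024-10-15"):
    """Evaluate the constructed log as of a given date (helper so the example runs stand-alone)."""
    return evaluate(parse_patch_log(SAMPLE_PATCH_LOG), POLICY_SLA_DAYS, date.fromisoformat(as_of_iso))


if __name__ == "__main__":
    results = run_sample()
    for r in results:
        print(f"{r['system']:8} {r['patch_id']:20} {r['severity']:9} {r['status']:13} {r['days']}")
    print(summarize(results))
```

Run this before the readiness review, not during the audit: every "late" or "open-overdue" row is either a policy deviation you should already have a written exception for, or a sign that the policy's timelines are not what your team actually does and the document needs revising.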

Run a mock interview. Have someone unfamiliar with the day-to-day security operations ask the questions an auditor would ask. Where you stumble is where you need more documentation.
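Once the evidence package is compiled, a manifest lets you show that nothing in it changed between compilation and the audit, and it catches the "date and version everything" rule being missed. The following is an added example, not from the original post: it hashes every file under the evidence tree shown above, records size and modification time, and flags names that carry neither a version tag nor a date. The directory layout is the post's; the naming rule (a `-vN` tag, a `YYYY-MM-DD` date, a `Qn-YYYY` quarter, or a four-digit year) and the placeholder file contents are assumptions.

```python
"""Hash manifest and naming check for an NIS2 evidence package (added example)."""
import hashlib
import json
import os
import re
import tempfile
from datetime import datetime, timezone

# File layout from the post's evidence tree; contents written by create_sample_package are placeholders.
SAMPLE_TREE = [
    "01-Risk-Assessment/risk-register-v3-2024-10-15.xlsx",
    "02-Policies/information-security-policy-v2.pdf",
    "02-Policies/incident-response-plan-v1.pdf",
    "02-Policies/patch-management-policy-v1.pdf",
    "03-Monitoring-Logs/dns-monitoring-export-Q4-2024.pdf",
    "03-Monitoring-Logs/vulnerability-scan-october-2024.pdf",
    "03-Monitoring-Logs/patch-log-2024.xlsx",
    "04-Incident-Register/incident-log-2024.xlsx",
    "05-Training-Records/security-awareness-completions-2024.pdf",
    "06-Vendor-Register/vendor-security-register.xlsx",
]

# Assumption: a file name counts as versioned if it carries a -vN tag, a date, a quarter, or a year.
VERSIONED = re.compile(r"(-v\d+\b|\d{4}-\d{2}-\d{2}|\bQ[1-4]-\d{4}\b|\b(19|20)\d{2}\b)")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """One entry per file: relative path, SHA-256, size, mtime, and the naming-rule verdict."""
    entries = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            entries.append({
                "path": os.path.relpath(path, root).replace(os.sep, "/"),
                "sha256": sha256_file(path),
                "size": st.st_size,
                "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                "versioned": bool(VERSIONED.search(name)),
            })
    entries.sort(key=lambda e: e["path"])
    return {"generated": datetime.now(timezone.utc).isoformat(), "files": entries}


def unversioned_files(manifest):
    return [e["path"] for e in manifest["files"] if not e["versioned"]]


def verify_manifest(root, manifest):
    """List files that were modified, removed, or added since the manifest was generated."""
    current = {e["path"]: e["sha256"] for e in build_manifest(root)["files"]}
    recorded = {e["path"]: e["sha256"] for e in manifest["files"]}
    problems = [f"missing: {p}" for p in recorded if p not in current]
    problems += [f"modified: {p}" for p, h in recorded.items() if p in current and current[p] != h]
    problems += [f"unexpected: {p}" for p in current if p not in recorded]
    return sorted(problems)


def create_sample_package(root):
    """Write placeholder files laid out like the post's evidence tree (constructed content)."""
    for rel in SAMPLE_TREE:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(f"placeholder content for {rel}\n")


def demo():
    """Build a package in a temp dir, generate the manifest, then simulate a post-sign-off edit."""
    root = tempfile.mkdtemp(prefix="nis2-evidence-")
    create_sample_package(root)
    manifest = build_manifest(root)
    before = verify_manifest(root, manifest)
    with open(os.path.join(root, SAMPLE_TREE[0]), "a") as f:
        f.write("edited after manifest\n")
    after = verify_manifest(root, manifest)
    return {"unversioned": unversioned_files(manifest), "before": before, "after": after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Store the manifest alongside the package (and a copy somewhere the package's editors cannot reach); re-running `verify_manifest` on audit day gives the auditor a checkable statement that the evidence is what was compiled in week 8. On the sample tree the naming check flags only `vendor-security-register.xlsx`, which is exactly the kind of undated file that invites the question "which version is this?".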


What Continuous Monitoring Evidence Looks Like to an Auditor

This is worth dwelling on because it's the part most SMBs get wrong.

A PDF report generated on the day before the audit does not demonstrate continuous monitoring. An auditor knows you can produce a clean point-in-time scan whenever you want.

What demonstrates continuous monitoring:

  • Timestamped alert history — showing that when something changed (an NS record, a blacklist status, an SSL certificate approaching expiry), you were notified and responded
  • Trend data — 90 days of email deliverability scores showing consistent SPF/DKIM/DMARC compliance, not just a clean result on audit day
  • Remediation records — evidence that when monitoring flagged an issue, it was investigated and resolved with a documented timeline

This is the gap that automated monitoring platforms close. The output isn't just operational value — it's audit evidence in the form auditors actually recognize.


The Costs of DIY vs. Consultant, Broken Down

| Task | Consultant | DIY (this guide) |
|---|---|---|
| Gap assessment | €2,000–€3,000 | 8–12 hours internal |
| Policy documentation | €2,000–€3,000 | 12–20 hours internal |
| Evidence collection setup | €1,500–€2,000 | €49–€499/month tool cost |
| Technical monitoring | €1,000–€2,000 | Included in monitoring tool |
| Audit readiness review | €1,000–€2,000 | 4–6 hours internal |
| Total | €7,500–€12,000 | €500–€2,000/year |

The consultant is delivering a time-compressed version of what a structured internal process produces over 8 weeks. If you have the time, the process is learnable.

Where a consultant genuinely adds value: if you're a large essential entity with complex infrastructure and multiple business units, or if you're facing an enforcement action and need independent verification. For a 50–200 person SMB doing first-time NIS2 preparation, the consultant is mostly billing for documentation work your team can do.


TL;DR

  • Confirm your scope first — NIS2 applies to medium-sized companies in covered sectors; size thresholds catch more organizations than expected
  • Auditors want continuous evidence, not point-in-time snapshots — a scan done the week before your audit proves nothing; automated monitoring with historical logs does
  • Article 21 has seven control areas — risk assessment, incident handling, business continuity, supply chain, system security, control effectiveness measurement, and cyber hygiene training
  • 8 weeks is enough time to get audit-ready — gap assessment → policy sprint → technical controls → vendor register → evidence package
  • Evidence collection is where the cost lives — automated DNS, email, and infrastructure monitoring produces the timestamped audit trail you need without manual effort
  • The consultant invoice is usually documentation labor — with a structured process and the right tools, most SMBs can prepare in-house for under €2,000 in tool costs

Part of an ongoing series on compliance and DNS security.