How to prepare for NIS2 compliance audits

April 2024

If your organization falls within the scope of the NIS2 Directive, you should prepare for the possibility of a supervisory visit by the competent authority.

If you are an essential entity, you will be subject to proactive (ex-ante) supervision: inspections can be scheduled at regular intervals or at random, regardless of whether an incident has occurred. You will typically receive a letter from the competent authority about two weeks before the scheduled audit date informing you of the upcoming inspection (and possibly of the specific subject areas it will examine).

If you are an important entity, you will only be inspected ex-post—i.e., after an incident has occurred.

Regardless of whether your organization qualifies as an essential or an important entity, there are concrete actions you can take to prepare for the inspection and support a positive outcome.

This blog post gives you recommendations on how to approach a compliance audit – before, during, and after the inspection date.

Tips for a successful NIS2 compliance inspection

Before the inspection

  1. First, you should inform management and the relevant internal business units of the upcoming audit and its nature, scope, and date.
  2. Then, you should form a team of those who will be responsible for preparing for and participating in this cybersecurity audit.
  3. These people should be appropriately trained to be aware of their role in this upcoming inspection. Moreover, you might want to ensure the availability of additional subject matter experts on the inspection date so that you can involve them should the competent authority wish to discuss their specific areas of responsibility in more detail.
  4. Finally, perform a gap analysis by reviewing your documents and looking for possible deficiencies. If you identify areas in need of improvement, take the necessary corrective measures. If it is not feasible to fully correct such deficiencies before the inspection date, prepare descriptive documentation of the issues you encountered and the actions you have taken so far to address them.

During the inspection

  1. On the date of the inspection, agree upfront with the auditors on the duration of the audit, its scope, and the agenda for the day, so that everyone is aligned on how to proceed.
  2. Prepare a short and concise presentation to introduce your company and the nature of your business to the competent authority. That is the first step in helping them understand whether the cybersecurity measures you have implemented are appropriate and proportionate to your organization—and, ultimately, whether you are meeting the NIS2 Directive requirements or not. The presentation should show that you have identified the services critical to society that you provide, the assets needed to provide them, the measures implemented to protect them, the vendors you rely on for the provision of your services, the customer segments using your services, and the delivery channels through which you provide them. To help you do that successfully, our Compliance Manager at Secomea prepared a template including all these elements. You can download it here and update it with your company information. If you present the competent authorities with such an overview, you will be off to a great start and give a positive first impression. Besides using it as part of your compliance documentation in case of an inspection, you can also rely on it as an excellent instrument to kick off your internal NIS2 compliance project.
  3. Make sure to have at hand all of the documentation you have prepared to present during the audit. This documentation should show how you assess risks, detect threats, protect assets, and respond to incidents – and should demonstrate the involvement of C-level management in all of your decisions. If you have chosen an international security framework to adhere to, provide documentation on it: adherence to a recognized framework represents a structured approach to working with security and is a good way to show progress. If your gap analysis revealed deficiencies, provide documentation about their identification and your plan to address them.

After the inspection

The inspection outcome will vary depending on your preparedness and NIS2 compliance level.

When exercising their enforcement powers, competent authorities will consider the particular circumstances of each case, such as the nature, gravity, and duration of the infringement, the damage caused or losses incurred, and the intentional or negligent character of the infringement.

Authorities' findings and their consequences:

  1. Finding: There is no trace of NIS2 being known within your organization; you have completely ignored the enforcement of the NIS2 Directive.
     Consequence: You will likely be issued heavy fines.
  2. Finding: You have done the bare minimum; you might have implemented just a few cybersecurity measures, but your overall risk assessment and risk management strategy are still behind in achieving full NIS2 compliance.
     Consequence: You will probably be issued fines proportionate to your infringements and given a deadline to implement the necessary improvements.
  3. Finding: You have tried to achieve compliance to the best of your ability, but deficiencies have been uncovered.
     Consequence: The authorities will likely not issue a fine but will engage in a dialogue with you to point out the areas needing improvement, and they will set a deadline for you to implement such improvements. If that happens, make sure to put the required measures in place within the set deadline to avoid the issuance of fines.
  4. Finding: You have followed all the necessary steps and implemented best practices.
     Consequence: If the authorities assess that you are following industry standards and thoroughly fulfilling the NIS2 objectives and requirements, the audit will be successful.

We are here to help you make manufacturing the most secure industry in the world

To support you in achieving full compliance, we have compiled this whitepaper covering everything you need to know about the new cybersecurity legislation.

Download your copy to:

  • Learn what the NIS2 Directive is and why it was needed
  • Understand if you fall into the scope of the Directive and whether your organization is considered an essential or important entity
  • Familiarize yourself with the requirements you need to comply with
  • Discover how you can achieve full NIS2 compliance through 10 steps
  • Get support in fulfilling your NIS2 obligations by using Secomea to improve your cybersecurity