Independent NIS2 Directive Audit

Independent NIS2 Directive Audit


Cyber resilience has gradually moved from a concept with a market value to a regulatory requirement. Under Network and Information Security Directive (EU) 2022/2555 (NIS2), affected organizations are expected to identify and address security vulnerabilities, ensure process traceability, and implement a preventive and risk-based approach to cyber threats, rather than just defensive measures.


The Directive introduces the obligation for an independent assessment of the level of assurance, through which the effectiveness and maturity of the controls implemented are measured. However, for many organizations, especially with an international presence and distributed structures, the audit process remains complex and difficult to manage.

There is a significant uncertainty regarding the actual level of compliance with the requirements of the NIS2 Directive (as transposed into the amended Bulgarian Cybersecurity Act, effective from February 2026). Despite preparatory measures, organizations often lack clarity on the specific audit criteria to be applied and the methods by which performance will be assessed. This creates the perception of an inspection conducted without a sufficiently defined and transparent framework.

This uncertainty is widespread among affected entities. NIS2 represents a substantial evolution of the previous regulatory framework, introducing a broader scope, enhanced regulatory oversight and expanded enforcement mechanisms. For entities within scope, audit preparation is not limited to formal compliance with requirements, but requires clarity in operational processes, mature risk management and consistent, traceable documentation. One of the essential elements of NIS2 is the obligation to conduct periodic cybersecurity audits.


1. What is the essence of the NIS2 audit?

The NIS2 audit is a structured assessment of the implemented cybersecurity measures and processes in organizations falling within the scope of the directive. Its primary objective is to determine the level of compliance with regulatory requirements, as well as the maturity of cyber risk management and incident response capabilities.

The assessment can be performed through an internal or independent audit, depending on regulatory expectations and the organizational model. The audit evaluates the overall security posture, including managerial, technical, and organizational controls.

NIS2 audits are evolving from conceptual assessments into enforceable regulatory inspections with direct legal and financial consequences. They are focused on the actual implementation of measures, rather than their formal documentation alone.

Effective from October 2024, NIS2 introduces mandatory cybersecurity requirements for key and important entities in sectors such as energy, healthcare, finance and digital infrastructure, etc., with an emphasis on accountability, traceability and risk management.

The audit process under the requirements of NIS2 is specified in Articles 20 and 21 (internal governance and security measures) and in Articles 32 and 33 (supervisory and enforcement mechanisms). The technical requirements are further detailed in Commission Implementing Regulation (EU) 2024/2690, which empowers national authorities to conduct regular and ad hoc audits, request access to documentation and systems, and impose binding corrective measures or sanctions in the event of non-compliance.



2. Methodology and stages of the NIS2 audit process

1. Audit planning and definition:

  • Project team and governance structure
  • Audit scope
  • Audit criteria (legal requirements, standards, internal policies)
  • Audit methods (interviews, documentation review, technical validation, evidence sampling)

2. Gap analysis

The process of effective implementation of the NIS2 requirements continues with a precise assessment. Through our specialized GAP analysis, we identify the differences between your existing practices and the legal requirements. The result is a clear roadmap from the current level of protection to the desired target state, ensuring sustainable compliance and high cyber resilience. This process allows you to clearly define your goals and invest resources only in the measures that bring real added value.

ISCS experts initiate the audit process with a comprehensive assessment of organizational cyber resilience, covering all critical domains defined by the NIS2 Directive. Our methodology is designed to identify security gaps and verify alignment with applicable European regulatory standards.

Key areas of inspection include:

  1. Risk management and security policies: Assessment of the overall risk management framework and compliance of internal policies with new regulatory standards.
  2. Incident management and reporting: Verification of mechanisms for detecting, analyzing and responding to cyber threats, as well as readiness for mandatory reporting to national authorities.
  3. Business Continuity Process (BCP): Analysis of disaster recovery plans, backup management, and crisis management strategy.
  4. Supply Chain Security: Audit relationships with suppliers and partners to ensure the security of the entire operational ecosystem.
  5. Cyber hygiene and staff training: Assessment of basic cybersecurity practices and employee awareness level – a key element of NIS2 requirements.
  6. Cryptography and Access Control: Review of encryption practices and identity and access management (IAM) controls.
  7. Verification and Evaluation of Effectiveness: Validation of the actual operation of implemented controls through regular testing, measurement of Key Performance Indicators (KPI) and audits. The goal is to ensure that security measures are not only formally adopted, but also provide reliable protection in a real environment.


3. Post-audit reporting

Upon completion of the audit, you receive:

  1. NIS2 Audit Report: A clear and objective assessment of compliance status and the effectiveness of implemented security measures.
  2. Identified gaps and improvement opportunities: Specifically outlined gaps, as well as practical guidelines on where and how the level of security can be increased.
  3. Strengths and maturity level: Highlighting working practices and realistic assessment of the organization's maturity.
  4. Corrective action recommendations: Focused and actionable recommendations, sorted by priority and risk.
  5. Improvement roadmap: A structured plan to achieve and maintain sustained compliance with NIS2 requirements.


3. Why is the NIS2 audit important?

NIS2 auditing helps organizations meet regulatory requirements and effectively manage information security risks.

  • Regulatory compliance and legal certainty: A mandatory requirement arising from NIS2 is that companies conduct regular information security audits.
  • Risk reduction and resilience enhancement: Identifies security gaps and allows for timely corrective measures.
  • Verifiability and trust: Provides clear evidence for customers, partners, and regulators.
  • Continuous improvement: It creates a basis for the systematic development of security measures.
  • Management insight and decision support: Gives management a clear basis for security priorities and investments.


4. Conclusion

NIS2 auditing is a key opportunity to strengthen cybersecurity resilience and ensure regulatory readiness. With the right preparation, organizations can effectively manage risk and demonstrate compliance with confidence.

If you would like to assess your level of readiness or conduct a regular audit in line with the NIS2 Directive requirements, you may contact us via the contact form for professional consultation and clearly defined next steps.