
How to Pass a NIS2 Audit in 30 Days: A Step-by-Step Checklist

A 30-day, week-by-week NIS2 audit checklist for companies with no security team. Exactly what auditors check and how to produce the evidence.

SaaSFort

Most companies don’t fail a NIS2 audit because their security is bad. They fail because their evidence is disorganized. The auditor asks for proof of continuous monitoring and gets a six-month-old spreadsheet. This checklist fixes that in 30 days — even with no security team.

Do these three first:

  1. Run a free security scan — your A–F grade and top NIS2 gaps in under 60 seconds, no account.
  2. Download the SaaS Security Playbook 2026 — the full evidence framework behind this checklist (free PDF).
  3. See pricing — continuous, timestamped NIS2 evidence from €9/month; 14-day Growth trial, no card.

The German BSI registration deadline passed March 6, 2026 — ~18,500 of 29,000 in-scope companies missed it — and supervisory authorities are in active enforcement. Vendor re-assessments are running through Q2–Q3. Thirty days is realistic if you work the sequence below.

What a NIS2 Auditor Actually Checks

Auditors don’t grade your firewall. They verify that the ten Article 21(2) measures exist as a documented, monitored system. Five evidence categories carry the most weight:

  1. Management-approved security policy — signed and dated, not a draft
  2. Incident response plan — with a tested tabletop exercise on record
  3. Continuous monitoring evidence — timestamped scans, not point-in-time
  4. Supply chain assessment — subprocessor inventory with security notes
  5. Training records — including mandatory management training

Timestamped, automated evidence outweighs manual documentation every time. That single fact shapes the whole 30-day plan.

The 30-Day NIS2 Audit Checklist

Week 1 — Baseline and Scope (Days 1–7)

The goal this week is knowing exactly where you stand.

  • Day 1: Run an external security scan. Document the grade and every finding. This is your baseline evidence and maps directly to Article 21(2)(e/f/h).
  • Day 2: Confirm NIS2 scope (50+ employees / €10M+ revenue / regulated sector). Register with the national authority if not done — late registration is accepted and beats non-registration fines.
  • Days 3–5: Build the subprocessor inventory (Article 21(2)(d)) — every SaaS tool, cloud provider, and payment processor with data-access level noted.
  • Days 6–7: Gap analysis against the NIS2 Article 21 self-audit Excel. Mark each of the 10 measures: in place / partial / missing.

Week 2 — Governance and Policy (Days 8–14)

Auditors open with governance. Weak governance fails the audit before the technical review starts.

  • Days 8–10: Write the information security policy (Article 21(2)(a)): 8 pages, written honestly, covering risk methodology, roles and review cadence.
  • Day 11: Get written management approval. An unsigned policy is formally invalid — this is the single most common audit failure.
  • Days 12–14: Document business continuity (Article 21(2)(c)) — RTO/RPO per critical system, backup encryption, and run one test restore.

Week 3 — Incident Response and Supply Chain (Days 15–21)

  • Days 15–17: Write the incident response plan (Article 21(2)(b)) with the 24h / 72h / 1-month notification chain. Use the free incident-readiness bundle as starting templates.
  • Day 18: Run a tabletop exercise. Document participants, scenario, decisions, timing. The record is the evidence auditors want.
  • Days 19–21: Send security documentation requests to critical suppliers; add NIS2 clauses to vendor contracts.

Week 4 — Technical Controls and Evidence Chain (Days 22–30)

  • Days 22–24: Enforce MFA on all admin and privileged accounts (Article 21(2)(j)). Document the policy and exceptions.
  • Days 25–26: Run an access review (Article 21(2)(i)); document the offboarding process.
  • Days 27–29: Set up weekly automated scans. This is what satisfies Article 21(2)(f) — continuous effectiveness, not a one-off. Wire alerts for cert expiry and header changes.
  • Day 30: Compile the evidence package: policy + approval, IR plan + tabletop record, scan history, subprocessor list, training records. One folder, indexed by Article 21 measure.
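As an added example (not part of the original checklist or SaaSFort's tooling), here is a minimal weekly evidence record in Python for the Days 27–30 steps: it flags approaching certificate expiry, diffs this week's security headers against last week's so a silently dropped header raises an alert, and tags the record with the Article 21(2)(f) measure so it can be filed in the Day 30 evidence folder. The required-header list, the 14-day alert threshold and the two header snapshots are constructed assumptions, not real scan output.

```python
"""Added example: one weekly, timestamped evidence record for the Week 4 scan chain."""
import json
from datetime import datetime, timezone

# Standard security response headers the weekly scan expects to see (assumed checklist).
REQUIRED_HEADERS = ("strict-transport-security", "content-security-policy",
                    "x-content-type-options", "x-frame-options")
MEASURE = "Article 21(2)(f)"   # continuous effectiveness assessment, the measure this record supports
CERT_ALERT_DAYS = 14           # assumed alert threshold; tune to your renewal cadence

def normalize(headers):
    """Lower-case header names so snapshots taken by different tools compare cleanly."""
    return {name.lower(): value for name, value in headers.items()}

def header_findings(headers):
    """Return the required security headers that are missing from this week's response."""
    present = normalize(headers)
    return [h for h in REQUIRED_HEADERS if h not in present]

def header_changes(previous, current):
    """Diff two header snapshots; a removed or altered header is what the alert must catch."""
    prev, curr = normalize(previous), normalize(current)
    return [{"header": n, "before": prev.get(n), "after": curr.get(n)}
            for n in sorted(set(prev) | set(curr)) if prev.get(n) != curr.get(n)]

def evidence_record(domain, headers, cert_not_after, now, previous_headers=None):
    """Build the timestamped record to file under the Article 21 measure it evidences."""
    days_left = (cert_not_after - now).days
    changes = header_changes(previous_headers, headers) if previous_headers is not None else []
    alerts = [f"certificate expires in {days_left} days"] if days_left <= CERT_ALERT_DAYS else []
    alerts += [f"header changed: {c['header']}" for c in changes]
    return {"timestamp": now.isoformat(), "domain": domain, "measure": MEASURE,
            "cert_days_left": days_left, "missing_headers": header_findings(headers),
            "header_changes": changes, "alerts": alerts}

# Constructed sample snapshots (not real scan output): a deploy silently dropped the CSP header.
LAST_WEEK = {"Strict-Transport-Security": "max-age=31536000", "X-Content-Type-Options": "nosniff",
             "X-Frame-Options": "DENY", "Content-Security-Policy": "default-src 'self'"}
THIS_WEEK = {"Strict-Transport-Security": "max-age=31536000", "X-Content-Type-Options": "nosniff",
             "X-Frame-Options": "DENY"}
NOW = datetime(2026, 4, 6, tzinfo=timezone.utc)
NOT_AFTER = datetime(2026, 4, 15, tzinfo=timezone.utc)   # constructed certificate notAfter

if __name__ == "__main__":
    # Append one JSON line per week to a log: the ordered chain an auditor can read.
    print(json.dumps(evidence_record("example.com", THIS_WEEK, NOT_AFTER, NOW, LAST_WEEK)))
```

Run it from a weekly scheduler and append each record to an evidence log; the `header_changes` list is what turns a point-in-time scan into the over-time proof the next section describes.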

Why the Evidence Chain Matters Most

A single scan is a starting point, not compliance. NIS2 requires continuous risk management. The difference between passing and failing is usually the same gap: the company has security but cannot prove it over time. Continuous security monitoring produces the timestamped, Article-21-mapped trail auditors accept — automatically, every week, without a security hire. For the German-specific governance angle, see §38 BSIG management liability; for the supply-chain cascade, the NIS2 SaaS vendor checklist.

Frequently Asked Questions

Is 30 days really enough to pass a NIS2 audit?

Yes, if the technical evidence is automated rather than manual. The bottleneck is never the controls — it’s assembling proof. Automated weekly scanning collapses the slowest part of the timeline.

Do we need ISO 27001 first?

No. ISO 27001 helps (70–80% of Annex A maps to Article 21) but is not required. Gaps remain around 24h/72h incident timelines and management accountability regardless.

What’s the most common audit failure?

An unsigned security policy and missing continuous-monitoring evidence. Both are fixable inside this 30-day window — Week 2 and Week 4 respectively.

Can a free scan count as audit evidence?

The initial scan documents your baseline — exactly what auditors want as step one. Compliance requires the ongoing trail. Run a free scan for the baseline, then schedule weekly scans for the chain.

What happens if we registered late with the authority?

Late registration is accepted; authorities prioritize getting entities into the system over penalizing delay. Register immediately, document the reason, and focus energy on the Article 21 evidence — that’s what is actually audited.


Pass the audit by proving your posture, not just having it. Run a free security scan — 60 checks, A–F grade, mapped to NIS2 Article 21 in under 60 seconds. For the complete framework, download the free SaaS Security Playbook 2026. Working through controls manually? Grab the NIS2 Article 21 self-audit Excel.

Ready to put this into practice?

Two ways to start — pick what fits. Free Scan if you want to see your security grade in 60s with no commitment. Free 14-day Growth trial if you're ready to monitor multiple domains, export NIS2 reports, and download Deal Reports — no credit card required.
