SaaSFort
nis2 audit compliance evidence saas-security vendor-assessment

NIS2 Audit Preparation: Evidence SaaS Vendors Must Have Ready

Regulators are auditing NIS2 supply chains now. Here's exactly what evidence SaaS vendors need, organized by audit domain, with templates.

SaaSFort Team
· 7 min read

Germany’s BSI sent its first NIS2 audit notifications in January 2026. Italy’s ACN started inspections in Q4 2025. When a regulator audits your customer, they don’t stop at your customer’s perimeter — they pull the thread on every SaaS vendor in the supply chain.

Your customer’s auditor will ask one question about you: “Show me the evidence.”

Not a marketing page. Not a promise. Timestamped, structured proof that your application meets specific NIS2 security controls. This guide covers exactly what evidence you need, how to organize it, and where most SaaS vendors fail.

How NIS2 Audits Actually Work for Vendors

NIS2 audits follow a predictable structure. The regulator audits the covered entity (your customer), which must demonstrate the Article 21 risk-management measures, supply chain security among them. Your customer’s compliance team then cascades evidence requests to every vendor it classifies as critical.

Three audit scenarios you’ll face:

  1. Direct evidence request — Your customer forwards a structured questionnaire mapping to NIS2 articles. You fill it out and attach evidence files. This is the most common scenario today.

  2. Third-party assessor review — An auditor hired by your customer reviews your security documentation directly. They may schedule a call to walk through your controls. Expect this for vendors handling sensitive data.

  3. Regulator passthrough — The BSI or equivalent authority requests your customer’s vendor evidence package as part of their inspection. Your documentation ends up in the regulator’s hands, unfiltered.

In all three cases, the evidence requirements are identical. The difference is who reads it — and how forgiving they are about gaps.

The 7 Evidence Domains NIS2 Auditors Check

NIS2 Article 21(2) lists ten minimum measures, (a) to (j). For SaaS vendors, these translate into seven evidence categories that auditors consistently request. Based on SaaSFort’s analysis of vendor compliance checklists across German and Dutch procurement teams, here’s what they actually verify:

1. External Security Posture

Auditors start here because it’s independently verifiable. They can scan your domain themselves — and many do before they even contact you.

Evidence required:

  • Current security scan report with A–F grade (SaaSFort generates these with 60 checks across 21 categories)
  • NIS2 compliance PDF mapping findings to Article 21(2) controls (generate one in 7 seconds)
  • SSL/TLS configuration details (protocol versions, cipher suites)
  • HTTP security headers (HSTS, CSP, X-Frame-Options, Referrer-Policy)
  • DNS security records (SPF, DKIM, DMARC)

Common failure: vendors submit a scan from three months ago. Auditors expect evidence dated within 30 days. Automated continuous monitoring solves this: schedule recurring scans instead of point-in-time snapshots.
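The checks in that list can be run by the vendor before the auditor does. The script below is an added example (not SaaSFort’s scanner and not code from this page): it evaluates a captured set of response headers, a TLS protocol/cipher summary and the SPF and DMARC TXT records against what an auditor’s scanner typically flags, and emits a dated finding list. All inputs are constructed samples; in practice you would feed it the output of `curl -sI`, testssl.sh or nmap’s ssl-enum-ciphers script, and `dig +short TXT`. The thresholds it applies (one-year HSTS max-age, -all for SPF, quarantine or reject for DMARC) are common scanner expectations, not figures from this page.

```python
"""Offline check of the external-posture items above (HSTS, CSP, framing, Referrer-Policy,
TLS protocol/cipher summary, SPF and DMARC). Added example, not SaaSFort's scanner; all
inputs are constructed. Feed it real data from curl -sI, testssl.sh and dig +short TXT."""
import re
from datetime import datetime, timezone

ONE_YEAR = 31536000
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES-", "NULL", "MD5", "EXP")
TLS13_SUITES = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256"}

# Constructed sample of a vendor edge with several typical gaps (not real data).
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=300",            # far below one year, no includeSubDomains
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "Referrer-Policy": "strict-origin-when-cross-origin",  # X-Frame-Options deliberately absent
}
SAMPLE_TLS = {"protocols": ["TLSv1.0", "TLSv1.2", "TLSv1.3"],   # OpenSSL cipher names
              "ciphers": ["TLS_AES_256_GCM_SHA384", "ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA"]}
SAMPLE_TXT = {"example.com": ["v=spf1 include:_spf.example.net ~all"],
              "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"]}


def check_headers(headers):
    h = {k.lower(): v for k, v in headers.items()}
    out = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        out.append(("HSTS", "fail", "Strict-Transport-Security missing"))
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        age = int(m.group(1)) if m else 0
        if age < ONE_YEAR:
            out.append(("HSTS", "fail", f"max-age={age} is below one year"))
        elif "includesubdomains" not in hsts.lower():
            out.append(("HSTS", "warn", "includeSubDomains not set"))
    csp = h.get("content-security-policy")
    if csp is None:
        out.append(("CSP", "fail", "Content-Security-Policy missing"))
    elif "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        out.append(("CSP", "warn", "policy allows unsafe-inline/unsafe-eval"))
    # Framing is restricted either by X-Frame-Options or by a CSP frame-ancestors directive.
    if "x-frame-options" not in h and not (csp and "frame-ancestors" in csp):
        out.append(("X-Frame-Options", "fail", "no framing restriction (XFO or frame-ancestors)"))
    if "referrer-policy" not in h:
        out.append(("Referrer-Policy", "warn", "Referrer-Policy missing"))
    return out


def check_tls(tls):
    out = []
    weak = sorted(set(tls["protocols"]) & WEAK_PROTOCOLS)
    if weak:
        out.append(("TLS", "fail", "deprecated protocols enabled: " + ", ".join(weak)))
    for c in tls["ciphers"]:
        if any(m in c.upper() for m in WEAK_CIPHER_MARKERS):
            out.append(("TLS", "fail", f"weak cipher {c}"))
        elif c not in TLS13_SUITES and "DHE" not in c:   # neither TLS 1.3 nor (EC)DHE key exchange
            out.append(("TLS", "warn", f"{c} offers no forward secrecy"))
    return out


def check_mail_dns(txt_records, domain):
    """txt_records maps a DNS name to its TXT strings. DKIM lives under
    <selector>._domainkey.<domain>; without the selector it cannot be checked here."""
    out = []
    spf = [r for r in txt_records.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        out.append(("SPF", "fail", "no v=spf1 record"))
    elif len(spf) > 1:
        out.append(("SPF", "fail", "multiple SPF records (a permerror under RFC 7208)"))
    else:
        last = spf[0].split()[-1].lower()
        if last == "~all":
            out.append(("SPF", "warn", "soft fail (~all); auditors expect -all"))
        elif last != "-all":
            out.append(("SPF", "fail", f"record does not end in -all (got {last})"))
    dmarc = [r for r in txt_records.get("_dmarc." + domain, []) if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        out.append(("DMARC", "fail", "no _dmarc TXT record"))
    else:
        tags = dict(kv.strip().split("=", 1) for kv in dmarc[0].split(";") if "=" in kv)
        p = tags.get("p", "").lower()
        if p == "none":
            out.append(("DMARC", "warn", "p=none only monitors; quarantine or reject enforces"))
        elif p not in ("quarantine", "reject"):
            out.append(("DMARC", "fail", f"missing or invalid policy tag (p={p!r})"))
    return out


def assess(headers, tls, txt_records, domain):
    """Dated finding list, i.e. the evidence artifact, with fail/warn counts for the summary."""
    findings = check_headers(headers) + check_tls(tls) + check_mail_dns(txt_records, domain)
    return {"domain": domain,
            "generated_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "fail": sum(f[1] == "fail" for f in findings),
            "warn": sum(f[1] == "warn" for f in findings),
            "findings": findings}


if __name__ == "__main__":
    r = assess(SAMPLE_HEADERS, SAMPLE_TLS, SAMPLE_TXT, "example.com")
    print(r["generated_at"], f'fail={r["fail"]} warn={r["warn"]}',
          *[f"{lvl.upper()} {area}: {msg}" for area, lvl, msg in r["findings"]], sep="\n")
```

Run it from a scheduler once a month and store the output under the external-posture folder with the date in the file name; that file is the "within 30 days" evidence. On the constructed sample it reports three fails (short HSTS max-age, no framing restriction, TLS 1.0 enabled) and four warnings (unsafe-inline in CSP, a cipher without forward secrecy, SPF soft fail, DMARC p=none).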

2. Access Control and Authentication

The #1 area where SaaS vendors fail NIS2 audits. Article 21(2)(i) requires “human resources security, access control policies and asset management”, and Article 21(2)(j) separately names “the use of multi-factor authentication or continuous authentication solutions”.

Evidence required:

  • MFA enforcement policy + proof it’s active (admin console screenshot with timestamp)
  • Role-based access control documentation
  • Privileged access management (who has admin access, how it’s reviewed)
  • Employee offboarding process with access revocation SLA

What auditors flag: “MFA available” is not the same as “MFA enforced.” If your product offers MFA but doesn’t require it, that’s a partial control — and auditors score it accordingly.
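One way to turn “MFA enforced, not just available” into proof is to summarise an identity-provider user export rather than attach a screenshot. The script below is an added example, not code from this page: it reads a user export (the CSV layout is an assumption, since every identity provider exports a different shape, and the rows are constructed), reports whether every active user has a factor enrolled, lists admins without a phishing-resistant factor, flags active accounts with no login in 90 days (an offboarding miss), and records the SHA-256 of the raw export so the summary can be re-checked against the file it came from.

```python
"""Turn an IdP user export into access-control evidence: MFA enforced (not merely available),
admin accounts and their factor strength, and dormant accounts offboarding should have caught.
Added example; the CSV layout is assumed and the rows are constructed."""
import csv
import hashlib
import io
from datetime import datetime, timedelta, timezone

PHISHING_RESISTANT = {"webauthn", "fido2", "piv"}   # factor labels are assumptions

# Constructed export. mfa_factors is ';'-separated; an empty field means nothing enrolled.
SAMPLE_EXPORT = """email,status,roles,mfa_factors,last_login
alice@vendor.example,active,admin;engineer,webauthn;totp,2026-02-27
bob@vendor.example,active,engineer,totp,2026-02-26
carol@vendor.example,active,admin,,2026-02-28
dave@vendor.example,active,support,,2025-11-02
erin@vendor.example,deprovisioned,engineer,totp,2025-12-15
"""
AS_OF = datetime(2026, 3, 1, tzinfo=timezone.utc)   # fixed clock so the record is reproducible


def load_export(text):
    return list(csv.DictReader(io.StringIO(text)))


def access_review(rows, export_text, now=AS_OF, dormant_days=90):
    """Build the evidence record. 'enforced' means every active user has at least one factor;
    the SHA-256 of the raw export ties this summary to the file an auditor can re-check."""
    def factors(r):
        return {f for f in r["mfa_factors"].split(";") if f}

    def roles(r):
        return set(r["roles"].split(";"))

    def last_login(r):
        return datetime.fromisoformat(r["last_login"]).replace(tzinfo=timezone.utc)

    active = [r for r in rows if r["status"] == "active"]
    no_mfa = [r["email"] for r in active if not factors(r)]
    admins = [r for r in active if "admin" in roles(r)]
    weak_admins = [r["email"] for r in admins if not factors(r) & PHISHING_RESISTANT]
    dormant = [r["email"] for r in active if now - last_login(r) > timedelta(days=dormant_days)]
    return {
        "as_of": now.date().isoformat(),
        "export_sha256": hashlib.sha256(export_text.encode()).hexdigest(),
        "active_users": len(active),
        "mfa_enforced": not no_mfa,
        "users_without_mfa": no_mfa,
        "admins": [r["email"] for r in admins],
        "admins_without_phishing_resistant_mfa": weak_admins,
        "dormant_active_accounts": dormant,
    }


if __name__ == "__main__":
    record = access_review(load_export(SAMPLE_EXPORT), SAMPLE_EXPORT)
    for key, value in record.items():
        print(f"{key}: {value}")
```

On the constructed rows the record shows MFA is not enforced (two active users have no factor), one admin relies on nothing stronger than a password, and one active account has not logged in for over 90 days. Keep the raw export next to the record; the hash is what lets an auditor confirm the two belong together.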

3. Incident Response

Article 21(2)(b) requires “incident handling.” Your customer needs proof that you can detect, respond to, and notify them about security incidents affecting their data.

Evidence required:

  • Written incident response plan with defined roles
  • Notification SLAs to your customer. NIS2 Article 23 gives your customer 24 hours to send an early warning and 72 hours to send the incident notification to its CSIRT or competent authority (with a final report within a month), so your commitment to notify them must leave them time to meet those deadlines
  • Incident log from the past 12 months (even if empty — “no incidents” with a monitoring proof is valid)
  • Post-incident review process documentation

Pro tip: An empty incident log paired with monitoring evidence is stronger than no log at all. It shows you have the process, not just the promise.

4. Business Continuity

Article 21(2)(c) covers “business continuity, such as backup management and disaster recovery, and crisis management.”

Evidence required:

  • Backup policy (frequency, retention, encryption, geographic distribution)
  • Disaster recovery plan with documented RTO/RPO
  • Last DR test date and results
  • Uptime SLA and historical uptime data (past 12 months)

What auditors reject: A backup policy document with no test evidence. If you haven’t tested your recovery process in the past 12 months, that’s a finding.

5. Encryption and Data Protection

Article 21(2)(h) requires “policies and procedures regarding the use of cryptography and, where appropriate, encryption.”

Evidence required:

  • Encryption at rest (algorithm, key management process)
  • Encryption in transit (TLS version, certificate management)
  • Data classification policy
  • GDPR-relevant data processing documentation (if handling EU personal data)

Your external security scan already captures TLS configuration and certificate details. That scan report covers the “in transit” half. For encryption at rest, you need internal documentation.

6. Supply Chain Security (Your Own Vendors)

Yes, the cascade goes deeper. Article 21(2)(d) requires “supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers.”

Evidence required:

  • List of critical subprocessors (cloud hosting, payment, email, monitoring)
  • Security assessment evidence for each subprocessor
  • Contractual security requirements with subprocessors
  • Vendor monitoring cadence

The trap: Many SaaS vendors document their customer-facing security controls but have zero documentation about their own vendor stack. Auditors catch this consistently.

7. Vulnerability Management

Article 21(2)(e) covers “security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure.”

Evidence required:

  • Vulnerability scanning schedule and results (external + internal)
  • Patch management policy with defined SLAs by severity
  • Responsible disclosure policy (public URL)
  • Dependency update process (especially for open-source components)

SaaSFort’s vulnerability management guide breaks down exactly which DDQ questions map to this domain.

Building Your Audit-Ready Evidence Package

Knowing what auditors check is half the problem. Organizing evidence so it’s findable under time pressure is the other half. Here’s the folder structure that works:

Folder                     Contents                                              Update frequency
/01-external-posture/      Scan reports (PDF), header configs, DNS records       Monthly (automate)
/02-access-control/        MFA policy, RBAC docs, admin access review logs       Quarterly
/03-incident-response/     IR plan, notification templates, incident log         Annually + per incident
/04-business-continuity/   Backup policy, DR plan, DR test results, uptime data  Annually + per test
/05-encryption/            Crypto policy, TLS configs, key management docs       Annually
/06-supply-chain/          Subprocessor list, assessment evidence, contracts     Annually
/07-vulnerability-mgmt/    Scan schedules, patch policy, disclosure policy       Monthly

When your customer’s auditor asks for evidence, you zip the relevant folders and send them within hours — not weeks. The security evidence package guide covers the full folder structure and buyer-tier expectations.

For a step-by-step framework, download our SaaS Security Playbook — it covers the full evidence folder structure and auditor expectations for each NIS2 Article 21 domain.

The 3 Mistakes That Fail NIS2 Audits

After analyzing vendor assessment responses across the DACH market, three patterns account for 80% of audit failures:

1. Stale evidence. A penetration test from 2024 doesn’t prove your security posture in 2026. Auditors check dates first. Any evidence older than 12 months gets flagged (6 months for external scan reports, and auditors prefer one from the past 30 days). Solution: automate your external scanning on a monthly cadence and regenerate reports before each audit window.

2. Policy without proof. A document that says “we enforce MFA” without a screenshot, configuration export, or audit log proving it is worth exactly nothing. For every policy, attach implementation proof. SaaSFort’s Deal Reports combine policies with live scan evidence specifically for this purpose.

3. Missing supply chain documentation. Your documented reading of the AWS shared responsibility model, the PCI DSS scope you inherit from Stripe, your monitoring vendor’s SOC 2 report: auditors expect you to have assessed your own vendors, not just promised you’re secure.

FAQ

How far in advance should I prepare for a NIS2 audit? Start 90 days before your expected audit window. Most evidence can be compiled in 30 days, but DR testing, vendor reviews, and access audits take time to schedule. See our 90-day NIS2 action plan for a week-by-week timeline.

Do I need ISO 27001 certification to pass a NIS2 audit? No. ISO 27001 provides strong overlap with NIS2 requirements, but it’s not mandatory. What matters is demonstrable controls with evidence. An ISO 27001 certification accelerates the process significantly, though — roughly 70% of NIS2 evidence requirements map directly to ISO 27001 controls.

What if I have no incidents to report? That’s fine — and actually preferable. Document that you have monitoring in place (scan reports, uptime monitoring, SIEM or log aggregation) and that no incidents met your notification threshold. An empty incident log with monitoring proof beats an undocumented claim of “nothing happened.”

Can SaaSFort help me prepare audit evidence? Yes. Run a free security scan to generate your external posture report immediately. The scan covers 60 checks across 21 categories and produces an A–F grade with a detailed Deal Report you can attach directly to audit responses. For continuous monitoring, SaaSFort tracks posture changes over time so your evidence stays current.

Which EU countries are actively enforcing NIS2? Germany (BSI) and Italy (ACN) are actively auditing as of Q1 2026. France’s transposition is in final parliamentary stages. The EU Commission’s January 2026 amendments expanded supply chain obligations, signaling accelerated enforcement across all 27 member states by October 2026.
