SaaSFort
NIS2 Article 21 audit preparation

What Evidence Does a NIS2 Auditor Ask For?

NIS2 Article 20(1) requires management bodies to approve the cybersecurity risk-management measures and oversee their implementation. Article 21 lists 10 categories of technical, operational and organisational measures. An auditor checking NIS2 compliance wants evidence that those measures exist and are working, not a written policy saying they will exist.

The 10 categories under Article 21 and what evidence satisfies each

Article 21(2) lists the required measure categories. The ones auditors check most closely for technical evidence are: (a) policies on risk analysis and information system security, (b) incident handling, (c) business continuity (backup management, disaster recovery and crisis management), (d) supply chain security, (e) security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure, and (g) basic cyber hygiene practices and cybersecurity training. Note that (h) is the cryptography and encryption policy category, not hygiene.

For category (e), auditors expect technical evidence: scan results, vulnerability assessments, or penetration test reports. A dated external scan result covering TLS, headers, DNS, and certificate hygiene covers the observable technical hygiene items in (e). It is faster to produce than a pen test and covers the external-posture portion that auditors can independently verify. It does not evidence the vulnerability handling and disclosure process that (e) also names; that part needs a written procedure and a record of how reported vulnerabilities were triaged.

What counts as acceptable external-posture evidence

BSI auditors accept third-party scan results as evidence for Article 21(2)(e) if the result shows: a dated scan of the registered domain, a per-control breakdown (not just a summary score), and a mapping to the relevant NIS2 control category.

A SaaSFort audit pack produces all three as a single PDF: a dated scan with 60 per-control results, an A-F grade, and a table mapping each control to NIS2 Article 21 and ISO 27001 Annex A. The cover letter in the PDF is addressed to your auditor. €39 one-time, no subscription.

For the internal controls (access management, incident response procedures), you still need written policies. The scan covers what is externally observable. For a full picture of what an Article 21 audit expects, check the NIS2 audit cost guide.

The documentation auditors ask for in writing

Beyond the technical scan, auditors want: a named person responsible for information security (does not have to be a CISO), a written information security policy signed by management, a business continuity plan, a supply chain risk assessment covering significant suppliers, and records of cybersecurity training for management under §38 BSIG.

§38 BSIG is the German-specific obligation that makes managing directors personally liable for cybersecurity oversight. The managing director must be able to show they approved the security measures and received training at least every three years. A board-level one-pager showing the current external grade and remediation history, signed off by the managing director, is a compact piece of that oversight evidence; approval of the wider set of measures (policies, continuity plan, supplier assessment) still needs to be minuted.

How to prepare in the week before an audit

Run a fresh external scan and compare it to any previous scan. Auditors want to see that findings are tracked and addressed, not just that the current score is clean. If your grade improved since your last scan, include both results.

Collect: the latest scan PDF (from the audit pack), your information security policy (one or two pages is enough), your incident response contact details, the list of significant suppliers and how you assessed them, and the training records for management.
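As an added example (not SaaSFort's scanner or report code), the script below shows what a per-control breakdown with tracking across two dated scans looks like in practice. It evaluates a handful of externally observable controls (TLS versions offered, HSTS, CSP, certificate expiry, DMARC policy) from constructed scan observations, maps each control to an Article 21(2) category, and classifies every control against the previous scan as pass, remediated, regressed or open, which is the "findings are tracked and addressed" record described above. The control set, thresholds, the (e) mapping and the example.com observations are this example's own assumptions; a real run would replace the constructed dictionaries with observations of your domain.

```python
"""Added example (not SaaSFort's code): per-control external-posture evidence
with remediation tracking between two dated scans. Scan observations are
constructed inline, so this runs offline; the control set, thresholds and the
NIS2 Article 21(2) mapping are assumptions for illustration."""
from datetime import date, datetime, timezone
import json
import re

ONE_YEAR = 31536000  # HSTS max-age threshold in seconds (assumption)

# control id -> (description, Article 21(2) category it is taken to evidence)
CONTROLS = {
    "tls_min_version": ("No TLS 1.0 or 1.1 offered", "21(2)(e)"),
    "hsts": ("HSTS present with max-age of at least one year", "21(2)(e)"),
    "csp": ("Content-Security-Policy header present", "21(2)(e)"),
    "cert_validity": ("Certificate valid for at least 30 more days", "21(2)(e)"),
    "dmarc": ("DMARC policy is quarantine or reject", "21(2)(e)"),
}

# Constructed observations of a hypothetical domain on two dates.
SCAN_JAN = {
    "date": "2025-01-10",
    "tls_versions": ["TLSv1.0", "TLSv1.2", "TLSv1.3"],
    "headers": {"Strict-Transport-Security": "max-age=300",
                "Content-Security-Policy": "default-src 'self'"},
    "cert_not_after": "2025-02-01",
    "dmarc_txt": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
}
SCAN_APR = {
    "date": "2025-04-14",
    "tls_versions": ["TLSv1.2", "TLSv1.3"],
    "headers": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
    "cert_not_after": "2025-07-01",
    "dmarc_txt": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
}


def evaluate(scan):
    """Return {control_id: {"result": "pass"|"fail", "detail": str}} for one scan,
    judging certificate expiry relative to the scan date, not today."""
    as_of = date.fromisoformat(scan["date"])
    headers = {k.lower(): v for k, v in scan["headers"].items()}
    hsts = headers.get("strict-transport-security", "")
    max_age = re.search(r"max-age=(\d+)", hsts)
    not_after = date.fromisoformat(scan["cert_not_after"])
    days_left = (not_after - as_of).days
    weak = [v for v in scan["tls_versions"] if v in ("TLSv1.0", "TLSv1.1")]
    dmarc = scan.get("dmarc_txt") or ""
    checks = {
        "tls_min_version": (not weak, "offered: " + ", ".join(scan["tls_versions"])),
        "hsts": (bool(max_age) and int(max_age.group(1)) >= ONE_YEAR, hsts or "absent"),
        "csp": ("content-security-policy" in headers,
                headers.get("content-security-policy", "absent")),
        "cert_validity": (days_left >= 30, f"expires {not_after} ({days_left} days left)"),
        "dmarc": (re.search(r"\bp=(quarantine|reject)\b", dmarc) is not None, dmarc or "absent"),
    }
    return {cid: {"result": "pass" if ok else "fail", "detail": detail}
            for cid, (ok, detail) in checks.items()}


def track(previous, current):
    """Classify each control by comparing two evaluated scans: pass (passing in
    both), remediated (fail -> pass), regressed (pass -> fail) or open (failing in both)."""
    status = {}
    for cid in CONTROLS:
        before, after = previous[cid]["result"], current[cid]["result"]
        if after == "pass":
            status[cid] = "pass" if before == "pass" else "remediated"
        else:
            status[cid] = "regressed" if before == "pass" else "open"
    return status


def audit_record(domain, current_scan, previous_scan=None):
    """Build the dated, per-control record: one row per control with the Article 21
    category it evidences and, when a previous scan is given, its tracking status."""
    current = evaluate(current_scan)
    status = track(evaluate(previous_scan), current) if previous_scan else None
    rows = []
    for cid, (description, article) in CONTROLS.items():
        row = {"control": cid, "description": description, "nis2": article, **current[cid]}
        if status is not None:
            row["since_previous"] = status[cid]
        rows.append(row)
    return {
        "domain": domain,
        "scan_date": current_scan["date"],
        "previous_scan_date": previous_scan["date"] if previous_scan else None,
        "generated_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "passed": sum(r["result"] == "pass" for r in rows),
        "total": len(rows),
        "controls": rows,
    }


if __name__ == "__main__":
    print(json.dumps(audit_record("example.com", SCAN_APR, SCAN_JAN), indent=2))
```

Two design points matter for evidence quality: certificate expiry is judged against the scan date rather than the day the report is rendered, so a January result stays reproducible in April, and a control that passed earlier and now fails is reported as "regressed" rather than silently merged into the current pass count, which is exactly the kind of drift an auditor comparing two scans will look for.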

For an overview of which scan findings map to which Article 21 requirement, the security-scan use-case hub walks through ISO 27001, NIS2 registration, and enterprise procurement scenarios in detail.

Related use cases

The security scan by use case hub maps each common scenario to the relevant scan controls: SOC 2 prep, NIS2 registration, ISO 27001 audit, enterprise procurement, cyber insurance, and more. Pick the one that matches your situation.

Frequently asked questions

Does NIS2 require a formal penetration test or is an external scan sufficient?
NIS2 Article 21 does not mandate penetration tests. It requires appropriate and proportionate technical, operational and organisational measures. For most important entities (medium-sized, 50-249 employees), a regular external scan with a control-mapped report satisfies the auditor's request for technical evidence of network and information system security. Essential entities (large entities, 250+ employees, in the Annex I sectors) may be expected to supplement with annual penetration tests.
How recent does the scan evidence need to be for a NIS2 audit?
BSI guidance does not set a specific expiry for scan evidence. In practice, auditors ask for evidence dated within the previous 12 months. Scans older than six months prompt a re-scan request. The €39 audit pack includes 90 days of re-scans so your evidence stays current through an audit process.
What is the difference between Article 21 and Article 23 in NIS2?
Article 21 covers the 10 categories of security measures you must have in place. Article 23 covers incident reporting: for a significant incident you must send BSI an early warning within 24 hours of becoming aware of it, an incident notification within 72 hours, and a final report within one month of that notification. The scan addresses Article 21 technical hygiene. Article 23 requires a separate incident notification process and a contact registered with BSI.
Can a subsidiary or product company use its parent company's NIS2 evidence?
Only if the subsidiary operates under the same domain and the parent's scan covers that domain. If the subsidiary has its own public-facing domain, it needs its own scan. The €39 one-time audit pack covers one domain. The Growth plan at €19/month covers up to five domains if you need ongoing evidence for multiple entities.

Need the evidence document this week?

The free scan shows your A-F grade in 60 seconds. The €39 audit pack adds the dated PDF mapped to NIS2 Article 21 and ISO 27001 Annex A, ready to attach to a questionnaire or auditor file.

One-time payment, no subscription, no account on the first scan.