Reaching the far bank

Raft

You have crossed the river (domonstrated compliance). Security measures are implemented, tested, and operational. Unlike climbing a mountain, where you plant a flag at the summit, NIS2 compliance is demonstrated through ongoing evidence and verified through supervisory oversight. There is no certificate ceremony; compliance is operational reality.

Organise your documentation

Your ISMS framework provides the foundation:

  • Board-approved information security policy

  • Risk assessment methodology and current results

  • Risk treatment plan showing how identified risks are addressed

  • Statement of Applicability mapping controls to NIS2 requirements

  • Policies and procedures covering all mandatory measures in operational detail

Governance evidence demonstrates board accountability:

  • Meeting minutes showing security oversight and decisions

  • Management training records

  • Organisational charts with clear security responsibilities

  • Budget allocations showing resource commitment to security

Technical evidence demonstrates that controls actually work:

  • System inventories and network diagrams

  • Evidence of security control implementation from audits and assessments

  • Configuration documentation for critical systems

  • Vulnerability scan results with remediation tracking

  • Penetration test reports

  • Patch management logs showing timely updates

Operational evidence shows daily practice:

  • Incident logs with response and resolution details

  • Business continuity test results

  • Backup and recovery test logs

  • Security awareness training completion and test results

  • Access reviews and audit trails

Supply chain evidence addresses third-party risk:

  • Supplier assessments and risk classifications

  • Contractual security requirements in place

  • Supplier monitoring records

  • Documentation for alternative suppliers

Incident reporting records demonstrate regulatory compliance:

  • Submitted notifications to authorities with timestamps

  • Internal incident reports with detailed analysis

  • Post-incident reviews and lessons learned

  • Corrective actions implemented after incidents

Prepare for supervisory interactions

Some member states require registration with supervisory authorities. Organisations should check national implementation for registration deadlines, required information, update procedures, and any fees. Register promptly to avoid penalties for procedural non-compliance.

Supervisory authorities may conduct inspections and audits:

  • On-site inspections of facilities and systems

  • Requests for documentation and evidence

  • Personnel interviews to verify understanding

  • System access with appropriate safeguards

  • Issuance of recommendations or corrective actions

Respond professionally:

  • Designate a point of contact for authority communications

  • Establish internal response procedures

  • Maintain organised evidence for rapid access

  • Respond within required timeframes

  • Be transparent about challenges or gaps rather than hiding problems

Treat supervisory interactions as collaborative:

  • Seek guidance when uncertain

  • Report challenges honestly

  • Demonstrate good faith efforts

  • Show continuous improvement over time

  • Participate in sector forums and information sharing

Demonstrate proportionality in practice

NIS2 requires “appropriate and proportionate” measures. Be prepared to explain:

  • Why measures are appropriate: alignment with specific risks, sector best practices, mandatory requirements, and where you have gone beyond minimum standards

  • Why measures are proportionate: consideration of organisation size, available resources, service criticality, potential impact, likelihood and severity of risks, cost-benefit analysis, and alternative controls where standard approaches are not feasible

Understand enforcement and penalties

NIS2 includes significant penalties for non-compliance:

  • Essential entities may face up to €10 million or 2 per cent of total worldwide annual turnover, whichever is higher

  • Important entities may face up to €7 million or 1.4 per cent of total worldwide annual turnover, whichever is higher

Management liability adds personal consequences. Management bodies can be held personally liable for:

  • Failure to approve security measures

  • Failure to oversee implementation adequately

  • Inadequate training or participation in security governance

  • Gross negligence in security responsibilities

Factors affecting penalties include severity and duration of non-compliance, intentionality or negligence, level of cooperation with authorities, prior infringements, and mitigation actions taken after incidents.

Self-assess before claiming compliance

Run through a checklist honestly. Example:

  • All mandatory measures from Article 21 implemented and operational

  • Board approval and active oversight of security measures

  • Risk assessment completed, documented, and current

  • Incident detection and response capabilities tested and working

  • Incident reporting procedures established with successful test notifications

  • Supply chain security programme implemented with supplier assessments

  • Business continuity plans documented and tested successfully

  • Security awareness training deployed with completion tracking

  • All evidence organised and accessible for audit

  • Supervisory authority registration completed where required

  • Regular review cycles established and functioning

If any item cannot be checked, document the reason and the plan to address it. Proportionality may justify some gaps, but reasoning must be clear.

Output

The output of this stage is a compliance evidence package organised logically, supervisory authority registration confirmation where required, audit-ready documentation, and a self-assessment report showing an honest evaluation of compliance status.

Connect with us to explore what happened and make ready for an audit.