NIS2 audit for SMBs: how to prepare before regulators come knocking
NIS2, Compliance, SMB
You've seen the headlines. NIS2 is here, and EU member states are rolling it into national law. For the Netherlands, that means the Cyberbeveiligingswet, expected mid-2026. For other countries, similar deadlines loom.
The question most SMB owners ask at this point: are we actually ready? And the honest answer is usually: we don't know.
That's what a NIS2 audit fixes. Not a bureaucratic exercise, but a structured check of whether your cybersecurity measures, processes, and documentation meet the bar. This article walks you through what a NIS2 audit covers, how to run a self-assessment, and what to do with the results.
What is a NIS2 audit?
A NIS2 audit reviews how well your organisation meets the requirements of the NIS2 directive. You walk through your security measures, incident procedures, supplier management, and documentation to check if they hold up.
Two options exist. An internal audit uses a checklist and your own knowledge of the business. An external audit brings in an independent party who can spot blind spots you've stopped noticing.
For most SMBs, starting with a self-assessment is practical. It surfaces the big gaps fast. If deeper issues appear, you'll know exactly where to bring in outside help.
One audit is not enough. NIS2 expects ongoing compliance, not a one-time check. Annual reviews are the minimum.
Does NIS2 apply to your business?
Before you invest time in an audit, confirm you're in scope. NIS2 targets organisations in the listed sectors that are medium-sized or larger: 50 or more employees, or an annual turnover (or balance sheet total) above 10 million euros. A few categories are in scope regardless of size, such as DNS service providers, top-level domain name registries and qualified trust service providers.
The sectors include energy, transport, banking and financial market infrastructure, healthcare, drinking water and waste water, digital infrastructure, ICT service management, public administration, space, postal and courier services, waste management, chemicals, food, manufacturing, digital providers (cloud, marketplaces, search engines), and research. For details, see our NIS2 explainer.
Even if you fall below the thresholds, you may still be affected. Clients who are in scope increasingly push cybersecurity requirements down to their suppliers. If you provide IT services to a hospital or an energy company, your contracts may soon include obligations you haven't prepared for.
What does a NIS2 audit cover?
A NIS2 audit goes beyond firewalls and antivirus. The regulator wants to see that your organisation approaches cybersecurity deliberately, and that you can explain your choices.
The audit typically covers these areas:
Risk management. Do you have a current risk assessment? Do you know which systems and data are critical to your operations? Have you taken measures based on that assessment rather than guesswork?
Supplier management. Do you know every third party with access to your systems or data? Are security requirements written into contracts? Do you periodically review supplier risk? More on this in our article on supplier management under NIS2.
Incident response. Do you have a playbook for cyber incidents? Does your team know who to call when something goes wrong? Can you meet the NIS2 reporting timeline: an early warning to the regulator within 24 hours of becoming aware of a significant incident, a fuller notification within 72 hours, and a final report within a month?
Access control and technical measures. Who has access to which systems? Is multi-factor authentication in place? Are your systems patched and current?
Training and awareness. Do your employees know what phishing looks like? What to do if they receive a suspicious email? Can you prove you invest in this regularly?
Documentation. Possibly the most underestimated part. Everything you do for cybersecurity needs to be recorded. Not because paperwork is the goal, but because without it, you have nothing to show during an inspection.
NIS2 self-assessment checklist for SMBs
Before calling in a consultant, use this checklist for an initial self-assessment. Rate each item: in order, partially in order, or still to do.
1. Risk assessment completed and documented
Have you mapped your critical systems and data flows? Do you know which threats are most realistic for your type of organisation? Have you taken measures based on that analysis?
If you haven't started: begin with an inventory of your systems, the data in them, and what happens when they go down. For an SMB with 20 to 50 employees, this is a few days of work, not a months-long project.
2. Suppliers inventoried and assessed
Do you have a list of every external party with access to your IT environment or processing your data? Have you classified each supplier by risk level? Are security requirements written into your contracts?
Most SMBs discover at this step that they have more suppliers than they thought. Every SaaS tool, every cloud service, every IT partner counts.
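As an added illustration of checklist item 2 (this is example code written for this article, not a tool from ComplianceHive or anyone else), the script below reviews a small supplier register: it classifies each supplier by risk from the access it has and the data it handles, then flags missing contractual security requirements and overdue reviews. The register fields, the risk rules, the review intervals and the four sample suppliers are all assumptions chosen for the example.

```python
"""Supplier register review: classify by risk, flag missing contract clauses
and overdue reviews. Added example; the rules below are assumptions, not
requirements taken from the NIS2 text."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Supplier:
    name: str
    access: str               # assumed levels: "none", "data", "systems", "admin"
    data_sensitivity: str     # assumed levels: "public", "internal", "personal", "special"
    security_clause: bool     # security requirements written into the contract?
    last_review: Optional[date]   # None if the supplier has never been reviewed


# Assumed rule of thumb: how often each risk level must be re-reviewed (days).
REVIEW_INTERVAL_DAYS = {"high": 180, "medium": 365, "low": 730}


def risk_level(s: Supplier) -> str:
    """Assumed classification: admin access or special-category data is high,
    any system/data access or personal data is medium, everything else low."""
    if s.access == "admin" or s.data_sensitivity == "special":
        return "high"
    if s.access in ("systems", "data") or s.data_sensitivity == "personal":
        return "medium"
    return "low"


def findings(s: Supplier, today: date) -> List[str]:
    """Return the action items for one supplier as of `today`."""
    level = risk_level(s)
    out: List[str] = []
    if s.access != "none" and not s.security_clause:
        out.append("no security requirements in contract")
    if s.last_review is None:
        out.append("never reviewed")
    else:
        age = (today - s.last_review).days
        limit = REVIEW_INTERVAL_DAYS[level]
        if age > limit:
            out.append(f"review overdue ({age} days old, limit {limit})")
    return out


def review_register(suppliers: List[Supplier], today: date) -> Dict[str, Tuple[str, List[str]]]:
    """Map supplier name -> (risk level, findings), highest risk first.
    Sorting is stable, so suppliers at the same level keep register order."""
    order = {"high": 0, "medium": 1, "low": 2}
    report: Dict[str, Tuple[str, List[str]]] = {}
    for s in sorted(suppliers, key=lambda x: order[risk_level(x)]):
        report[s.name] = (risk_level(s), findings(s, today))
    return report


# Constructed sample register (fictional suppliers) and a fixed "as of" date so
# the output is reproducible; in practice use date.today().
TODAY = date(2026, 1, 15)
SAMPLE_SUPPLIERS = [
    Supplier("Managed IT partner", "admin", "internal", True, date(2025, 3, 1)),
    Supplier("Payroll SaaS", "data", "personal", False, date(2025, 9, 1)),
    Supplier("Coffee supplier", "none", "public", False, None),
    Supplier("Cloud file storage", "systems", "special", True, date(2025, 12, 1)),
]


if __name__ == "__main__":
    for name, (level, items) in review_register(SAMPLE_SUPPLIERS, TODAY).items():
        status = "; ".join(items) if items else "in order"
        print(f"[{level:6}] {name}: {status}")
```

Run it and the managed IT partner lands at the top of the list with an overdue review, the payroll provider shows a missing contract clause, and the coffee supplier is low risk but still has no review on file. The point of the exercise is that every line in the register, SaaS tools included, gets a risk level and a next review date, which is exactly what an auditor will ask to see.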
3. Incident response process documented and tested
Is there a playbook on paper? Do at least two people in the organisation know what to do during a cyber incident? Have you ever tested it, even as a tabletop exercise?
A playbook that's never been walked through is barely more than a statement of intent. Schedule at least one simulation per year.
4. Employees trained in cybersecurity awareness
Can your employees recognise a phishing email? Do they know how to report a suspicious incident? Is there an onboarding procedure for new hires that covers cybersecurity basics?
This doesn't need to be an extensive training programme. A quarterly update with current threats and clear guidelines for passwords and remote work is a solid start.
5. Everything documented and findable
Are your policies, registers, and logs stored centrally? Could you find and present your risk assessment, supplier list, and incident response plan to a regulator within an hour?
If the answer is "it's somewhere in a shared folder," that's an action item. Documentation that can't be found doesn't exist as far as an auditor is concerned.
Frequently asked questions about NIS2 audits
When should I run a NIS2 audit?
Don't wait for national implementation deadlines. An audit takes time, and the measures that come out of it take even more. Start with a self-assessment now so you know where you stand and what to prioritise.
Who performs the NIS2 audit?
You can do it yourself. An internal audit is a solid starting point. For a more thorough assessment, bring in a cybersecurity consultant or auditor. NIS2 itself does not mandate an external audit for important entities, which is where most SMBs fall; their supervision is reactive, triggered by incidents or complaints. Essential entities face proactive supervision, which can include regular audits by the authority. Either way, you need to be able to demonstrate that you take cybersecurity seriously.
How much does a NIS2 audit cost for an SMB?
It depends on scope. A self-assessment costs a few days of internal effort. An external audit for an SMB with 50 to 100 employees typically runs between 5,000 and 15,000 euros, depending on scope and auditor. Start internal. You'll know exactly where you need external help and avoid paying for things you can handle yourself.
What happens if I do nothing?
NIS2 allows for significant penalties. For important entities, fines can reach up to 7 million euros or 1.4% of global annual turnover, whichever is higher; for essential entities, up to 10 million euros or 2%. Management can also be held personally liable for failing to approve and oversee the measures. But beyond fines: a client who sends you a cybersecurity questionnaire and gets a weak response may take their business elsewhere.
How often should I repeat a NIS2 audit?
At least annually. Also after any major change: new systems, new suppliers, an incident, or a reorganisation. The regulator expects continuous oversight of your cybersecurity, not a check every few years.
Step-by-step: from self-assessment to audit-readiness
Step 1: Run the self-assessment. Walk through the five points in the checklist above. Note what's in order and what isn't for each.
Step 2: Prioritise the gaps. Not everything needs fixing at once. Focus on the highest-risk items first. No risk assessment? Start there. No incident response plan? That's number two.
Step 3: Sort the documentation. Centralise your policies, registers, and playbooks. Make sure they're current and accessible to the right people.
Step 4: Schedule an internal review. Have someone who doesn't work with the systems daily walk through your documentation and processes. Fresh eyes catch gaps you've stopped seeing.
Step 5: Consider external help. If your self-assessment reveals major gaps, or if you're in a high-risk sector (healthcare, ICT services, energy), an external audit may be worth the investment.
Step 6: Repeat. Put the next assessment on the calendar. Cybersecurity doesn't have an end date.
Start with visibility
The NIS2 audit starts with knowing where you stand. ComplianceHive helps SMBs manage suppliers, software inventory, and security documentation in one place. No scattered spreadsheets, no documents lost in shared drives. A clear overview you can present when it counts.
Try ComplianceHive free for 30 days and start your NIS2 audit preparation today.