NIS2 Audit Guide: Tips, Requirements, and the Review Process
With the introduction of Decree 1/2025 (I. 31.) SZTFH, organizations falling under the NIS2 Directive now have a clear picture of the audit fees due this year. However, the regulation does not only cover costs; it also provides detailed information on the expected audit process and the methodology that auditor firms must follow. What are the most useful insights from the regulation for companies subject to NIS2? This article aims to answer that question.
Examination Methods Applied
During and prior to a NIS2 audit, organizations can expect different types of assessments as part of a review process that typically lasts a few weeks. These assessments include:
Document Review
Auditors review the organization's regulations, procedures, records, and other regulatory documents. The list of required documents, known as the "evidence list," is usually defined in advance, and it is the organization's responsibility to provide these documents to the auditor firm.
Interview
As part of the audit, in-person or online interviews may be conducted. During these interviews, the auditor firm, in the presence of the CISO, may consult with any stakeholder involved in NIS2 compliance to confirm specific matters or obtain further relevant information.
Testing
The testing process aims to determine whether the NIS2 requirements are fully met in practice. Auditors conduct targeted, typically on-site, investigations involving the organization's employees and gather evidence to verify compliance with the requirements.
Audit Process
Security Classification Review
During a NIS2 audit, the auditor firm first reviews the classification of electronic information systems (EIRs) as determined by the organizations within their own authority. To verify this, the classification table in Annex 1 of the regulation is completed to confirm whether each EIR has received the appropriate classification.
It is important to note that if the auditor identifies discrepancies and believes an EIR should be classified differently, they will propose a reclassification. However, the audit itself is conducted based on the classification established and approved by the organization's leadership.
Therefore, it is crucial that the classification of EIRs is a well-considered, professionally grounded decision that does not disadvantage the company.
Defining Applicable Requirement Groups
In the initial phase of the audit, the protective measures and requirements applicable to the organization are determined, along with those that are not applicable or may be replaced by alternative measures. These fall into two main categories: organizational-level requirements, which apply to the entire company, and EIR-specific requirements, which pertain to a particular electronic information system. These protective measures are further categorized as either "Supporting" or "Ensuring" measures, which play a role in the scoring system used during the assessment.
The categorization of the available requirements is illustrated in the diagram below.
The compliance assessment is conducted only on the requirements marked as applicable by the organization and on the alternative measures deemed valid and appropriate by the auditor firm.
Evaluation Methods of Requirements
The assessment of applicable requirements follows the methodology outlined in the table in Annex 6 of Decree 1/2025 (I. 31.) SZTFH. This annex specifies the examination methods the auditor firm must apply for each requirement and the protective measures that cannot be excluded from the assessment — meaning they must be mandatorily reviewed.
In general, organizational-level requirements are primarily assessed through document review and corroborating interviews. In contrast, EIR-specific requirements often require testing as a mandatory assessment method. For instance, user account management, logging processes, EIR backups and recoveries, and monitoring procedures must be demonstrated practically during the audit, whereas verifying various policies and procedures may suffice through document review.
Elements That Cannot Be Omitted from the Evaluation
The relevant regulation clearly defines which requirement groups must be examined by the auditor firm, ensuring that these aspects are not overlooked in the evaluation.
The following areas require special attention during the NIS2 preparation process, as they are fundamental parts of the review process:
- Risk management and risk analysis, including the supply chain
- Security settings for failed login attempts
- Security awareness training and anti-fraud training
- Proper functioning of the logging system (event logging and mandatory content), searchability, and management of log data
- Description and management of EIR default settings and configurations
- Business Continuity Plan (BCP) and its practical testing
- Regulation of access to data storage devices
- Security measures in place when an employee’s contract is terminated
- List of unsupported system components and associated protective measures
- Cryptographic key generation and management
A comprehensive checklist covering all mandatory elements is essential to ensure compliance with all minimum requirements.
How to Successfully Pass the Audit?
A common question is how perfectly an organization must comply during the audit to pass. The regulation provides a precise answer.
Compliance is determined based on two key indicators:
- SZEKI (Organizational Resilience Index) – determined through the examination of organization-specific protective measures.
- VMI (Protective Compliance Index) – based on the assessment of EIR-level protective measures.
Compliance scores are calculated using complex formulas, but it is clear that "Supporting" and "Ensuring" protective measures are weighted differently.
What Is the Compliance Threshold?
For both organizational and EIR-level requirements, a score below 70 points is considered non-compliant. Therefore, the audit is deemed successful if the organization achieves or exceeds this threshold.
What Happens if Some Protective Measures Are Not Fully Met?
Compliance indices are calculated at the requirement group level, meaning if certain protective measures within a group are not fully met, the audit outcome depends on the extent of these discrepancies.
When evaluating compliance, the following factors are considered:
- How many protective measures received a "non-compliant" rating within the requirement group?
- Do these discrepancies affect EIR security?
- To what extent are the objectives of the affected requirement group met despite the shortcomings?
- What attack opportunities do the non-compliances create?
Focus Areas in Compliance
Annex 7 of Decree 1/2025 (I. 31.) SZTFH precisely defines the fundamental requirements that the auditor firm must examine when reviewing protective measures. While these requirements encompass various expectations for the organization’s operations, certain recurring elements can be identified.
For most protective measures, the fundamental requirement list includes:
- The assignment and definition of responsible individuals
- The implementation and operation of review and control processes
When establishing NIS2 compliance, special attention must be paid to ensuring that each security area has an assigned responsible party. These individuals must fully understand their tasks and responsibilities, which should be documented in a job description. Additionally, all employees must clearly understand their cybersecurity-related responsibilities and how they contribute to maintaining the company’s security.
It is also essential that all policies—whether business continuity plans, information security policies, or security incident handling procedures—specify the frequency of reviews and audits. Besides regulatory documents, security measures such as backup and recovery processes must also be regularly tested and rehearsed. The protection of electronic information systems requires continuous monitoring, making it crucial to work with up-to-date information and updated procedures to maintain security.
Source: Decree 1/2025 (I. 31.) SZTFH