What to Consider When Choosing a NIS 2 Auditor?
What to Consider When Choosing a NIS 2 Auditor?
Under the current regulations of the Cybersecurity Act effective since January 16, 2023, businesses affected by the NIS2 directive must sign a contract with an auditor registered with the SZTFH by December 31, 2024. Given the tight deadline, it is advisable to take steps toward selecting a qualified expert as soon as possible. Here are some tips to simplify the decision-making process.
Assurance level is Key
Registered auditing firms are authorized to evaluate the NIS2 compliance of electronic information systems (EIRs) at various assurance levels. According to the SZTFH registry:
- Five firms are authorized to audit only systems at assurance level „basic”.
- Two firms handle „substantial” assurance levels.
- Only one firm deals with high assurance levels.
Organizations with high-security classified systems have no worries about decision-making; only one auditor is available. For substantial assurance levels, there are only two alternatives. Those with basic classifications have more flexibility but should choose wisely. Higher-classified auditors can handle basic clients, but they may lack the capacity due to demand. Therefore, selecting an auditor aligned with your assurance level is recommended.
Uncertain about the assurance level of your EIR? Consult our advisors for assistance!
Don't Get Stuck on Competitive Bidding
Procurement processes often involve competitive bidding, collecting multiple offers, and choosing based on predefined criteria. However, the tight timeline for NIS2 audits requires abandoning such traditional processes. Engaging auditors, conducting preliminary discussions, and evaluating offers can become lengthy, risking missing the statutory deadline and facing penalties. Instead, identify one or two suitable auditor firms and move directly to contract negotiations. Costs will largely depend on the characteristics of your systems and business rather than the chosen auditor.
Location is Irrelevant
All registered auditing firms are based in Budapest. For businesses outside the city, frequent in-person meetings are unlikely. Given the large number of affected companies and the limited number of auditors, preparing for digital communication and submitting evidence electronically is more practical.
Start Early!
Auditors can only assist those who reach out to them. Engaging early helps businesses gain valuable insights and share ideas in this still-developing field. Use the contact details of the auditor firms listed in the SZTFH registry to initiate early registration, so you are ready to finalize a contract when the time comes.
Timing is Critical
With tight deadlines, numerous affected companies, and few auditors available, timing is crucial. Companies that secure contracts early will likely have more flexibility in scheduling audit dates, giving them more time to prepare.
Need help preparing for the NIS2 audit? Choose our NIS2 preparation services!
Regulations are Evolving
While the current deadline for signing auditor contracts is December 31, 2024, regulations for auditors are still pending. Details about pricing, audit structures, and precise deadlines remain unclear. However, ISO audit practices might serve as a model. Non-compliance during the audit may lead to corrective action plans instead of immediate penalties, provided improvements are made on time.