Regulatory watch

NIS 2 audit: method, pitfalls and quality criteria for measures

7-phase NIS 2 audit method, the 5 most common pitfalls, and the 6-criteria grid to distinguish a real SOC from a marketing product. For the 1,200+ Luxembourg entities concerned.

In 2026 the NIS 2 audit has become one of the most frequent requests made to Luxembourg cyber firms. Since the transposition law (Memorial A 225) entered into force on 10 May 2026, more than 1,200 essential or important entities must prove that they comply with the 10 minimum measures of Article 21 of the directive. But behind the word "audit" lies a complex operational reality and many pitfalls. This article details the method, the common errors and, most importantly, the criteria that distinguish a genuinely compliant technical measure from a tool merely labelled "cyber" without substance.

Why a NIS 2 audit, and for whom

Directive (EU) 2022/2555 distinguishes two statuses: essential entities (large companies in 11 critical sectors) and important entities (medium-sized companies and 7 additional sectors). The obligations are nearly identical in intensity; only the sanction ceilings differ (EUR 10M vs 7M, or 2% vs 1.4% of worldwide turnover).

A NIS 2 audit typically has three triggers: preparation for an ILR inspection (a mock audit before a declared inspection), the initial self-assessment at the time of self-registration, and the annual review required by the company's governance body, whose members are personally liable (Article 20 of the directive). See our NIS 2 Luxembourg page for the target obligations.

The 7-phase NIS 2 audit method

1. Scope definition

Before any measure, you must identify what falls under NIS 2. This is less obvious than it seems: NIS 2 covers not only IT but also the ICT supply chain (Article 21 paragraph 2 d), governance, continuity, HR security and access controls. The scope is the entire company, not just the IT department.

2. Asset and risk mapping

Inventory of information systems, critical data, services provided, critical ICT providers. For each asset, risk assessment using ISO/IEC 27005 or EBIOS Risk Manager. The mapping must be living (reviewed at least annually).

3. Audit of the 10 minimum measures (Article 21)

The directive imposes 10 minimum technical and organisational measures. The audit walks through them one by one with a maturity assessment (CMMI 0 to 5 typically):

  1. Risk analysis and IS security policy
  2. Incident handling
  3. Business continuity (backups, recovery plan)
  4. Supply chain security
  5. Security in acquisition, development and maintenance
  6. Policies to assess effectiveness of measures
  7. Cyber hygiene and training
  8. Cryptography and encryption
  9. HR security, access control policies
  10. Multi-factor authentication, secure communications

4. Incident management test

The auditor runs a realistic incident scenario (often a simulated phishing attack or a simulated data leak) to measure the whole chain: alert > triage > ILR notification within 24h > intermediate report at 72h > final report within 1 month. Without this practical test, the audit remains on paper.

5. ICT supply chain audit

Identification of critical providers (cloud, MSPs, SaaS publishers). Contract review (security clauses, audit rights, incident notification, exit plan). Assessment of residual risks (Article 21 paragraph 2 d).

6. Governance review

The governance body (board of directors or executive management) must prove it actively supervises security: regular cyber committee, training of executives, integration of cybersecurity into strategy. This is the often-forgotten angle.

7. Quantified remediation plan

The final deliverable is not a score but a prioritised and quantified action plan. Without this, the audit only serves to reassure. It needs: priority order (high/medium/low), designated owner, target deadline, estimated budget.

The 5 most common pitfalls

1. Confusing NIS 2 and ISO 27001

ISO 27001 covers 80% of NIS 2 technical requirements, but not executive governance, 24-hour ILR notification (NIS 2 specific), or supply chain obligations with the same precision. An ISO audit is not enough to be NIS 2 compliant.

2. Auditing only the IT department

NIS 2 explicitly demands board-of-directors responsibility. An audit limited to IT misses governance and HR obligations (Article 21 paragraph 2 i). The executive committee must be interviewed.

3. Buying a "SOC" tool without criteria

The most common pitfall in 2026: believing that simply buying a product called "SOC" ticks the incident management box. False. A name-only SOC tool does not guarantee NIS 2 compliance. Validity criteria are detailed in the next section.

4. Documenting without deploying

Having an "incident management policy" in an unread PDF is the error that the CNPD (under GDPR) and the ILR (under NIS 2) spot in 10 minutes during an inspection. You must prove the procedure has been exercised at least once (documented annual exercise).

5. No regular testing plan

NIS 2 requires testing of measures (Article 21 paragraph 2 f). Many companies do one audit then perform no pentest, no access rights review, no continuity exercise. The regulator expects regularity (semi-annual or annual).

How to judge the quality of a technical measure

The SOC case: 6 criteria to verify

An advertised SOC (Security Operations Center) is worth nothing without verification. Here is the grid to distinguish a real SOC from a marketing product:

  1. Humans 24/7 or not? A SOC without analysts on duty at night and weekends is a SIEM with a dashboard. Ask for headcount and on-duty calendar.
  2. Documented MTTR (Mean Time To Respond)? The SOC must publish detection and remediation times by incident category. Without MTTR, no service guarantee.
  3. Contractual SLA? Service level in hours and in financial penalties. A SOC without SLA is a product, not a service.
  4. Use cases covered? How many active detection rules? MITRE ATT&CK as reference. If the provider cannot answer, that is a bad sign.
  5. Asset coverage? Does the SOC see all endpoints, all servers, cloud, M365, Google Workspace, containers? Partial coverage = blind spot.
  6. EU hosting and GDPR compliance? Where do the logs go? Under which law? Is the US CLOUD Act applicable? Important in Luxembourg, where the CSSF requires EU localisation.

Our Luxgap managed SOC meets these 6 criteria, but above all: we are able to produce the documentation during an ILR inspection.

EDR: signature is no longer enough

Quality criterion: behavioural detection, not just signature-based detection, validated by independent tests (AV-Comparatives or MITRE Engenuity ATT&CK Evaluations). Verify that the EDR covers Linux servers and containers, not just Windows endpoints.

MFA: not all second factors are equal

ANSSI and ENISA recommend phishing-resistant factors: FIDO2 passkeys, hardware keys. SMS and TOTP are bypassed by advanced phishing and adversary-in-the-middle. NIS 2 does not specify this explicitly but a serious audit accepts only phishing-resistant factors.

Backups: 3-2-1 + offline + tests

The 3-2-1 rule (3 copies, 2 media, 1 offsite) extended: add 1 immutable offline copy to resist ransomware. And most importantly, documented restoration tests at least quarterly. Having backups you have never restored is having none.

Awareness: measure, not just train

Cyber training without regular simulated phishing and without measured click rate does not have the value expected by the ILR. Criteria: frequency (monthly), populations covered, click rate tracked over time, escalation on repeated failure.
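The metrics listed above (monthly frequency, populations covered, click rate over time, escalation on repeated failure) can be produced from the raw results of simulated phishing campaigns. The script below is an added example, not Luxgap's tooling; the campaign records are constructed and the 35-day gap and two-click escalation thresholds are assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample: results of three monthly simulated phishing campaigns.
# Each record is (campaign_date, user, population, clicked_link).
CAMPAIGN_RESULTS = [
    (date(2026, 3, 5), "alice", "finance", False),
    (date(2026, 3, 5), "bob", "finance", True),
    (date(2026, 3, 5), "carol", "ops", True),
    (date(2026, 3, 5), "dave", "ops", False),
    (date(2026, 4, 7), "alice", "finance", False),
    (date(2026, 4, 7), "bob", "finance", True),
    (date(2026, 4, 7), "carol", "ops", False),
    (date(2026, 4, 7), "dave", "ops", False),
    (date(2026, 5, 6), "alice", "finance", False),
    (date(2026, 5, 6), "bob", "finance", True),
    (date(2026, 5, 6), "carol", "ops", False),
    (date(2026, 5, 6), "dave", "ops", True),
]


def click_rate_by_campaign(results):
    """Click rate per campaign (clicks / emails sent), in chronological order."""
    sent, clicks = defaultdict(int), defaultdict(int)
    for day, _user, _pop, clicked in results:
        sent[day] += 1
        clicks[day] += int(clicked)
    return [(day, clicks[day] / sent[day]) for day in sorted(sent)]


def populations_covered(results):
    """Distinct populations that received at least one simulation."""
    return sorted({pop for _day, _user, pop, _clicked in results})


def repeat_clickers(results, threshold=2):
    """Users who clicked in at least `threshold` campaigns: escalation list
    (assumed threshold; the article only says 'repeated failure')."""
    per_user = defaultdict(int)
    for _day, user, _pop, clicked in results:
        per_user[user] += int(clicked)
    return sorted(u for u, n in per_user.items() if n >= threshold)


def monthly_frequency_ok(results, max_gap_days=35):
    """True when no two consecutive campaigns are more than max_gap_days apart
    (assumed tolerance for a 'monthly' cadence)."""
    days = sorted({day for day, _user, _pop, _clicked in results})
    return all((b - a).days <= max_gap_days for a, b in zip(days, days[1:]))
```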

How Luxgap conducts a NIS 2 audit

Our approach: 3 to 4 weeks for a full audit, with a team of lawyers for the legal scope and cyber engineers for the technical measures. Deliverables: article-by-article compliance matrix, executive report for COMEX, quantified remediation plan, provider recommendations if necessary.

For operational management post-audit, we offer an external CISO mandate or more simply a CISO Luxembourg on a monthly basis to implement the remediation plan.
