NIS2 inspections in 2026: what auditors look for

Compliance · Cybersecurity · EU Directive

The supervision phase of NIS2 has begun across the EU. The conversation has shifted from "are we in scope?" to "can we show evidence?". This piece is the operational guide we run with clients when they have a competent authority on the calendar — what gets asked first, what documents to keep ready and where teams trip up.

8 min read · Operational guide

NIS2 is no longer a planning exercise — it is an inspection regime. The Directive (EU) 2022/2555 entered into force in January 2023 and the transposition deadline was 17 October 2024; the supervisory framework described in Articles 31–33 became applicable in each Member State through national transposition measures. What was acceptable as "we are preparing" in 2024 now needs to be "here is the evidence" in 2026.

This is not a legal article (I am not a lawyer and I will not pretend) and it is not a fear-marketing piece. It is the operational checklist we walk through with clients who have either had a notification from their authority or who simply want to be inspection-ready before one arrives. If you already know what NIS2 is and how Wazuh maps to Article 21, our existing piece on NIS2 compliance with Wazuh covers that ground. This one is about the visit itself.

In 30 seconds

An NIS2 inspection focuses on evidence, not intent. Expect the competent authority to ask for: (1) the security policy approved by the management body (Art. 20), (2) the risk assessment, (3) the asset and supplier inventory, (4) SIEM telemetry and a real incident timeline showing the 24h / 72h / 1 month reporting process (Art. 23), and (5) proof of executive training. Documents undated, MFA absent on privileged access or notifications missed are the red flags that trigger deeper audits.

10 · minimum measure areas (Article 21(2))
24 / 72 h · incident reporting timeline (Art. 23)
Up to €10M / 2 % · maximum administrative fine for essential entities (Art. 34)

01 · The 2026 shift

From preparation to evidence

2024 was about scoping. 2025 was about building. 2026 is about showing. Once national transposition laws came into force, the supervisory regime described in Articles 31 to 33 of NIS2 became operational. Competent authorities can now request information, perform on-site inspections and apply the administrative measures in Article 32 — including, in serious cases for essential entities, the temporary disqualification of an individual from management functions (Art. 32.5).

The good news: the criteria have not changed. Article 21 is still Article 21. The bad news: you can no longer answer "we are implementing it" with a smile. Inspectors want documented, dated, version-controlled artefacts.

A note on the UK

The UK is outside NIS2's direct scope (post-Brexit) and operates its own NIS regulations, with a proposed Cyber Security and Resilience Bill intended to update them — its status may have evolved by the time you read this. UK organisations with EU subsidiaries, however, are still in scope through those EU entities, and many follow NIS2 as a de facto baseline regardless.

Article 21(2) at a glance

For reference, the ten minimum measure areas the directive requires (verbatim short-form):

  1. risk analysis and information system security policies
  2. incident handling
  3. business continuity (backups, disaster recovery, crisis management)
  4. supply-chain security
  5. security in network and information system acquisition, development and maintenance (incl. vulnerability handling)
  6. policies to assess the effectiveness of risk-management measures
  7. basic cyber hygiene practices and training
  8. cryptography and, where appropriate, encryption
  9. human-resources security, access control and asset management
  10. multi-factor or continuous authentication and secured communications

02 · Who supervises you

Identifying your competent authority

Article 8 requires each Member State to designate one or more competent authorities for NIS2 supervision. In practice, the model varies by country: some have a single national agency for all sectors, others split supervision between the national cybersecurity agency, the financial regulator, the energy regulator, the health regulator, etc. Banking and financial-market entities also intersect with DORA (Regulation (EU) 2022/2554), where DORA generally prevails as lex specialis for what it covers.

Before anything else: confirm who supervises you and how they communicate. Most authorities have published an entry portal — find it now, not on the day the email lands.

03 · The first five questions

Five things an inspector typically checks first

While supervisory practices vary by Member State and sector, these are the artefacts most commonly requested in readiness reviews and regulatory audits — and the ones that, in our experience, tend to make the rest of the conversation much shorter when in order.

What is requested · What "good" looks like

01 · Security policy approved by the management body
     Good: dated document with a board-level signature and a minute referencing the approval. References Article 21(2) areas explicitly.

02 · Risk assessment and treatment plan
     Good: methodology declared (ISO 27005, NIST 800-30, etc.), recent (last 12 months), with residual risk accepted in writing by the responsible person.

03 · Asset and supplier inventory
     Good: asset list including criticality; supplier list flagging critical ICT providers with the NIS2 contract clauses (notification, audit rights, exit plan).

04 · Incident response procedures and a real-world timeline
     Good: documented procedure plus a sanitised post-mortem of a recent incident showing the 24h / 72h / 1 month steps with timestamps from the SIEM.

05 · Evidence of executive training (Art. 20.2)
     Good: attendance records of cyber training delivered to the management body in the last 12 months, including content and provider.

04 · The clock

The 24 / 72 / 1 timeline you will have to demonstrate

Article 23 sets three reporting steps for significant incidents. Inspectors do not just ask whether the policy exists — they ask to see a real timeline: when the incident was detected, when the early warning was filed, when the notification was filed, and how you got there. Without centralised telemetry, that timeline is unreconstructable.

Significant incident reporting · Article 23

24 h · Early warning: indicating any suspicion of malicious origin or cross-border impact.
72 h · Incident notification: initial assessment, severity, IoCs and mitigation steps already taken.
1 month · Final report: root cause, mitigation actions and cross-border impact where applicable.
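
The timeline above, as an added worked example (not code from the original article or from any of the tools it names): a small Python script that rebuilds the Article 23 steps for each incident from an exported SIEM / ticketing event stream and checks each step against its deadline. The event names, JSON shape and sample records are constructed for this example; it takes the detection timestamp as the moment of becoming aware (a simplification, since the authority may accept a later, documented "aware" time) and, following Art. 23(4)(d), runs the one-month final-report clock from the incident notification rather than from detection.

```python
"""Rebuild an Article 23 reporting timeline from exported SIEM / ticketing events.

Assumed event schema (one JSON object per line): ts (ISO 8601, UTC), incident id,
and an event name from: detected, early_warning_filed,
incident_notification_filed, final_report_filed. Constructed for this example.
"""
from __future__ import annotations

import calendar
import json
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample export: INC-0042 files its notification late, INC-0043 never does.
SAMPLE_EVENTS = """\
{"ts": "2026-03-02T09:14:00Z", "event": "detected", "incident": "INC-0042", "src": "siem"}
{"ts": "2026-03-03T08:05:00Z", "event": "early_warning_filed", "incident": "INC-0042", "src": "ticketing"}
{"ts": "2026-03-05T15:40:00Z", "event": "incident_notification_filed", "incident": "INC-0042", "src": "ticketing"}
{"ts": "2026-04-01T10:00:00Z", "event": "final_report_filed", "incident": "INC-0042", "src": "ticketing"}
{"ts": "2026-03-10T22:00:00Z", "event": "detected", "incident": "INC-0043", "src": "siem"}
{"ts": "2026-03-11T20:30:00Z", "event": "early_warning_filed", "incident": "INC-0043", "src": "ticketing"}
"""


@dataclass(frozen=True)
class StepResult:
    step: str
    deadline: datetime | None      # None when the anchoring event never happened
    filed_at: datetime | None
    status: str                    # "on time" | "late" | "missing" | "unanchored"

    @property
    def slack_hours(self) -> float | None:
        """Hours to spare (positive) or past the deadline (negative)."""
        if self.deadline is None or self.filed_at is None:
            return None
        return (self.deadline - self.filed_at).total_seconds() / 3600


def parse_events(text: str) -> dict[str, dict[str, datetime]]:
    """Group events per incident, keeping the earliest timestamp of each event type.

    The earliest copy is what matters: a duplicate re-export must not make a
    late filing look earlier, and the first 'detected' record starts the clock.
    """
    incidents: dict[str, dict[str, datetime]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        bucket = incidents.setdefault(rec["incident"], {})
        if rec["event"] not in bucket or ts < bucket[rec["event"]]:
            bucket[rec["event"]] = ts
    return incidents


def add_one_month(dt: datetime) -> datetime:
    """One calendar month later, clamping the day (31 Jan -> 28 Feb)."""
    year, month = (dt.year + 1, 1) if dt.month == 12 else (dt.year, dt.month + 1)
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def _evaluate(step: str, deadline: datetime | None, filed_at: datetime | None) -> StepResult:
    if filed_at is None:
        status = "missing"
    elif deadline is None:
        status = "unanchored"
    else:
        status = "on time" if filed_at <= deadline else "late"
    return StepResult(step, deadline, filed_at, status)


def article23_timeline(events: dict[str, datetime]) -> list[StepResult]:
    """Check the three Art. 23 steps for one incident.

    24 h and 72 h run from becoming aware of the incident; the detection
    timestamp is used as the moment of awareness here (assumption). The final
    report is due one month after the incident notification (Art. 23(4)(d)).
    """
    detected = events.get("detected")
    if detected is None:
        raise ValueError("no 'detected' event: the reporting clock cannot be started")
    notified = events.get("incident_notification_filed")
    return [
        _evaluate("early warning (24 h)", detected + timedelta(hours=24),
                  events.get("early_warning_filed")),
        _evaluate("incident notification (72 h)", detected + timedelta(hours=72), notified),
        _evaluate("final report (1 month)",
                  add_one_month(notified) if notified else None,
                  events.get("final_report_filed")),
    ]


def render(incident: str, results: list[StepResult]) -> str:
    """Plain-text timeline in the shape an inspector would ask to see."""
    lines = [incident]
    for r in results:
        due = r.deadline.isoformat() if r.deadline else "n/a"
        filed = r.filed_at.isoformat() if r.filed_at else "not filed"
        slack = "" if r.slack_hours is None else f" ({r.slack_hours:+.1f} h)"
        lines.append(f"  {r.step:<30} due {due}  filed {filed}  -> {r.status}{slack}")
    return "\n".join(lines)


if __name__ == "__main__":
    for incident_id, events in parse_events(SAMPLE_EVENTS).items():
        print(render(incident_id, article23_timeline(events)))
```

Run as a script it prints one timeline per incident: INC-0042 shows a notification filed about six hours after the 72 h deadline and INC-0043 a notification that was never filed, which is the kind of gap the "missing" status is there to surface before an inspector does. Keeping the earliest copy of each event is deliberate; a re-exported ticket must never make a late filing look earlier.
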

The piece that holds NIS2 together

Detection without analysts is theatre. We typically combine Wazuh deployment (open-source SIEM/XDR with NIS2-mapped dashboards, zero licence cost) with 24/7 emergency support attended in English, Spanish and French — that combination is what materially sustains the Article 23 timeline. If you need an enterprise commercial SIEM with deeper integrations, we also deploy IBM QRadar.

05 · The folder

The "inspection-ready" folder

Keep these in a single, controlled repository — not in someone's personal mailbox. Dated, versioned, owner assigned.

01 · Information security policy (board approved)
02 · Risk assessment and treatment plan
03 · Asset inventory with criticality
04 · Critical ICT supplier register + NIS2 clauses
05 · Incident response procedure + runbooks
06 · Business continuity and DR plans
07 · Backup strategy + last restore test record
08 · Vulnerability management policy and reports
09 · MFA enforcement evidence on privileged access
10 · Executive training records (Art. 20.2)
11 · Recent incident notifications filed
12 · Latest internal or third-party audit report

Mapped against Article 21(2) measure areas of the Directive (EU) 2022/2555.

06 · Quick check

Are you inspection-ready? Three quick questions

A rough self-check based on the three issues we see most often in pre-audit reviews. It is indicative, not a formal assessment.

1. Has your management body formally approved the information security policy in the last 12 months — with a minute or attestation on file?

2. If a significant incident happened today, could you produce a SIEM timeline with timestamps for the 24h / 72h / 1-month reporting steps?

3. Is MFA enforced on all privileged and remote access, with evidence in your IAM or SSO logs?

All three answered yes: you look inspection-ready on the basics.

The three areas inspectors check first are in order. Worth investing the next round in tabletop exercises, supplier-clause review and refining the incident timeline templates.

→ Talk to SIXE about a tabletop exercise

Some answered yes: visible gaps to close before an inspection.

The pieces are there but not inspection-grade. Typically a focused two-month sprint — formalising the policy sign-off, rehearsing the incident timeline and completing MFA coverage — gets you across the line.

→ See how Wazuh closes the SIEM evidence gap

None answered yes: material risk in an inspection today.

Missing board approval, no SIEM timeline and patchy MFA together are exactly what triggers a deeper audit. Prioritise these three before anything else — the rest of the artefacts matter less if the basics aren't there.

→ Request a NIS2 readiness review

07 · How we help

What SIXE puts on the table

NIS2 inspection-readiness is about disciplined instrumentation and documented operation. Each of the seven pillars below has a concrete piece we deploy in client engagements:

  1. Gap assessment against Article 21 — mapping existing ISO 27001 / NIST CSF / ENS controls and producing the inspection-ready artefacts.
  2. Governance and executive training — wording for the board approval minute, training content for management bodies (Art. 20.2 evidence).
  3. SIEM / XDR. Wazuh deployment with NIS2-mapped dashboards is our default — open source, zero licence cost. If you need a commercial enterprise platform with deep integrations we also deploy IBM QRadar.
  4. 24/7 incident response. Detection without analysts cannot hold the 24h clock. Emergency 24/7 support attended in English, Spanish and French — no intermediaries, no ticket carousels.
  5. MFA enforcement. Particularly painful in IBM Power estates — PowerSC for AIX and IBM i covers that layer with compliance integration.
  6. Supplier register and contract clauses. Critical ICT provider inventory and NIS2-aligned clauses — the supply chain measure (4) is where most teams fall short.
  7. Tabletop exercises and incident timeline rehearsal. The first time you reconstruct a 24h / 72h timeline shouldn't be during an actual incident.

If your sector is industrial (energy, water, transport, manufacturing or any OT-heavy environment), there is an extra layer that does not appear in generic ISO frameworks: OT visibility. We use Claroty for OT network monitoring and industrial device auditing with Tenable.

FAQ

Quick questions

Who is my competent authority under NIS2?

Each EU Member State designates one or more competent authorities per sector (Article 8). The authority depends on your sector and country — in some countries a single national agency covers everything, in others supervision is split between the national CSIRT, the financial regulator, the energy regulator, etc. Check your national NIS2 transposition law or the national CSIRT's website. ENISA publishes consolidated information on national contact points and supervisory authorities across Member States.

How does an NIS2 inspection typically start?

For essential entities, supervision is proactive (Art. 32): the authority can launch an inspection without prior indication of non-compliance. For important entities, supervision is reactive (Art. 33), usually triggered by an incident report or a complaint. In both cases the authority gives written notice, requests an initial information package and may schedule on-site visits.

What documents should I have ready before an inspection?

At a minimum: information security policy approved by the management body, risk assessment, asset and supplier inventory, incident response procedures, BCP/DR plans, evidence of management training, records of recent incidents and their notifications, and the latest audit report. Everything dated, version-controlled and signed off where required.

Does the inspector ask for SIEM evidence?

Yes. Expect requests for: list of monitored assets, sample alerts and how they were triaged, log retention configuration, integrity of audit trails, dashboards mapped to NIS2 controls, and the timeline of a real incident showing the 24h/72h reporting steps from Article 23. Wazuh covers this with NIS2-aligned dashboards.

What are the red flags that trigger a deeper audit?

No documented risk management framework. Management body has not formally approved security policies (a direct breach of Art. 20). No MFA on privileged access. Incident notifications missing the 24h/72h deadlines. No incident drill in the past 12 months. Supplier inventory missing critical ICT providers. Audit evidence sitting in personal email instead of a controlled repository.

Is ISO 27001 enough to pass an NIS2 inspection?

ISO 27001 is a strong base — most Article 21 measures are covered — but it is not an automatic NIS2 conformity mark. You need to map your existing controls to Art. 21, document the gaps (typically 24h/72h notification process, supply chain clauses, executive training) and produce inspection-ready evidence for each.

NIS2 inspection-readiness

We help you walk into the inspection prepared

From the readiness review against Article 21, to the SIEM evidence that holds the 24/72h timeline, to a 24/7 team for when something breaks at three in the morning. Fifteen-plus years in critical-infrastructure cybersecurity, IBM Business Partner, attended in English, Spanish and French — no intermediaries.

SIXE