Applies to: NIS2 entities (essential and important) operating under ACN baseline specifications.
A Compliance Documentation Audit is the fastest way to understand whether your NIS2 documentation set is only formally present or actually usable for governance, risk management, and supervisory evidence. In Aegister’s model, the audit maps each required document to applicable NIS2 requirements, measures documentary maturity on a 0–4 scale, verifies evidence traceability, and checks whether board-level approvals are in place where required.
For organizations already notified by ACN, incident-notification duties run on the 9-month window, while baseline security measures run on the 18-month window from the inclusion notice; for first-wave notifications communicated from 12 April 2025, that timeline lands around January 2026 and October 2026 respectively.
Key Takeaways
- NIS2 documentation quality is a governance issue, not a formatting issue.
- The audit must connect legal obligations (Articles 23, 24, 25) to concrete document evidence.
- Appendix C approval checkpoints should be tested early to avoid late-stage board bottlenecks.
- A practical output is a remediation queue ordered by critical, major, and minor actions.
Scope of This Article
This article covers:
- What the Compliance Documentation Audit service is.
- Which document families are typically reviewed.
- How the methodology turns findings into a prioritized remediation plan.
This article does not cover:
- Client-specific findings or data.
- Full proprietary templates or full internal scoring sheets.
Regulatory Anchor Points and Timeline
| Anchor | What it means for documentation | Operational implication |
|---|---|---|
| Legislative Decree 138/2024 | Articles 23, 24, 25 set obligations for governance, cyber risk measures, and incident notification. | Document sets must be board-aware, risk-based, and incident-ready. |
| ACN Determination on baseline obligations | Defines baseline specifications and technical annexes for NIS entities. | Requirements must be mapped at measure/point level, not only at policy-title level. |
| ACN Reading Guide | Clarifies evidence logic, risk-based clauses (Appendix B), and board-approved documents (Appendix C). | The audit must test documentary evidence, risk linkage, and approvals as separate controls. |
| ACN NIS portal: baseline modalities/specifications | Provides implementation context for baseline obligations and incident obligations. | Planning should align remediation sequencing with active notification duties and the baseline deadline window. |
What We Audit in Practice
| Document family | Typical examples in a NIS2 program | What the audit verifies |
|---|---|---|
| Policy set | Domain policies (risk, governance, access control, continuity, incidents, suppliers) | Coverage of applicable requirements and governance ownership |
| Procedures | Access, incident response, logging, backup, monitoring, supplier checks | Operability: roles, steps, timings, escalation paths |
| Plans | Risk treatment, continuity, disaster recovery, incident-management plans | Cross-references, consistency, and review cadence |
| Inventories and registries | Asset, supplier, privileged-access, training, backup, vulnerability records | Evidence existence, traceability, and update discipline |
| Governance evidence | Approval records, revision history, formal accountability points | Readiness for supervisory checks and internal board oversight |
Aegister Audit Workflow (5 Phases)
- Scope and applicability setup: we define perimeter, entity type, and obligations in scope, then normalize the documentary baseline.
- Requirement-to-document mapping: each relevant requirement is mapped to one or more expected documentary controls.
- Quality scoring: each requirement is reviewed across five dimensions with a 0–4 score.
- Cross-document coherence and evidence checks: we test whether policies, procedures, plans, and evidence references are mutually consistent.
- Remediation planning and executive reporting: findings are converted into a sequenced action plan suitable for operational teams and board reporting.
Scoring Model Used in the Audit
| Dimension | Core question | Typical red flag |
|---|---|---|
| Coverage | Is the requirement materially addressed? | Requirement absent or only implicit |
| Specificity | Are roles, steps, and timings operationally clear? | Generic principle statements only |
| Traceability | Is there explicit requirement-level traceability? | Normative references too generic |
| Evidence | Are required supporting records/plans/procedures traceable? | Mentioned evidence not locatable |
| Formal approval (where applicable) | Is governance approval path explicit where required? | Missing approval pathway for board-relevant documents |
Maturity Scale
| Score | Label | Practical meaning |
|---|---|---|
| 0 | Not addressed | Immediate compliance risk |
| 1 | Partially mentioned | High risk of audit failure |
| 2 | Addressed with gaps | Medium risk; targeted remediation needed |
| 3 | Substantially compliant | Minor refinements needed |
| 4 | Fully compliant | Operationally and evidentially robust |
Board-Approval Checkpoints (Appendix C Focus)
The ACN reading framework highlights specific items that require formal approval by governing/management bodies (Appendix C context). In practice, we test at least the following 11 checkpoints during documentary audit design:
| Measure point | Audit checkpoint area |
|---|---|
| GV.RM-03:p1 | Cyber risk management strategy/policy approval path |
| GV.PO-01:p1 | Security policy approval path |
| GV.PO-01:p2 | Policy review and update approval path |
| ID.RA-06:p1 | Risk-treatment plan approval path |
| ID.IM-04:p1 | Business continuity plan approval path |
| ID.IM-04:p2 | Disaster recovery plan approval path |
| ID.IM-04:p3 | Crisis-management plan approval path |
| PR.AT-01:p1 | Cyber training plan approval path |
| RS.MA-01:p1 | Incident-management plan approval path |
| GV.SC-07:p1 | Supply-chain risk assessment approval path |
| GV.SC-07:p2 | Supply-chain risk-treatment approval path |
Official interpretation remains defined in ACN baseline documentation and annexes.
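The following is an added illustration of how the scoring model, the maturity scale, and the Appendix C approval checkpoints above combine into a remediation queue. It is example code written for this article, not Aegister's audit tooling and not an ACN artefact. Two things are assumptions rather than statements from the page: a requirement's maturity is taken as the lowest score across its applicable dimensions (weakest link), and maturity 0–1 is treated as critical, 2 as major, 3 as minor, 4 as no finding. The "approval" dimension is scored only for measure points in the Appendix C list. The sample reviews, document identifiers, and the measure point `PR.XX-00:p1` are constructed placeholders.

```python
"""Documentary audit scoring: dimension scores -> maturity -> remediation queue (illustrative)."""
from dataclasses import dataclass

# The five scoring dimensions of the audit's scoring model.
DIMENSIONS = ("coverage", "specificity", "traceability", "evidence", "approval")

# Measure points listed in the article as Appendix C board-approval checkpoints.
APPENDIX_C_POINTS = frozenset({
    "GV.RM-03:p1", "GV.PO-01:p1", "GV.PO-01:p2", "ID.RA-06:p1",
    "ID.IM-04:p1", "ID.IM-04:p2", "ID.IM-04:p3", "PR.AT-01:p1",
    "RS.MA-01:p1", "GV.SC-07:p1", "GV.SC-07:p2",
})

# Labels of the 0-4 maturity scale.
MATURITY_LABELS = {
    0: "Not addressed", 1: "Partially mentioned", 2: "Addressed with gaps",
    3: "Substantially compliant", 4: "Fully compliant",
}

# ASSUMPTION: thresholds mapping maturity to the critical/major/minor queue.
# The article orders the queue by these classes but does not publish thresholds.
SEVERITY_BY_SCORE = {0: "critical", 1: "critical", 2: "major", 3: "minor", 4: None}
SEVERITY_RANK = {"critical": 0, "major": 1, "minor": 2}


@dataclass(frozen=True)
class RequirementReview:
    measure_point: str   # e.g. "GV.PO-01:p1"
    documents: tuple     # documentary controls mapped to this requirement
    scores: dict         # dimension -> 0..4; "approval" only where applicable


def applicable_dimensions(measure_point):
    """Formal approval is scored only for board-relevant items (Appendix C list)."""
    if measure_point in APPENDIX_C_POINTS:
        return DIMENSIONS
    return tuple(d for d in DIMENSIONS if d != "approval")


def validate(review):
    """Return problems: a skipped applicable dimension, an out-of-range score,
    or coverage claimed with no document mapped to the requirement."""
    problems = []
    for dim in applicable_dimensions(review.measure_point):
        if dim not in review.scores:
            problems.append(f"{review.measure_point}: missing '{dim}' score")
        elif not 0 <= review.scores[dim] <= 4:
            problems.append(f"{review.measure_point}: '{dim}' score outside 0-4")
    if not review.documents and review.scores.get("coverage", 0) > 0:
        problems.append(f"{review.measure_point}: coverage scored but no document mapped")
    return problems


def maturity(review):
    """ASSUMPTION: a requirement is only as mature as its weakest applicable dimension
    (full coverage with untraceable evidence still fails an evidence check)."""
    return min(review.scores[d] for d in applicable_dimensions(review.measure_point))


def remediation_queue(reviews):
    """Order findings critical -> major -> minor, lowest maturity first, then by measure point."""
    queue = []
    for r in reviews:
        problems = validate(r)
        if problems:
            raise ValueError("; ".join(problems))
        score = maturity(r)
        sev = SEVERITY_BY_SCORE[score]
        if sev is None:
            continue  # maturity 4: nothing to remediate
        weakest = [d for d in applicable_dimensions(r.measure_point) if r.scores[d] == score]
        queue.append({"measure_point": r.measure_point, "severity": sev, "maturity": score,
                      "label": MATURITY_LABELS[score], "weakest": weakest})
    queue.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["maturity"], f["measure_point"]))
    return queue


# Constructed sample: three requirements from a hypothetical draft document set.
# "PR.XX-00:p1" is a placeholder for a measure point outside the Appendix C list.
SAMPLE_REVIEWS = (
    RequirementReview("GV.PO-01:p1", ("POL-01 Security Policy",),
                      {"coverage": 4, "specificity": 3, "traceability": 3,
                       "evidence": 3, "approval": 1}),
    RequirementReview("RS.MA-01:p1", ("PLN-04 Incident Management Plan", "PRC-07 IR Procedure"),
                      {"coverage": 3, "specificity": 2, "traceability": 3,
                       "evidence": 2, "approval": 3}),
    RequirementReview("PR.XX-00:p1", ("PRC-02 Configuration Baseline",),
                      {"coverage": 4, "specificity": 4, "traceability": 3, "evidence": 4}),
)

if __name__ == "__main__":
    for finding in remediation_queue(SAMPLE_REVIEWS):
        print(f"{finding['severity']:<8} {finding['measure_point']:<12} "
              f"{finding['label']:<24} weakest: {', '.join(finding['weakest'])}")
```

In the sample, the security policy lands at the top of the queue even though its coverage is full: its Appendix C approval path scores 1, which is exactly the late-governance-formalization pattern the audit is designed to surface before a board cycle is scheduled.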
Typical Gaps We Detect (Anonymized)
- Policies with limited operational depth (roles/timings/escalation missing).
- Missing or weak cross-references between incident lifecycle documents.
- Evidence cited in text but not traceable in the controlled document set.
- Inconsistent review frequencies across related documents.
- Late governance formalization (approvals treated as end-stage paperwork).
Service Deliverables
- Audit matrix: requirement-to-document traceability and scoring.
- Finding register: critical/major/minor prioritization with rationale.
- Executive pack: board-ready summary with risk-oriented language.
- Remediation roadmap: phased backlog (quick wins + structural fixes).
FAQ
Is this only a document quality review?
No. It is a compliance-readiness assessment that connects obligations, documentary controls, and governance evidence against the NIS2 baseline framework.
Can we run this before all documents are final?
Yes. Running the audit on draft sets is typically more efficient because structural gaps can be fixed before formal approval cycles.
Does this replace technical security testing?
No. It complements technical assessments by validating documentary governance, process design, and evidence traceability.
Why check approvals so early?
Because approval requirements can become a late blocker if governance workflow is not built into document architecture from the beginning.
What if some facts are unclear in source material?
Details are defined in the official call and baseline documentation: ACN Reading Guide, ACN NIS baseline page.
Conclusion
A Compliance Documentation Audit gives organizations a practical control point between “documents exist” and “documents are audit-ready.” For NIS2 baseline obligations, this distinction is decisive: the effective target is not only producing policies, but proving governance ownership, operational applicability, and evidence readiness in a timeframe aligned with ACN baseline obligations.
Related reading
- NIS2 Documentation Audit Checklist: Operational Method for Baseline Readiness
- NIS2 Compliance Documentation Audit: How the Scoring Methodology Works
- NIS2 Requirement-to-Document Mapping: Building a Defensible Audit Structure
- Aegister NIS2 Compliance Service
- Aegister Virtual CISO Service