NIS2 Audit Guide: Free Documentation Checklist

2026/04/14

A NIS2 audit is not just about whether you have policies in place. Auditors go much deeper: they review the entire documentation set, procedures, and their practical implementation. All 19 requirement groups defined under NIS2 expect organizations to develop policies and procedures. However, these are not only assessed on content, but also against specific elementary requirements defined by applicable regulations. This means that compliance is not simply about having documents, but about their quality, structure, and completeness – often down to very specific mandatory content elements.

In this article, you will learn what to focus on when developing the required regulatory documentation, where companies unnecessarily lose points during audits, and how to quickly build a structured and verifiable system to ensure all common requirements are consistently met.

At the end of the article, we also provide a free downloadable checklist to help you organize these requirements.

Why do well-functioning organizations still lose points?

Many organizations face the same situation during a NIS2 audit: their operations are in place, processes are established, and often even documented – yet the audit still results in significant point deductions.

At first glance, this seems contradictory. If operations work well, where does compliance fail? In most cases, the issue is not the operation itself but the completeness of the documentation.

The 1/2025. (I. 31.) SZTFH Decree clearly defines, as a legal requirement, what elementary criteria auditors must assess and score during compliance audits. These requirements largely apply to the content of the expected documentation, which is therefore reviewed in detail during the audit.

If mandatory elements are missing, it is considered a deviation – resulting in point deductions.

Recurring issues across policies and procedures

As the saying goes, small things add up. Since NIS2 defines 19 requirement groups, each requiring policies and procedures, omitting mandatory content elements does not result in a one-time issue.

If the same elementary requirements are missing across multiple documents, the issue compounds, leading to repeated point deductions for each affected document.

This is how organizations with otherwise well-functioning operations can still lose a significant number of points purely due to formal documentation gaps.

Elementary requirements: small details that add up

The SZTFH Decree clearly defines the basic elements that every policy or procedure must include. These typically include:

  • scope of the document
  • definition of the affected parties
  • designation of responsible persons
  • approval and version control
  • rules of application and implementation

These often seem like “administrative” details, which is why they are frequently overlooked – especially when documentation is created with a strong operational focus rather than audit logic. However, these elements are not optional, and each missing item results in a separate point deduction.

Audits are no longer fully manual – AI is involved

There is another important factor that many organizations are not yet aware of, but which is increasingly influencing audit outcomes. In reality, auditors must review a vast amount of documentation: dozens of policies, procedures, and records – often across multiple organizations simultaneously. To manage this, AI-based tools are increasingly being used in the audit process.

This creates a new situation.

In AI-supported audits, certain elementary requirements may be assessed not only based on interpretation, but also through text-level matching. In other words, it is not enough that a requirement is conceptually present – it also matters how it is formulated.

This is especially relevant for elements marked with “P”. In such cases, it is advisable to include the actual wording, keywords, or variables from the requirement directly in your documentation. In other words, if the auditor (or their supporting system) searches for specific expressions, it is important to ensure that these are explicitly present.

This is not about “gaming the system” – it is about aligning with real-world audit practices.

What’s the good news?

The key takeaway is that these issues do not require complex development efforts. Elementary requirements are clearly defined, easy to verify, and relatively quick to implement. A large portion of unnecessary point loss can therefore be easily prevented.

Free checklist for NIS2 documentation review

This is exactly why we created a practical checklist focusing specifically on elementary requirements. It helps you to:

  • quickly review your existing policies
  • identify missing mandatory elements
  • and build documentation that is compliant and audit-ready

This way, you can prepare not only in terms of content, but also from an audit logic and verifiability perspective.


Need help? We know this inside out.

If you don’t want to lose time and points, it’s worth approaching NIS2 preparation holistically – not just at the documentation level, but across your entire operation.

NIS2 compliance is not a simple checkbox exercise, but a complex system where documentation, processes, and day-to-day operations must work together. This is exactly where most organizations struggle.

Let our experts show you where you are currently losing points, align your operations with your documentation, and help you build a system that works not only on paper, but also in audits.


The first consultation is completely free – we’ll review your current status and show you the fastest path to compliance.
