Successful Completion of the NIS2 Audit Consultation – Key Takeaways

2025/08/08

On July 31, 2025, the free NIS2 audit consultation event was successfully held, where Régens Zrt. and its accredited auditor partner, Veritan Kft., presented the practical aspects of the NIS2 auditing process first-hand. We were delighted to see such high participation and the active involvement of attendees, which contributed greatly to the success of the event.

The aim of the event was to provide companies and professionals with direct, practical insight into NIS2 audit requirements, coming straight from an auditor with extensive experience in conducting successful audits under the directive. Participants were able to understand the key compliance points, common pitfalls, and proven approaches through real-life examples.

During the session, János Gyursánszky, CEO of Veritan Kft., shared his experiences from previous audits and gave detailed answers to both pre-submitted and live questions.

Here we summarize the most important topics of the event:

How Does a NIS2 Audit Work?

A NIS2 audit consists of three main stages, during which auditors use various methods to assess whether the organization meets information security requirements.

Pre-Audit:

An initial assessment may take place at the beginning of the process, where the auditor requests documents and interview responses to evaluate the organization's preparedness. If significant gaps are identified, the auditor may make recommendations for improvements, helping to avoid a failed audit.

Note: the pre-audit is informal and does not influence the final audit report.

Document Review:

Auditors thoroughly review submitted policies, procedures, and other documentation supporting security measures. They also request evidence (e.g., screenshots of executed client-side tests, logs, or system reports). These are typically verified on-site through selected examples.

Interviews and On-Site Testing:

The organization’s actual operations are checked via interviews and on-site assessments. This is especially important where documentation or evidence requires clarification, or where legislation specifically mandates testing or interviews.

The audit process generally spans three weeks:

  • Week 1 – collection and initial assessment of documents and evidence
  • Week 2 – interviews, clarifications, and on-site testing
  • Week 3 – compilation of the audit report and feedback to the organization

A successful audit requires achieving at least 70% compliance. If this threshold is not met, the audit is considered unsuccessful. However, if capacity allows, the auditing firm may offer a follow-up audit, during which previously identified issues can be reassessed after remediation.

How Important Is Documented Regulation?

In a NIS2 audit, documentation is not just a starting point—it’s essential. Auditors evaluate each requirement based on the existence, quality, and content of relevant policies and procedures.

Although it’s helpful if a security measure is already in practice, this alone is not enough. Without written procedures, the issue will be marked as non-compliant. However, documented practices receive a positive evaluation.

Two key regulations guide the assessment:

Documents should be clearly identifiable and not mixed in format. For example, combining a policy and a procedure in one document may make evaluation difficult. Whether consolidated or separated, clarity and completeness are key.

A common mistake is having good practices but no documentation. If addressed before the audit, this is easily correctable. Documented regulation is therefore not just a formality—it’s a cornerstone of compliance.

Is Full Compliance Required, or Is an Action Plan Enough?

To pass the NIS2 audit, an organization must reach at least 70% compliance, calculated as part of the resilience index based on evaluated criteria.

But what if some requirements aren’t fully met?

In such cases, a solid action plan—with deadlines, responsible persons, resources, and cost estimates—can be accepted as a risk-reduction measure.

For example, a major 10-point non-compliance might be downgraded to 4 points if the organization presents a reliable action plan. This shows the organization is proactively mitigating the risk.

However, an action plan alone doesn’t substitute for actual compliance. It helps reduce the impact of smaller gaps—especially when an organization is close to the 70% mark.

If compliance is far below expectations, even the best action plan won’t be enough. Further preparation is necessary.

Does ISO 27001 Replace the NIS2 Audit?

This is one of the most frequently asked questions—and it’s understandable. Many organizations already hold an ISO/IEC 27001 certification and wonder whether that suffices for NIS2 compliance.

The short answer: no, ISO 27001 does not replace the NIS2 audit.

While the goals are similar, ISO 27001 focuses on a management system, while NIS2 emphasizes concrete, verifiable security controls. Based on international experience, only about 30–40% overlap exists between the two frameworks.

ISO 27001 can certainly support preparation. Many documents and procedures may already exist. In some cases, existing ISO documents may be accepted by auditors, if they meet NIS2 content requirements. But a NIS2 audit is still mandatory, and all requirements must be assessed individually.

A Final Tip

If you’re unsure whether your organization is subject to NIS2 or how the rules apply to you, we strongly recommend contacting the competent authority for official guidance.

If there’s any chance you are in scope, registering is a good idea. At worst, you’ll receive a rejection notice. But delaying registration can result in penalties.

Thank You for Attending – Ready for the Next Step?

The consultation made one thing clear: the key to a successful audit lies in early preparation, proper documentation, and cooperation with a qualified auditor—and if necessary, with a consulting partner.

Get in touch with us today and let us help you prepare. Together with our auditor partner Veritan Kft., we’ll make sure NIS2 won’t catch you off guard!