---
title: "NIS2 Documentation Audit: Method Overview"
description: Comprehensive overview of the NIS2 compliance documentation audit method. Learn the 6-category model, scoring system, and remediation roadmap approach.
canonical: https://www.aegister.com/en/cms/insights/compliance-documentation-audit-nis2-method-overview/
url: /en/cms/insights/compliance-documentation-audit-nis2-method-overview/
lang: en
---

# Compliance Documentation Audit for NIS2 Baseline Obligations: Method Overview

---

![Compliance Documentation Audit for NIS2 Baseline Obligations: Method Overview](/static/images/cms/compliance-documentation-audit-nis2.webp)

February 13, 2026

**Applies to:** NIS2 entities (essential and important) operating under ACN baseline specifications.

A **Compliance Documentation Audit** is the fastest way to understand whether your NIS2 documentation set is only formally present or actually usable for governance, risk management, and supervisory evidence. In Aegister’s model, the audit maps each required document to applicable NIS2 requirements, measures documentary maturity on a **0–4 scale**, verifies evidence traceability, and checks whether board-level approvals are in place where required.

For organizations already notified by ACN, incident-notification duties run on the **9-month window**, while baseline security measures run on the **18-month window** from the inclusion notice; for first-wave notifications communicated from **12 April 2025**, that timeline lands around **January 2026** and **October 2026** respectively.

## Key Takeaways

- NIS2 documentation quality is a governance issue, not a formatting issue.
- The audit must connect legal obligations (Articles 23, 24, 25) to concrete document evidence.
- Appendix C approval checkpoints should be tested early to avoid late-stage board bottlenecks.
- A practical output is a remediation queue ordered by critical, major, and minor actions.

## Scope of This Article

This article covers:

- What the Compliance Documentation Audit service is.
- Which document families are typically reviewed.
- How the methodology turns findings into a prioritized remediation plan.

This article does not cover:

- Client-specific findings or data.
- Full proprietary templates or full internal scoring sheets.

## Regulatory Anchor Points and Timeline

| Anchor | What it means for documentation | Operational implication |
| --- | --- | --- |
| [Legislative Decree 138/2024](https://www.gazzettaufficiale.it/eli/id/2024/10/01/24G00155/SG) | Articles **23**, **24**, **25** set obligations for governance, cyber risk measures, and incident notification. | Document sets must be board-aware, risk-based, and incident-ready. |
| [ACN Determination on baseline obligations](https://www.acn.gov.it/portale/documents/d/guest/detacn_obblighi_2511-v3_signed) | Defines baseline specifications and technical annexes for NIS entities. | Requirements must be mapped at measure/point level, not only at policy-title level. |
| [ACN Reading Guide](https://www.acn.gov.it/portale/documents/d/guest/guida-alla-lettura-specifiche-di-base) | Clarifies evidence logic, risk-based clauses (Appendix B), and board-approved documents (Appendix C). | The audit must test documentary evidence, risk linkage, and approvals as separate controls. |
| [ACN NIS portal: baseline modalities/specifications](https://www.acn.gov.it/portale/nis/modalita-specifiche-base) | Provides implementation context for baseline obligations and incident obligations. | Planning should align remediation sequencing with active notification duties and the baseline deadline window. |

## What We Audit in Practice

| Document family | Typical examples in a NIS2 program | What the audit verifies |
| --- | --- | --- |
| Policy set | Domain policies (risk, governance, access control, continuity, incidents, suppliers) | Coverage of applicable requirements and governance ownership |
| Procedures | Access, incident response, logging, backup, monitoring, supplier checks | Operability: roles, steps, timings, escalation paths |
| Plans | Risk treatment, continuity, disaster recovery, incident-management plans | Cross-references, consistency, and review cadence |
| Inventories and registries | Asset, supplier, privileged-access, training, backup, vulnerability records | Evidence existence, traceability, and update discipline |
| Governance evidence | Approval records, revision history, formal accountability points | Readiness for supervisory checks and internal board oversight |

## Aegister Audit Workflow (5 Phases)

1. **Scope and applicability setup**  
   We define perimeter, entity type, and obligations in scope, then normalize the documentary baseline.
2. **Requirement-to-document mapping**  
   Each relevant requirement is mapped to one or more expected documentary controls.
3. **Quality scoring**  
   Each requirement is reviewed across five dimensions with a **0–4** score.
4. **Cross-document coherence and evidence checks**  
   We test whether policies, procedures, plans, and evidence references are mutually consistent.
5. **Remediation planning and executive reporting**  
   Findings are converted into a sequenced action plan suitable for operational teams and board reporting.

## Scoring Model Used in the Audit

| Dimension | Core question | Typical red flag |
| --- | --- | --- |
| Coverage | Is the requirement materially addressed? | Requirement absent or only implicit |
| Specificity | Are roles, steps, and timings operationally clear? | Generic principle statements only |
| Traceability | Is there explicit requirement-level traceability? | Normative references too generic |
| Evidence | Are required supporting records/plans/procedures traceable? | Mentioned evidence not locatable |
| Formal approval (where applicable) | Is the governance approval path explicit where required? | Missing approval pathway for board-relevant documents |

### Maturity Scale

| Score | Label | Practical meaning |
| --- | --- | --- |
| 0 | Not addressed | Immediate compliance risk |
| 1 | Partially mentioned | High risk of audit failure |
| 2 | Addressed with gaps | Medium risk; targeted remediation needed |
| 3 | Substantially compliant | Minor refinements needed |
| 4 | Fully compliant | Operationally and evidentially robust |

## Board-Approval Checkpoints (Appendix C Focus)

The ACN reading framework highlights specific items that require formal approval by governing/management bodies (Appendix C context). In practice, we test at least the following **11** checkpoints during documentary audit design:

| Measure point | Audit checkpoint area |
| --- | --- |
| GV.RM-03:p1 | Cyber risk management strategy/policy approval path |
| GV.PO-01:p1 | Security policy approval path |
| GV.PO-01:p2 | Policy review and update approval path |
| ID.RA-06:p1 | Risk-treatment plan approval path |
| ID.IM-04:p1 | Business continuity plan approval path |
| ID.IM-04:p2 | Disaster recovery plan approval path |
| ID.IM-04:p3 | Crisis-management plan approval path |
| PR.AT-01:p1 | Cyber training plan approval path |
| RS.MA-01:p1 | Incident-management plan approval path |
| GV.SC-07:p1 | Supply-chain risk assessment approval path |
| GV.SC-07:p2 | Supply-chain risk-treatment approval path |

Official interpretation remains defined in ACN baseline documentation and annexes.

## Typical Gaps We Detect (Anonymized)

- Policies with limited operational depth (roles/timings/escalation missing).
- Missing or weak cross-references between incident lifecycle documents.
- Evidence cited in text but not traceable in the controlled document set.
- Inconsistent review frequencies across related documents.
- Late governance formalization (approvals treated as end-stage paperwork).

## Service Deliverables

- **Audit matrix**: requirement-to-document traceability and scoring.
- **Finding register**: critical/major/minor prioritization with rationale.
- **Executive pack**: board-ready summary with risk-oriented language.
- **Remediation roadmap**: phased backlog (quick wins + structural fixes).

## FAQ

### Is this only a document quality review?

No. It is a compliance-readiness assessment that connects obligations, documentary controls, and governance evidence against the NIS2 baseline framework.

### Can we run this before all documents are final?

Yes. Running the audit on draft sets is typically more efficient because structural gaps can be fixed before formal approval cycles.

### Does this replace technical security testing?

No. It complements technical assessments by validating documentary governance, process design, and evidence traceability.

### Why check approvals so early?

Because approval requirements can become a late blocker if the governance workflow is not built into the document architecture from the beginning.

### What if some facts are unclear in source material?

Details are defined in the official call and baseline documentation: [ACN Reading Guide](https://www.acn.gov.it/portale/documents/d/guest/guida-alla-lettura-specifiche-di-base), [ACN NIS baseline page](https://www.acn.gov.it/portale/nis/modalita-specifiche-base).

## Conclusion

A Compliance Documentation Audit gives organizations a practical control point between “documents exist” and “documents are audit-ready.” For NIS2 baseline obligations, this distinction is decisive: the effective target is not only producing policies, but proving governance ownership, operational applicability, and evidence readiness in a timeframe aligned with ACN baseline obligations.

## Related reading

- [NIS2 Documentation Audit Checklist: Operational Method for Baseline Readiness](/en/cms/insights/nis2-documentation-audit-checklist-baseline-readiness/)
- [NIS2 Compliance Documentation Audit: How the Scoring Methodology Works](/en/cms/insights/compliance-documentation-audit-nis2-scoring-methodology/)
- [NIS2 Requirement-to-Document Mapping: Building a Defensible Audit Structure](/en/cms/insights/nis2-requirement-document-mapping-audit-structure/)
- [Aegister NIS2 Compliance Service](/en/solutions/compliance/nis2/)
- [Aegister Virtual CISO Service](/en/solutions/virtual-ciso/)

## Official Sources

- [Legislative Decree 138/2024 (Gazzetta Ufficiale)](https://www.gazzettaufficiale.it/eli/id/2024/10/01/24G00155/SG)
- [ACN – Determination on baseline obligations](https://www.acn.gov.it/portale/documents/d/guest/detacn_obblighi_2511-v3_signed)
- [ACN – Reading Guide for baseline specifications](https://www.acn.gov.it/portale/documents/d/guest/guida-alla-lettura-specifiche-di-base)
- [ACN – NIS baseline modalities/specifications](https://www.acn.gov.it/portale/nis/modalita-specifiche-base)

