---
title: NIS2 Audit Scoring Methodology Explained
description: "How the NIS2 compliance documentation audit scoring methodology works: weighted criteria, maturity levels, gap identification, and remediation priority."
canonical: https://www.aegister.com/en/cms/insights/compliance-documentation-audit-nis2-scoring-methodology/
url: /en/cms/insights/compliance-documentation-audit-nis2-scoring-methodology/
lang: en
---


# NIS2 Compliance Documentation Audit: How the Scoring Methodology Works


February 16, 2026


**Applies to:** NIS2 entities (essential and important) in baseline-obligation implementation programs.

Aegister’s scoring methodology translates NIS2 documentary quality into measurable decisions. The model evaluates each requirement point on a **0–4 scale**, across **5 dimensions**, then aggregates results into maturity bands and remediation priorities. The objective is practical: separate cosmetic compliance from evidence-ready compliance, and give management a clear execution order.

## Key Takeaways

- Scoring is done at **requirement-point level**, not only at document-title level.
- Every score combines 5 dimensions: coverage, specificity, traceability, evidence, and approval (where applicable).
- Findings are prioritized as critical, major, minor, or observation.
- Appendix B and Appendix C rules require dedicated checks in the scoring logic.

## Scope of This Article

This article covers:

- The scoring architecture used in the Compliance Documentation Audit service.
- How scores become maturity levels and remediation priorities.
- How special NIS2 rules (risk linkage and board approvals) are applied.

This article does not cover:

- Client-specific results.
- Full proprietary checklists and internal templates.

## Regulatory Baseline Used for the Method

| Official source | Why it matters in scoring |
| --- | --- |
| [Legislative Decree 138/2024](https://www.gazzettaufficiale.it/eli/id/2024/10/01/24G00155/SG) | Defines obligations in Articles 23, 24, 25 and governance accountability perimeter. |
| [ACN Determination on baseline obligations](https://www.acn.gov.it/portale/documents/d/guest/detacn_obblighi_2511-v3_signed) | Defines baseline measures and requirement points by subject type and category. |
| [ACN Reading Guide for baseline specifications](https://www.acn.gov.it/portale/documents/d/guest/guida-alla-lettura-specifiche-di-base) | Clarifies evidence expectations, risk-based clauses (Appendix B), and approval-sensitive items (Appendix C). |
| [ACN NIS baseline page](https://www.acn.gov.it/portale/nis/modalita-specifiche-base) | Provides implementation context and timeline framing for baseline obligations. |

For important entities, the ACN framework references **37 measures** and **87 requirement points** in the first-application baseline.

## Scoring Unit and Calculation Logic

### Scoring unit

The atomic unit is a **single requirement point** (example format: `ID.RA-05:p1`), not a whole policy.

### Requirement-point score

Each requirement point is scored on the 5 dimensions. The final requirement-point score is the average of the applicable dimensions only: a dimension that does not apply (for example Approval on an item that needs no governing-body sign-off) is excluded from the denominator rather than counted as 0.

## 0–4 Scoring Scale

| Score | Label | Operational meaning |
| --- | --- | --- |
| 0 | Not addressed | Requirement absent; immediate compliance risk |
| 1 | Partially mentioned | Generic statement without operational depth |
| 2 | Addressed with gaps | Requirement present but materially incomplete |
| 3 | Substantially compliant | Requirement largely covered, with minor gaps |
| 4 | Fully compliant | Requirement fully covered with operational and evidential quality |

## The 5 Evaluation Dimensions

| Dimension | Control question | Typical failure mode |
| --- | --- | --- |
| Coverage | Is the requirement actually treated in the document? | Requirement is absent or only implied |
| Specificity | Are roles, actions, and timings operationally defined? | Principle-only statements |
| Traceability | Is there explicit traceability to NIS2 measure/point? | Generic legal references only |
| Evidence | Are required support artifacts identifiable and usable? | Evidence is cited but not traceable |
| Approval (where applicable) | Is governance approval path explicit where required? | Missing approval workflow for board-sensitive items |

## Evidence-Reference Maturity Sub-Scale

To reduce binary “present/missing” bias, evidence references are also graded for maturity:

| Level | Label | Practical interpretation |
| --- | --- | --- |
| 0 | Absent | No evidence reference |
| 1 | Mentioned without locator | Evidence named, not traceable |
| 2 | Mentioned with locator | Evidence locatable, no explicit NIS2 mapping |
| 3 | Locator + NIS2 mapping | Evidence traceable and mapped to requirement |
| 4 | Evidence available for verification | Evidence traceable and available in controlled corpus |

## Document Maturity Bands

After requirement-point scoring, document maturity is classified as:

| Average score | Maturity level | Executive interpretation |
| --- | --- | --- |
| <1.0 | Inadequate | Substantial rewrite required |
| 1.0–1.9 | Initial | Significant remediation required |
| 2.0–2.9 | Developing | Core coverage present, targeted remediation required |
| 3.0–3.5 | Adequate | Minor completion work required |
| 3.6–4.0 | Optimal | Strong baseline readiness |

## Finding Severity Model

| Severity | Typical score zone | Action expectation |
| --- | --- | --- |
| Critical | 0 | Immediate remediation track |
| Major | 1 | Priority remediation track |
| Minor | 2 | Planned remediation track |
| Observation | 3 | Improvement recommendation |

## Special Rules in the Scoring Engine

### 1) Appendix B risk-linkage rule

The ACN Reading Guide (Appendix B) identifies specific requirement points that must show explicit linkage to risk assessment outcomes. In scoring, those items are checked against stricter linkage criteria derived from the official baseline interpretation, so a generic reference to "risk" does not earn the Traceability or Evidence points.

### 2) Appendix C approval-sensitive rule set

Items that require governing-body approval are additionally checked for an explicit approval path in both the document structure and the governance workflow. In audit planning, we track **11** approval-sensitive checkpoints aligned with the Appendix C interpretation of the baseline documentation.

### 3) Draft-state handling

When documentation is explicitly in draft state, missing final signatures are treated as a status condition, while missing approval architecture (roles, approval path, revision governance) remains a scored gap.
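The calculation described under "Requirement-point score", the 0–4 scale, the maturity bands, the severity zones and the draft-state rule, combined into one small scoring engine. This is an added illustration, not Aegister's own tooling: the band edges and labels come from the article's tables, while rounding to one decimal, mapping severity from the floored score, capping Approval at 2 when a non-draft document lacks final signatures, and the sample point IDs are assumptions.

```python
from dataclasses import dataclass
from statistics import mean

# Tables from the article; one-decimal rounding, floor-based severity and the signature cap are assumptions.
DIMENSIONS = ("coverage", "specificity", "traceability", "evidence", "approval")
MATURITY_BANDS = [(1.0, "Inadequate"), (2.0, "Initial"), (3.0, "Developing"),
                  (3.6, "Adequate"), (4.1, "Optimal")]   # exclusive upper bound -> label
SEVERITY = {0: "Critical", 1: "Major", 2: "Minor", 3: "Observation"}


@dataclass
class RequirementPoint:
    point_id: str                   # e.g. "ID.RA-05:p1" (format used in the article)
    scores: dict                    # dimension -> 0..4, None = not applicable
    draft: bool = False             # document explicitly in draft state
    signatures_missing: bool = False  # final sign-off absent on the document


def point_score(rp: RequirementPoint) -> float:
    """Average of applicable dimensions; N/A dimensions leave the denominator."""
    scores = dict(rp.scores)
    if rp.signatures_missing and not rp.draft and scores.get("approval") is not None:
        scores["approval"] = min(scores["approval"], 2)  # assumption: missing signature is a gap
    applicable = [v for k, v in scores.items() if k in DIMENSIONS and v is not None]
    if not applicable:
        raise ValueError(f"{rp.point_id}: no applicable dimension to score")
    return round(mean(applicable), 1)


def severity(score: float):
    return SEVERITY.get(int(score))  # floor the mean; a 4.0 point raises no finding


def maturity_band(points: list) -> str:
    """Document-level band from the mean of its requirement-point scores."""
    avg = round(mean(point_score(p) for p in points), 1)
    return next(label for bound, label in MATURITY_BANDS if avg < bound)


def status_conditions(points: list) -> list:
    """Draft-state rule: missing signatures in a draft are reported, not scored."""
    return [f"{p.point_id}: final signature pending (draft)"
            for p in points if p.draft and p.signatures_missing]


SAMPLE = [  # constructed sample input; point ids are illustrative only
    RequirementPoint("ID.RA-05:p1", dict(zip(DIMENSIONS, (3, 2, 3, 2, None)))),
    RequirementPoint("ID.RA-08:p1", dict(zip(DIMENSIONS, (2, 1, 2, 1, 0)))),
    RequirementPoint("ID.RA-05:p2", dict(zip(DIMENSIONS, (4, 4, 4, 3, 4))),
                     draft=True, signatures_missing=True),
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p.point_id, point_score(p), severity(point_score(p)))
    print(maturity_band(SAMPLE), status_conditions(SAMPLE))
```

Note that the first sample point has Approval marked not applicable, so its 2.5 is the mean of four dimensions, not five; the third point keeps its 4 on Approval because the missing signature is a draft status condition, not a scored gap.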

## Practical Execution Workflow (Audit Side)

1. Define document perimeter and subject type.
2. Map each document to relevant NIS2 requirement points.
3. Score each point on the 5 dimensions.
4. Flag non-applicable dimensions explicitly.
5. Aggregate scores at requirement and document levels.
6. Assign severity class to each gap.
7. Build a remediation queue by dependency and risk impact.
8. Produce executive summary and operational backlog.

## What the Method Produces for Management

- A requirement-level scoring matrix.
- A document maturity map.
- A prioritized remediation queue with critical-path logic.
- A board-ready summary linking documentary risk to governance actions.

## Common Scoring Mistakes to Avoid

- Scoring whole policies without requirement-point granularity.
- Treating citation of a policy title as equivalent to operational evidence.
- Confusing legal mention with measure-point traceability.
- Deferring approval-path design to the final publication phase.
- Ignoring cross-document consistency in incident and continuity flows.

## FAQ

### Is this a legal opinion?

No. It is a compliance-readiness methodology designed to operationalize documentary controls against the official NIS2 baseline framework.

### Can the same model be used for essential and important entities?

Yes, but requirement mapping and expected documentary depth must follow the applicable baseline set in official ACN documentation.

### Does a high score mean no further work is needed?

No. A high score indicates stronger documentary readiness. Technical control validation and implementation testing remain necessary.

### What if some requirements are unclear in source material?

Details are defined in the official baseline documentation and annexes: [ACN Determination](https://www.acn.gov.it/portale/documents/d/guest/detacn_obblighi_2511-v3_signed), [ACN Reading Guide](https://www.acn.gov.it/portale/documents/d/guest/guida-alla-lettura-specifiche-di-base).

## Conclusion

A robust scoring methodology turns NIS2 documentation review into an execution discipline. By combining requirement-point scoring, evidence maturity checks, and governance-sensitive controls, organizations can prioritize the right remediation sequence and reduce last-mile compliance risk before supervisory scrutiny windows tighten.

## Related reading

- [Compliance Documentation Audit for NIS2 Baseline Obligations: Method Overview](/en/cms/insights/compliance-documentation-audit-nis2-method-overview/)
- [NIS2 Evidence Matrix and Board-Approval Readiness: Practical Audit Method](/en/cms/insights/nis2-evidence-matrix-board-approval-readiness-audit/)
- [Prioritizing NIS2 Audit Findings: From Gap List to Remediation Execution](/en/cms/insights/nis2-audit-findings-prioritization-remediation-execution/)
- [Aegister NIS2 Compliance Service](/en/solutions/compliance/nis2/)
- [Aegister Virtual CISO Service](/en/solutions/virtual-ciso/)

## Official Sources

- [Legislative Decree 138/2024 (Gazzetta Ufficiale)](https://www.gazzettaufficiale.it/eli/id/2024/10/01/24G00155/SG)
- [ACN – Determination on baseline obligations](https://www.acn.gov.it/portale/documents/d/guest/detacn_obblighi_2511-v3_signed)
- [ACN – Reading Guide for baseline specifications](https://www.acn.gov.it/portale/documents/d/guest/guida-alla-lettura-specifiche-di-base)
- [ACN – NIS baseline modalities/specifications](https://www.acn.gov.it/portale/nis/modalita-specifiche-base)

