Belgium’s NIS2 law has been active since April 2024, and enforcement is no longer theoretical. Essential entities must obtain at least a Basic or Important CyberFundamentals (CyFun) verification by 18 April 2026. Important entities can undergo the same process voluntarily to gain a presumption of conformity. If you are the IT manager responsible for getting your organisation through that audit, this checklist covers what the Centre for Cybersecurity Belgium (CCB) and accredited conformity assessment bodies (CABs) actually expect to see.
This is not a legal summary. It is a working document you can use to prepare your team, your evidence, and your technical controls for the audit ahead.
How to prepare for a NIS2 audit in Belgium
- Determine your entity classification (essential or important) and required CyFun assurance level.
- Run a CyFun self-assessment to identify gaps in your current controls.
- Document governance, risk analysis, and board approval of security measures.
- Implement technical controls for access, segmentation, logging, and incident response.
- Prepare evidence packs with policy versions, change logs, and test results.
- Engage an accredited CAB for verification or certification before 18 April 2026.
Who falls in scope, and what that means for your audit
NIS2 applies to organisations in 18 sectors that meet certain size thresholds, generally 50 or more employees or annual turnover above EUR 10 million. Belgium uses a self-registration model. If your organisation meets the criteria, you are expected to register on the Safeonweb@Work portal and comply without waiting for formal notification.
The distinction between essential and important entities determines the intensity of supervision. Essential entities in sectors such as energy, healthcare, transport, and digital infrastructure face proactive (ex ante) audits and mandatory periodic conformity assessments. Important entities in sectors like manufacturing, food production, and postal services are primarily supervised reactively (ex post), but can voluntarily undergo the same assessments to demonstrate compliance.
Penalties reflect this distinction. Essential entities face fines up to EUR 10 million or 2% of global annual turnover, whichever is higher. Important entities face up to EUR 7 million or 1.4%. Both categories carry personal liability for board members who fail to approve and oversee security measures, a point explored in more detail in our analysis of NIS2 board liability in Belgium.
The CyberFundamentals framework: your audit benchmark
The CCB developed the CyberFundamentals (CyFun) framework as the practical translation of NIS2 into technical and organisational controls. It defines four assurance levels: Small (for micro-organisations), Basic (34 controls), Important (99 additional controls), and Essential (85 further controls on top of Important).
The 2025 edition of CyFun aligns closely with NIST CSF 2.0 and adds Governance as a sixth function alongside Identify, Protect, Detect, Respond, and Recover. Supply chain security and OT coverage have also been strengthened.
For essential entities, the timeline is clear. Obtain at least Basic or Important verification by April 2026. Achieve full Essential certification by April 2027. Organisations that prefer ISO/IEC 27001 must submit their scope and Statement of Applicability to the CCB by April 2026, with full certification by April 2027.
Checklist part 1: governance, risk management, and board accountability
Auditors start here. NIS2 Article 20 makes board-level involvement mandatory. Your management body must approve cybersecurity risk measures, oversee their implementation, and accept personal liability for shortcomings.
What auditors expect to see:
- A formally approved information security policy, signed by the board.
- Evidence that board members have completed cybersecurity training. This is not optional. The directive explicitly requires it.
- Risk analyses that are updated periodically and after significant infrastructure changes, covering the organisation’s specific threat landscape, not generic templates.
- Documented budget allocation proportionate to the identified risks, with clear escalation lines from IT/security to the board.
- Meeting minutes or dashboard exports showing the board reviews cybersecurity status regularly.
The financial quantification of cyber risk is increasingly expected. If you can express potential downtime, breach costs, and regulatory fines in financial terms, auditors view this as a sign of organisational maturity.
Checklist part 2: incident detection, response, and reporting
NIS2 imposes strict reporting timelines that your systems must be able to support. An incident that disrupts services or affects data integrity triggers a multi-stage reporting cycle.
| Reporting stage | Deadline | What auditors check |
|---|---|---|
| Early warning | Within 24 hours | Speed of detection and initial classification. Is the incident suspected to be malicious? |
| Incident notification | Within 72 hours | Depth of analysis. Impact assessment, indicators of compromise, affected services. |
| Interim update | On request from CCB | Transparency on remediation progress. |
| Final report | Within 1 month | Root cause analysis and measures taken to prevent recurrence. |
Your incident response plan needs to provide 24/7 coverage, whether through internal teams or a managed security service provider. Auditors will look for documented workflows that map to each reporting stage, evidence of regular testing (tabletop exercises or simulations), and classification criteria that account for severity, impact, and potential cross-border effects.
Organisations that still collect logs manually from separate firewalls and endpoints will struggle here. Centralised visibility, where access decisions, network activity, and threat detections are correlated in a single view, is what modern audits expect. A SASE platform that routes all traffic through a cloud-managed control plane provides this by design, creating an immutable audit trail without manual aggregation.
Checklist part 3: business continuity and backup resilience
Ransomware tactics in 2026 specifically target backup infrastructure before encrypting production systems. NIS2 Article 21.2.c reflects this reality by requiring demonstrable recovery capabilities, not just backup policies.
What auditors expect:
- Immutable backups that cannot be altered or deleted, even by accounts with administrative privileges.
- Physical or logical separation (air-gapping) between production networks and backup storage.
- Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) based on a documented Business Impact Analysis, not arbitrary numbers.
- Quarterly tested recovery procedures, ideally automated rather than manual, including restoration of cloud-native network configurations.
An RTO of four hours means nothing if your actual restore process takes 48 hours. Auditors will ask you to demonstrate, not just document, that your infrastructure can meet these targets. The Belgian hospital ransomware incident earlier this year showed exactly what happens when backup integrity is assumed rather than tested.
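As an added illustration (not code from the original post or from Jimber) of demonstrating rather than documenting RTO and RPO, the script below scores a restore drill against constructed Business Impact Analysis targets and also checks that each restored file matches the checksum recorded when the backup was taken. All timestamps, targets and file contents are constructed for the example; RTO is measured from the declared incident to the moment service is restored, and RPO as the age of the last backup at incident time.

```python
# Added example (not code from the original post or from Jimber): scoring a restore
# drill against documented RTO/RPO targets and checking the integrity of restored
# data. Targets, timestamps and file contents are constructed.
import hashlib
from datetime import datetime, timedelta, timezone


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed Business Impact Analysis targets, in hours.
BIA_TARGETS = {
    "erp": {"rto_h": 4, "rpo_h": 1},
    "fileshare": {"rto_h": 8, "rpo_h": 24},
}


def assess_drill(system: str, drill: dict, targets=BIA_TARGETS) -> dict:
    """Compare a measured drill against the BIA.

    drill keys: last_backup, incident, restore_end (aware datetimes),
    expected {path: sha256 recorded at backup time}, restored {path: bytes}.
    RTO runs from the declared incident to service restored; RPO is the age
    of the last good backup at incident time.
    """
    t = targets[system]
    rto_actual = drill["restore_end"] - drill["incident"]
    rpo_actual = drill["incident"] - drill["last_backup"]
    mismatched = sorted(
        p for p, digest in drill["expected"].items()
        if p not in drill["restored"] or sha256(drill["restored"][p]) != digest
    )
    result = {
        "system": system,
        "rto_hours": round(rto_actual.total_seconds() / 3600, 2),
        "rto_met": rto_actual <= timedelta(hours=t["rto_h"]),
        "rpo_hours": round(rpo_actual.total_seconds() / 3600, 2),
        "rpo_met": rpo_actual <= timedelta(hours=t["rpo_h"]),
        "mismatched": mismatched,
    }
    result["integrity_ok"] = not mismatched
    result["pass"] = result["rto_met"] and result["rpo_met"] and result["integrity_ok"]
    return result


def sample_drills() -> dict:
    """Constructed drill records for two systems."""
    def at(s: str) -> datetime:
        return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

    ledger = b"2026-03-01;INV-1001;1200.00\n"
    report = b"quarterly report v3\n"
    return {
        "erp": {  # restore took 6 h against a 4 h RTO; data intact
            "last_backup": at("2026-03-02T02:00:00"),
            "incident": at("2026-03-02T02:30:00"),
            "restore_end": at("2026-03-02T08:30:00"),
            "expected": {"ledger.csv": sha256(ledger)},
            "restored": {"ledger.csv": ledger},
        },
        "fileshare": {  # timings fine, but one restored file fails its recorded hash
            "last_backup": at("2026-03-01T22:00:00"),
            "incident": at("2026-03-02T02:30:00"),
            "restore_end": at("2026-03-02T04:30:00"),
            "expected": {"report.docx": sha256(report), "notes.txt": sha256(b"ok\n")},
            "restored": {"report.docx": report + b"corrupted", "notes.txt": b"ok\n"},
        },
    }


if __name__ == "__main__":
    for system, drill in sample_drills().items():
        r = assess_drill(system, drill)
        print(f"{system}: RTO {r['rto_hours']}h (met={r['rto_met']}), "
              f"RPO {r['rpo_hours']}h (met={r['rpo_met']}), "
              f"integrity={r['integrity_ok']} -> {'PASS' if r['pass'] else 'FAIL'}")
```

Run after each quarterly drill and keep the result dictionaries with the evidence pack: the ERP record shows a missed RTO even though the data came back intact, and the file share record shows why a restore that finishes on time still fails when integrity is not checked.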
Checklist part 4: supply chain security
NIS2 Article 21.2.d extends your responsibility to the security posture of direct suppliers and service providers. This is one of the most challenging areas for mid-market organisations, and auditors know it.
What you need to document:
- A maintained inventory of direct suppliers, their role in your operations, and their criticality.
- Risk profiles for each supplier, including whether they follow recognised frameworks such as CyFun or ISO 27001.
- Contractual clauses that require suppliers to report incidents to you within defined timelines.
- Audit rights that allow you to verify (or have a third party verify) the security practices of critical suppliers.
The most common failure point is broad VPN access for external technicians. An auditor expects to see that third-party access follows least-privilege principles, with identity-based access limited to the specific application or system the supplier needs to reach. Time-limited sessions, step-up authentication, and recorded activity logs are the standard. This is precisely what Zero Trust Network Access provides: per-application access instead of network-level entry.
Checklist part 5: technical security controls
This section covers the measures auditors will inspect on your systems, not just in your documentation.
Access control and authentication
- Multi-factor authentication (MFA) is mandatory for all external access and privileged accounts. SMS-based codes and simple push notifications are increasingly considered insufficient for critical access. Phishing-resistant methods such as FIDO2 hardware keys or biometric passkeys are the expected direction.
- Access decisions based on identity and device posture, not IP addresses or network location.
- Continuous session validation, not just one-time authentication at login.
Network segmentation and lateral movement prevention
- Microsegmentation that limits communication paths between identities, devices, and services. Auditors look for evidence that a breach in one segment cannot spread to others.
- Isolation of agentless devices. Printers, IoT sensors, and industrial equipment that cannot run security agents need to be placed behind inline isolation controls with only explicitly permitted traffic flows. Jimber’s NIAC hardware provides this bridge between IT and OT without disrupting production systems.
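To make the segmentation expectation concrete, here is an added example (not code from the original post or from Jimber) of a default-deny policy evaluator: segments are defined as address ranges, every permitted flow is an explicit rule, and anything not listed, including traffic inside a segment and any connection initiated from the OT range, is denied. The segment addressing, rules and sample flows are constructed; a real deployment would evaluate identity and device posture rather than addresses alone. The `reachable_from` helper answers the auditor's question of how far a compromise in one segment can spread.

```python
# Added example (not code from the original post or from Jimber): a default-deny
# segmentation policy evaluator. Segment ranges, rules and flows are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int


# Constructed segment map (hypothetical addressing).
SEGMENTS = {
    "users": ip_network("10.10.0.0/16"),
    "app": ip_network("10.20.0.0/24"),
    "db": ip_network("10.30.0.0/24"),
    "backup": ip_network("10.40.0.0/24"),
    "ot": ip_network("192.168.100.0/24"),  # agentless equipment behind inline isolation
}

# Explicit allowlist of (src_segment, dst_segment, proto, dst_port).
# Everything not listed, including traffic inside a segment, is denied.
ALLOW = {
    ("users", "app", "tcp", 443),
    ("app", "db", "tcp", 5432),
    ("app", "backup", "tcp", 443),
    ("app", "ot", "tcp", 502),  # only the app tier may reach OT, and only on Modbus/TCP
}


def segment_of(ip: str):
    """Return the segment name containing ip, or None if unassigned."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def evaluate(flow: Flow):
    """Decide allow/deny for one flow and give the reason an auditor would read."""
    src, dst = segment_of(flow.src_ip), segment_of(flow.dst_ip)
    if src is None or dst is None:
        return "deny", "address outside any defined segment"
    rule = (src, dst, flow.proto, flow.dst_port)
    if rule in ALLOW:
        return "allow", f"rule {src}->{dst} {flow.proto}/{flow.dst_port}"
    return "deny", f"no rule for {src}->{dst} {flow.proto}/{flow.dst_port}"


def reachable_from(segment: str):
    """Segments a host in `segment` can initiate traffic to (its blast radius)."""
    return {dst for src, dst, _, _ in ALLOW if src == segment}


def denied_flows(flows):
    """Filter observed flows down to those the policy rejects, with reasons."""
    out = []
    for f in flows:
        decision, reason = evaluate(f)
        if decision == "deny":
            out.append((f, reason))
    return out


if __name__ == "__main__":
    # Constructed flows, as they might appear in a flow export.
    sample = [
        Flow("10.10.5.7", "10.20.0.10", "tcp", 443),       # user -> app: allowed
        Flow("10.10.5.7", "10.30.0.10", "tcp", 5432),      # user -> db directly: denied
        Flow("192.168.100.20", "10.20.0.10", "tcp", 443),  # OT initiating to app: denied
    ]
    for f, why in denied_flows(sample):
        print(f"DENY {f.src_ip} -> {f.dst_ip}:{f.dst_port} ({why})")
    print("blast radius from users:", reachable_from("users"))
    print("blast radius from ot:", reachable_from("ot"))
```

Feeding a flow export through `denied_flows` gives a list of observed connections the policy would not permit, which is the kind of evidence that shows segmentation is enforced rather than merely drawn on a diagram.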
Vulnerability management and patching
- A formal process for identifying, prioritising, and applying patches within defined timelines.
- Evidence that critical vulnerabilities are remediated quickly, not just acknowledged.
- The CCB’s inspection service can perform external attack surface scans at any time on essential entities, checking for open ports, unpatched services, and configuration weaknesses.
Encryption
- Encryption applied consistently to data at rest and in transit.
- Awareness of which cryptographic algorithms are in use across your infrastructure (a Cryptographic Bill of Materials).
- At minimum, a documented plan for migration to post-quantum cryptography, particularly for data with a long retention requirement.
Checklist part 6: logging, monitoring, and evidence
The thread running through every audit area is evidence. Auditors do not take your word for it. They need traceable records.
- Centralised logging of all access decisions, configuration changes, and security events. A Secure Web Gateway and Firewall-as-a-Service that log every policy decision alongside ZTNA access records provide this without manual correlation.
- SIEM integration for real-time analysis and alerting.
- Policy versioning with clear change history, approver identity, and timestamps.
- Standardised evidence exports for risk committees and regulators.
Organisations that manage security across multiple separate consoles face a practical problem: assembling a coherent audit trail from fragmented sources is slow, error-prone, and expensive. A unified platform that manages network security, access control, and web protection from one console reduces that burden significantly.
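The "immutable audit trail" and "policy versioning with approver identity and timestamps" expectations above can be met without a specific product, so here is an added example (not code from the original post or from Jimber) of an append-only, hash-chained audit trail: each entry commits to the SHA-256 of the previous one, `verify` reports the first entry whose content or linkage no longer matches, `policy_history` reconstructs who approved which version of a policy and when, and `export` produces a filtered JSON evidence pack. The events, user names and policy identifier are constructed.

```python
# Added example (not code from the original post or from Jimber): an append-only,
# hash-chained audit trail for access decisions and policy changes, with integrity
# verification, per-policy version history and an evidence export. Events are constructed.
import hashlib
import json

GENESIS = "0" * 64


def entry_digest(body: dict) -> str:
    """Canonical SHA-256 over an entry without its own hash field."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditTrail:
    def __init__(self):
        self.entries = []

    def append(self, ts: str, kind: str, **fields) -> str:
        """Append one event; each entry commits to the previous entry's hash."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "ts": ts, "kind": kind, "prev": prev, **fields}
        body["hash"] = entry_digest(body)
        self.entries.append(body)
        return body["hash"]

    def verify(self):
        """Return (True, None) if the chain is intact, else (False, first bad index)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e.get("seq") != i or e.get("prev") != prev or entry_digest(body) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, None

    def policy_history(self, policy_id: str):
        """(version, approver, timestamp) for every change to one policy."""
        return [(e["version"], e["approver"], e["ts"])
                for e in self.entries
                if e["kind"] == "policy_change" and e["policy_id"] == policy_id]

    def export(self, kind=None, since=None) -> str:
        """JSON evidence export, optionally filtered by event kind and ISO-8601 timestamp."""
        rows = [e for e in self.entries
                if (kind is None or e["kind"] == kind) and (since is None or e["ts"] >= since)]
        head = self.entries[-1]["hash"] if self.entries else GENESIS
        return json.dumps({"head": head, "entries": rows}, indent=2)


def build_sample_trail() -> AuditTrail:
    """Constructed events: two policy versions and two access decisions."""
    t = AuditTrail()
    t.append("2026-01-12T09:00:00Z", "policy_change", policy_id="ztna-finance", version=1,
             approver="ciso@example.invalid", summary="allow finance group to ERP on 443")
    t.append("2026-01-12T09:05:12Z", "access_decision", user="alice", device_posture="compliant",
             app="erp", decision="allow", policy_id="ztna-finance", version=1)
    t.append("2026-02-03T14:20:00Z", "policy_change", policy_id="ztna-finance", version=2,
             approver="ciso@example.invalid", summary="require phishing-resistant MFA")
    t.append("2026-02-03T14:31:44Z", "access_decision", user="bob", device_posture="non-compliant",
             app="erp", decision="deny", policy_id="ztna-finance", version=2)
    return t


if __name__ == "__main__":
    trail = build_sample_trail()
    print("chain intact:", trail.verify())
    print("policy history:", trail.policy_history("ztna-finance"))
    print(trail.export(kind="access_decision", since="2026-02-01T00:00:00Z"))
```

The chain only detects tampering with entries that have a successor; the head hash must therefore be published or anchored somewhere the log writer cannot reach (a write-once store, a separate SIEM, or a periodic signed snapshot), which is the same reason the backup section insists on storage that administrators cannot alter.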
What auditors flag most often
Based on common findings in early NIS2 assessments across Belgium, these are the areas where organisations stumble:
Treating NIS2 as an IT project.
The directive explicitly requires board involvement. An IT manager who has done all the technical work but cannot show board approval, training records, and budget sign-off will fail the governance section.
Outsourcing security without oversight.
Using a managed service provider does not transfer compliance responsibility. You must demonstrate that you understand and control what your security partners do on your behalf. This “black box” approach is penalised.
Paper-only policies.
A documented incident response plan that has never been tested is a non-conformity. Auditors ask for drill results, lessons learned, and corrective actions.
Ignoring agentless devices.
Legacy equipment, IoT, and OT devices are specifically scrutinised because they often sit on flat network segments with broad access. Network segmentation that includes inline isolation for these devices is expected.
Weak supply chain controls.
Many organisations focus entirely on internal security while neglecting Article 21 obligations around supplier risk management.
How Jimber supports NIS2 audit readiness
Jimber delivers Real SASE in one cloud-managed platform, consolidating the technical controls that NIS2 audits require into a single console.
- Zero Trust Network Access replaces broad VPN access with identity-based, per-application access. Every connection verifies user identity and device posture before granting access, providing clear evidence of least-privilege enforcement.
- Secure Web Gateway and Firewall-as-a-Service apply consistent web security policies across all users and locations, with centralised logging that supports the 24-hour incident detection requirement.
- SD-WAN connects multiple sites with encrypted, resilient connectivity, simplifying network management and segmentation across distributed environments, particularly relevant for local government organisations and multi-site enterprises.
- NIAC hardware brings agentless devices under Zero Trust controls through inline isolation, closing the blind spot that auditors consistently flag.
All of this is managed from one console with unified logging, policy versioning, and API-first integration for SIEM streaming. For MSPs managing multiple customers, the multi-tenant architecture and transparent pricing model make it practical to deliver auditable security at scale.
Frequently asked questions
When is the NIS2 audit deadline in Belgium?
Essential entities must obtain at least a Basic or Important CyFun verification by 18 April 2026. Full Essential certification or ISO 27001 certification is required by 18 April 2027.
What happens if we miss the April 2026 deadline?
Essential entities face proactive supervision. The CCB can conduct inspections, request evidence, and impose fines up to EUR 10 million or 2% of global turnover. Board members can be held personally liable for non-compliance.
Is CyberFundamentals mandatory?
For entities in scope, you must demonstrate compliance through one of three routes: CyFun verification or certification, ISO/IEC 27001 certification, or an inspection by the CCB. CyFun is the most practical route for organisations with a national focus.
Does NIS2 require Zero Trust?
The directive does not mandate a specific technology. However, it requires proportionate access controls, least-privilege enforcement, and demonstrable incident containment. Zero Trust architecture directly addresses these requirements and provides the evidence auditors expect.
How does NIS2 affect our suppliers?
Article 21.2.d requires you to assess and manage security risks from direct suppliers. This includes contractual security clauses, incident notification requirements, and audit rights. The CCB recommends that supply chain partners implement at least CyFun Basic.
Can a SASE platform help with NIS2 compliance?
Yes. A unified SASE platform consolidates access control, web security, network segmentation, and logging into one auditable system. This reduces the time spent assembling evidence from multiple tools and provides consistent policy enforcement that auditors can verify from a single console.
Ready to close the gaps in your NIS2 readiness before the April 2026 deadline? Book a demo and see how Jimber’s SASE platform maps to CyberFundamentals controls in one cloud-managed console.