NIS2 readiness in mid-market — what we learned from three mandates

Three mid-market mandates, three paths to NIS2 compliance. What actually works, where audit preparation fails, and why documentation matters more than the next tool.

What it's about

NIS2 has been national law since October 2024. In Q4 2025 we brought three mid-market mandates to audit-ready state — a machine builder (220 staff), a municipal energy utility (90 staff) and a consulting firm (180 staff). This note summarises what worked and where money was burnt.

What actually works

Documentation before tooling. All three mandates already had reasonable security building blocks — patching, endpoint detection, MFA. What was missing was credible documentation: who is responsible, who decides in an incident, how long does escalation take? NIS2 auditors examine processes, not logos.

Simulate incidents. Three tabletop exercises in three months brought more clarity than any new tool. A tabletop reveals that the escalation path "call the CISO" doesn't work if the CISO role isn't filled. That is quickly fixed: we cover the role within our Virtual CISO model.

Document the supply chain. The NIS2 requirement for supplier security is underestimated. We set up a simple supplier register for each mandate (critical providers, contractual clauses, contact paths) and sent security questionnaires to the top ten suppliers. Auditors were satisfied afterwards.

Where money was burnt

A "compliance tool" that nobody maintains. One mandate had subscribed to a GRC platform nobody used. Such tools are worthless without an owner. We switched it off and used a Confluence space plus the audit log of our Nova9 platform: cheaper, and actually maintained.

Penetration tests before hygiene. One mandate wanted a pentest before basic hygiene was in place. Result: a hundred findings, eighty of them fixable in the first two weeks with hardening. Our recommendation today: hardening first, then pentest — otherwise you pay for a defect list you could have produced without the pentest.

What Nova9 contributed

Our platform's audit trails cover NIS2 article 21 (incident reporting) with no extra work: every agent action is signed, time-stamped and searchable. In one of the audits this is what convinced the auditor that the 24h response time is demonstrably met.
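To make the idea of a signed, time-stamped, searchable trail concrete, here is an added illustration that is not Nova9's code: a minimal HMAC-chained audit log with a check that the detection-to-report interval for an incident stays inside the 24h window. The key, incident id and timestamps are constructed sample values.

```python
import hmac, hashlib, json
from datetime import datetime, timezone, timedelta

REPORT_DEADLINE = timedelta(hours=24)  # the 24h window the auditor asked about

class AuditTrail:
    """Append-only audit log; each entry is HMAC-signed and chained to the previous one
    (illustrative design, not the Nova9 implementation)."""
    def __init__(self, key: bytes):
        self._key = key
        self.entries = []

    def _sign(self, record: dict) -> str:
        # canonical JSON so the signature does not depend on key order or whitespace
        canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, canonical, hashlib.sha256).hexdigest()

    def append(self, actor: str, action: str, incident: str, ts: datetime) -> dict:
        prev = self.entries[-1]["sig"] if self.entries else ""   # chain to previous entry
        record = {"ts": ts.isoformat(), "actor": actor, "action": action,
                  "incident": incident, "prev": prev}
        record["sig"] = self._sign(record)
        self.entries.append(record)
        return record

    def verify(self) -> bool:
        """False if any entry was edited, removed or reordered after being written."""
        prev = ""
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "sig"}
            if body["prev"] != prev or not hmac.compare_digest(self._sign(body), e["sig"]):
                return False
            prev = e["sig"]
        return True

    def search(self, incident: str, action: str) -> list:
        return [e for e in self.entries if e["incident"] == incident and e["action"] == action]

def reporting_lag(trail: AuditTrail, incident: str):
    """Time between first 'detected' and first 'reported_to_authority' entry, or None."""
    detected, reported = trail.search(incident, "detected"), trail.search(incident, "reported_to_authority")
    if not detected or not reported:
        return None
    return datetime.fromisoformat(reported[0]["ts"]) - datetime.fromisoformat(detected[0]["ts"])

def within_deadline(trail: AuditTrail, incident: str) -> bool:
    lag = reporting_lag(trail, incident)
    return lag is not None and lag <= REPORT_DEADLINE

def build_sample_trail() -> AuditTrail:
    # constructed sample incident: detected 08:15 UTC, reported 19h30 later
    trail = AuditTrail(b"demo-key-not-for-production")
    t0 = datetime(2025, 11, 3, 8, 15, tzinfo=timezone.utc)
    trail.append("edr-agent", "detected", "INC-0042", t0)
    trail.append("soc-analyst", "triaged", "INC-0042", t0 + timedelta(hours=2))
    trail.append("ciso", "reported_to_authority", "INC-0042", t0 + timedelta(hours=19, minutes=30))
    return trail
```

For an auditor the useful property is that `verify()` fails the moment any historical entry is altered, so the timestamps that prove the deadline was met cannot be quietly adjusted afterwards.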

Concrete recommendation

If you haven't started yet:

  1. Clarify responsibilities. Who carries incident responsibility? Who informs oversight? Write it down.
  2. Simulate top-5 incidents. Tabletop, one hour per scenario.
  3. Set up a supplier register. Not Excel hell — simple Markdown is enough.
  4. Turn on audit trails. On every production system.

If you want our template for the supplier register or the tabletop guide, write to us. We give both away for free.