Compliance guide · 2026-05-25

What a NIS2 auditor expects from you — and how to concretely prove it

NIS2 is in force in Belgium. Nine Article 21 requirements, each with the auditor's question, the evidence they expect, and the monsys page that delivers that evidence with no extra work.

NIS2 is in force in Belgium. The CCB (Centre for Cybersecurity Belgium) has enforcement powers. But what does that mean in practice when an auditor shows up at your door?

This article is not a legal interpretation — you'll need a lawyer for that. What it does give you: a concrete picture of which questions a NIS2 auditor will ask, which evidence they expect, and how to produce that evidence today.

The nine requirements of Article 21

Article 21(2) NIS2 requires "appropriate and proportionate technical, operational and organisational measures" and lists the domains those measures must at least cover; the Belgian transposition carries that list over. We walk through nine of those domains, each with the question an auditor asks and the evidence you need.

1. Policy for risk analysis and information security

Auditor question: "Show me your risk analysis from the past year."

What you need: A documented analysis + evidence it's current.

How monsys helps: The Trust Score (0-100) is a reproducible risk number composed of six components: patch hygiene, agent health, secrets exposure, configuration drift, EAT discipline and evidence continuity. It is recomputed every 30 minutes from live data, so its 90-day trend is a living risk analysis rather than a yearly document gathering dust. It backs the written analysis with evidence that it is current; the written analysis itself (scope, threat assumptions, accepted risks) is still yours to produce.

[Screenshot: Trust Score overview with evolution and components] The Trust Score for the tenant: one number, transparent composition, updated continuously.

2. Incident handling

Auditor question: "What was your average response time on critical incidents? Show me the timeline of the last three."

What you need: An audit trail per incident with timestamps: detected, escalated, resolved.

How monsys helps: Every detection event carries detected_at, acknowledged_at and resolved_at timestamps. The SMART correlation worker adds MITRE tags. Emergency Actions are logged with issued_at and exit_code. The MTTR dashboard shows p50/p95 per severity over 90 days, so the "average" the auditor asks for comes out as percentiles that a single outlier cannot skew.

[Screenshot: Alerts & incidents overview] The alerts overview shows open and closed incidents with severity, source and age, each clickable through to the full timeline.
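As an added example (written for this article, not monsys's code; the record fields, severity names and sample incidents are constructed for the demo), here is how the p50/p95 figures on such a dashboard follow from the three timestamps. It handles the two cases that matter in practice: open incidents, which count but have no MTTR yet, and timelines that run backwards, which are rejected as a data-quality finding rather than averaged away.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"time"
)

// Incident carries the three timestamps the text names (hypothetical record shape).
type Incident struct {
	ID             string
	Severity       string
	DetectedAt     string // RFC3339
	AcknowledgedAt string // "" if never acknowledged
	ResolvedAt     string // "" if still open
}

// Stats is one severity's row on the dashboard.
type Stats struct {
	Total, Open      int
	MTTAp50, MTTAp95 time.Duration // detected -> acknowledged
	MTTRp50, MTTRp95 time.Duration // detected -> resolved
}

// Percentile uses the nearest-rank definition: the smallest sample such that
// at least p percent of samples are <= it. Empty input yields 0.
func Percentile(samples []time.Duration, p float64) time.Duration {
	if len(samples) == 0 {
		return 0
	}
	s := append([]time.Duration(nil), samples...)
	sort.Slice(s, func(i, j int) bool { return s[i] < s[j] })
	rank := int(math.Ceil(p / 100 * float64(len(s))))
	if rank < 1 {
		rank = 1
	}
	return s[rank-1]
}

func parse(ts string) (time.Time, error) { return time.Parse(time.RFC3339, ts) }

// MTTRBySeverity keeps incidents detected inside [now-window, now], counts the
// open ones and computes percentiles over the closed ones. A timeline that runs
// backwards (acknowledged or resolved before detected) is an error, not a sample.
func MTTRBySeverity(incidents []Incident, now time.Time, window time.Duration) (map[string]Stats, error) {
	type acc struct {
		stats      Stats
		mtta, mttr []time.Duration
	}
	per := map[string]*acc{}
	start := now.Add(-window)
	for _, inc := range incidents {
		det, err := parse(inc.DetectedAt)
		if err != nil {
			return nil, fmt.Errorf("%s: detected_at: %w", inc.ID, err)
		}
		if det.Before(start) || det.After(now) {
			continue // outside the reporting window
		}
		a := per[inc.Severity]
		if a == nil {
			a = &acc{}
			per[inc.Severity] = a
		}
		a.stats.Total++
		if inc.AcknowledgedAt != "" {
			ack, err := parse(inc.AcknowledgedAt)
			if err != nil || ack.Before(det) {
				return nil, fmt.Errorf("%s: acknowledged_at invalid or before detected_at", inc.ID)
			}
			a.mtta = append(a.mtta, ack.Sub(det))
		}
		if inc.ResolvedAt == "" {
			a.stats.Open++ // counted, but contributes no MTTR yet
			continue
		}
		res, err := parse(inc.ResolvedAt)
		if err != nil || res.Before(det) {
			return nil, fmt.Errorf("%s: resolved_at invalid or before detected_at", inc.ID)
		}
		a.mttr = append(a.mttr, res.Sub(det))
	}
	out := map[string]Stats{}
	for sev, a := range per {
		a.stats.MTTAp50, a.stats.MTTAp95 = Percentile(a.mtta, 50), Percentile(a.mtta, 95)
		a.stats.MTTRp50, a.stats.MTTRp95 = Percentile(a.mttr, 50), Percentile(a.mttr, 95)
		out[sev] = a.stats
	}
	return out, nil
}

// SampleIncidents is constructed demo data, not an export from any system.
func SampleIncidents() []Incident {
	return []Incident{
		{"INC-101", "critical", "2026-03-02T08:00:00Z", "2026-03-02T08:05:00Z", "2026-03-02T08:40:00Z"},
		{"INC-102", "critical", "2026-03-10T22:00:00Z", "2026-03-10T22:12:00Z", "2026-03-10T23:35:00Z"},
		{"INC-103", "critical", "2026-03-18T14:00:00Z", "2026-03-18T14:30:00Z", "2026-03-18T16:00:00Z"},
		{"INC-104", "critical", "2026-03-25T01:00:00Z", "", ""},                                       // still open
		{"INC-105", "high", "2026-03-12T09:00:00Z", "2026-03-12T09:20:00Z", "2026-03-12T15:00:00Z"},
		{"INC-090", "critical", "2025-11-01T10:00:00Z", "2025-11-01T10:10:00Z", "2025-11-01T11:00:00Z"}, // outside the 90-day window
	}
}

func main() {
	now := time.Date(2026, 3, 31, 23, 59, 59, 0, time.UTC)
	stats, err := MTTRBySeverity(SampleIncidents(), now, 90*24*time.Hour)
	if err != nil {
		panic(err)
	}
	for sev, s := range stats {
		fmt.Printf("%-8s total=%d open=%d MTTA p50=%v p95=%v MTTR p50=%v p95=%v\n",
			sev, s.Total, s.Open, s.MTTAp50, s.MTTAp95, s.MTTRp50, s.MTTRp95)
	}
}
```

With the sample data, critical reports 4 incidents (1 open), MTTA p50/p95 of 12m/30m and MTTR p50/p95 of 1h35m/2h; the incident from November falls outside the window and is ignored. Nearest-rank percentiles are used deliberately: they always return a value that actually occurred, which is easier to defend in front of an auditor than an interpolated one.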

3. Business continuity and crisis management

Auditor question: "Prove that your backups work and have been tested recently."

What you need: Logs of backup runs per system, including success/failure.

How monsys helps: The agent inventories backup configurations and runs per host. For every production server the auditor sees when the last successful backup ran and how many runs failed over 90 days. A row with "0 successful runs" on a production host is an audit finding you want to discover before the audit, not during it. A successful run proves the backup was taken; "tested" in the auditor's question means a restore was tried, so log your restore tests as well.

4. Supply chain security

Auditor question: "How do you know which third-party software components run in production and whether they're vulnerable?"

What you need: A current software BOM (Bill of Materials) with CVE status.

How monsys helps: The agent scans package-lock.json, requirements.txt, composer.lock, go.sum and the OS package list. The hub matches them daily against OSV.dev and NVD, so at any moment you have a current CVE status per host and per dependency, with the fix version, weighted by internet exposure and EPSS exploit probability.

[Screenshot: Recommendations with prioritised CVE actions] Recommendations are prioritised by blast radius: a Critical on an internet-facing edge weighs more than the same Critical on an isolated dev server.

5. Security in acquisition, development and maintenance

Auditor question: "How do you detect changes to software in production?"

What you need: Evidence of change detection and change management.

How monsys helps: Process DNA fingerprinting detects when a binary in production changes without a known package update. Drift detection compares configuration files with a baseline. The time-machine diff shows per host what changed between two points in time: packages added/removed/upgraded, services, open ports, kernel.

[Screenshot: Integrity page with process DNA status per host] The integrity page shows per host whether binaries deviate from the baseline or a known manifest.
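An added example of the time-machine diff and of the "changed without a known package update" rule described above. It is written for this article and is not monsys's code: the Snapshot schema and the two sample snapshots of a host a week apart are constructed for the demo. The rule it implements is that a binary whose hash changed (or that newly appeared) is only explained when the package that ships it was itself added or changed between the two snapshots; anything else, including files no package owns, is reported as unexplained.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Binary is one fingerprinted executable: its SHA-256 and the package that
// ships it ("" when no package manager owns the file).
type Binary struct {
	SHA256  string
	Package string
}

// Snapshot is a point-in-time view of one host (assumed schema for this
// example, not monsys's data model).
type Snapshot struct {
	Kernel   string
	Packages map[string]string // package name -> version
	Services map[string]bool   // enabled services
	Ports    map[int]bool      // listening ports
	Binaries map[string]Binary // path -> fingerprint
}

// Diff is what changed on the host between two snapshots.
type Diff struct {
	Kernel                   [2]string // [old, new] if the kernel changed
	PkgAdded, PkgRemoved     []string
	PkgChanged               []string // "name old->new"
	SvcAdded, SvcRemoved     []string
	PortsOpened, PortsClosed []int
	Unexplained              []string // binaries that changed without a package change
}

// Fingerprint is the per-file hash a baseline manifest stores.
func Fingerprint(content []byte) string {
	sum := sha256.Sum256(content)
	return hex.EncodeToString(sum[:])
}

// keysNotIn returns the keys of a that are absent from b.
func keysNotIn[K comparable, V any](a, b map[K]V) []K {
	var out []K
	for k := range a {
		if _, ok := b[k]; !ok {
			out = append(out, k)
		}
	}
	return out
}

// DiffSnapshots computes the time-machine diff between old and cur.
func DiffSnapshots(old, cur Snapshot) Diff {
	var d Diff
	if old.Kernel != cur.Kernel {
		d.Kernel = [2]string{old.Kernel, cur.Kernel}
	}
	d.PkgAdded, d.PkgRemoved = keysNotIn(cur.Packages, old.Packages), keysNotIn(old.Packages, cur.Packages)
	for name, v := range cur.Packages {
		if ov, ok := old.Packages[name]; ok && ov != v {
			d.PkgChanged = append(d.PkgChanged, fmt.Sprintf("%s %s->%s", name, ov, v))
		}
	}
	d.SvcAdded, d.SvcRemoved = keysNotIn(cur.Services, old.Services), keysNotIn(old.Services, cur.Services)
	d.PortsOpened, d.PortsClosed = keysNotIn(cur.Ports, old.Ports), keysNotIn(old.Ports, cur.Ports)
	for path, b := range cur.Binaries {
		if ob, seen := old.Binaries[path]; seen && ob.SHA256 == b.SHA256 {
			continue // unchanged
		}
		// A package that was added or changed explains a new hash; nothing else does.
		explained := b.Package != "" && old.Packages[b.Package] != cur.Packages[b.Package]
		if !explained {
			d.Unexplained = append(d.Unexplained, path)
		}
	}
	for _, s := range [][]string{d.PkgAdded, d.PkgRemoved, d.PkgChanged, d.SvcAdded, d.SvcRemoved, d.Unexplained} {
		sort.Strings(s) // deterministic output for reports and tests
	}
	sort.Ints(d.PortsOpened)
	sort.Ints(d.PortsClosed)
	return d
}

// SampleSnapshots returns two constructed snapshots of the same host, a week apart.
func SampleSnapshots() (old, cur Snapshot) {
	old = Snapshot{
		Kernel:   "6.1.0-18-amd64",
		Packages: map[string]string{"openssl": "3.0.11-1", "nginx": "1.22.1-9", "telnetd": "0.17-45"},
		Services: map[string]bool{"nginx": true, "ssh": true, "telnet": true},
		Ports:    map[int]bool{22: true, 443: true, 23: true},
		Binaries: map[string]Binary{
			"/usr/sbin/nginx":    {Fingerprint([]byte("nginx 1.22.1")), "nginx"},
			"/usr/bin/openssl":   {Fingerprint([]byte("openssl 3.0.11")), "openssl"},
			"/usr/local/bin/run": {Fingerprint([]byte("run v1")), ""},
		},
	}
	cur = Snapshot{
		Kernel:   "6.1.0-21-amd64",
		Packages: map[string]string{"openssl": "3.0.13-1", "nginx": "1.22.1-9", "fail2ban": "1.0.2-2"},
		Services: map[string]bool{"nginx": true, "ssh": true, "fail2ban": true},
		Ports:    map[int]bool{22: true, 443: true},
		Binaries: map[string]Binary{
			"/usr/sbin/nginx":    {Fingerprint([]byte("nginx 1.22.1 patched")), "nginx"}, // changed, package did not
			"/usr/bin/openssl":   {Fingerprint([]byte("openssl 3.0.13")), "openssl"},     // changed with its package
			"/usr/local/bin/run": {Fingerprint([]byte("run v2")), ""},                    // unmanaged and changed
		},
	}
	return old, cur
}

func main() {
	old, cur := SampleSnapshots()
	fmt.Printf("%+v\n", DiffSnapshots(old, cur))
}
```

On the sample host the diff reports the kernel bump, fail2ban added, telnetd removed, openssl upgraded, the telnet service and port 23 gone, and two unexplained binaries: /usr/sbin/nginx (new hash, same package version) and the unmanaged /usr/local/bin/run. The openssl binary also changed, but its package did, so it is not flagged.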

6. Policies and procedures for assessing the effectiveness of measures

Auditor question: "How do you measure whether your security measures work?"

What you need: A measurable KPI that demonstrates control effectiveness.

How monsys helps: The Trust Score is exactly that: a composite KPI showing whether your security measures are effective. The compliance erosion worker detects when controls silently degrade. The compliance timeline shows per framework (NIS2, ISO 27001, CRA) which controls fail or pass in which months.

[Screenshot: Compliance page with per-framework status] Compliance status per framework, with direct insight into which controls are failing.

7. Basic cyber hygiene practices and training

Auditor question: "Which basic hygiene measures are technically enforced?"

What you need: Evidence of technical controls, not just a policy document.

How monsys helps: The inventory contains for each host: password-aging fields from /etc/shadow, SSH key fingerprints, sudoers configuration, SUID/SGID files and world-writable directories. That is evidence of the technical implementation of basic hygiene, not just a text document saying you do it.

[Screenshot: Inventory overview with technical controls per host] The inventory page aggregates what the agent has found on the host: packages, services, users, SSH keys, certificates.

8. Policies and procedures for cryptography

Auditor question: "Which cryptographic controls are active and audited?"

What you need: Evidence of key management and use.

How monsys helps: The signing chain (Ed25519 keys per agent and per hub) is documented and auditable. Key rotation is recorded in the transparency log. Certificate scans flag certificates at least 60 days before they expire. This covers the platform's own keys and the certificates it finds; the policy on where and how encryption is required in your environment remains a document you write.

9. Personnel security and access policies

Auditor question: "Which users have admin rights and how is that tracked?"

What you need: A current overview of privileged access + usage.

How monsys helps: The RBAC page shows per user the role, the access per agent/group and recent use. Admins who never execute Emergency Actions are candidates for a downgrade to least privilege. That is active evidence of access management.

[Screenshot: RBAC: users, roles and scope] The RBAC page shows who has which role on what scope (tenant-wide or limited to a group/agent).

The audit day itself: what you bring

A NIS2 audit typically proceeds in two phases: a documentary review and a technical verification. For the documentary review, an auditor doesn't want dashboards — they want an artifact they can verify offline.

The monsys Auditor Workbench generates a signed evidence bundle (a tar.gz archive) per reporting period:

[Screenshot: Audit packs overview with monthly bundles] Monthly audit packs are generated automatically; an auditor downloads the tarball and verifies it offline.

The auditor verifies the bundle offline:

python verify.py evidence_acme-corp_Q1-2026.tar.gz
✓ Signature valid (Ed25519)
✓ All 847 entries intact
✓ Period: 2026-01-01 → 2026-03-31
exit 0

No dashboard access required. No screenshots. No "trust us".

What we don't promise

NIS2 compliance is not a product you buy; it is a continuous effort. What monsys delivers is the technical evidence described above: the inventory, the timestamped timelines and the signed audit packs. What it does not deliver is the legal interpretation (see the note at the top), the written policies and risk analysis the auditor also asks for, or compliance itself.

But if an auditor asks "prove that CVE-2026-XXXX was patched within seven days on all your production servers" and you can show that within five minutes with a signed timeline, you have a significant advantage over those who must reconstruct it manually.


Auditor workflows are documented at docs.monsys.ai/en/practical/auditor. First five servers free, no credit card: monsys.ai/en/signup.
