NIS2 Pre-Audit Preparation Checklist

Documented cybersecurity policy, formally approved and signed off by senior management

Assigned cybersecurity roles and responsibilities — named individuals, not just job titles

Board or management meeting minutes showing cybersecurity was discussed and reviewed

Record of cybersecurity training completed by senior management in the last 12 months

Current risk register covering cybersecurity risks, with risk owners assigned

Evidence of a formal risk assessment conducted within the last 12 months

Vulnerability management process documentation and evidence of recent scans

Record of how security controls are reviewed following infrastructure or threat changes

Documented incident response plan including detection, containment and recovery steps

Evidence of incident response plan testing (tabletop or live test) in last 12 months

CERT Bulgaria notification contact and 24/72-hour reporting workflow documented

Log retention policy and evidence of centralised logging in place

Register of critical technology suppliers and service providers

Evidence of security assessments or questionnaires completed for key vendors

Contracts with critical suppliers containing cybersecurity requirements or SLAs

MFA enforced on all administrative and privileged accounts — evidence of configuration

Access review completed in last 6 months — evidence that least privilege is applied

Network segmentation documentation showing separation of critical systems

Encryption policy covering data at rest and in transit

Backup and recovery procedures documented with defined RTO and RPO targets

Evidence of backup restoration test completed within the last 12 months

Business continuity plan covering cyber incident scenarios, with named crisis contacts

Crisis communication plan — who is notified internally and externally during an incident