Only 16% of European organizations consider themselves fully NIS2-compliant — and the June 30, 2026 deadline is here. When auditors arrive, they will not simply review your security policies. They will ask for evidence.
Why Organizations Fall Short
Many IT teams are unprepared for the documentation demands of a NIS2 audit. Common failure points include:
- Fragmented tooling — patch management, vulnerability scanning, and privilege access systems each create siloed records that are difficult to consolidate
- Manual evidence collection — introduces gaps in data logging and timestamp alignment
- Incomplete patch coverage — third-party applications and drivers are frequently excluded from patch records
- Missing governance logs — privileged access elevation events go unrecorded, leaving no audit trail
The NIS2 Documentation Checklist
Auditors will expect organizations to produce the following seven categories of records:
- Configuration history with timestamps — a continuous log of endpoint configuration changes
- Patch records — covering operating systems, applications, and drivers
- Vulnerability reports — documenting identified risks and their status
- Privilege access logs with justification — showing who elevated access, when, and why
- Asset inventory — a current and complete register of managed endpoints
- Compliance reports — demonstrating adherence to policy over time
- Remediation documentation — evidence that identified issues were resolved
How CapaOne Generates Continuous Compliance Evidence
CapaOne is designed to produce audit-ready documentation automatically, without manual collection effort. Three core modules work together:
- Security Monitor — tracks configuration state and generates timestamped change history
- Privilege Manager — logs every just-in-time elevation event, including the justification provided by the user
- Application Manager — extends patch coverage to third-party applications and drivers, closing the gap that most organizations miss
All data is hosted within the EU, supporting data residency requirements that are themselves part of NIS2 compliance obligations.
NIS2 Is an Ongoing Obligation, Not a One-Time Certification
The key distinction from other compliance frameworks is that NIS2 is continuous: there is no point-in-time audit pass that is earned once and later expires. Organizations must maintain evidence of their endpoint posture at all times, and they face penalties of up to €10 million for non-compliance.