In 2026, the real question is no longer “should we prepare for NIS2?” but “which ERP evidence can we produce within 24 hours when an auditor asks?” NIS2 (Directive (EU) 2022/2555) sets security and reporting obligations that directly affect ERP processes and controls (EUR-Lex, Directive (EU) 2022/2555).
The biggest risk is not a missing policy slide deck. The real risk is being unable to prove, with verifiable records, that controls are actually operating across critical processes such as procurement, order-to-cash, finance, inventory, and production.
What auditors will check first
NIS2 requires risk-management measures that cover incident handling, business continuity, supply-chain security, and access hygiene (Article 21, Directive (EU) 2022/2555).
For an ERP environment, auditors reduce this to three simple questions:
- Are the controls formally defined?
- Are they consistently applied in day-to-day operations?
- Can you produce time-stamped evidence on demand?
If evidence is missing, the control is treated as weak for audit purposes.
NIS2 reporting deadlines that directly impact ERP teams
NIS2 defines a strict notification sequence for significant incidents, and the clock starts when the entity becomes aware of the incident:
- early warning within 24 hours of becoming aware;
- incident notification within 72 hours of becoming aware;
- final report no later than one month after the incident notification was submitted (Article 23, Directive (EU) 2022/2555).
If your ERP landscape cannot quickly reconstruct facts (who did what, when, with what impact and scope), you burn critical time against regulatory deadlines.
NIS2 checklist: ERP evidence to prepare now
1) ERP asset register and critical scope definition
What you need to prove
- Up-to-date inventory of critical ERP modules (finance, sales, purchasing, logistics, production).
- Interface map (EDI, e-commerce, BI, banking, SSO, partner APIs).
- Criticality classification (mission-critical vs support processes).
Evidence expected
- Versioned export of the asset register.
- Dated architecture diagrams.
- Change history for the ERP scope.
Why this matters: NIS2 requires proportionate risk management; without a clear scope, proportionality cannot be demonstrated (Article 21, Directive (EU) 2022/2555).
2) Logging and traceability for sensitive ERP actions
What you need to prove
- Audit trails enabled for high-risk actions: vendor creation, bank detail changes, payment approvals, role changes, accounting close actions.
- Timestamps from synchronized clocks (UTC or a stated time zone) and a retention period long enough to cover an investigation, not just the last few weeks.
- Ability to link every ERP action to an identified person, including actions performed through technical or service accounts.
Evidence expected
- Recent log extracts covering the high-risk actions above.
- Log retention and integrity policy (append-only or otherwise tamper-evident storage, so an extract can be shown not to have been edited after export).
- Incident log-collection procedure: where each log lives, who can export it, and how quickly.
Without usable logs, incident reporting under NIS2 deadlines becomes unreliable (Article 23, Directive (EU) 2022/2555).
3) Access governance and stronger authentication
What you need to prove
- ERP role matrix and segregation of duties (SoD).
- Periodic access reviews (joiners, movers, leavers).
- Use of multi-factor authentication where relevant.
Evidence expected
- Signed access review records.
- Time-stamped access revocation tickets.
- MFA/SSO configuration proof.
NIS2 explicitly lists multi-factor or continuous authentication among the measures to adopt where appropriate (Article 21(2)(j), Directive (EU) 2022/2555).
4) Business continuity and ERP recovery readiness
What you need to prove
- Documented business continuity and disaster recovery plans for ERP.
- Tested and restorable backups.
- Crisis exercises with lessons learned.
Evidence expected
- Backup restore test reports.
- Exercise records (date, scenario, findings, corrective actions).
- Tracked improvement plan.
Continuity is part of the baseline required by NIS2 (Article 21, Directive (EU) 2022/2555).
5) Incident management workflow and ERP playbook
What you need to prove
- Escalation workflow for cyber incidents affecting ERP.
- Clear responsibilities across IT, security, business, legal, and communications.
- Ready-to-use incident case template.
Evidence expected
- Versioned incident response procedure.
- Timeline from a real incident or simulation.
- Notification template aligned to NIS2 expectations.
The objective is operational: issue a reliable early warning in 24 hours, then a consolidated notification in 72 hours (Article 23, Directive (EU) 2022/2555).
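The two sections above (logging and traceability, and the incident workflow) only work if someone can actually run them against a log export on the day. The following Python script is an added example, not code from the original article or from any ERP vendor: it takes a JSON-lines audit export, checks that the export is intact with a SHA-256 hash chain, reconstructs "who did what, when" for one vendor record, flags the classic segregation-of-duties pattern (the same user changes a vendor's bank details and then approves a payment to it), and derives the Article 23 deadlines from the moment of becoming aware. The log format, field names, action names, the five sample entries and the hash-chain scheme are all assumptions constructed for illustration; real ERP products each have their own audit-log layout.

```python
"""Added example: ERP audit-log evidence for NIS2 incident reporting.

Checks a JSON-lines export for tampering (hash chain), reconstructs a
timeline for one object, flags a segregation-of-duties pattern and computes
Article 23 deadlines. Log format, field names and sample data are assumptions
made for this illustration, not a real ERP product's format.
"""
import calendar
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # prev_hash of the first entry in an export


def _canonical(obj):
    # Deterministic serialisation so the hash does not depend on key order.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(entry):
    """SHA-256 over every field except 'hash'; prev_hash is part of the input,
    so each entry is bound to its predecessor."""
    return hashlib.sha256(_canonical({k: v for k, v in entry.items() if k != "hash"})).hexdigest()


def build_sample_log():
    """Constructed sample export (not real data): one JSON object per line,
    UTC timestamps, already in chronological order."""
    raw = [
        ("2026-03-02T08:14:05Z", "jdoe", "vendor.create", "V-1042", {"name": "Acme Parts"}),
        ("2026-03-02T08:16:40Z", "jdoe", "vendor.bank_change", "V-1042", {"iban": "DE00...redacted"}),
        ("2026-03-02T09:02:11Z", "jdoe", "payment.approve", "V-1042", {"amount": 48900.0, "ccy": "EUR"}),
        ("2026-03-02T09:30:00Z", "asmith", "po.create", "PO-77", {"vendor": "V-1042"}),
        ("2026-03-03T17:45:19Z", "svc-edi", "role.assign", "jdoe", {"role": "AP_SUPERUSER"}),
    ]
    lines, prev = [], GENESIS
    for ts, user, action, obj, details in raw:
        entry = {"ts": ts, "user": user, "action": action, "object": obj,
                 "details": details, "prev_hash": prev}
        entry["hash"] = prev = entry_hash(entry)
        lines.append(json.dumps(entry, sort_keys=True))
    return lines


def verify_chain(lines):
    """Return (True, -1) if the chain is intact, else (False, index of the
    first entry that was edited or whose predecessor was removed)."""
    prev = GENESIS
    for i, line in enumerate(lines):
        e = json.loads(line)
        if e.get("prev_hash") != prev or entry_hash(e) != e.get("hash"):
            return False, i
        prev = e["hash"]
    return True, -1


def _parse_ts(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def reconstruct_timeline(lines, obj):
    """Who did what, when, to `obj`: the facts an early warning must state."""
    events = []
    for line in lines:
        e = json.loads(line)
        if e["object"] == obj or e["details"].get("vendor") == obj:
            events.append((_parse_ts(e["ts"]), e["user"], e["action"]))
    return sorted(events)


def sod_violations(lines, window=timedelta(hours=24)):
    """One user changes a vendor's bank details and then approves a payment
    to that vendor within `window`: a payment-fraud pattern the SoD matrix
    should make impossible. Returns [(user, vendor, approval_ts)]."""
    bank_changes, hits = {}, []
    for line in lines:  # relies on the export being in chronological order
        e = json.loads(line)
        ts = _parse_ts(e["ts"])
        if e["action"] == "vendor.bank_change":
            bank_changes.setdefault((e["user"], e["object"]), []).append(ts)
        elif e["action"] == "payment.approve":
            if any(timedelta(0) <= ts - t <= window
                   for t in bank_changes.get((e["user"], e["object"]), [])):
                hits.append((e["user"], e["object"], e["ts"]))
    return hits


def _add_one_month(dt):
    year, month = (dt.year + 1, 1) if dt.month == 12 else (dt.year, dt.month + 1)
    day = min(dt.day, calendar.monthrange(year, month)[1])  # clamp 31 Jan -> 28/29 Feb
    return dt.replace(year=year, month=month, day=day)


def nis2_deadlines(aware_at):
    """Article 23(4): the 24 h and 72 h limits both run from becoming aware;
    the final report is due one month after the incident notification."""
    notification = aware_at + timedelta(hours=72)
    return {"early_warning": aware_at + timedelta(hours=24),
            "incident_notification": notification,
            "final_report": _add_one_month(notification)}


SAMPLE_AWARE_AT = datetime(2026, 3, 4, 10, 0, tzinfo=timezone.utc)  # constructed

if __name__ == "__main__":
    log = build_sample_log()
    print("export intact:", verify_chain(log))
    for ts, user, action in reconstruct_timeline(log, "V-1042"):
        print(ts.isoformat(), user, action)
    print("SoD violations:", sod_violations(log))
    for name, due in nis2_deadlines(SAMPLE_AWARE_AT).items():
        print(f"{name:22s} {due.isoformat()}")
```

Running the script prints the integrity check, the four-step timeline for vendor V-1042, the single SoD hit on jdoe, and the three deadlines. Two caveats for using this pattern on real exports: the hash chain only proves the file was not altered after the chain was written, so the chain (or a signature) must be produced by the ERP or log pipeline itself and stored separately from the system being investigated; and `sod_violations` assumes the export is in chronological order, which is worth asserting rather than trusting when several ERP instances are merged.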
6) Supplier and ERP integrator security controls
What you need to prove
- Supplier risk assessment (SaaS vendor, integrator, hosting provider, managed service provider).
- Security and incident-notification clauses in contracts.
- Periodic review of critical dependencies.
Evidence expected
- Supplier due-diligence scorecard.
- Signed contractual clauses (SLA, security, incident reporting).
- Follow-up records for supplier remediation plans.
NIS2 includes supply-chain and supplier relationship security among expected measures (Article 21(2)(d), Directive (EU) 2022/2555).
7) Executive governance and accountability
What you need to prove
- Leadership involvement in cybersecurity measure approval.
- Regular executive-level reporting on ERP cyber risk.
- Documented budget decisions and risk trade-offs.
Evidence expected
- Steering committee minutes.
- ERP/cyber risk dashboards.
- Signed remediation decisions.
NIS2 strengthens management accountability for cybersecurity governance (Article 20, Directive (EU) 2022/2555).
8) Encryption policy and ERP data protection controls
What you need to prove
- Encryption policy for data in transit and at rest.
- Key and certificate management process.
- Controls over sensitive data exports.
Evidence expected
- Technical settings and applied standards.
- Access logs for sensitive datasets.
- Periodic compliance reviews.
NIS2 explicitly covers cryptography policy and, where relevant, encryption practices (Article 21(2)(h), Directive (EU) 2022/2555).
How to structure an “ERP evidence pack” for audit day
To avoid last-minute scrambling, build one folder per control domain with five layers:
- Policy: the formal rule.
- Procedure: who does what, when, and how.
- Execution: logs, tickets, exports, screenshots.
- Control: internal review, gap tracking, corrective action.
- History: version and last update date.
This structure moves your organization from declarative compliance to demonstrable compliance.
Top 5 mistakes seen before NIS2 audits
- Generic policies with no ERP-specific execution evidence.
- Incomplete logs or retention windows too short for investigations.
- Technical accounts with no clear owner.
- Underestimated third-party risk (integrators, APIs, hosting).
- One-off DR test with no replay or continuous improvement.
90-day priorities for CIOs and CFOs
- Weeks 1-2: map critical ERP scope and assign evidence owners.
- Weeks 3-6: consolidate logs, access governance, and incident procedures.
- Weeks 7-10: run one ERP incident simulation and one restore test.
- Weeks 11-12: compile the final evidence pack and run executive review.
This is not a full cyber strategy, but it gets your team to audit readiness with verifiable material instead of intentions.
Financial exposure if non-compliant
NIS2 requires Member States to set administrative fine ceilings of at least EUR 10,000,000 or 2% of total worldwide annual turnover, whichever is higher, for essential entities, and at least EUR 7,000,000 or 1.4% for important entities (Article 34, Directive (EU) 2022/2555).
That changes the ERP discussion: this is no longer just about operational performance, but also governance accountability and direct financial exposure.