
NIS2 Art.31.1: Supervisory Powers for Essential Entities

What This Control Requires

Member States shall ensure that their competent authorities effectively monitor compliance of essential entities with the obligations laid down in this Directive. The competent authorities shall have the power to subject those entities to: on-site inspections and off-site supervision; regular and targeted security audits; ad hoc audits; security scans based on objective criteria; requests for information necessary to assess the cybersecurity risk-management measures adopted by the entity.

In Plain Language

Regulators have a wide toolkit for keeping essential entities in check, and you need to be ready for all of it. On-site inspections where auditors walk your premises. Off-site reviews of your documentation. Regular and targeted security audits. Ad-hoc audits triggered by incidents or intelligence. Automated security scans of your external posture. Formal information requests demanding detailed responses.

You cannot refuse or obstruct any of these activities. Non-cooperation triggers additional enforcement actions and penalties on top of whatever they were originally looking into.

The practical takeaway is straightforward: maintain continuous compliance readiness. If you need a week to pull your evidence together every time a regulator calls, you are not ready. The organisations that handle supervisory activities smoothly are the ones that treat compliance as an ongoing operational concern, not an annual exercise.

How to Implement

Build an internal regulatory response procedure covering each type of supervisory activity.

For on-site inspections: identify facility contacts and access procedures, prepare meeting rooms and technical access for auditors, keep key documentation organised and accessible, and brief staff on how to interact with inspectors.

For security audits (regular, targeted, or ad-hoc): maintain a standing evidence pack covering all NIS2 control areas, be ready to give auditors access to systems, logs, and configurations, have technical staff available to answer detailed questions and demonstrate controls, and set up a process for gathering additional evidence quickly during an audit.

For security scans: know your external attack surface from the perspective of automated scanning, keep internet-facing systems hardened and regularly assessed, maintain an inventory of all public-facing services and their security status, and fix known vulnerabilities before regulators discover them.
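As an added illustration (not AuditFront's code or tooling), the script below runs the readiness check this paragraph describes over a constructed inventory of public-facing services: it flags services whose last assessment is stale and open findings that have outlived a remediation SLA, so those gaps are closed before a regulator's scan finds them. The thresholds, hostnames and findings are all made-up assumptions.

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass
class ExposedService:
    """One entry in the external attack-surface inventory (constructed)."""
    host: str
    port: int
    service: str
    last_assessed: date
    # open findings as (severity, days_open); constructed sample data
    open_findings: list = field(default_factory=list)

# Hypothetical policy thresholds; set these to your own internal SLAs
MAX_ASSESSMENT_AGE_DAYS = 30
REMEDIATION_SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}

def readiness_gaps(inventory, today):
    """Return (service, reason) pairs that would not survive a supervisory scan."""
    gaps = []
    for svc in inventory:
        label = f"{svc.host}:{svc.port}"
        age = (today - svc.last_assessed).days
        if age > MAX_ASSESSMENT_AGE_DAYS:
            gaps.append((label, f"last assessed {age} days ago"))
        for severity, days_open in svc.open_findings:
            sla = REMEDIATION_SLA_DAYS.get(severity)
            if sla is not None and days_open > sla:
                gaps.append((label, f"{severity} finding open {days_open}d (SLA {sla}d)"))
    return gaps

# Constructed inventory: three public-facing services with invented state
SAMPLE_INVENTORY = [
    ExposedService("www.example.test", 443, "https", date(2025, 1, 20), [("high", 12)]),
    ExposedService("vpn.example.test", 443, "ssl-vpn", date(2024, 11, 15), [("critical", 10)]),
    ExposedService("mail.example.test", 25, "smtp", date(2025, 1, 5), [("medium", 100)]),
]

if __name__ == "__main__":
    for service, reason in readiness_gaps(SAMPLE_INVENTORY, date(2025, 1, 31)):
        print(f"{service}: {reason}")
```

Run on a date-stamped export of your real inventory, the non-empty output is the work list to clear before the next audit window.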

For information requests: set up a rapid-response process for formal requests, define internal SLAs for gathering and submitting information, implement quality review before anything goes out the door, and track every request and response for the audit trail.

Run internal readiness assessments that simulate different supervisory scenarios. Test whether you can respond to short-notice inspection requests, gather evidence within regulatory timeframes, and give live demonstrations of security controls.

Maintain a centralised compliance management system that gives you real-time visibility into your posture across all NIS2 requirements. When a regulator contacts you, you want to know immediately where you stand.

Evidence Your Auditor Will Request

  • Regulatory response procedures for each type of supervisory activity
  • Standing evidence pack covering all NIS2 control areas
  • External attack surface inventory and security scan results
  • Records of responses to regulatory information requests
  • Internal readiness assessment reports

Common Mistakes

  • No standing evidence pack; evidence must be gathered ad-hoc for each regulatory request
  • External attack surface has unaddressed vulnerabilities discoverable by security scans
  • Staff unprepared for auditor interactions, giving inconsistent or inaccurate information
  • Responses to information requests are slow, incomplete, or of poor quality
  • No internal readiness assessments; organisation is surprised by supervisory findings

Related Controls Across Frameworks

Framework Control ID Relationship
ISO 27001 A.5.35 Related
SOC 2 CC4.1 Related

Frequently Asked Questions

Can we refuse an on-site inspection?
No. Competent authorities have the legal power to inspect essential entities on-site, and refusing or obstructing them will make things worse - expect additional enforcement actions and penalties. Cooperate fully, but make sure you have appropriate legal representation available during inspections.
How much notice will we receive before an inspection?
It depends on the Member State and the type of activity. Regular audits might come with weeks of notice, but ad-hoc audits and inspections can arrive with very little warning. The only reliable strategy is continuous readiness rather than relying on advance notification.
