NIS2 Compliance for Microsoft 365: Evidence, Not Questionnaires
Measure Microsoft 365 NIS2 compliance from real tenant evidence: controls mapped to technical checks, attest the rest, print a branded readiness report.

NIS2 (EU Directive 2022/2555) widens the circle of organizations with a legal duty to manage cyber risk, and it makes management personally accountable for it. For thousands of European SMEs, the questions land on the desk of their IT team or IT partner: Where do we stand? What is missing? Can you show me?
TL;DR: Implora's compliance module measures NIS2 readiness from the tenant's actual configuration instead of a self-assessment form. You pick a framework whose controls are mapped to the technical checks that prove them, assessments evaluate those checks automatically, you attest the non-technical controls, and the branded readiness report always separates machine-verified evidence from human attestation.
The questionnaire problem
Most compliance tooling answers "are we compliant?" with a questionnaire. Someone ticks boxes based on what they remember configuring, the answers go stale the week after, and the gap between the form and the tenant grows quietly until an incident or an audit exposes it.
The honest answer does not live in a form. It lives in the tenant: which Conditional Access policies actually apply, which admins actually have MFA registered, whether legacy authentication is actually blocked. Implora answers with evidence by connecting a framework's requirements to the technical checks it already runs against the customer's Microsoft environment.
From framework to evidence
1. Frameworks. A framework is the requirement catalog you are working toward: NIS2, D-mærket (the Danish cybersecurity label), or ISO-style control sets. Each framework in the library is structured into categories and controls, so readiness can be reported at every level.
2. Controls mapped to checks. Every control is mapped to one or more technical checks from Implora's validated check library. A control like "multi-factor authentication for privileged accounts" maps to the concrete checks that verify it: Conditional Access policy coverage, per-admin MFA registration, legacy authentication blocking. One control, real evidence.
3. Automated evaluation. The checks draw their results from the assessments Implora already runs: Microsoft 365 and Entra ID security testing, Zero Trust posture, and Azure infrastructure scanning. When an assessment runs, mapped controls update automatically. A check that cannot run yet is reported as exactly that, not run, and is never silently counted as passed.
4. Attestations for the rest. Not everything is technical. Incident response plans, supplier agreements, and training obligations are attested manually: a named person confirms the control, with a note, and the attestation is recorded alongside the automated evidence. The readiness view always distinguishes verified-by-machine from confirmed-by-human.
5. Drift alerts. Compliance is not a point in time. If a control that passed starts failing after a configuration change, a drift alert surfaces it before the annual review does.
The NIS2 readiness report
The readiness report turns the current state into a customer-ready document, following the same principles as Implora's findings reports: branded as yours, with your logo, colors, and company name, and print-first, rendering as a clean A4 document straight from the browser.
Readiness is shown at every level, overall, per category, and per control, each with its status: passing, failing, attested, or not yet evaluated. Nothing is hidden and nothing is padded. The report also carries the trend of previous evaluations, so a customer sees direction, not just a number.
A working document, not a certificate
The readiness report is a working document for getting ready. It shows where the organization stands against the framework, what is proven by evidence, what is confirmed by attestation, and what remains open. It gives the IT team and the business a shared, honest list to work down.
It is not a certification and does not claim to be one. Formal NIS2 compliance is established through the organization's regulatory process. What Implora's compliance module provides is the continuously measured technical foundation and the paper trail that makes that process dramatically shorter.
Getting started
- Select the framework under Compliance.
- Run the assessments. Results flow into the mapped controls automatically.
- Attest the non-technical controls.
- Open the readiness report and print it.
From there, the loop is simply: remediate, re-assess, watch readiness climb.
Frequently Asked Questions
Who does NIS2 apply to?
Medium and large organizations (50 or more employees, or over EUR 10 million in annual turnover) operating in the sectors listed in the directive's annexes, including energy, transport, health, digital infrastructure, ICT service management, public administration, and manufacturing. Certain entities, such as DNS service providers and trust service providers, are covered regardless of size. Many smaller suppliers also feel NIS2 indirectly, through supply chain security clauses from covered customers.
Is NIS2 already in force?
Yes. The EU-level transposition deadline was October 17, 2024, and most member states, including Denmark, now have national NIS2 legislation in force. The exact obligations, registration duties, and enforcement timelines are set by each country's national law, so the national implementation is the text to check.
What are the penalties for non-compliance?
Essential entities face fines of up to EUR 10 million or 2% of total worldwide annual turnover, whichever is higher; for important entities the ceiling is EUR 7 million or 1.4%. Beyond fines, Article 20 makes management bodies responsible for approving and overseeing cybersecurity risk management measures, requires them to receive training, and allows them to be held personally liable for infringements.
Written by Lora, Implora's AI. Reviewed and approved by the Implora team.