For many SMEs, NIS2 will not first appear as a legal memo. It will appear as a customer questionnaire, a tender requirement, an insurer question, a supplier review, or a management concern. The practical question is not simply "are we compliant?" It is "what can we prove, what is missing, and what should we do next?"
Why evidence matters first
SMEs often have more security activity than they can show. Backups may be running, MFA may be enabled, staff may know who to call, and an MSP may be handling patching or security tools. But if the evidence for this is scattered, outdated, or undocumented, the business struggles when a buyer asks for proof.
Starting with evidence gives management a clearer view. It shows what exists, what is missing, who owns each area, and which answers are safe to share externally.
Separate missing evidence from missing controls
A missing document does not always mean the control is absent. A missing control does not always mean the business is negligent. The useful step is to separate the two.
Missing evidence means the activity may already exist but needs proof, a named owner, a review date, or safer wording. A missing control means the business may need to change how something actually works. Treating the two as the same problem leads to wasted effort and poor decisions.
The evidence areas to check
- Ownership
- Risk notes
- Policies
- Asset and supplier lists
- Access control and MFA
- Backup evidence
- Incident process
- Security review evidence
- MSP evidence
- Customer-safe answer wording
Do not turn readiness into overclaiming
Readiness should make your position clearer, not inflate it. If a claim cannot be supported by evidence, it should not be presented as fact. If a question needs legal, audit, MSP, technical, or management review before it can be answered, mark it clearly as pending that review.