Back to Blog
testimonial-strategy
nis2-compliance
eu-cybersecurity
essential-entity
important-entity
incident-reporting
cross-border-compliance

When a Customer Completes NIS2 Compliance — Testimonial Wall Strategy for EU Cybersecurity Directive Attestation, Essential vs Important Entity Classification, and Cross-Border Subsidiary Coordination

ProofShow Team··11 min read

NIS2 (Directive (EU) 2022/2555, formally the second Network and Information Security Directive) imposes cybersecurity, incident-reporting, supply-chain risk-management, and management-accountability obligations on a broad set of organizations operating in the European Union. The directive entered into force in January 2023, member-state transposition deadlines fell in October 2024, and enforcement has been ramping through 2025 and 2026. NIS2 expanded the scope of the original NIS Directive in three material ways — a larger set of in-scope sectors (eighteen sectors including healthcare, manufacturing, food, postal services, and digital infrastructure), a binary classification of in-scope entities as "essential" or "important" with different supervisory regimes, and a personal-accountability regime that holds management bodies directly responsible for compliance failures.

From a customer-success and testimonial-wall perspective, a NIS2 compliance milestone is structurally different from the SOC 2 audit, ISO 27001 certification, PCI DSS certification, HIPAA attestation, and FedRAMP authorization milestones covered elsewhere in this series. Four structural differences drive distinct testimonial-wall risks. First, NIS2 is a directive — not a certification — so there is no single auditor stamp that marks "compliance"; member-state competent authorities administer compliance individually. Second, the essential-vs-important classification affects the supervisory regime, the penalty ceiling, and the disclosure obligations, and the classification varies by member state. Third, the cross-border subsidiary structure of many ProofShow customers means a single corporate group may have separate compliance posture in each member state. Fourth, the personal-accountability regime for management bodies creates a sensitivity around executive-quote testimonials that does not arise under purely technical compliance frameworks.

This guide separates the NIS2 compliance journey into four phases, explains what changes for the testimonial wall in each phase, and provides per-phase playbooks. The phases are structured around the readiness and scoping assessment, the technical and organizational measures (TOM) implementation, the competent-authority registration and supervision, and the ongoing incident-reporting and supply-chain due-diligence obligations.

The four phases of NIS2 compliance

A NIS2 compliance journey, from readiness assessment to first-cycle competent-authority supervision, typically runs nine to eighteen months across the four phases.

Phase 1: Readiness and scoping assessment. The customer determines whether it is in scope of NIS2, whether it falls in the essential or important entity classification, which member states' competent authorities have jurisdiction, and what gaps exist against the directive's requirements. The phase is characterized by legal-and-technical scoping work and produces a compliance roadmap with member-state-specific implementation tracks.

Phase 2: Technical and organizational measures (TOM) implementation. The customer implements the ten enumerated TOM categories required by Article 21 of the directive — risk management, incident handling, business continuity, supply-chain security, secure development, vulnerability handling, effectiveness evaluation, basic cyber hygiene and training, cryptography and encryption, and human resources security. The phase is characterized by capability-building and produces the operational evidence base against which competent authorities will assess compliance.

Phase 3: Competent-authority registration and supervision. The customer registers with the relevant member-state competent authorities, submits to supervisory engagement (ex-ante supervision for essential entities, ex-post supervision for important entities), and receives initial findings or attestation outcomes. The phase varies materially by member state — Germany's BSI, France's ANSSI, the Netherlands' RDI, and other competent authorities have different supervisory styles and timelines.

Phase 4: Ongoing incident-reporting and supply-chain due diligence. The customer enters a steady-state operational mode of twenty-four-hour early-warning incident reports, seventy-two-hour incident notifications, one-month final reports, and continuous supply-chain risk management. The phase has no end-date and produces a stream of compliance-event evidence that may or may not be appropriate for testimonial publication depending on the event type.

Each phase has its own testimonial-wall risks. The biggest mistake is to treat NIS2 like a certification (SOC 2 / ISO 27001 / PCI DSS) and to publish a "the customer is NIS2 certified" testimonial — NIS2 has no certification mechanism, and the framing creates a credibility-and-legal risk.

Per-phase playbook for the testimonial wall

Phase 1: Readiness and scoping assessment

During readiness scoping, the testimonial wall faces a scope-confidentiality risk, a classification-disclosure risk, and a member-state-jurisdiction risk.

First, treat the readiness assessment as confidential. The customer's readiness assessment will identify gaps against NIS2 requirements, and gap inventories are sensitive — they map the customer's current cybersecurity posture deficiencies. A testimonial that references the readiness assessment in any specificity creates an information-disclosure risk for the customer.

The remediation is to defer any NIS2-related testimonial publication until at least the TOM implementation phase, when the customer's posture has been remediated rather than catalogued.

Second, do not publish the essential-vs-important classification without coordination. The customer's classification as an essential or important entity has legal consequences — essential entities face higher penalty ceilings (up to 10 million euros or 2% of global annual turnover, whichever is higher) and more intensive supervision. The classification is sensitive and may be subject to the customer's regulatory-disclosure protocols.

The remediation is to coordinate any classification reference with the customer's legal-and-compliance team. Generic phrasings such as "the customer is an in-scope NIS2 entity" are typically acceptable; specific classifications such as "the customer is a NIS2 essential entity" should be coordinated.

Third, account for member-state-jurisdiction multiplicity. A customer with operations in multiple EU member states may have separate compliance tracks in each member state, with different competent authorities, different transposition timelines, and different supervisory styles. A testimonial that conflates the customer's compliance posture across jurisdictions ("the customer is NIS2 compliant in Europe") will be inaccurate where compliance is at different stages in different member states.

The remediation is to anchor any testimonial copy to specific jurisdictions ("the customer has completed NIS2 readiness assessment with the German BSI as primary competent authority") rather than to "Europe" or "the EU" generically.

Phase 2: Technical and organizational measures (TOM) implementation

During TOM implementation, the testimonial wall faces a capability-overstatement risk, a TOM-vocabulary risk, and a supplier-coordination risk.

Capability-overstatement risk. TOM implementation is iterative — capabilities are stood up, tested, refined, and re-tested over months. A testimonial published in mid-implementation that characterizes the customer's posture as "complete" or "mature" will overstate the actual capability state and may be revisited unfavorably during competent-authority supervision in Phase 3.

The remediation is to defer capability-claim testimonials until Phase 3 outcomes provide an external validation point. Mid-implementation testimonials should focus on the customer's commitment, governance, and program structure rather than on capability-level claims.

TOM-vocabulary risk. The ten TOM categories in Article 21 have specific definitions that differ from the vocabulary used in SOC 2 and ISO 27001. For example, "supply-chain security" in NIS2 has a broader scope than "vendor management" in SOC 2, and "incident handling" in NIS2 has tighter timing requirements than ISO 27001's "information security incident management." A testimonial that uses cross-framework vocabulary loosely will read as imprecise to NIS2-knowledgeable readers.

The remediation is to use NIS2's actual vocabulary when referring to NIS2 obligations and to use other frameworks' vocabulary when referring to those frameworks. Cross-framework comparisons should be explicit ("the customer's NIS2 supply-chain security program builds on the vendor-management foundation established for SOC 2 Type II").

Supplier-coordination risk. NIS2 imposes supply-chain risk-management obligations on in-scope entities, which means ProofShow customers in scope of NIS2 will be assessing their own suppliers — including potentially ProofShow itself — for cybersecurity posture. Testimonials that touch on supply-chain topics should be coordinated with the customer's procurement and vendor-risk teams to avoid creating an inadvertent supplier-attestation.

Phase 3: Competent-authority registration and supervision

During competent-authority engagement, the testimonial wall faces a supervisory-outcome confidentiality risk, an "attestation" mischaracterization risk, and a multi-jurisdiction timing risk.

Supervisory-outcome confidentiality risk. Competent-authority findings — both positive findings and corrective-action requirements — are typically confidential between the customer and the authority. A testimonial that quotes or implies specific findings creates a disclosure risk and may breach the customer's confidentiality obligations to the authority.

The remediation is to publish only what the customer has independently disclosed in public statements, regulatory filings, or annual reports. The customer's own public characterization is the safe ceiling for testimonial content.

"Attestation" mischaracterization risk. NIS2 does not have a certification or attestation mechanism in the SOC 2 / ISO 27001 sense. Competent authorities conduct supervision and may issue findings, but there is no equivalent of a clean audit opinion or a certification certificate. A testimonial that uses certification or attestation language ("the customer is NIS2 certified," "the customer has received NIS2 attestation") misrepresents the regulatory mechanism.

The remediation is to use accurate vocabulary: "the customer has registered with [competent authority] as an in-scope NIS2 [essential/important] entity," "the customer has completed initial supervisory engagement," or "the customer's NIS2 compliance program has been operational since [date]." Certification-style framings should be avoided.

Multi-jurisdiction timing risk. Different member-state competent authorities supervise at different cadences. A testimonial that anchors a single compliance date will misrepresent the multi-jurisdiction reality. The remediation is to either anchor to the most relevant single jurisdiction explicitly or to use range language ("the customer's NIS2 compliance program has been operational across multiple member states since [earliest date]").

Phase 4: Ongoing incident-reporting and supply-chain due diligence

In the steady-state phase, the testimonial wall has two ongoing considerations.

Consideration 1 — incident-reporting events are not testimonial moments. NIS2 requires twenty-four-hour early-warning reports, seventy-two-hour incident notifications, and one-month final reports for significant incidents. These reporting events are operational compliance moments, not testimonial-publication moments. A testimonial that references a specific incident-reporting event (even positively, as in "the customer's incident-response team executed a flawless NIS2 notification") creates incident-disclosure risk and should be avoided.

Consideration 2 — supply-chain due-diligence renewal cycles are good testimonial moments. NIS2 supply-chain risk-management cycles are typically annual. The completion of a clean supply-chain due-diligence cycle is a positive compliance event that the customer may want to amplify, and it does not have the incident-disclosure sensitivity that direct incident-reporting events have. Coordinate testimonial publication with the customer's compliance team to align with the customer's own communications cadence.

Tone and structural-vocabulary checklist

NIS2 testimonial copy is read by readers familiar with EU regulatory vocabulary, so vocabulary precision matters. The following structural-vocabulary distinctions should be observed.

Directive vs. regulation. NIS2 is a directive, which means it requires member-state transposition into national law. The directive establishes minimum requirements, and member states may implement additional national requirements. Refer to "NIS2" or "the NIS2 Directive," not to "the NIS2 regulation."

Essential vs. important entity. The two classifications have different supervisory regimes (ex-ante for essential, ex-post for important) and different penalty ceilings. Do not use the terms interchangeably.

Competent authority vs. auditor. NIS2 supervision is conducted by competent authorities (national regulators), not by accredited third-party auditors. Do not refer to "NIS2 auditors."

Significant incident vs. data breach. NIS2's incident-reporting trigger is a "significant incident," which has a specific definition tied to operational impact. The concept overlaps with but is not identical to a GDPR personal-data breach, and the two reporting regimes are separate.

Cyber hygiene baseline vs. mature program. Article 21 of NIS2 distinguishes a baseline of "basic cyber hygiene" from a mature risk-management program. Testimonial copy that conflates the two will read as imprecise.

Common NIS2 scenarios in ProofShow testimonials

Three NIS2 scenarios recur among ProofShow customers and each suggests a specific testimonial-collection strategy.

Scenario 1: Healthcare or manufacturing customer entering scope for the first time. The customer was not in scope of the original NIS Directive but is in scope of NIS2 due to the expanded sector list. The testimonial-collection strategy focuses on the customer's first-cycle implementation journey and the maturity gain from the program structure.

Scenario 2: Digital infrastructure or cloud-service customer with cross-border scope. The customer operates in multiple member states and has a multi-jurisdiction NIS2 implementation. The testimonial-collection strategy emphasizes the customer's program-management capability for coordinating compliance across competent authorities.

Scenario 3: Customer with cross-framework compliance (SOC 2 + ISO 27001 + NIS2). The customer has a mature security program with multiple framework attestations and has added NIS2 as the EU-specific layer. The testimonial-collection strategy positions NIS2 as the regulatory-completion capstone rather than as a standalone milestone.

Summary

A NIS2 compliance milestone is structurally different from SOC 2, ISO 27001, PCI DSS, HIPAA, or FedRAMP milestones in four material respects — directive-not-certification mechanism, essential-vs-important classification, multi-jurisdiction supervision, and personal-accountability regime. Testimonial-wall strategy for NIS2 must account for the structural differences across the four phases of the compliance journey: readiness and scoping, TOM implementation, competent-authority registration and supervision, and ongoing incident-reporting and supply-chain due diligence. The biggest mistakes — treating NIS2 like a certification, using cross-framework vocabulary loosely, and conflating multi-jurisdiction compliance — are all avoidable through the phase-by-phase playbook above. For adjacent compliance-event guidance, see the ISO 27001 certification and SOC 2 audit guides.

Ready to get started?

Start collecting and showcasing testimonials in under 5 minutes.

Start Free