Do accounting firms fall under NIS2?

Accounting firms that serve business clients in critical sectors can fall under the NIS2 Directive (EU) 2022/2555 via the supply-chain security obligations of Article 21(2)(d). Large companies are increasingly building demonstrable cybersecurity into their procurement requirements, which effectively makes it a condition for accountants to continue doing business with them.

What does NIS2 mean for the annual audit?

Under NOCLAR (ISA 250), auditors must consider whether a client complies with relevant laws and regulations. If an organisation has not conducted a risk analysis or lacks an incident-management process, this affects the assessment of internal control, going concern, and potentially the annual accounts.

What does NIS2 compliance cost for an accounting firm?

Lupasafe covers the cybersecurity risk-management measures of Article 21 of the NIS2 Directive (EU) 2022/2555 with insight into your status within 60 minutes. The price is €7.99 per user, per month. Includes phishing simulations, e-learning, dark web monitoring, cloud audit, and audit-ready compliance reports.

Can I offer cybersecurity to my clients as an accounting firm?

Yes. Lupasafe offers full white-label capabilities so you can offer security awareness and NIS2 compliance as a service under your own brand. Firms such as Schuiteman and INAA members are already doing this successfully with 130+ clients.

NIS2 for accounting firms

From paper policy to demonstrable evidence. The NIS2 Directive (EU) 2022/2555 holds management bodies personally accountable under Article 20. Lupasafe helps your firm become compliant, and offer it as a service to your clients.

Run the NIS2 scan See pricing

Why NIS2 hits accounting firms directly

Four developments that affect your firm now, regardless of your size.

Management accountability

"You can outsource the work, but not the responsibility." Article 20 of NIS2 makes management bodies personally accountable for cybersecurity risk management.

Source: Article 20, NIS2 Directive (EU) 2022/2555

Supply-chain responsibility

Your clients must control cyber risks at their suppliers, including their accountant, under Article 21(2)(d) of the NIS2 Directive.

Source: Article 21(2)(d), NIS2 Directive (EU) 2022/2555

NOCLAR & annual accounts

No risk analysis or incident process? That directly affects the going-concern assessment and the annual accounts.

Source: ISA 250 (NOCLAR), EU audit regulation

Procurement requirements

Demonstrable cybersecurity is becoming a standard requirement. No compliance, no contract.

Source: Dutch government-backed NIS2 initiative

"We report facts: Lupasafe gives us the evidence on cyber risks and security posture."

Gert de Fluiter

Partner, Audit and Assurance

One dashboard for the key NIS2 risk-management measures

Lupasafe covers the cybersecurity risk-management measures of Article 21 of the NIS2 Directive (EU) 2022/2555. Insight into your status within 60 minutes.

Current status

Green, amber or red on every NIS2 risk-management measure. No surprises at audit time.

Progress over time

Month-on-month visibility on how your posture improves. Evidence for auditors and clients.

Next best action

Exactly what to do to become audit-ready. No guesswork, no spreadsheets.

One place for all documents and evidence. Share with every stakeholder (client, MSP, consultant) and download everything for your auditor. One source of truth.

See the complete NIS2 checklist with all risk-management measures →

Everything you need, deeply integrated

No loose tools. Every module feeds your compliance dashboard automatically.

Security awareness & e-learning

36-month curriculum with accountancy-specific scenarios. Covers Article 20 management training and Article 21(2)(g) staff cyber hygiene, plus the secure remote-work requirements of Article 21(2)(i) and (j). Role-specific modules for security officer, incident manager and DPO.

More about awareness training →

Phishing simulations

Quarterly simulations: fake invoice mails, tax-authority phishing, BEC targeted at payroll. Includes QR-code phishing and smishing.

More about phishing simulations →

Dark web monitoring

20 billion+ records. Catch leaked passwords before criminals do.

Email security

DMARC proves "this mail really came from our firm."

Microsoft 365 audit

MFA, permissions, segregation of duties: exactly what auditors ask for.

NIS2 & ISO reporting

Audit-ready reports on demand. Aligned with ISO 27001 Annex A.

40% Share a password at the first phishing test

60 min To full visibility on NIS2 risk-management measures

€7.99 Per user, per month

Accounting firms leading the way

Schuiteman Accountants

Schuiteman delivers security awareness as a service to dozens of SME clients, under their own brand via Lupasafe white-label. Real-time security insight, concrete NIS2 documentation, and effective collaboration between client, MSP and auditor.

See it at Schuiteman →

INAA International Network

130 clients, 3,200 staff, fully white-label under their own brand.

Read the INAA story →

Borrie Accountants

Continuous phishing awareness and NIS2 reporting as part of their trusted-advisor position.

Security as a service to your clients

Accountants are a logical first point of contact for SME clients on NIS2. Security awareness is a natural extension of your advisory services.

✓ Procurement contracts now require demonstrable cybersecurity
✓ Clients are already asking you: "do we fall under NIS2?"
✓ White-label: fully under your own brand
✓ API integration for automated billing
✓ Onboarding per client: 3 minutes

The "secure your own firm first" approach:

1. Secure your own firm: full visibility in 60 minutes

2. Become audit-ready (ISO 27001 / NIS2)

3. Prove it to your clients through your own reporting

4. Offer it as a service via Lupasafe white-label

Discuss the options

Ready to make your firm NIS2-proof?

Start with a free 30-day evaluation. No credit card required. Insight into your NIS2 status within 60 minutes.

Run the NIS2 scan Start free evaluation

Security awareness training for accountants

How to deliver NIS2 evidence to clients and auditors.Read more →

NIS2 and GDPR for accounting firms

How to handle both regimes in 2026.Read more →

Setting up a NIS2 awareness campaign

Why governance and remote-work controls demand more than an e-learning.Read more →

Disclaimer: This page is based on publicly available information, customer conversations and our own product knowledge (March 2026). NIS2 requirements may vary per organisation. Consult a legal advisor for specific guidance on your situation. Spotted an inaccuracy? Let us know via our contact form, we are happy to correct it.