NIS2 Endpoint Compliance: What IT Teams Must Document

Only 16% of organizations required to comply with NIS2 consider themselves fully compliant — a figure that has not moved in six months, according to CyberSmart’s April 2026 NIS2 Survey of 670 business leaders across Europe. 

For Danish IT teams, a parallel deadline sharpens the pressure. Under the 2026 municipal budget agreement between the Danish government and KL, Danish municipalities must establish 4–5 regional shared IT service organizations by 1 January 2027. 

The two deadlines converge at the same operational question: what evidence does your IT environment actually produce — and is it audit-ready? 

The compliance gap is not a motivation problem. The barriers are practical: budget constraints, lack of implementation guidance, and insufficient internal expertise. The organizations closing the gap fastest are not the ones with the most tools. They are the ones with the clearest operational ownership of their endpoint compliance evidence stack.

 

Why NIS2 Compliance Is Stalling Across Europe 

NIS2 entered into force in October 2024. Enforcement is already active in Belgium, Germany, France, and the Netherlands. Despite this, CyberSmart’s research shows the compliance rate has not improved. The top barriers cited are consistent across all eight countries surveyed.

Three patterns stand out for IT teams: 

  • Compliance ownership is unclear. NIS2 requires documented controls across patch management, endpoint privilege management, device configuration governance, and vulnerability visibility — but in many organizations, no single team owns the evidence trail. 
  • Tooling is fragmented. IT teams running separate solutions for patching, privilege management, driver updates, and vulnerability visibility cannot easily produce a unified compliance view. 
  • Partner pressure is increasing. 42% of in-scope organizations have already been asked to demonstrate NIS2 status as part of standard due diligence. That pressure will only grow. 

The organizations closing the gap fastest are not necessarily those with the most mature security programs. They are the ones with the clearest operational ownership and the most consolidated evidence stack. 

 

The Danish Municipal IT Consolidation: What It Actually Means 

The decision to consolidate municipal IT operations is not primarily about cost savings. KL’s own materials are explicit: the driver is cybersecurity. According to KL, one in four Danish municipalities experiences more than 200 attempted cyberattacks per day. The pro-Russian hacker group NoName057(16) targeted municipal websites repeatedly during the 2025 local elections. 

The new regional IT service organizations will initially take over server and network infrastructure from the 98 municipalities. The ambition — not yet decided, but stated — extends further: endpoint management, user administration, monitoring, and service desk by 2030. 

That scope creates a specific operational challenge for the IT teams inheriting the work. 

The Consolidation Compliance Problem 

Each new regional IT service organization will take on infrastructure from multiple municipalities — in some cases, up to 25. Each of those municipalities has operated its own patch stack, its own privilege management approach, its own driver update process, and its own mobile device management configuration. 

The operational reality for many municipalities is straightforward: consolidation is no longer primarily about cost efficiency. Auditors, insurers, and municipal partners increasingly require documentation that fragmented tooling cannot easily produce — and the organizations that cannot provide it face both compliance exposure and procurement disadvantages. 

The organizations that start the consolidation with fragmented tooling will pay twice: once during the transition, and again at the first NIS2 audit. The ones that establish a unified evidence stack from day one will have a structural compliance advantage that compounds over time. 

What NIS2 Endpoint Compliance Actually Requires 

NIS2 does not prescribe specific tools. It prescribes outcomes and documentation. For IT teams, that translates into four operational evidence requirements: 

1. Patch and Application Currency 

Which applications are installed across which endpoints, at which versions, and when were they last updated? For third-party applications — the software outside Windows Update — this requires an automated update process with a documented evidence trail. A compliance auditor needs to see that known vulnerabilities are being addressed systematically, not reactively. 

2. Privilege and Access Control 

Who has elevated access, under what policy, for how long, and with what logging? NIS2’s requirements around access management mean that standing local admin rights — the default in many municipal environments — represent a documented compliance gap. Just-in-time elevation with full audit logging is the operational standard the directive points toward. 

3. Endpoint Configuration and Drift Visibility 

Are security configurations consistent across the fleet? Is drift from the intended configuration state detected and remediated? Consolidated visibility into patch status, configuration posture, and vulnerability exposure enables an IT team to answer these questions in a time-pressured audit context — rather than manually assembling data from multiple sources. 

4. Mobile Device Compliance 

iOS, iPadOS, Android, and Windows devices all require documented enrollment, configuration, and policy enforcement. For municipal environments managing thousands of devices across schools, administration, and field services, mobile compliance is often the least documented layer of the endpoint estate. 

How CapaOne Supports the Evidence Stack 

CapaOne Endpoint Management Platform is built to produce the technical controls and evidence data points required by NIS2 compliance documentation. It operates as a complete endpoint management platform — standalone or alongside Microsoft Intune. 

Application Manager automates third-party application updates across a governed catalog with staged rollouts and audit evidence, closing the patch-currency gap left open by OS-level tooling. 

Privilege Manager enforces least-privilege with policy-based, just-in-time elevation and no standing local admin rights. Every elevation event is logged for governance review. 

Security Monitor surfaces configuration drift and vulnerability insights across all endpoints, with exportable reports for auditors and leadership. 

Mobile Manager unifies enrollment, configuration, compliance, and application delivery across iOS, iPadOS, Android, and Windows — giving municipal IT teams a single documented posture view across their entire mobile estate. 

The platform consolidates endpoint operations, reporting, and compliance visibility into a single EU-hosted operational layer — built in Denmark, designed for GDPR alignment, and operated under European data sovereignty. 

Danish Municipal Reference 

Ishøj Kommune and Holbæk Kommune are both existing CapaOne customers. Ishøj Kommune uses CapaOne to manage 2,500+ endpoints across driver updates, device monitoring, and mobile device management: 

“Today, CapaOne is an essential part of our IT preparedness. It ensures our devices are always up to date and ready for use. We’ve left much manual work behind. Everything operates automatically — especially Mobile Manager, which has made a huge difference for us. CapaOne handles updates without us lifting a finger. Especially with frequent browser updates, we wouldn’t have been able to keep up without automation.”
— Victor Bjørke, IT Systems Administrator, Ishøj Kommune

What to Establish Before the Consolidation Deadline 

The 1 January 2027 deadline for establishing the new IT service organizations is closer than it appears. The transition work starts now — and the evidence requirements do not pause during it. 

  • Audit your current evidence stack. For each NIS2 requirement area — third-party patch management, endpoint privilege control, device configuration posture, vulnerability visibility, and mobile device compliance — identify which tool produces which evidence, and whether that evidence is audit-ready or manually assembled. 
  • Map your third-party application posture. List the most widely deployed applications across your municipality and confirm ownership, deployment cadence, and documentation for each. Applications outside Windows Update are the most common compliance gap. 
  • Review privilege management policy. If standing local admin rights are still the default in your environment, that is a documented NIS2 gap — and a security exposure — that does not require consolidation to address. 
  • Establish a mobile compliance baseline. Before devices from multiple municipalities merge into a shared service organization, document the current enrollment, configuration, and policy state for iOS, Android, and Windows mobile endpoints. 
  • Evaluate tooling consolidation early. Starting the new IT service organizations with fragmented endpoint management tooling means inheriting compliance debt. A unified evidence stack from day one reduces both transition costs and audit risk. 

 

NIS2 compliance is not a reporting exercise. It is the operational outcome of daily IT practices that automatically enforce security and governance standards. Book a demo of CapaOne Endpoint Management Platform to see how automated patch management, privilege control, vulnerability visibility, and mobile compliance work together in a single EU-hosted operational layer. 

Frequently Asked Questions

NIS2 requires documented controls across patch management, access control, configuration posture, incident response, and supply chain security. For endpoint-focused IT teams, this translates into four evidence areas: application patch currency across third-party software, just-in-time privilege management with full audit logging, configuration drift visibility across the fleet, and documented mobile device enrollment and compliance. Each area requires an evidence trail that demonstrates systematic management — not reactive firefighting. 

NIS2 compliance is the operational state your IT environment maintains daily — with updated applications, enforced least-privilege, a consistent configuration posture, and documented controls. NIS2 reporting is the act of communicating that state to auditors, authorities, or partners. CapaOne supports compliance by automating technical controls and generating the evidence data points that enable reporting. The regulatory reporting itself remains the organization’s responsibility. 

Under the 2026 municipal budget agreement between the Danish government and KL, municipalities must establish 4–5 regional IT service organizations by 1 January 2027. The initial scope covers server and network infrastructure. An ambition — not yet formally decided — extends to endpoint management, user administration, monitoring, and service desk by 2030. Organizations that begin consolidation with a unified endpoint compliance stack will have a structural advantage in the first NIS2 audit. 

According to CyberSmart’s April 2026 NIS2 Survey of 670 business leaders across eight European countries, the primary barriers are budget constraints, lack of implementation guidance, and insufficient internal expertise — not a lack of motivation. The organizations closing the gap fastest share one characteristic: consolidated operational ownership of their endpoint compliance evidence stack, rather than fragmented tooling across patching, access management, and vulnerability visibility. 

Yes. CapaOne is built in Denmark, hosted in the EU, and designed for GDPR and NIS2-aligned operations. Ishøj Kommune and Holbæk Kommune are existing customers — both using CapaOne to manage thousands of endpoints across driver updates, device monitoring, and mobile device management. The platform operates as a complete endpoint management solution, standalone or alongside Microsoft Intune. 

