Back to Blog

How to Document Phishing Simulations for a NIS2 Audit

A practical evidence checklist for security teams that need to show recurring awareness activity without overclaiming what phishing simulations prove.

By Autophish Team|Published on 7/19/2026
Cover image for How to Document Phishing Simulations for a NIS2 Audit

If you need to document phishing simulations for a NIS2 audit, the goal is not to prove that one campaign made the organization compliant. The useful goal is narrower: show that security awareness activity is planned, controlled, repeated, reviewed, and improved over time.

Phishing simulations can support that evidence story because they create a visible record of training scope, employee feedback, reporting behavior, follow-up actions, and management review. They should not be presented as a complete NIS2 control by themselves. NIS2 compliance depends on the broader governance, risk management, incident handling, policies, technical controls, supplier oversight, and accountability model around the program.

This guide is defensive only. It does not include phishing templates, delivery tactics, credential collection steps, bypass advice, or instructions for real attacks.

Start with the audit question

Before exporting reports, define the question your evidence needs to answer. For most security and compliance teams, the question is not "did people click?" It is closer to:

  • Did the organization run awareness activity on a defined cadence?
  • Was the activity approved and aligned with policy?
  • Were employees covered at a meaningful level?
  • Were risky behaviors followed by feedback or training?
  • Were reports and results reviewed by accountable owners?
  • Did the program improve or change based on results?
  • Was employee data handled proportionately?

That framing matters because a click-rate chart is weak evidence on its own. A phishing simulation report becomes more useful when it sits inside a documented program: scope, approvals, safe scenario design, privacy settings, training follow-up, review notes, and trend data.

AutoPhish's existing guide to NIS2 security awareness and phishing simulations covers where simulations fit in the wider NIS2 conversation. This article focuses on the evidence pack.

What NIS2 actually changes for awareness evidence

The NIS2 Directive raises expectations around cybersecurity risk management, governance, incident handling, and accountability for covered entities. It does not prescribe one universal phishing simulation format.

That means security teams should avoid claims like "this phishing test makes us NIS2 compliant." A safer claim is:

"Our phishing simulation program supports security awareness and risk management evidence by documenting recurring activity, employee feedback, reporting behavior, and management review."

That statement is easier to defend. It connects simulations to governance without pretending that a training platform replaces legal analysis, risk assessment, incident response, access controls, or technical security measures.

For audit preparation, your documentation should show process maturity rather than theater. A single dramatic campaign may impress a dashboard. A steady program with approvals, coverage data, follow-up, and review notes is much more useful for compliance stakeholders.

Build an evidence pack before the auditor asks

Create a reusable evidence pack for each reporting period. Keep it boring, consistent, and easy to refresh.

Useful items include:

  • awareness program owner and reviewer names or roles
  • approved campaign calendar or cadence
  • policy or procedure reference for phishing simulations
  • campaign scope, dates, and target groups
  • scenario category and safety review
  • employee communication or notice where applicable
  • privacy settings and retention settings
  • delivery summary and known delivery caveats
  • report rate, time-to-report, and follow-up completion
  • training content shown after risky interactions
  • aggregate trend data over multiple campaigns
  • exceptions, exclusions, and remediation notes
  • management review notes and decisions

The evidence pack should be understandable without giving an auditor access to raw employee-level event logs. Aggregate reports are often enough for leadership and compliance review. Individual-level details should be limited to people with a clear operational need.

Keep scenario documentation safe and high level

Audit evidence should describe the risk theme and control objective, not provide reusable attacker playbooks.

Good scenario documentation might say:

  • "Invoice-themed business email compromise awareness scenario for finance users"
  • "QR-code awareness scenario for mobile-first workflows"
  • "Document-share awareness scenario for collaboration-tool risk"
  • "Password-reset awareness scenario with no real credential collection"

Avoid storing unnecessary step-by-step details in general compliance folders. Do not document exact lures, domains, landing-page mechanics, or message copy more broadly than your internal security process requires. The point is to prove that the scenario was approved, safe, relevant, and reviewed.

If a simulation includes landing pages, document the guardrails clearly. A safer program records controlled training events and feedback completion rather than collecting real passwords, MFA codes, tokens, payment details, or sensitive personal information. For more detail, see AutoPhish's guide to safe phishing simulation landing pages.

Use metrics auditors and executives can understand

Click rate is familiar, but it can be misleading. It should not be the only metric in a NIS2 evidence pack.

More useful metrics include:

  • user coverage across the reporting period
  • report rate for simulation messages
  • time to report
  • report-before-click behavior
  • follow-up training completion
  • repeat-risk trends over time
  • delivery quality and false positives
  • improvement actions created after review

The best metrics show a learning loop. A campaign happened. Employees received feedback. Reports were reviewed. The team changed something. Later results showed whether behavior improved.

AutoPhish's guide to phishing simulation reporting features is a useful benchmark for separating operational metrics from vanity charts.

Document governance, not just results

For NIS2-related discussions, governance evidence often matters as much as the campaign result.

Record:

  • who can approve simulations
  • who can launch campaigns
  • who can view individual-level results
  • how employee data is retained or deleted
  • what scenario themes are prohibited
  • how works councils, employee representatives, HR, or privacy stakeholders are involved where relevant
  • how results are escalated to management
  • how follow-up training is assigned

This protects the program from two common problems. First, simulations can become ad hoc exercises that depend on one enthusiastic admin. Second, awareness training can become privacy-sensitive surveillance if access controls and retention rules are vague.

If your organization has employee-representation or privacy review requirements, document them early. AutoPhish's guide to privacy-friendly phishing training covers the employee-trust side of that conversation.

Evidence checklist for each campaign

Use this checklist to keep campaign documentation consistent:

  1. Campaign name and internal ID
  2. Business reason or risk theme
  3. Approved target group
  4. Date range and time zone
  5. Scenario category, not attacker-style instructions
  6. Safety review confirmation
  7. Privacy and retention settings
  8. Employee notice or communication reference, if used
  9. Delivery summary
  10. Reporting and interaction metrics
  11. Follow-up training or feedback summary
  12. Exclusions and exceptions
  13. Review owner
  14. Improvement actions
  15. Export date and storage location

The checklist does not need to become a heavy workflow. It needs to be repeatable enough that the next audit period does not require forensic archaeology through old spreadsheets, chat threads, and screenshots.

What to avoid in audit evidence

Avoid evidence that creates more risk than it removes.

Common mistakes include:

  • relying only on screenshots with no review notes
  • storing raw employee-level data too broadly
  • keeping simulation data indefinitely without a reason
  • presenting one campaign as proof of compliance
  • using punitive leaderboards as "awareness evidence"
  • documenting exact lure mechanics in shared compliance folders
  • collecting real credentials to make results look more realistic
  • ignoring delivery problems that distort metrics

Auditors and executives do not need a dramatic story. They need a defensible one. If the evidence shows scope, safeguards, review, and improvement, the program is easier to trust.

How AutoPhish helps

AutoPhish is designed for security teams that need phishing simulations to be repeatable, privacy-aware, and explainable. That matters when simulations are part of a compliance evidence story.

With the right program design, AutoPhish can help teams document:

  • recurring phishing simulation activity
  • safer scenario handling
  • employee reporting behavior
  • follow-up training completion
  • management-ready reporting
  • privacy-conscious result handling
  • evidence exports for review

The platform does not replace legal advice or a full NIS2 readiness program. It helps security teams run and document the awareness part of that program more consistently.

FAQ

Do phishing simulations prove NIS2 compliance?

No. Phishing simulations can support evidence for security awareness, reporting behavior, and continuous improvement. They do not prove NIS2 compliance by themselves.

What should a NIS2 phishing simulation evidence pack include?

Include campaign scope, approval, date range, audience coverage, scenario category, safety review, privacy settings, reporting metrics, follow-up training, review notes, and improvement actions.

Should auditors see individual phishing simulation results?

Usually not by default. Aggregate reports often answer the compliance question. Individual-level data should be limited to people with a clear operational need and handled under defined retention and access rules.

Is click rate enough for audit evidence?

No. Click rate is only one signal. Reporting rate, time to report, follow-up completion, coverage, repeat-risk trends, and documented review actions are usually more useful.

How often should phishing simulation evidence be refreshed?

Refresh the evidence pack after each campaign or on a fixed reporting cadence. The important part is consistency: the organization should be able to show that awareness activity happens repeatedly and is reviewed.

Final takeaway

The best way to document phishing simulations for a NIS2 audit is to show a controlled awareness program, not a one-off test. Keep the evidence practical: scope, approvals, safe scenario design, privacy controls, metrics, follow-up, and management review.

If you want phishing simulations that are easier to run, review, and document, Sign Up.


Run your first phishing test in 10 minutes.

Sign up free — no credit card. Try Pro free for 7 days when you're ready.