Independent reporting: why your IT provider should not judge its own work
Published on July 3, 2026
Many organizations receive their security reports through their IT provider: the same party that builds the servers, manages the firewall and runs the updates. It feels logical and efficient. But ask the question an auditor asks: who is judging whose work here?
This article is about that question. Why reporting through your managing party weakens your evidence, why it counts double under NIS2, and what independent reporting means in practice.
In short
- A managing party reporting on its own environment is judging its own work. Every finding is implicit criticism of its setup; the incentive to soften is structural, even at honest firms.
- Under NIS2 this counts double: your IT provider is itself a supplier in the chain you must manage.
- Independent reporting means: directly to the client, without the managing party in between.
- Ask yourself: does your auditor currently get evidence, or a filtered summary?
The butcher judging his own meat
An IT provider presenting scan results about infrastructure it built itself is in an impossible position. Every vulnerability that makes the report raises the question of why it is there: should the provider not have prevented it? Every finding is implicit criticism of its own work.
That does not mean providers lie. It means the incentive to soften a finding, reclassify it, or "quickly fix it before the client sees it" is structurally present. This is exactly why separation of duties exists in every mature control environment: the accountant does not audit their own books, and the inspector does not work for the butcher.
Why this counts double under NIS2
The NIS2 supply chain duty of care requires you to demonstrably manage risks at your suppliers. Your IT provider is not just the party that can help you with that: it is one of those suppliers itself, and often the most critical one. What your large customer may ask about this is covered in "What does your large customer expect under the NIS2 duty of care".
Demonstrating supply chain due care with a report from the party that report is (partly) about is evidence that undermines itself. A critical auditor or buyer spots it immediately. The question to ask yourself: do I currently receive my security reports through the party that manages my environment, and would my auditor consider that sufficient?
What independent reporting means
Reporting independently is not a matter of a different logo on the report. It comes down to three things:
- Direct delivery. The report goes from the measuring party straight to the client. The managing party can read along if the client wants, but never sits in the line as a filter.
- Traceable findings. The client can verify per finding how and when it was established, without relying on the interpretation of an interested party. How that works is covered in "Forensically grounded evidence".
- Verifiability. The report itself is signed and timestamped, so a third party can establish that it is genuine and unaltered. See "How to check whether a security report is real".
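The verifiability point above can be made concrete with a small added example. This is illustration code written for this article, not Exposentry's or OpenKAT's own signing format; it assumes an Ed25519 key pair held by the measuring party, a signature over the SHA-256 digest of the report bound to an RFC 3339 timestamp, and a constructed sample report. The point it shows is that anyone holding only the measuring party's public key can check the report, and that editing either the findings or the timestamp breaks the check.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// SignedReport is what the client receives from the measuring party:
// the report bytes, the timestamp the measuring party asserts, and a
// signature that covers both. The layout is constructed for this example.
type SignedReport struct {
	Report    []byte
	Timestamp string // RFC 3339 UTC, exactly as it was signed
	Signature []byte
}

// signedMessage binds the report digest to the timestamp so that neither
// can be swapped out independently of the other. The version prefix is an
// assumed label, not an Exposentry format.
func signedMessage(report []byte, timestamp string) []byte {
	digest := sha256.Sum256(report)
	return []byte("example-report-v1|" + hex.EncodeToString(digest[:]) + "|" + timestamp)
}

// SignReport is run by the measuring party, which holds the private key.
func SignReport(priv ed25519.PrivateKey, report []byte, at time.Time) SignedReport {
	ts := at.UTC().Format(time.RFC3339)
	return SignedReport{
		Report:    report,
		Timestamp: ts,
		Signature: ed25519.Sign(priv, signedMessage(report, ts)),
	}
}

// VerifyReport is what the client, auditor or insurer runs. It needs only
// the measuring party's public key, obtained out of band, and not the
// cooperation of whoever manages the scanned environment.
func VerifyReport(pub ed25519.PublicKey, sr SignedReport) bool {
	return ed25519.Verify(pub, signedMessage(sr.Report, sr.Timestamp), sr.Signature)
}

// TamperCheck signs a constructed report, then verifies the original, a
// copy with one byte of the findings changed, and a copy with the
// timestamp changed. It returns the three verification results so the
// behaviour can be checked without reading printed output.
func TamperCheck() (original, alteredBody, alteredTime bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample report body; hostname and finding are placeholders.
	report := []byte("host: web-01.example.invalid\nfinding: TLS 1.0 still enabled\nseverity: medium\n")
	sr := SignReport(priv, report, time.Date(2026, 7, 1, 9, 0, 0, 0, time.UTC))

	// Someone in the delivery chain edits the findings after signing.
	body := sr
	body.Report = append([]byte(nil), sr.Report...)
	body.Report[0] ^= 0x01

	// Someone moves the claimed measurement date by a day.
	stamp := sr
	stamp.Timestamp = "2026-07-02T09:00:00Z"

	return VerifyReport(pub, sr), VerifyReport(pub, body), VerifyReport(pub, stamp)
}

func main() {
	ok, body, stamp := TamperCheck()
	fmt.Printf("untouched report verifies:    %v\n", ok)    // true
	fmt.Printf("edited findings verify:       %v\n", body)  // false
	fmt.Printf("edited timestamp verifies:    %v\n", stamp) // false
}
```

Two caveats a practitioner would want. First, the public key must reach the client directly from the measuring party (published fingerprint, in-person handover, or a key the client already trusts); if the managing party relays the key, it is back in the line as a filter. Second, the timestamp here is only what the signer asserts. For a date that a third party can trust independently of the signer, the signature would additionally need to be anchored in an external timestamping authority or a transparency log, which this example does not model.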
Your IT provider remains just as valuable: it fixes the findings. The roles are simply separated. Measuring and remediating are two different things, and it is exactly that separation that makes the remediation credible.
How Exposentry safeguards this itself
Claiming independence is easy; organizing it is the real work. Exposentry is a Hasecon service, and Hasecon also provides implementation, maintenance and development services around OpenKAT, such as on-premise installations and custom modules. That is why the separation of duties is laid down in writing:
- Reports always go directly to the client, even when another party brought in the customer.
- If Hasecon does OpenKAT work for the same client or in the same environment, that overlap is stated explicitly in the report.
- Hasecon does not issue security reports on scanned environments outside of Exposentry: there is only one reporting channel.
- For active supply chain verifications, Hasecon does not perform remediation or management work in the verified environment.
This policy is part of our terms and conditions, so your auditor does not have to guess.
The test for your own situation
Take your latest security report and ask three questions. Who produced it? Does that party manage (part of) the environment it covers? And did the report reach you directly, or through that party? Answering "yes" to the second question and "through that party" to the third does not make the report useless. It does mean the report stands weaker as evidence towards an auditor, customer or insurer than you think.
Written by Edward Hasekamp, founder of Exposentry and core maintainer of the open-source OpenKAT project. See the project on GitHub and the profile at github.com/hasecon. Exposentry provides NL-sovereign, forensically substantiated vulnerability monitoring based on OpenKAT. More articles in the Knowledge base.