Supporting NIS2 implementation through actionable guidance

Under the NIS2 Directive, EU Member States set requirements for cybersecurity risk management measures at national level in critical sectors, for example digital infrastructures, energy, transport or health. For the NIS2 Digital Infrastructure and the ICT service management sectors these cybersecurity requirements are defined at EU level, by the Commission Implementing regulation 2024/2690 of 17 October 2024. ENISA now publishes a technical guidance to support companies in these sectors with the implementation of this regulation.

Juhan Lepassaar, Executive Director at ENISA stated: “The implementation of NIS2 is a top priority for ENISA. The Agency is pushing for more alignment and simplification. To achieve that, we are developing practical and technical cybersecurity guidance to support the implementation of cybersecurity measures, on their way to improve the cybersecurity maturity in Europe’s critical sectors.”

This ENISA technical guidance was developed in collaboration with the NIS Cooperation group and the Commission, and we collected feedback from the private sector via an open consultation. 

The document provides guidance in the following cybersecurity requirements of the NIS2 Implementing Regulation: 

• Policy on the security of network and information systems
• Risk management policy 
• Incident handling
• Business continuity and crisis management 
• Supply chain security
• Security in network and information systems acquisition, development and maintenance
• Policies and procedures to assess the effectiveness of cybersecurity risk-management measures
• Basic cyber hygiene practices and security training
• Cryptography
• Human resources security
• Access control
• Asset management
• Environmental and physical security

In scope of the NIS implementing regulation and this technical guideline are DNS providers, TLD registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers and managed security service providers, providers of online marketplaces, online search engines and social networking services platforms, and trust service providers.

The implementation guidance is not a legally binding document and it is not intended to replace the frameworks, guidance or tools provided by Member States at national level. Companies in scope of the NIS2 should first consult the national authorities in their country, to understand their obligations. 

Linking NIS2 security measures to the European Cybersecurity Skills Framework 

To support the EU in developing cyber skills, ENISA developed the European Cybersecurity Skills Framework. Developing cybersecurity skills in the workforce is an important challenge for many companies. To implement the NIS2 Directive, companies should define cybersecurity roles and responsibilities. ENISA publishes a guidance document on the skills and the roles of cybersecurity professionals needed to implement the NIS2 measures. Built upon the European Cybersecurity Skills Framework (ECSF), this guidance offers a detailed mapping of NIS2 obligations to relevant ECSF role profiles. Each role is mapped to its specific tasks, while practical use cases are also included.

• Implementation Guidance (and excel file of mapping to standards and frameworks)
• Asking for your feedback: ENISA technical guidance for the cybersecurity measures of the NIS2 Implementing Act | ENISA
• Guidance document on the skills and cybersecurity professionals’ roles
• New rules to boost cybersecurity of EU's critical entities and networks | Shaping Europe’s digital future
• Cybersecurity of Critical Sectors | ENISA
• NIS Directive 2 | ENISA
• European Cybersecurity Skills Framework Role Profiles | ENISA
• European Cybersecurity Skills Framework (ECSF) | ENISA