Publications

Featured publications

ENISA NIS360

This edition of the ENISA NIS360 report is the third to assess the cybersecurity maturity and criticality of all sectors of high criticality as identified under Annex I of the NIS2 directive. The assessment covers the entire ecosystem of a sector…

NIS Investments 2025

The annual NIS Investments report presents the findings of a study conducted by ENISA to explore how cybersecurity policy translates in practice across organisations in the EU and its effects on their investments, resources, and operations.

NIS2 Technical Implementation Guidance

This report provides technical guidance to support the implementation of the NIS2 Directive for several types of entities in the NIS2 digital infrastructure, ICT service management and digital providers sectors. The cybersecurity requirements for…

All publications

Publish Date

Brokerage model for Network and Information Security in Education

By publishing the Brokerage model for Network & Information Security (NIS) in Education report, we aim to provide content and promote digital education on network and information security at all levels. The target group is composed of…

Flash note: Risks of using discontinued software

ENISA warns about the risks of using discontinued software, not only because of the lack of support from the manufacturer, but also from third parties, like manufacturers of anti-malware or other kind of software, or computer peripherals. This…

Recommendations for a methodology of the assessment of severity of personal data breaches

The European Union Agency for Network and Information Security (ENISA) reviewed the existing measures and the procedures in EU Member States with regard to personal data breaches and published in 2011 a study on the technical implementation of…

eID Authentication methods in e-Finance and e-Payment services - Current practices and Recommendations

This report collects the results of a survey launched by ENISA (European Network and Information Security Agency). The main purpose of the survey has been to collect information about the electronic IDentity and Authentication Systems (eIDAS)…

Guidelines for trust service providers - Part 1: Security framework

This document describes the framework surrounding trust service providers (TPSs) – the concepts and standards related to operations of a TSP. It focuses on EU standards, but also takes into account others where relevant. The document specifically…

Guidelines for trust service providers - Part 2: Risk assessment

This document covers the following aspects of Trust Service Providers operations:
• Assets: identification, classification and evaluation
• Threats to assets: classification and evaluation
• Vulnerabilities present in the environment…

Guidelines for trust service providers - Part 3: Mitigating the impact of security incidents

This document recommends measures to mitigate the impact of security incidents on trust service providers (TSP) by proposing suitable technical and organisational means to handle the security risks posed to the TSP. This is done using a…

Proposal for One Security Framework for Articles 4 and 13a

There are two pieces of EU legislation which explicitly mention security measures in the telecom sector: Article 4 of the e-Privacy directive asks providers to take security measures to protect security of personal data processing. Article 13a of…

Position Paper of the EP3R Task Forces on Incident Management and Mutual Aid Strategies (TF-MASIM)

This document summarises the discussions that happened between April and September 2013 in the EP3R Task Force on Incident Management and Mutual Aid Strategies. The task assigned to this Task Force was to reflect on the potential issues found…

EP3R 2013 – Task Forces on Terminology Definitions and Categorisation of Assets (TF-TDCA)

This Position Paper intends to establish the foundations of a commonly accepted and adopted methodology to define proper Terminology within EP3R, and later allow a concise Key Assets Categorisation.