ENISA Publishes Technical Guidance to Help Companies Comply with NIS2 Cybersecurity Rules

Key Takeaways

  • ENISA Guidance Released: ENISA has published technical implementation guidance to support digital infrastructure and managed service providers in complying with the cybersecurity requirements of the NIS2 Implementing Regulation.
  • Targets Cross-Border Digital Services: The guidance applies to essential and important entities whose technical requirements are set at the EU level by the Implementing Regulation, such as cloud providers, DNS operators, data centres, and online platforms.
  • 13 Core Cybersecurity Requirements Covered: The document outlines best practices, tips, and evidence examples for implementing measures including incident handling, supply chain security, access control, and business continuity.
  • Mapped to Standards and Frameworks: Each requirement is mapped to relevant international standards (e.g. ISO/IEC 27001, NIST CSF) and national cybersecurity frameworks to support alignment and audit readiness.
  • Cybersecurity Skills Guidance Included: A complementary guide maps NIS2 obligations to roles in the European Cybersecurity Skills Framework (ECSF), helping organizations identify and plan for necessary workforce capabilities.
Deep Dive

The EU Agency for Cybersecurity (ENISA) has issued its first technical guidance to help digital infrastructure and managed service providers implement the cybersecurity measures required under the EU’s new NIS2 Implementing Regulation. The non-binding guidance aims to make compliance with the NIS2 Directive’s technical and methodological requirements more practical, consistent, and achievable for companies operating in critical sectors across the EU.

The guidance comes as part of the EU’s broader effort to raise cybersecurity maturity in essential services such as cloud computing, domain name systems, online platforms, and ICT service management. While EU member states set national-level risk management requirements under NIS2 for most sectors, the technical and methodological requirements for a subset of cross-border digital services are specified directly at the EU level by Commission Implementing Regulation 2024/2690, which was adopted in October 2024.

“The implementation of NIS2 is a top priority for ENISA. The Agency is pushing for more alignment and simplification,” said Juhan Lepassaar, ENISA’s Executive Director. “To achieve that, we are developing practical and technical cybersecurity guidance to support the implementation of cybersecurity measures.”

ENISA’s new guidance document outlines best practices, examples of evidence, and helpful tips for meeting 13 core cybersecurity requirements listed in the Implementing Regulation, including:

  • Security and risk management policies
  • Incident handling and business continuity
  • Supply chain security
  • Secure development and maintenance of systems
  • Cryptographic safeguards
  • Access control and asset management
  • Human resources and physical security measures
  • Policies for assessing the effectiveness of risk management

Each section is mapped to relevant European and international standards, such as ISO/IEC 27001, NIST Cybersecurity Framework 2.0, and CEN/TS 18026, as well as to national cybersecurity frameworks submitted to ENISA during public consultations.

ENISA emphasized that the document is not a substitute for national-level regulations or guidance, and organizations should consult their national authorities to fully understand their legal obligations. Still, the guidance offers a common foundation for aligning implementation practices across EU countries.

The document also encourages entities to reuse existing standards and frameworks they already apply and offers suggestions for how to provide documentation or evidence of compliance. An Excel file mapping each requirement to recognized standards is available on ENISA’s website.

Who’s in Scope?

The guidance targets companies classified as “essential” or “important” entities under NIS2, specifically those providing:

  • Cloud computing services
  • Data center services
  • Domain Name System (DNS) services
  • Top-level domain registries
  • Content delivery networks
  • Online marketplaces, search engines, and social media platforms
  • Trust and digital identity services
  • Managed service and managed security service providers

Because these services are cross-border by nature and are deemed critical to digital society and the internal market, their cybersecurity risk management requirements are specified at the EU level rather than left to each member state.

Skills Guidance to Match the Mandates

In tandem with the technical guidance, ENISA also published a skills and roles guide designed to help organizations understand the workforce capabilities needed to meet NIS2 obligations.

Based on the European Cybersecurity Skills Framework (ECSF), the new document maps the Directive’s requirements to relevant cybersecurity role profiles, detailing tasks, responsibilities, and practical use cases. The guide is intended not only for businesses, but also for EU member states as they build national cybersecurity talent pipelines and capacity-building programs.

As tens of thousands of entities across the EU prepare for compliance with NIS2, the need for clearly defined cybersecurity roles has become increasingly urgent. ENISA’s own NIS Investments 2024 report found that 89% of organizations surveyed expect to hire additional cybersecurity staff to meet the directive’s demands.

ENISA stressed that the guidance is a “living document” subject to future updates, as both the technical requirements and referenced standards evolve. It was developed with input from the NIS Cooperation Group, European Commission, private sector stakeholders, and ENISA expert groups for electronic communications and trust services.

For organizations navigating the new regulatory landscape, ENISA’s dual guidance offers a structured but flexible approach to both implementation and workforce readiness, underscoring the EU’s push for a more resilient and secure digital ecosystem.
