UPDATE — SEPTEMBER 2025:
Since ENISA released its draft technical guidance for cybersecurity measures under the NIS2 Directive’s Implementing Regulation (EU) 2024/2690, the process has advanced through public consultation and revision. The consultation closed on December 9, 2024, and drew responses from cloud providers, telecom companies, critical infrastructure operators, and industry associations. Many stakeholders welcomed ENISA’s detailed mapping of NIS2 requirements to standards such as ISO/IEC. However, they also asked for clearer expectations on proportionality, sector-specific use cases, and support for SMEs.
ENISA published an updated version of the technical guidance in mid-2025. The final document incorporates the consultation input and clarifies what high-risk and essential entities must do to meet security obligations. It also strengthens the sections on governance and risk management so they better align with real-world operations. While the guidance is not legally binding, it has become a central reference for regulators and covered entities implementing Implementing Regulation (EU) 2024/2690, which took effect on January 17, 2025.
Throughout 2025, the NIS Cooperation Group released new sector profiles for areas such as energy, healthcare, and digital infrastructure. These profiles add practical examples and help entities interpret the required technical and organizational measures. Together with ENISA’s updated guidance, they now form the backbone of a more consistent EU-wide approach to NIS2 compliance.
ORIGINAL NEWS POST:
ENISA Seeks Industry Feedback on NIS2 Cybersecurity Guidance
The European Union Agency for Cybersecurity (ENISA) has published draft technical guidance to help organizations meet the cybersecurity measures required under the NIS2 Directive’s Implementing Regulation (EU) 2024/2690. ENISA released the draft to support EU Member States and critical digital infrastructure providers as they prepare for stricter risk-management obligations.
Purpose of the Guidance
The NIS2 Directive, in effect since October 17, 2024, sets a stronger EU-wide framework for cybersecurity resilience across essential sectors. ENISA’s draft guidance aims to make these rules more practical. It offers clear explanations of legal terms, step-by-step interpretations of requirements, and examples that show how entities can demonstrate compliance.
Key Elements of the Guidance
ENISA structured the draft around several helpful tools. First, it offers explanatory notes that break down complex parts of the regulation. Next, it includes sample evidence that organizations may submit to show they meet specific security measures. It also provides mapping tables that link NIS2 requirements to European and international standards, as well as relevant national frameworks. These resources are meant to help DNS service providers, cloud computing companies, and managed security service providers align their cybersecurity programs with NIS2 expectations.
Consultation and Participation
ENISA is inviting feedback from digital infrastructure stakeholders. The agency will accept comments until December 9, 2024, at 18:00 CET through its consultation platform. It has also published instructions to guide participants through the submission process.
Collaboration Behind the Draft
The draft guidance is the product of cooperation between ENISA, the European Commission, and Member States working through the NIS Cooperation Group. Their shared goal is to ensure the smooth and consistent implementation of the NIS2 Directive across the EU.
Directive Goals
NIS2 expands the scope of its predecessor by imposing stronger cybersecurity rules on critical entities, including online platforms, data centers, and content delivery networks. Its central purpose is to create a unified and resilient cybersecurity framework for the EU.
Additional Details
Stakeholders with questions about the draft or the consultation process can contact ENISA at [email protected].
Need Help?
If you have questions or concerns about any global guidelines, regulations and laws, don’t hesitate to reach out to BABL AI. Their Audit Experts can offer valuable insight, and ensure you’re informed and compliant.
