ENISA Seeks Industry Feedback on NIS2 Cybersecurity Guidance

Written by Jeremy Werner

Jeremy is an experienced journalist, skilled communicator, and constant learner with a passion for storytelling and a track record of crafting compelling narratives. He has a diverse background in broadcast journalism, AI, public relations, data science, and social media management.
Posted on 11/20/2024

UPDATE — SEPTEMBER 2025: Since ENISA released its draft technical guidance for cybersecurity measures under the NIS2 Directive’s Implementing Regulation (EU) 2024/2690 in late 2024, the process has advanced significantly. The public consultation, which closed on December 9, 2024, drew input from cloud providers, telecoms, critical infrastructure operators, and industry associations. While stakeholders broadly welcomed ENISA’s mapping of NIS2 obligations to international standards such as ISO/IEC, they also requested clearer direction on proportionality, sector-specific applications, and guidance tailored to SMEs.

In response, ENISA published an updated version of the technical guidance in mid-2025. The finalized document reflects feedback from the consultation, clarifies expectations for high-risk and essential entities, and refines the risk-management and governance sections to better align with sectoral realities. Importantly, while the guidance is non-binding, it has become a key reference for both regulators and covered entities seeking to implement the binding requirements of Implementing Regulation (EU) 2024/2690, which formally entered into force on January 17, 2025.

Throughout 2025, the NIS Cooperation Group has issued additional sectoral profiles—covering domains such as energy, healthcare, and digital infrastructure—that complement ENISA’s guidance and provide practical examples of how to apply the mandated security measures. Together, these resources form the foundation for a harmonized approach to NIS2 compliance across the EU.

ORIGINAL NEWS POST:

 

The European Union Agency for Cybersecurity (ENISA) released draft technical guidance for the cybersecurity measures outlined in the NIS2 Directive’s Implementing Regulation (EU) 2024/2690. Industry stakeholders are invited to provide feedback on the draft guidance, which aims to support EU Member States and critical digital infrastructure entities in implementing robust cybersecurity risk-management measures.

The NIS2 Directive, which came into effect on October 17, 2024, sets out a new EU-wide framework to bolster cybersecurity resilience across critical sectors. ENISA’s technical guidance supplements this directive, offering practical advice and tools to ensure compliance with the newly adopted Commission Implementing Regulation.

The guidance is designed to help stakeholders navigate the technical and methodological requirements specified under NIS2. Key features include:

  • Explanatory Support: Clarifications on legal terms and additional tips for interpreting and applying the requirements.
  • Standard Mapping: Tables linking NIS2 security requirements to European and international standards, as well as national cybersecurity frameworks.


This practical approach aims to ensure that entities such as DNS service providers, cloud computing providers, and managed security service providers can align their cybersecurity practices with NIS2’s rigorous expectations.

ENISA is inviting stakeholders from the digital infrastructure sector to review and comment on the draft guidance. Feedback can be submitted until December 9, 2024, at 18:00 CET, through the agency’s consultation platform. Detailed instructions for submitting comments are available online.

The draft guidance marks a collaborative effort between ENISA, the European Commission, and Member States via the NIS Cooperation Group. It is part of a larger initiative to ensure the successful implementation of the NIS2 Directive, which aims to enhance the cybersecurity posture of Europe’s critical infrastructure.

The NIS2 Directive expands upon its predecessor, establishing comprehensive cybersecurity measures for critical entities, including data centers, online platforms, and content delivery networks. The directive’s goal is to create a unified and resilient cybersecurity framework across the EU.

For more details or questions regarding the consultation process, stakeholders can contact ENISA via email at [email protected].

 

 
