In June 2025, ENISA published its NIS2 technical implementation guidance, which provides detailed advice on the mandatory cybersecurity risk management measures for digital providers subject to the NIS2 regime. The NIS2 Directive establishes a strengthened cybersecurity framework across the EU that Member States must transpose into national law. Transposition was due by 17 October 2024, although many Member States have yet to adopt final legislation. For more detail on implementation status, see our Tracker here: NISD 2 Tracker - Bird & Bird.
Pursuant to the NIS2 Implementing Regulation, in-scope digital service providers are required to implement specific harmonised security measures in line with the requirements set out in the Annex to the Implementing Regulation. The required measures range from adopting an overarching policy on the security of network and information systems to establishing appropriate cryptography and access control measures, and each measure contains numerous sub-requirements.
For these entities (i.e. DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, providers of online marketplaces, online search engines and social networking services platforms, as well as trust service providers), meeting these requirements means getting to grips with the intricacies of the cybersecurity risk management measures.
Given the highly technical nature of the requirements, ENISA's new technical guidelines provide 170 pages of guidance on the practical implementation of these measures. For each legal requirement, the technical guidelines include indicative guidance (either actionable advice on the parameters to consider when implementing a requirement or further explanation of concepts found in the legal text), examples of evidence that can be used to support compliance (including references to certain industry standards), and, where applicable, general tips for further consideration by the entity.
This technical guidance remains non-binding: compliance with its content will not necessarily equate to compliance with the Implementing Regulation, and it does not supersede any national requirements or guidance. Nevertheless, ENISA itself hopes that the document will help national authorities develop their own approach to supervising the compliance of these digital service providers, and it is designed to provide a helpful framework for demonstrating good faith compliance efforts.
In addition, the technical guidance, drafted with the help of Member State representatives in the NIS2 Cooperation Group, includes a mapping of each legal requirement from the NIS2 Implementing Regulation onto European and international standards and national frameworks, thereby providing a helpful overview of the similarities between these reference frameworks. Although this mapping should not be read as proof of equivalence between the requirements, it can be a useful tool for comparing progress and avoiding duplicated compliance efforts for companies that have already obtained EU-level or national cybersecurity certifications.
Finally, ENISA also provides a mapping of the relevant tasks onto cybersecurity role profiles drawn from the European Cybersecurity Skills Framework (ECSF), to assist companies in hiring skilled professionals and assigning responsibility for cybersecurity within their organisations.
For more information, please contact Lisa Gius.