Decoding the NIS2 Directive: Practical guidelines from the EU Agency for Cybersecurity on NIS2 risk management and skills
The EU Agency for Cybersecurity (ENISA) has recently released two detailed technical guidelines that translate the NIS2 Directive’s legal obligations into practical measures companies can adopt.
The first guideline is the ENISA Technical Guidance (available in English), which translates the high-level NIS2 security obligations into a 170-page playbook with actionable controls across the security domains, such as policies, incident handling, supply chain security, and training. The second is the Cybersecurity Roles Guidance (available in English), which provides a practical framework for linking the legal requirements of the NIS2 Directive to specific cybersecurity job roles and skills.
In this article, we will discuss both publications and how these might be relevant for your organisation.
Understanding NIS2 and the role of ENISA’s guidance
The NIS2 Directive (EU 2022/2555) took effect on 18 October 2024 (subject to transposition into national law) and replaces the original NIS framework. It extends mandatory cybersecurity requirements to various critical sectors, including energy, transport, health care, digital infrastructure, online marketplaces, and manufacturing. Most medium and large companies active in those sectors fall within its scope, and even smaller firms are covered if they provide essential services. If you require a reminder of what the NIS2 Directive entails, feel free to read our previous Law-Now on this topic.
ENISA Technical Guidance
The ENISA Technical Guidance addresses entities active in digital sectors, such as cloud computing, data centres, domain name system services, and online marketplaces. This Guidance expands upon the NIS2 Implementing Regulation, which requires NIS2 entities operating in digital sectors to take specific security measures. These sectors have been chosen for EU-level regulation due to their cross-border nature. The provision of guidance for other sectors has been left to the member states. Even though the Guidance is not directly applicable to all NIS2 entities, this document will still greatly influence regulators conducting compliance checks.
The Guidance provides detailed information on how the following cybersecurity requirements should be implemented, in proportion to the risks faced by the IT systems of the relevant NIS2 entities:
- network security policies;
- risk management frameworks;
- incident handling;
- business continuity and crisis management;
- supply chain security;
- secure development practices;
- effectiveness assessment procedures;
- cybersecurity training;
- cryptographic controls;
- human resources security;
- access management;
- asset protection; and
- physical security measures.
It does this by providing three types of information per requirement: (i) recommendations on how to implement the requirement (i.e. guidance); (ii) types of evidence illustrating how a requirement can be implemented (i.e. examples of evidence); and (iii) miscellaneous recommendations where relevant.
Additionally, ENISA has provided a mapping table linking the cybersecurity requirements to international, European and national standards and frameworks such as ISO/IEC 27001 and the NIST Cybersecurity Framework v2.0. This table will be an asset to all NIS2 entities since national regulators often allow the use of such standards and frameworks to demonstrate that the necessary cybersecurity risk management measures have been taken.
Cybersecurity Roles Guidance
ENISA has also published guidance on the skills and roles needed for cybersecurity professionals working for NIS2 entities. This document maps practical responsibilities regarding NIS2 obligations to the cybersecurity roles that can be implemented within an organisation, providing a helpful overview for NIS2 entities assessing their internal cybersecurity procedures.
Furthermore, an example of the designation and implementation of the necessary cybersecurity roles is discussed in detail (e.g. who should assume certain roles, the responsibilities that should be given to personnel when handling cybersecurity incidents).
Action points
Overall, both documents provide helpful tools for the compliance processes of NIS2 entities. They transform the NIS2 Directive’s broad cybersecurity mandates into specific, actionable requirements. Organisations should carefully assess the technical measures recommended, as well as the advice on roles, responsibilities, and training necessary for effective cybersecurity governance. To ensure effective compliance and minimise legal risk, we encourage undertaking the following actions:
- Assess whether your organisation falls under the scope of the NIS2 Directive.
- Conduct a gap analysis to identify where your cybersecurity measures do not meet NIS2 requirements. Use ENISA’s guidance to determine the necessary steps and develop a plan to address and prioritise any identified gaps.
- Implement a structured training programme based on the ENISA guidance to ensure that staff in key cybersecurity roles are aware of their NIS2 responsibilities. Regularly assess workforce competencies to clarify responsibilities and maintain preparedness.
- Develop and test incident handling policies with clear categorisation systems, communication plans, and reporting procedures that meet the NIS2 Directive’s strict notification timelines (24-hour early warning, 72-hour detailed reports, and monthly final reports). Regular tabletop exercises and simulations are essential for maintaining operational readiness.
- Strengthen contractual arrangements with suppliers and service providers to include cybersecurity requirements, incident notification obligations, and compliance verification procedures that extend NIS2 protection throughout the value chain.
- Set up a regular cycle to review and update your cybersecurity governance framework in line with new regulations, threats, and best practices.
- Regularly review national transposition requirements and coordinate with competent authorities to ensure that approaches to compliance align with supervisory expectations.
For more information on the NIS2 Directive and how it could affect your business operations, contact our TMC partner Tom De Cordier or your usual CMS advisor. Did you know our Tech & Data practice is recognised as Tier 1 (best-in-class) by both Chambers and Legal 500?