ENISA NIS2 guidance pushes European cyber compliance toward a more operational model

Summary

ENISA has published technical guidance to support implementation of the NIS2 Implementing Regulation for digital infrastructure and ICT service management sectors. The document is designed to help in-scope organisations translate high-level obligations into practical security measures across areas such as incident handling, business continuity, supply-chain security, cyber hygiene, access control, asset management, cryptography, and effectiveness testing.

What happened

On 26 June 2025, ENISA announced a technical implementation guide intended to support organisations covered by the NIS2 Implementing Regulation. The guidance was developed with the NIS Cooperation Group and the European Commission, with additional feedback gathered through an open consultation with the private sector.

The implementing regulation further elaborates NIS2 cybersecurity requirements for digital infrastructure and ICT service management sectors at EU level. ENISA’s new publication is meant to make those requirements more usable in practice for the entities that have to comply.

Key details

The guidance covers a wide range of control areas, including:

security policy for network and information systems
risk management policy
incident handling
business continuity and crisis management
supply-chain security
secure acquisition, development, and maintenance of network and information systems
assessment of the effectiveness of cybersecurity risk-management measures
basic cyber hygiene and security training
cryptography
human resources security
access control
asset management
environmental and physical security

ENISA says the guidance is relevant to organisations such as DNS providers, TLD registries, cloud computing providers, data-centre providers, content delivery networks, managed service providers, managed security service providers, online marketplaces, search engines, social networking platforms, and trust service providers.

The agency also published linked guidance mapping NIS2 obligations to cybersecurity roles and responsibilities using the European Cybersecurity Skills Framework.

Why it matters

This matters because one of the persistent problems with cyber regulation is the gap between legal obligation and operational implementation. Organisations can understand that NIS2 applies to them while still struggling to turn the framework into concrete controls, ownership structures, and engineering practice.

ENISA’s guidance is an attempt to narrow that gap. It pushes NIS2 away from being treated only as a compliance text and toward being treated as an operating model for how critical and digital service providers should structure cyber risk management.

Assessment

The key value here is practical alignment. NIS2 has always been more consequential than a paperwork exercise, but implementation quality will vary widely unless organisations have usable guidance that connects policy, technical controls, and workforce roles.

This guidance does not replace national authorities, and ENISA is explicit that it is not legally binding. But it does strengthen the compliance baseline by giving both companies and regulators a more concrete reference point. Over time, that can make NIS2 enforcement less abstract and more operationally demanding.

Recommended actions

determine whether your organisation falls within the digital infrastructure or ICT service management sectors directly covered by the implementing regulation
compare current security controls against the guidance areas, especially incident handling, supply-chain security, continuity planning, access control, and effectiveness testing
review whether cyber roles and responsibilities are clearly assigned enough to support NIS2 implementation in practice
track how national authorities interpret and apply the guidance alongside local transposition and supervisory expectations