EU cybersecurity agency opens consultation on draft NIS2 guidance


On 7 November 2024, the EU Agency for Cybersecurity (ENISA) published for industry consultation the draft implementing guidance intended to support relevant entities in implementing the technical and methodological requirements under Directive (EU) 2022/2555 (NIS2 Directive) and the Commission Implementing Regulation (EU) 2024/2690.

Importantly, neither the Draft Implementing Guidance nor the final version of the guidance will be legally binding on entities falling under the NIS2 Directive and the Commission Implementing Regulation. The purpose of the Draft Implementing Guidance is to help national competent authorities develop an approach for supervision of the requirements. As a result, the competent national authorities are expected to take the content of the Draft Implementing Guidance into account during their supervisory activities. 

Entities falling under the Draft Implementing Guidance 

The Draft Implementing Guidance does not cover all essential and important entities under the NIS2 Directive (and the respective national transposition laws), but only the following entities that fall under the scope of the Commission Implementing Regulation: 

  • domain name system (DNS) service providers;
  • top-level domain (TLD) name registries;
  • cloud computing service providers;
  • data centre service providers;
  • content delivery network providers;
  • managed service providers;
  • managed security service providers;
  • providers of online marketplaces, online search engines and social networking services platforms; and
  • trust service providers. 

Content of the Draft Implementing Guidance 

The Draft Implementing Guidance offers the following support to relevant entities in implementing the technical and methodological requirements under the NIS2 Directive and the Commission Implementing Regulation: 

  • guidance (i.e. indicative and actionable advice on parameters to consider when implementing a requirement or further explanation to concepts found in the legal text);
  • examples of evidence (i.e. the types of evidence that a requirement is in place);
  • extra general tips for additional consideration by the entity (where available); and
  • mapping correlating each requirement to European and international standards and national frameworks. 

The guidance, examples of evidence, and tips referred to above are non-exhaustive. Their partial or complete implementation does not in itself establish compliance or conformity with the requirements of the NIS2 Directive and the Commission Implementing Regulation. Entities may choose alternative methods to fulfil a requirement or use different evidence to demonstrate compliance. Moreover, a single piece of evidence may support several requirements.

The mapping table correlates each requirement with the following European and international standards or frameworks, and with national frameworks: 

  • ISO/IEC 27001:2022;
  • ISO/IEC 27002:2022;
  • NIST Cybersecurity Framework 2.0;
  • ETSI EN 319 401 V2.2.1 (2018-04);
  • CEN/TS 18026:2024;
  • Belgian CyberFundamentals framework;
  • Finnish Kybermittari (Cybermeter);
  • Greek Cybersecurity Framework;
  • Spanish National Security Framework. 

The mapping table only includes horizontal standards, and not detailed standards or technical specifications for specific topics. The Draft Implementing Guidance does not attempt to establish a new standard or duplicate existing ones (e.g. ISO, IEC, CEN), and is intended to be written in a technology-neutral and standards-neutral way. 

Next steps 

The text of the Draft Implementing Guidance is available here. Interested parties have until 9 December 2024, 18:00 CET to submit comments on the draft. Further instructions on how to provide feedback can be found here.

Background 

The aim of the NIS2 Directive is to ensure a high level of cybersecurity across the EU. It covers entities operating in sectors that are critical for the economy and society, including providers of public electronic communications services, ICT service management, digital services, wastewater and waste management, space, health, energy, transport, manufacturing of critical products, postal and courier services, and public administration. EU member states had until 17 October 2024 to transpose the NIS2 Directive into national law. 

The Commission Implementing Regulation further details the technical and methodological requirements of the cybersecurity risk-management measures, and further specifies the cases in which an incident is considered significant, for DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, providers of online marketplaces, providers of online search engines, providers of social networking services platforms, and trust service providers.

For more information on the Draft Implementing Guidance or your obligations under the NIS2 Directive and the Commission Implementing Regulation, contact your CMS client partner or these CMS experts. 

This article was co-authored by: János Bálint