{"id":346962,"date":"2025-08-15T16:23:18","date_gmt":"2025-08-15T16:23:18","guid":{"rendered":"https:\/\/www.europesays.com\/uk\/346962\/"},"modified":"2025-08-15T16:23:18","modified_gmt":"2025-08-15T16:23:18","slug":"nis2-update-eu-cyber-authority-sets-out-compliance-expectations-but-implementation-is-a-work-in-progress-skadden-arps-slate-meagher-flom-llp","status":"publish","type":"post","link":"https:\/\/www.europesays.com\/uk\/346962\/","title":{"rendered":"NIS2 Update: EU Cyber Authority Sets Out Compliance Expectations, but Implementation Is a Work in Progress | Skadden, Arps, Slate, Meagher &#038; Flom LLP"},"content":{"rendered":"<p>[co-author: Aleksander Aleksiev]<\/p>\n<p><strong>Executive Summary<\/strong><\/p>\n<ul>\n<li><strong>What is new:<\/strong> On 26 June 2025, the EU Agency for Cybersecurity (ENISA) <a href=\"https:\/\/www.enisa.europa.eu\/news\/supporting-nis2-implementation-through-actionable-guidance\" rel=\"noopener noreferrer\" target=\"_blank\">published<\/a> guidance <a href=\"https:\/\/www.enisa.europa.eu\/publications\/cybersecurity-roles-and-skills-for-nis2-essential-and-important-entities\" rel=\"noopener noreferrer\" target=\"_blank\">documents setting out security measures<\/a> that regulated organisations should have in place to comply with the EU\u2019s critical infrastructure cybersecurity law (NIS2).<\/li>\n<li><strong>Why it matters:<\/strong> These expansive security standards will require significant investment for many newly regulated entities, and member states\u2019 varying NIS2 implementations add a further layer of complexity.<\/li>\n<li><strong>What to do next:<\/strong> As companies assess their 2026 security and compliance budgets, they should determine what expanded security efforts will be required \u2014 prioritizing the greatest enforcement risks \u2014 and plan implementation and funding for the coming months and years.<\/li>\n<\/ul>\n<p><strong>__________<\/strong><\/p>\n<p>The Guidance<\/p>\n<p>The guidance, 
though not strictly binding, further clarifies ENISA\u2019s expectations of NIS2-regulated entities, building upon both the text of NIS2 and the European Commission\u2019s NIS2 <a href=\"#\/implementingActs\/12288\" rel=\"noopener noreferrer\" target=\"_blank\">Implementing Regulation 2024\/2690<\/a> on cyber risk management.<a href=\"#ftn1\" name=\"topftn1\">1<\/a> (For an overview of NIS2, see our previous client alert \u201c<a href=\"https:\/\/www.skadden.com\/insights\/publications\/2024\/10\/navigating-the-new-cybersecurity-landscape\" target=\"_blank\" rel=\"noopener\">Navigating the New Cybersecurity Landscape: Key Implications of the EU\u2019s NIS 2 Directive<\/a>.\u201d) As an example:<\/p>\n<ol>\n<li>NIS2 requires companies to have security measures covering \u201cthe use of multi-factor authentication.\u201d<\/li>\n<li>The NIS2 Implementing Regulation expands on this obligation, stating that companies\u2019 multifactor authentication measures \u201cshall ensure that users are authenticated by multiple authentication factors \u2026 in accordance with the [risk] classification of the asset to be accessed.\u201d<\/li>\n<li>The guidance further expands on the Implementing Regulation, stating that companies should \u201cenforce [multifactor authentication] on internet-facing systems, such as email, remote desktop and VPNs,\u201d and document this compliance through configuration logs. 
The guidance also maps ENISA\u2019s expectations to widely used international standards such as ISO 27001.<\/li>\n<\/ol>\n<p><img decoding=\"async\" alt=\"Pyramid chart: from top to bottom, reads: NIS2 - NIS2 Implementing Regulation - ENISA Guidance\" src=\"https:\/\/www.europesays.com\/uk\/wp-content\/uploads\/2025\/08\/b7b770c7-15f7-4db4-844e-412a49ebdcc2-nis2_chart.png\"\/><\/p>\n<p>Pyramid chart: from top to bottom, reads: &#8220;NIS2 &#8211; NIS2 Implementing Regulation &#8211; ENISA Guidance&#8221;<\/p>\n<p>The guidance, and in particular ENISA\u2019s commitment to aligning regulatory obligations with existing international standards that many companies have already adopted, is welcome and sets out a helpful blueprint for the technical implementation of NIS2 compliance programs. However, the scale of ENISA\u2019s guidance (stretching to nearly 200 pages of security measures) reinforces the extent of investment and documentation regulators expect for comprehensive NIS2 compliance. Companies should target their NIS2 compliance programs at the systems (e.g., operationally critical systems) and topics (e.g., incident response and vendor management) that present the greatest enforcement risk, to avoid spreading limited compliance resources too thinly.<\/p>\n<p>As part of the guidance, ENISA published a <a href=\"https:\/\/www.enisa.europa.eu\/publications\/cybersecurity-roles-and-skills-for-nis2-essential-and-important-entities\" rel=\"noopener noreferrer\" target=\"_blank\">\u201croles and skills\u201d summary<\/a>, mapping the internal expertise and responsibilities required to meet NIS2 obligations and emphasizing that NIS2 compliance requires cross-functional teams, including IT, cybersecurity, legal and compliance specialists.<\/p>\n<p>NIS2 Implementation Status<\/p>\n<p>While ENISA continues to advance NIS2, EU member states\u2019 implementation has lagged behind. Despite continued complaints from the European Commission, including <a href=\"https:\/\/digital-strategy.ec.europa.eu\/en\/news\/commission-calls-19-member-states-fully-transpose-nis2-directive\" rel=\"noopener noreferrer\" target=\"_blank\">a public rebuke<\/a>, 13 out of 27 member states have not yet transposed NIS2 into national law. This leaves companies chasing a moving compliance target.<\/p>\n<p><img decoding=\"async\" alt=\"Map of Europe showing which member states have transposed NIS2 into national law.\" src=\"https:\/\/www.europesays.com\/uk\/wp-content\/uploads\/2025\/08\/b7b770c7-15f7-4db4-844e-412a49ebdcc2-nis2_map_of_europe.png\"\/><\/p>\n<p><strong>EU NIS2 Directive &#8211; Transposition<\/strong><\/p>\n<p>Act adopted: Belgium, Croatia, Cyprus, Denmark, Finland, Greece, Hungary, Italy, Latvia, Lithuania, Malta, Romania, Slovakia, Slovenia.<\/p>\n<p>Legislative process ongoing: Austria, Bulgaria, Czech Republic, Estonia, France, Germany, Ireland, Luxembourg, Netherlands, Poland, Portugal, Spain, Sweden.<\/p>\n<p>While approximately half of member states have already transposed NIS2 into national law (some, like Latvia and Lithuania, even ahead of the 17 October 2024 deadline), others are moving more slowly. Several countries, including Germany, Ireland, the Netherlands and Poland, have advanced draft legislation that outlines national frameworks, regulators and sector-specific requirements. Meanwhile, member states such as Spain, Estonia and Sweden remain at an earlier stage of the process.<\/p>\n<p>Approaches to key implementation elements also vary.<\/p>\n<ul>\n<li>Many countries, including Belgium, Hungary and Italy, have aligned liability provisions for management bodies with existing national civil law regimes.<\/li>\n<li>Additionally, the \u201cmain establishment\u201d principle has been adopted in countries such as Belgium, Croatia, Greece, Italy and Slovakia, meaning that NIS2 obligations primarily apply to entities headquartered in those jurisdictions. Hungary has departed from this model: service providers operating in Hungary must register locally and comply with the Hungarian Cybersecurity Act, regardless of where their main establishment is located.<\/li>\n<\/ul>\n<p>Reporting obligations under NIS2 also vary significantly across member states, creating a fragmented compliance landscape for cross-border entities. Definitions of \u201csignificant incidents,\u201d reporting thresholds and timelines differ, with some countries imposing stricter requirements than NIS2 itself. For example, entities in Cyprus must submit early warnings within six hours of detection \u2014 well ahead of NIS2\u2019s 24-hour requirement. This divergence in national rules increases administrative and compliance burdens for organizations operating across multiple EU jurisdictions.<\/p>\n<p>Given this uncertainty, companies should take a phased approach to compliance, focused on addressing the core obligations that are likely to be consistent across member states, while leaving flexibility to address jurisdiction-specific quirks once more member states complete their implementations.<\/p>\n<p>What To Do Now<\/p>\n<p>Given the breadth of NIS2\u2019s obligations and the ongoing uncertainty surrounding its implementation, companies need to scope and target their NIS2 compliance efforts to make the most of limited compliance resources. 
In particular, companies should:<\/p>\n<ul>\n<li>Continue to progress NIS2 compliance programs, focusing on systems (e.g., operationally critical systems) and documentation (e.g., incident response plans) that present the greatest enforcement risk.<\/li>\n<li>Ensure that management bodies (e.g., boards) are updated on NIS2 compliance progress, as those management bodies can be held personally liable for NIS2 noncompliance.<\/li>\n<li>Take advantage of ENISA\u2019s mapping to existing international standards to identify areas where existing information security documentation can be leveraged \u2014 for example, where policies prepared for ISO 27001 compliance can be reused with minimal changes for NIS2 compliance \u2014 and identify gaps in that documentation.<\/li>\n<li>Track NIS2 implementation status in the jurisdictions in which a company operates, and identify areas where compliance efforts can be advanced before local implementation is complete.<\/li>\n<\/ul>\n<p>____________________<\/p>\n<p><a href=\"#topftn1\" name=\"ftn1\">1<\/a>\u00a0The Implementing Regulation and published guidance apply only to companies operating in digital sectors (such as cloud computing, data centres, managed services and online search engines) but are likely to influence regulators\u2019 compliance expectations more broadly.<\/p>\n<p>[<a href=\"https:\/\/www.skadden.com\/insights\/publications\/2025\/08\/nis2-update-eu-cyber-authority\" target=\"_blank\" rel=\"noopener\">View source<\/a>.]<\/p>\n","protected":false},"excerpt":{"rendered":"[co-author: Aleksander Aleksiev] Executive Summary What is new: On 26 June 2025, the EU Agency for Cybersecurity 
(ENISA)&hellip;\n","protected":false},"author":2,"featured_media":346963,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5174],"tags":[2000,299,5187],"class_list":{"0":"post-346962","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-eu","8":"tag-eu","9":"tag-europe","10":"tag-european"},"share_on_mastodon":{"url":"https:\/\/pubeurope.com\/@uk\/115033710176253661","error":""},"_links":{"self":[{"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/posts\/346962","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/comments?post=346962"}],"version-history":[{"count":0,"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/posts\/346962\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/media\/346963"}],"wp:attachment":[{"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/media?parent=346962"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/categories?post=346962"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/tags?post=346962"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}