ENISA issues guidance on NIS2 Directive

  • November 21, 2024
  • William Payne

The EU NiS2 Directive on network security came into force in October 2024. The directive aims to bolster cybersecurity in Europe, especially the resilience of critical sectors and infrastructure throughout the European Union.

As the Directive comes into force, the European Union Agency for Cybersecurity (ENISA) has published non-binding guidance to help organisations implement the NIS2 directive.

NIS2 expands the scope of the original NIS network cybersecurity directive, which came into force in 2018. The new directive expands the scope of the original directive to cover critical infrastructure including public infrastructure, utilities, data centres, manufacturing, health devices and logistics.

To support integration with existing practices, the guidance includes a mapping table that correlates each requirement with established European and international standards and frameworks. This includes standards such as:

  • ISO/IEC 27001:2022
  • ISO/IEC 27002:20224
  • NIST Cybersecurity Framework 2.0
  • ETSI EN 319 401 V2.2.1 (2018-04)
  • CEN/TS 18026:2024

This mapping does not imply equivalence between the standards. The guidance highlights standards that touch on areas required by the NIS2 Directive, but the standards may not satisfy NIS2 requirements.

Under the directive, organisations are required to establish a risk management framework to identify and address risks to their networks and information systems. They must conduct documented risk assessments and implement risk treatment plans, and ensure that management accept risk assessment results and residual risks.

Organisations must establish an incident handling policy outlining procedures for incident detection, response, recovery, documentation, and reporting. This includes reporting mechanisms for employees, suppliers, and customers to report suspicious events, and mitigate the impact of incidents.

The guidance emphasizes the importance of a business continuity and disaster recovery plan in the event of incidents. Organisations must maintain backup copies of data, ensure appropriates level of redundancy, and establish a crisis management process.

Organisations must also classify all their assets, including information, within their networks and information systems to determine the required level of protection. These classifications must be regularly reviewed and updated, and an inventory of assets and information must be accurate and kept up to date.

ENISA has opened the guidance document for industry consultation and is actively seeking feedback until 9 December 2024.