Disclaimer: This article is for informational purposes and does not constitute legal advice. Drata recommends consulting with legal counsel to understand your specific obligations under NIS2 and the relevant national laws of EU Member States where you operate.
Introduction
In June 2025, the European Union Agency for Cybersecurity (ENISA) released new operational guidance to support organisations in implementing the NIS2 Directive. This includes:
ENISA Technical Implementation Guidance on Cybersecurity Risk Management Measures (26 June 2025) — (170 pages) translating the European Commission’s Implementing Regulation (EU) 2024/2690 into practical measures and evidence examples across 13 thematic areas.
Mapping NIS2 Obligations with ECSF Role Profiles (26 June 2025) — (32 pages) linking NIS2 requirements to specific cybersecurity role definitions from the European Cybersecurity Skills Framework (ECSF).
Handbook for Cyber Stress Tests (June 2025) — (27 pages) provides methodology for designing and running large-scale cyber incident simulations, including EU-level and cross-border stress test scenarios, to assess organisational and sectoral resilience under NIS2.
NIS360 Sectoral Assessment Report (5 March 2025) — (61 pages) ranking sectors by maturity vs. criticality and identifying priority areas for risk reduction and cross-sector collaboration.
These documents are not new legislation — they are non-binding guidance intended to help organizations translate NIS2 requirements into operational controls, processes, and evidence for audits and regulatory checks.
Quick Takeaways:
No changes needed to Drata’s NIS2 Cybersecurity Core mapping — your current configuration in the platform remains accurate and applicable.
ENISA’s 2025 guidance is operational rather than legislative, focusing on how to implement and evidence NIS2 requirements.
What’s new for you: ENISA’s 13 “core themes” provide a clear, structured approach to governance, risk management, incident handling, supply chain security, and more — all of which will inform Drata’s upcoming evidence guidance feature for NIS2.
Optional sector-specific actions: ENISA adds extra recommendations for “risk zone” sectors; your organization may wish to create custom controls if you serve or expand into these sectors.
Legal note: This is general operational guidance — not legal advice. Please review with your counsel and applicable national authorities.
1. Why This Guidance Matters
The European Union Agency for Cybersecurity (ENISA) has recently published new material linking NIS2’s requirements to specific organisational roles, tasks, and evidence examples.
While NIS2 already sets higher standards for governance, risk management, and incident reporting, ENISA’s guidance gives organizations a playbook for meeting these obligations in practice — including:
Thematic coverage across 13 areas.
Example evidence types for audits and supervisory checks.
Recommendations for joint exercises and cross-border coordination.
This means:
Better clarity on what evidence to collect for each NIS2 requirement.
Improved mapping of roles and responsibilities, internally and with vendors.
Optional sector-specific controls if your scope changes or you serve regulated sectors.
2. What Stays the Same in Drata
Drata’s GRC team reviewed ENISA’s guidance against our current NIS2 Cybersecurity Core mapping in Drata.
Result: No re-mapping is required. The DCFs linked to NIS2 requirements remain accurate and broadly applicable.
However: In the future, we plan to incorporate ENISA’s thematic structure and evidence examples into Drata’s evidence guidance for NIS2 — giving you practical, audit-ready pointers for documentation, logs, reports, and testing records; this is in our backlog.
3. Highlights From ENISA’s June 2025 Guidance
ENISA identifies 13 core implementation areas that should be documented, tested, and evidenced:
Governance & Policy: Documented NIS2 security policy, defined roles, periodic reviews.
Risk Management: Formal risk process, monitoring, and independent reviews.
Incident Handling & Reporting: Clear workflow, classification, escalation, and reporting aligned to 24h / 72h / 1-month timeframes.
Business Continuity & Crisis Management: Tested BCP/DR, backups, escalation plans.
Supply Chain Security: Supplier vetting, contractual security clauses, ongoing monitoring.
Secure Acquisition / Development / Maintenance: Procurement security, SDLC, patching, vulnerability disclosure.
Effectiveness Measurement: Control reviews, metrics, and improvement cycles.
Cyber Hygiene & Training: Staff and leadership awareness programs.
Cryptography: Policies and evidence for encryption and key management.
HR Security: Background checks, joiner/mover/leaver processes.
Access Control (incl. MFA): Privileged access controls, MFA as a testable measure.
Asset Management: Classification, handling, inventory, and secure disposal.
Physical & Environmental Security: Perimeter, environmental controls, utilities resilience.
4. Optional Sector-Specific Considerations
If your organization operates in or serves high-risk sectors (e.g., health, maritime, space, public administration), ENISA recommends additional measures:
OT-specific security controls (for maritime and industrial environments).
Medical device procurement guidelines (for health).
Shared service governance models (for public administrations).
Component testing and pre-integration checks (for space).
5. New Emphasis Areas You May Want to Act On
Even without changes to your core mapping, you may want to:
Review and align your incident reporting playbook to ENISA’s 24h / 72h / 1-month structure.
Participate in joint or cross-border cyber exercises — ENISA strongly encourages these for readiness.
Enhance procurement documentation to reflect secure-by-design principles and supplier collaboration frameworks.
Map your internal and vendor roles to ENISA’s recommended role profiles for clearer accountability.
In summary, ENISA's new guidance is a valuable resource for operationalizing NIS2, but it doesn't change your current compliance requirements. Your existing setup in Drata remains accurate and effective. As you plan ahead, use these new recommendations to refine your security playbook, and rest assured that Drata will be incorporating these insights into future platform enhancements to make evidencing compliance even easier.