On June 26, 2025, the European Union Agency for Cybersecurity (ENISA) published two sets of guidelines to help businesses ensure their organizational compliance with the NIS2 Directive.
The aim of the guidelines is to support companies in understanding how legal requirements translate into operational activities, particularly regarding (i) roles and skills for professionals within essential and important entities, and (ii) technical measures aimed at ensuring the security and resilience of IT systems.
Guidelines on Cybersecurity Roles and Skills for NIS2 Essential and Important Entities
As established under Article 21 of the NIS2 Directive, essential and important entities must adopt appropriate cybersecurity risk management measures. These measures are not limited to technical protections of systems, but also include proportionate organizational measures designed to ensure the resilience and overall protection of digital assets.
Such organizational measures require the implementation of a structured compliance system which – starting from the mapping and identification of the tasks required by the Directive and its national implementations – includes the definition of clear roles and the selection of competent professionals to carry them out.
To this end, the Guidelines present two specific use cases focused on medium-sized organizations, which may face certain limitations in terms of human resources and budget. While each organization must structure its roles according to its specific needs – which may vary depending on regulatory obligations and its cybersecurity maturity level – the examples provided by ENISA serve as a practical starting point.
In the first scenario, ENISA recommends appointing a Cybersecurity Manager (potentially overlapping with the role of the CISO), who plays a strategic role in defining and implementing security policies, as well as managing technical remediation plans. In parallel, ENISA highlights the importance of identifying a Cyber Legal, Policy and Compliance Officer, responsible for supporting compliance activities related to cybersecurity.
Beyond identifying these key roles, ENISA encourages targeted training for existing internal roles – such as IT department members and System Administrators – to enhance cross-functional cybersecurity expertise. Additionally, outsourcing specific services, such as incident response, cyber threat intelligence, and digital forensics, is viewed positively. However, the internal roles remain ultimately responsible, with third-party providers playing only a support role without strategic decision-making authority.
The second scenario focuses on incident response management and the related notification obligations under Article 23 of the NIS2 Directive. Here, ENISA suggests implementing a structured process involving the CISO, a so-called Cybersecurity Implementer (typically a system administrator with incident response skills), the Cyber Legal, Policy and Compliance Officer, and – if necessary – a third-party service provider.
Establishing a team with clearly defined roles and responsibilities, composed of both internal and external resources, allows the organization to meet the stringent notification requirements of the NIS2 Directive while ensuring a responsive and effective incident handling approach. This structured, collaborative setup is fundamental not only for regulatory compliance, but also for strengthening the organization’s overall cybersecurity posture.
The Guidelines also provide a comprehensive mapping of roles, including detailed descriptions of responsibilities, tasks, expected outcomes, and potential collaborations for each role profile in relation to the requirements of the NIS2 Directive. Furthermore, they highlight the benefits of this approach, showing how clear role structures enhance operational transparency, process efficiency, and workforce planning.
While ENISA acknowledges the need to tailor each organizational model to the specific context of the entity subject to the NIS2 Directive, these Guidelines undoubtedly represent a solid starting point for defining an internal structure aligned with the directive’s stringent compliance requirements.
Guidelines on Technical Implementation Guidance
ENISA’s Technical Guidance is designed to support entities falling under the scope of Implementing Regulation (EU) 2024/2690 of 17 October 2024 – including DNS service providers, top-level domain name registries, cloud computing service providers, data center service providers, content delivery network providers, managed service providers, managed security service providers, online marketplace providers, online search engine providers, social networking platform providers, and trust service providers – in implementing the technical and methodological requirements of the NIS2 Directive’s security measures.
In addition to its targeted support for entities covered by the regulation, the Technical Guidance provides detailed and practical information on the risk management measures required by the NIS2 Directive, making it a useful resource for a broader audience of essential and important entities.
Initially released in draft form in January 2025, the final version introduced no significant changes.
The finalization of this document provides organizations with another concrete tool for implementing the NIS2 Directive. Although primarily intended for a specific category of entities, the methodological principles and technical requirements outlined serve as a strong reference point for all organizations subject to NIS2, offering practical and detailed support for implementing an effective cyber compliance system.
On a similar topic, you may find the following article interesting: “NIS 2 – Personal Liability of Directors For Lack of Compliance”.
Authors: Giulia Zappaterra and Maria Chiara Meneghetti