ENISA explains how to meet new European security rules
ENISA guidance turns NIS2’s legal language into practical actions for businesses.

The EU Agency for Cybersecurity (ENISA) has released guidelines to help businesses meet the NIS2 Directive’s compliance requirements. The documents outline how legal obligations can be translated into practical measures, focusing on organisational and technical aspects.
Under Article 21 of NIS2, essential and important entities must take appropriate and proportionate technical, operational and organisational measures to manage the risks to their network and information systems. ENISA frames compliance as a structured exercise: mapping regulatory obligations to concrete tasks, defining clear roles, and assigning competent staff to them.
The first scenario in ENISA’s guidance covers appointing a Cybersecurity Manager (often the CISO) to shape policy and oversee remediation. It also highlights the need for a Cyber Legal, Policy, and Compliance Officer to handle cybersecurity-related regulatory compliance.
The second scenario addresses incident handling and the reporting obligations of Article 23, suggesting a team approach involving the CISO, a Cybersecurity Implementer, the Compliance Officer, and, if needed, third-party providers. Even where tasks are outsourced, accountability for meeting the obligations stays with the entity itself.
ENISA’s Technical Guidance supports entities covered by Implementing Regulation (EU) 2024/2690, such as DNS providers, cloud providers, and online platforms. While aimed at specific sectors, its principles are valuable for all organisations under NIS2.