A significant number of recommendations from ECSO’s input to the public consultation were incorporated into the final version of the ENISA’s Technical Implementation Guidance. This represents a great step towards helping and easing implementation of NIS2 requirements in EU organisations while assuring achievement of NIS2 objectives.  

The document provides a solid foundation for implementing Article 21 of the NIS2 Directive, which defines cyber security risk management measures. The alignment with the Directive’s provisions is clear and well-referenced throughout the guide. 

ECSO values the structured breakdown of cyber measures, together with the mapping to relevant standards. The risk-based and modular approach provides a useful level of flexibility, which is essential for organisations of different sizes and risk profiles. ECSO also considers the document as a valuable and forward-looking instrument that contributes to the European cybersecurity ecosystem.   

ECSO sees some ideas to further improve this content that may be deemed applicable for the next versions: 

1. Include information to help SMEs with a faster selection of implementation guidance most suitable for them. 
2. Develop actionable self-assessment tools and templates, where possible.
3. Provide sector specific guidance and toolkits. 
4. Establish expected implementation thresholds for security controls to streamline cross-border collaboration with national supervisory authorities. 
5. Update NIS2 and technical guidance mapping to new cybersecurity frameworks.

ECSO welcomes ENISA’s open position to facilitate dialogue. This should be maintained during the NIS2 implementation phase, to identify lessons learned in the process and refine the guidance and best-practice approach.