The Cybersecurity Coalition submitted comments to the European Union Agency for Cybersecurity’s (ENISA) open consultation on its draft Implementing Guidance on the European Commission’s Implementing Regulation, which provides enumerated technical and methodological requirements related to the NIS 2 Directive. 

The NIS 2 Directive aims to enhance cybersecurity across the EU by mandating key entities manage risks to networks and information systems to minimize the impact of incidents. It entered into force on January 16, 2023 following its approval by the European Parliament and the Council of the European Union in 2022.

The Coalition and its member companies have actively engaged with ENISA, the European Commission, and other relevant European institutions throughout the development of the NIS 2 Directive. In August 2024, we submitted comments to the European Commission on its draft Implementing Regulation. While ENISA’s draft Implementing Guidance addresses several concerns raised in our earlier submission, some critical issues remain unresolved.

Our comments on the Implementing Guidance emphasize these remaining concerns, particularly regarding the technical and methodological requirements outlined in the Implementation Regulation’s Annex, which include items in the following areas:

• Policy on the Security of Networks and Information
• Risk Management Policy
• Incident Handling
• Supply Chain Security
• Security in Network and Information Systems Acquisition, Development, and Maintenance
• Human Resources Security
• Asset Management

Additionally, we highlighted concerns about the Implementing Guidance’s alignment with other national and international standards and its applicability to organizations of varying sizes.