EU Unveils Guidance for NIS2 Cybersecurity Compliance, Invites Stakeholder Feedback
November 8, 2024
The technical requirements outlined in the NIS2 Directive cover various subsectors, including DNS service providers, cloud computing, content delivery networks, and online marketplaces.
Organizations are also required to develop asset management policies to classify and manage all assets within their networks, maintaining an accurate inventory.
On November 7, 2024, the European Union Agency for Cybersecurity (ENISA) announced the creation of technical guidance to aid EU Member States and relevant entities in implementing the NIS2 cybersecurity risk-management measures.
ENISA's guidance includes non-binding recommendations, actionable advice, and examples of evidence for compliance with NIS2 requirements.
This guidance is open for consultation until December 9, 2024, inviting feedback from industry stakeholders to inform its further development.
The NIS2 Directive mandates that EU Member States incorporate its provisions into national laws by October 17, 2024, with a focus on enhancing resilience in critical sectors.
In October 2024, the European Commission adopted implementing rules for the NIS2 Directive, aimed at bolstering cybersecurity across essential sectors within the EU.
These implementing rules outline specific cybersecurity risk-management requirements for sectors such as digital infrastructure, digital service providers, and ICT service management.
Relevant entities are required to establish a risk management framework, perform risk assessments, and document risk treatment plans, ensuring oversight from management bodies.
Entities must also implement an incident handling policy that details procedures for detecting and responding to cybersecurity incidents, along with a business continuity and disaster recovery plan.
Access control measures need to be documented and enforced to restrict access to networks and information systems, with secure authentication procedures in place.
Furthermore, a supply chain security policy must be established to manage risks from suppliers and service providers, ensuring employees understand their security responsibilities.
Summary based on 1 source
Source
Industrial Cyber • Nov 8, 2024
ENISA publishes technical guidance to strengthen NIS2 cybersecurity risk management