Organizations across Europe are in the midst of a challenging process—implementing the requirements of the NIS2 Directive. This EU-wide cybersecurity legislation, which took effect on January 16, 2023, demands significant and broad-ranging compliance efforts. However, a key obstacle remains: the EU, or more specifically the member states who need to translate this into national legislation, have yet to provide detailed guidance on what organizations must do to comply. This ambiguity leaves much to interpretation, creating a fertile ground for third-party recommendations and, perhaps, confusion.
The Countdown to Compliance
NIS2 affects a wide range of companies, far more than its predecessor, the original NIS Directive. The clock is ticking, with the October 18, 2024, deadline for implementation drawing near. The problem? NIS2 requires that all member states integrate its provisions into their national cybersecurity laws, a process that is still incomplete in several countries. While some, like Germany, are nearing the final stages of this legislative adoption, the lack of detailed guidance has led many organizations to rely mainly on established control frameworks to meet the directive's broad requirements. The NIS2 text itself makes several references to the ISO27000 family of standards, for example, as a source of best practice.
Many EU member states are still not fully prepared, and the directive’s broad, somewhat generic provisions—such as those in Article 21—leave organizations guessing what specific measures to take. Companies must adopt an all-hazards approach, addressing everything from risk analysis and incident handling to business continuity and supply chain security. Yet, the details of what this entails are sparse.
One exception to this lack of specificity is the requirement for multi-factor authentication (MFA), which NIS2 explicitly mentions. Beyond that, however, companies are left to navigate a landscape of general directives, hoping that their interpretations will suffice.
A Glimmer of Guidance
Amid this uncertainty, a notable development has quietly emerged. The European Commission recently published a draft Implementing Regulation (IR) that could bring much-needed clarity - though only for a narrow subset of entities within the digital infrastructure sector, such as cloud computing providers, DNS service providers, and online marketplaces. The draft includes an Annex with detailed controls, providing a level of specificity that many have been craving.
For example, in the realm of Identity and Access Management (IAM), where Article 21 (2) of NIS2 vaguely calls for “access control policies,” the Annex goes much further. It dedicates three full pages to detailed, actionable requirements. These include the need to establish and implement logical and physical access control policies for network and information systems, addressing access by people and processes, and ensuring access is granted only after proper authentication. The document demands the regular review and update of these policies, and the management of access rights based on principles like least privilege and separation of duties. It even specifies requirements for privileged accounts, system administration systems, and the life cycle management of identities, including secure authentication procedures.
And that is just a single example; there is much more.
Article 3 of the main draft document defines basic criteria for identifying "significant incidents". Who has not been looking for such a definition (although even these criteria could be clearer)?
Want more? Chapter 3 of the Annex provides another three pages of incident management controls, from establishing a comprehensive incident handling policy (including clear roles, responsibilities, and procedures for detecting, analyzing, responding to, and reporting incidents) to post-incident reviews.
This level of detail, while applicable only to the listed sectors once approved, provides a solid foundation for organizations preparing for NIS2 compliance. It offers a glimpse into what might become the standard for other industries and member states as well.
The Broader Implications
If approved and finalized, this draft regulation will only apply to certain sectors, but it's easy to see how it could serve as a blueprint for broader national legislation. The specificity it offers contrasts sharply with the general nature of NIS2 itself, making it a valuable resource for organizations seeking to align with the directive’s requirements. Indeed, as more countries finalize their national implementations of NIS2, it is likely that they will look to this draft IR as a model for their own regulatory frameworks.
However, it’s again important to note that this regulation is still in draft form. And it will only directly affect multinational organizations in the digital infrastructure sector that would otherwise fall through the regulatory cracks. But even in its current state, not yet applicable and with limited scope, the draft IR makes sense. It’s a step toward the clarity and guidance that practitioners - especially those on the front lines of cybersecurity - desperately need.
A Practitioner’s Take
As someone who is not a lawyer but looks at these regulations from both an analyst's and a practitioner's perspective, I see the value in any document that offers a reasonable level of detail. For organizations struggling to prepare for NIS2, the draft IR’s specificity provides a welcome roadmap. It’s likely that we’ll see elements of this document adopted more broadly, shaping the way national legislations and implementation procedures evolve.
In the meantime, organizations might want to keep a close eye on developments around this draft IR. While it is - yes - still a draft and its future applicability will be limited, the clarity it offers could soon extend to a much wider audience, helping to dispel some of the uncertainty surrounding NIS2 compliance.