ENISA and the NIS 2 Technical Implementation Guidance
ENISA is the EU's cybersecurity agency. Article 18 of the NIS 2 Directive gives it a reporting and assessment role. CIR (EU) 2024/2690 sets the technical detail. The ENISA TIG is the voluntary playbook that ties both together.
What this page covers
ENISA is the EU Agency for Cybersecurity. It was created in 2004; its current, permanent mandate comes from Regulation (EU) 2019/881, the Cybersecurity Act. Its job is to raise the level of cybersecurity across the Union. It advises the Commission and the member states, supports the national CSIRTs, and writes technical guidance and threat reports.
Under NIS 2, ENISA has four concrete roles. It sits on the Cooperation Group and supports its work. It develops and maintains the European vulnerability database under Article 12. It adopts a report on the state of cybersecurity in the Union every two years under Article 18. And it publishes technical guidance to help you put Commission Implementing Regulation (EU) 2024/2690 (the CIR) into practice.
The Technical Implementation Guidance (TIG) is that practical layer. It is reference material, not law. It takes the abstract wording of Article 21 NIS 2 and the CIR and turns it into concrete steps. It also maps those steps onto established standards, so an existing ISO 27001 or NIST CSF implementation gives you a head start.
Article 18 NIS 2 Directive (2022/2555)
ENISA shall, in cooperation with the Commission and the Cooperation Group, adopt by 17 January 2025, and every two years thereafter, a report on the state of cybersecurity in the Union.
Article 18 is the provision that puts ENISA's reporting role on a statutory footing. It tells ENISA to adopt a report on the state of cybersecurity in the Union every two years, in cooperation with the Commission and the Cooperation Group. That report feeds into Commission policy and into what national authorities plan and prioritise. It is not the only article that names ENISA (Article 12, on the European vulnerability database, does too), and it does not mandate the TIG. The TIG rests on ENISA's general advisory mandate under the Cybersecurity Act, which is why it is guidance and not law.
Commission Implementing Regulation (EU) 2024/2690
This Regulation lays down technical and methodological requirements with regard to the measures referred to in Article 21(2) of Directive (EU) 2022/2555.
The CIR is directly applicable EU law. It binds the entity types listed in its Article 1, which are the ones Article 21(5) of the Directive told the Commission to cover: DNS service providers, TLD name registries, cloud and data centre service providers, managed service providers, online marketplaces, trust service providers and others. Its Annex turns the Article 21(2) measures into concrete technical and methodological requirements. ENISA then takes the CIR a step further with the TIG.
ENISA Technical Implementation Guidance
ENISA's guidance offers practical advice, examples of evidence, and mappings of security requirements to help companies implement the regulation.
The TIG is voluntary. ENISA publishes it, not the Commission and not the member states. It does not create new obligations. But national authorities and auditors cite it as a reasonable read of what 'appropriate and proportionate' means under Article 21(1). If you stray from it, you need a reason.
Maps Art. 21 measures onto four standards
The TIG takes every measure from Art. 21(2)(a) to (j) and every section of the CIR and lines them up against ISO/IEC 27001:2022, NIST CSF 2.0, ETSI EN 319 401 V3.1.1, and CEN/TS 18026:2024. If you already run one of these, you can reuse the controls you already have as evidence for NIS 2.
Names the evidence auditors expect
For each CIR point, the TIG lists the kind of evidence auditors want: policies, procedures, logs, configuration baselines, review records. It does not certify and it does not audit. But it gives you and your auditor a shared vocabulary for what 'good' looks like.
ENISA keeps it up to date
ENISA publishes the TIG and the mapping table as living documents under CC BY 4.0. The mapping table is at version 1.2 as of August 2025. New national frameworks and updated standards get added between versions. Pin the version you cite, so your audit trail says exactly which one you read.
Voluntary, but it carries weight
The TIG is not law. Your compliance is judged against the Directive and the CIR, not against the TIG. At the same time, ENISA is the EU's cybersecurity agency. Auditors and national regulators treat the TIG as a sensible reading. If you do something different, you need a reason that holds up.
A bridge between the law and the standards
The TIG sits between two worlds. On one side, the abstract wording of the Directive and the CIR. On the other side, the standards your engineering and audit teams already use. The TIG shortens the path from one to the other. If you have ISO 27001 or NIST CSF in place, it tells you what is already done and what is still missing.
BSI / Bundesamt für Sicherheit in der Informationstechnik
The BSI points at the TIG alongside its own Infopakete (information packs) and the IT-Grundschutz catalogues. You can use IT-Grundschutz as your implementation standard in Germany. The TIG mapping gives you the bridge from Grundschutz building blocks to the Article 21 measures, so you do not have to re-derive that mapping yourself.
ENISA itself
ENISA publishes the TIG, keeps the mapping table current, and updates both as the standards evolve. ENISA does not enforce against companies. That is the job of the national competent authority in your country.
NCSC-NL, ANSSI, NCSC.GR and others
Other national authorities cite the TIG too. NCSC in the Netherlands, ANSSI in France, NCSC.GR in Greece, INCIBE in Spain, CCB in Belgium. The mapping table also includes national frameworks like BE-CyFun, FI-Kybermittari and ES-ENS. That makes cross-border compliance easier if you operate in more than one member state.
The TIG is mandatory.
It is not. What binds you is the NIS 2 Directive and Commission Implementing Regulation (EU) 2024/2690. The TIG is reference guidance. You can comply with the CIR without following the TIG, as long as you can show the binding requirements are met.
The TIG replaces ISO 27001 or NIST CSF.
It does not replace any standard. It maps the Article 21 measures onto them. If you have ISO 27001:2022 in place, you use the mapping to see which existing controls already cover which NIS 2 obligations, and where you still have gaps to close.
ENISA enforces NIS 2.
ENISA does not enforce. Enforcement is the job of the national competent authority that each member state designates under Article 8 of the Directive. ENISA advises, coordinates, writes guidance and runs the vulnerability database. Fines, audits and orders come from the national authority, not from ENISA.
If you already run ISO 27001:2022, take the TIG mapping table, walk through it, and mark which NIS 2 obligations your existing ISMS controls already cover. Document only the gaps. Write the exact TIG version you used into your audit notes, so the file says which version your decisions were based on.
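The walk-through above, turned into a small gap-analysis script. This is an added example, not an ENISA tool and not this platform's code. The mapping rows and the evidence inventory inside it are constructed for illustration: the CIR Annex section numbers and ISO/IEC 27001:2022 clause and Annex A references are real, but the rows are a hand-picked sample, not the ENISA mapping table, and the evidence identifiers (ISMS-POL-001 and so on) are invented. The script pins the exact mapping text it ran against by hashing it, so the audit note records which rows the decisions were based on.

```python
import csv
import hashlib
import io

# Constructed sample in the shape of a TIG-style mapping: CIR 2024/2690 Annex
# section -> ISO/IEC 27001:2022 clause or Annex A control. Illustrative rows
# only; replace with the rows from the ENISA mapping table version you pin.
SAMPLE_MAPPING_CSV = """\
cir_section,cir_title,iso27001_ref
1,Policy on the security of network and information systems,5.2
1,Policy on the security of network and information systems,A.5.1
2,Risk management policy,6.1.2
2,Risk management policy,6.1.3
3,Incident handling,A.5.24
3,Incident handling,A.5.26
3,Incident handling,A.8.15
5,Supply chain security,A.5.19
5,Supply chain security,A.5.21
9,Cryptography,A.8.24
11,Access control,A.5.15
11,Access control,A.8.5
"""

# Constructed ISMS inventory: ISO reference -> evidence record an auditor can
# be pointed at. A reference with no entry here is treated as unevidenced.
SAMPLE_EVIDENCE = {
    "5.2": "ISMS-POL-001 v4 (board-approved 2025-03)",
    "A.5.1": "ISMS-POL-001 v4; topic policies POL-002..POL-014",
    "6.1.2": "RISK-METH-01; risk register export 2025-06",
    "6.1.3": "RISK-METH-01; risk treatment plan RTP-2025",
    "A.5.24": "IR-PLAN-01 v2",
    "A.5.26": "IR-PLAN-01 v2; ticket queue SEC-IR",
    "A.5.19": "SUP-POL-01; supplier register",
    "A.5.15": "AC-POL-01; quarterly access review records",
    "A.8.5": "IdP MFA policy export 2025-07",
}


def load_mapping(csv_text):
    """Parse mapping rows into {section: (title, {iso_refs})}."""
    mapping = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        title, refs = mapping.setdefault(row["cir_section"], (row["cir_title"], set()))
        refs.add(row["iso27001_ref"])
    return mapping


def gap_analysis(mapping, evidence):
    """Classify each CIR Annex section as covered, partial or gap.

    Conservative rule: a section counts as covered only when every mapped
    reference has an evidence record. That rule is a design choice of this
    example, not something the TIG prescribes; the mapping is one-to-many
    and an auditor may accept a subset with a written justification.
    """
    report = {}
    for section, (title, refs) in sorted(mapping.items(), key=lambda kv: int(kv[0])):
        missing = sorted(r for r in refs if r not in evidence)
        if not missing:
            status = "covered"
        elif len(missing) == len(refs):
            status = "gap"
        else:
            status = "partial"
        report[section] = {
            "title": title,
            "status": status,
            "missing": missing,
            "evidence": {r: evidence[r] for r in sorted(refs) if r in evidence},
        }
    return report


def gaps_only(report):
    """Only the sections worth writing up: anything not fully covered."""
    return {s: r for s, r in report.items() if r["status"] != "covered"}


def pin_version(label, mapping_text):
    """Record which mapping table was used: a human label plus a SHA-256 of
    the exact bytes, so the audit file can show which rows were read."""
    digest = hashlib.sha256(mapping_text.encode("utf-8")).hexdigest()
    return {"mapping_version": label, "sha256": digest}


if __name__ == "__main__":
    mapping = load_mapping(SAMPLE_MAPPING_CSV)
    report = gap_analysis(mapping, SAMPLE_EVIDENCE)
    print(pin_version("constructed sample (not a real TIG mapping version)", SAMPLE_MAPPING_CSV))
    for section, r in gaps_only(report).items():
        print(f"CIR Annex {section} ({r['title']}): {r['status']}, missing {r['missing']}")
```

Run it as-is and it reports sections 3 and 5 as partial (logging A.8.15 and the ICT supply chain control A.5.21 have no evidence) and section 9 as a gap, while 1, 2 and 11 drop out of the write-up. In a real run, replace the two constructed inputs with the pinned mapping table export and your ISMS control inventory, and keep the printed version record with the audit notes.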
If you are starting from scratch, the TIG is the first thing to read after the CIR Annex. It tells you which evidence types auditors expect for each obligation. That is more useful than starting from the standards, because it tells you which subset of each standard actually matters for NIS 2.
We loaded the ENISA TIG mapping table into the platform as a reference layer on every requirement. When an auditor asks how a given requirement maps to ISO 27001:2022, NIST CSF 2.0, ETSI EN 319 401 or CEN/TS 18026, the answer is already there. No manual crosswalk.
Our twelve categories simplify the obligations for the managing director. The TIG sits underneath as the auditor-facing reference. The mapping runs in the background. You do not have to read 170 pages of TIG to start working.
- Directive (EU) 2022/2555 (NIS 2), Article 18 — eur-lex.europa.eu/eli/dir/2022/2555/oj
- Commission Implementing Regulation (EU) 2024/2690 — eur-lex.europa.eu/eli/reg_impl/2024/2690/oj
- Regulation (EU) 2019/881 (Cybersecurity Act, ENISA mandate) — eur-lex.europa.eu/eli/reg/2019/881/oj
- ENISA Technical Implementation Guidance — enisa.europa.eu/publications/nis2-technical-implementation-guidance
- ENISA TIG Mapping Table v1.2, CC BY 4.0 (August 2025)