[co-author: Aleksander Aleksiev]
Executive Summary
- What is new: On 26 June 2025, the EU Agency for Cybersecurity (ENISA) published guidance documents setting out security measures that regulated organisations should have in place to comply with the EU’s critical infrastructure cybersecurity law (NIS2).
- Why it matters: These expansive security standards will require significant investment for many newly regulated entities, and member states’ varying NIS2 implementations add a further layer of complexity.
- What to do next: As companies assess their 2026 security and compliance budgets, they should determine what expanded security efforts will be required, prioritizing the greatest enforcement risks, and plan implementation and funding for the coming months and years.
__________
The Guidance
The guidance, though not strictly binding, further clarifies ENISA’s expectations of NIS2-regulated entities, building upon both the text of NIS2 and the European Commission’s NIS2 Implementing Regulation 2024/2690 on cyber risk management.[1] (For an overview of NIS2, see our previous client alert “Navigating the New Cybersecurity Landscape: Key Implications of the…