Regulation

Network and Information Security Directive (NIS2)

(c) Sergio Garcia / Unsplash

AFAICS, NIS2 does not apply to crypto-asset service providers (beware that DORA does, and DORA is similar to NIS2 content-wise), but you can expect regulators under MiCA to require cybersecurity measures similar to those required under NIS2. Inspired by international cybersecurity frameworks such as the ISO 27000 series, the required security measures are a de facto minimum nowadays and should be common-sense practice by now.

Besides the Digital Operational Resilience Act (DORA), which is aimed exclusively at the European financial sector, the NIS2 directive is probably the most encompassing security regulation in Europe. NIS2 is a revision of the 2016 NIS directive and the most significant change is that it expands its scope to more sectors.

In order to help organizations comply with NIS2, the European Union Agency for Cybersecurity (ENISA) compiled a list of minimum requirements, i.e. the Minimum Security Measures for Operators of Essential Services. You can filter on sector (e.g. financial sector, digital infrastructure, ...) as well as on country. The latter lists additional "national controls" stemming from country-specific, local legislation (currently only Cyprus, France, Germany and Sweden have listed such national controls).

ENISA luckily did not reinvent the wheel: its minimum security measures are based on existing international standards, such as

  • ISO 27001
  • NIST Cybersecurity Framework (please note NIST recently released an updated version: NIST CSF 2.0)
  • ISA/IEC 62443

For the financial sector specifically, and a bit arbitrarily because some of these come from US regulation(?!), ENISA additionally mapped security measures from the following regulations and/or standards:

  • Sarbanes-Oxley Act (SOX)
  • ISO Standard 13569 - Financial services -- Information security guidelines
  • GLBA (Gramm-Leach-Bliley Act)
  • Payment Card Industry Data Security Standard (PCI-DSS)
  • (Revised) Payment Services Directive (PSD2)

In Belgium, the NIS2 competent authority, the Centre for Cybersecurity Belgium (CCB), compiled this guidance into the CyberFundamentals Framework (CyFun.be) (that bad pun was most certainly intended...)

Overview

I. Defence

  • Computer Security Incident Management
    • Communication with competent authorities and CSIRTs
    • Incident Reporting
    • Information system security incident response
  • Detection
    • Detection
    • Logging
    • Logs correlation and analysis

II. Governance and Ecosystem

  • Ecosystem Management
    • Ecosystem mapping
    • Ecosystem relations
  • Information System Security Governance & Risk Management
    • Human resource security
    • Information system security accreditation
    • Information system security audit
    • Information system security indicators
    • Information system security policy
    • Information system security risk analysis

III. Protection

  • Identity and access management
    • Access rights
    • Authentication and identification
  • IT Security Administration
    • Administration accounts
    • Administration information systems
  • IT Security Architecture
    • Cryptography
    • System segregation
    • Systems configuration
    • Traffic filtering
  • IT Security Maintenance
    • Industrial control systems
    • IT security maintenance procedure
  • Physical and environmental security
    • Physical and environmental security

IV. Resilience

  • Continuity of operations
    • Business continuity management
    • Disaster recovery management
  • Crisis management
    • Crisis management organisation
    • Crisis management process

Additional reading

