EU NIS2 Directive: What it means for NRENs

Updated: November 2025

The Network and Information Systems Directive (NIS2) strengthens Europe’s collective cybersecurity posture and sets a higher standard for resilience across all essential and important entities.

By now, national implementations are well underway, and NRENs across Europe are working to align with these new requirements.

Why NIS2 matters for NRENs

NIS2 expands its reach beyond traditional critical sectors to include digital infrastructure and research and education.

For NRENs, this means that services such as the following fall within the Directive’s scope:

  • national and regional network operations;
  • DNS and TLD management;
  • cloud and trust services;
  • digital identity federations.

Even when an NREN is not directly designated as an essential entity, it often operates as a critical dependency within the digital supply chain, meaning that comparable standards and obligations apply.

Key requirements and expectations

NIS2 introduces a harmonised framework across the EU for cybersecurity risk management and incident reporting.

All covered entities must be able to:

  • Demonstrate effective risk management practices across systems and suppliers.
  • Establish clear accountability and assign roles for cybersecurity governance.
  • Report significant incidents quickly (typically within 24 hours for initial notification).
  • Undergo regular audits and reviews by competent national authorities.
  • Document security policies, controls, and procedures to prove compliance.

Recommended actions for NRENs

  1. Engage with your national authority or CSIRT to confirm classification and reporting obligations.
  2. Appoint a NIS2 compliance lead or coordinator to oversee readiness and response.
  3. Assess your current security baseline to identify compliance gaps.
  4. Review and update key policies – including risk management, incident handling, and supply chain security.
  5. Integrate NIS2 compliance into governance and procurement to ensure a consistent organisational approach.

Early collaboration with peers through GÉANT’s security communities can help align approaches and reduce duplication of effort.

How GÉANT can support you

GÉANT provides tools, guidance, and community collaboration opportunities to help NRENs prepare effectively.

Assess your organisation’s cybersecurity maturity and identify areas for improvement.

Join the active community of NREN security professionals sharing experiences, templates, and peer advice.

  • Workshops and infoshares

Participate in ongoing GÉANT infoshare sessions and training workshops covering NIS2 implementation updates.

Stay informed and connected

Keep up to date with evolving NIS2 guidance and best practices.

  • ENISA NIS2 resources

Guidance, implementation studies, and templates for essential and important entities.

Legislative texts, FAQs, and updates on national transpositions.

Practical frameworks and tools for incident response maturity.

GÉANT continues to support the community

As member states finalise national implementations, GÉANT will continue to provide:

  • Updated infoshare sessions and workshops.
  • Collaborative projects on security maturity and risk management.
  • Practical guidance from SIG-ISM and TF-CSIRT communities.

Together, the European NREN community is building a stronger, more resilient digital research and education ecosystem.
