ENISA publishes practical guidance on mapping NIS2 obligations to cybersecurity role profiles

In June 2025, the European Union Agency for Cybersecurity (ENISA) published a new report titled Cybersecurity roles and skills for NIS2 essential and important entities – Mapping NIS2 Obligations with ECSF Role Profiles, which represents a key step in translating legal cybersecurity requirements into actionable workforce strategies across the EU. It aims to support both essential and important entities, as defined under the NIS2 Directive, in operationalising compliance by aligning regulatory obligations with specific cybersecurity roles and skills.

While the NIS2 Directive introduces stricter and more comprehensive requirements, many organisations struggle to interpret what these legal texts mean in practical terms. ENISA’s report bridges this gap by mapping obligations under NIS2 to the role definitions provided in the European Cybersecurity Skills Framework (ECSF).

At its core, the guidance focuses on two key articles of the NIS2 Directive: Article 21 on cybersecurity risk-management measures and Article 23 on incident reporting. Article 21 requires a broad set of technical, operational, and organisational measures, such as risk analysis, business continuity, supply chain security, and staff training. Article 23 mandates structured incident notification (including an early warning within 24 hours, a detailed report within 72 hours, and a final report within a month) coordinated with relevant national authorities or Computer Security Incident Response Teams (CSIRTs).

By linking these legal obligations to ECSF role profiles, ENISA provides a structured methodology for identifying the cybersecurity functions needed to achieve compliance. The ECSF defines twelve professional roles, including Chief Information Security Officer (CISO), Cyber Incident Responder, and Cyber Legal, Policy and Compliance Officer. Each role comes with detailed tasks, competences, and deliverables.

This new guidance builds on ENISA’s earlier work on the ECSF, launched in 2022, which outlined a structured approach to cybersecurity roles across the EU. It is also part of ENISA’s broader efforts to support NIS2 implementation, particularly through its NIS360 initiative, which provides a general overview of how Member States and organisations can operationalise the directive. The current mapping report extends that work by turning role definitions into a dynamic tool aligned with NIS2 implementation.

CyberHubs has actively promoted the ECSF as a foundational tool across all phases of project implementation. In its resource The common language for cybersecurity professional workforce development, the project underlines how the ECSF enables clarity in defining professional roles and supports targeted capacity building efforts. Additionally, the article A key enabler for CyberHubs across all work stages highlights how the framework has served as a strategic reference in CyberHubs’ design of skills development interventions, from skills forecasting and national strategy building to capacity planning and academy delivery.

The alignment between the ECSF and NIS2 also reinforces key findings from the CyberHubs project. Its Cybersecurity Skills Needs Analysis Summary Report identified the lack of clear role definitions linked to regulatory obligations as a key gap in the EU cybersecurity landscape, especially within national legal frameworks. ENISA’s new report directly addresses this need by offering a practical framework organisations can use to ensure they are properly staffed and skilled to meet NIS2 requirements.

Both ENISA and CyberHubs advocate a strategic approach to workforce development. Rather than treating skills as a general compliance concern, they promote targeted capacity building, the use of defined role profiles, and sustained investment in training. With the ECSF now mapped to NIS2 obligations, it serves as a valuable reference point for national strategies, sectoral implementation plans, and public-private cooperation.

ENISA’s guidance provides a fundamental operational bridge between EU cybersecurity law and organisational practice. It not only helps regulated entities meet their legal duties but also supports Member States in building coherent, skills-based cybersecurity strategies. The overall aim is to build long-term cybersecurity resilience across the EU.