Insights from Talos IR: Navigating NIS2 technical implementation
When the NIS2 Directive arrived in 2023, organizations across Europe began preparing for enhanced cybersecurity requirements. Many focused on obligations such as rapid incident notifications and comprehensive security policies. However, while the directive provided the “what,” it left the “how” largely undefined. Organizations understood that they needed incident response capabilities and swift reporting mechanisms, but the details of implementation remained unclear.
The release of ENISA’s Technical Implementation Guidance in June 2025 revealed the true complexity of compliance with the NIS2 standard. The technical guidance lays out requirements that fundamentally challenge conventional security operations, particularly during incidents. Organizations that once prioritized operational continuity over forensic response and detailed analysis must now balance all three.
Competing objectives in incident response
Under the old approach, organizations had the flexibility to isolate, investigate and report incidents at their own pace. These processes were typically dictated by business needs, with exceptions for when personal data was involved under GDPR.
Now, the clock starts ticking toward a 24-hour deadline from the moment an incident happens (Article 23 of the NIS2 Directive).
The incident response procedures outlined in Section 3.5.2 of the ENISA guidance illustrate this shift perfectly. Security teams must now “recognize and address potential conflicts between forensic activities, incident response activities, and operational continuity.” The guidance explicitly acknowledges that teams face competing objectives:
- Preserve evidence for legal purposes
- Mitigate current threats to minimize business disruption
- Minimize IT service downtime to maintain operational continuity
Traditional incident response playbooks assume you can prioritize one or two of these objectives. NIS2 demands all three simultaneously.
Let’s consider an example. A ransomware attack hits payment processing systems at midnight. According to Section 3.2.3, teams must maintain comprehensive logs including “all privileged access to systems and applications and activities performed by administrative accounts,” while Section 3.5.4 requires logging all incident response activities and recording evidence. At the same time, business operations require system restoration in time to process morning transactions so that the bottom line is not impacted.
Throughout this process, someone must compile an initial report meeting the notification requirements within 24 hours as mandated by Article 23(3) of the NIS2 Directive. This is followed by a more detailed report with impact assessment details within 72 hours. Not to mention, organizations operating across borders may need country-specific procedures to support notification timelines.
The guidance acknowledges the inherent conflict in these objectives and requires organizations to “establish a clear decision-making process that prioritizes based on the accepted risk tolerance levels, business impact and legal obligations.”
Logging requirements
Another key challenge lies in the depth of logging required. Section 3.2.3 specifies that logs shall include, where appropriate: “(a) relevant outbound and inbound network traffic; (b) creation, modification or deletion of users of the relevant entities’ network and information systems and extension of the permissions; (c) access to systems and applications; (d) authentication-related events; (e) all privileged access to systems and applications and activities performed by administrative accounts” as well as seven additional categories, 12 in total. All this assumes visibility into shadow IT and appropriate configuration of user activity tracking so that a proper audit trail can be constructed, reviewed and stored for analysis.
Furthermore, the guidance notes in Section 3.2.6 that monitoring and logging systems must be redundant, and that “the availability of the monitoring and logging systems shall be monitored independent of the systems they are monitoring.” Although this is music to an incident responder’s ears, setting up the complex systems needed to correlate, analyze, store and retrieve detailed audits is a significant challenge.
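The independent availability check that Section 3.2.6 calls for is simple to state but easy to get wrong: a log source that silently stops sending looks exactly like a quiet system unless something outside that system is watching for the gap. The following Python is an added example, not code from the original post or from Talos; it assumes a constructed pipe-delimited feed of collector records (source name, timestamp written by the source, timestamp stamped by the collector on arrival) and an inventory of sources that are expected to report. It flags sources that have gone silent, judged by the collector's own clock rather than the source's, and sources whose clocks have drifted beyond a tolerance, which is the synchronized-time-source side of the same section.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed inventory and thresholds for the example; real values come from
# the organization's asset register and its own availability targets.
EXPECTED_SOURCES = {"fw-edge-01", "dc-01", "pay-app-01", "siem-collector"}
MAX_SILENCE = timedelta(minutes=10)   # a source quiet longer than this is reported
MAX_SKEW = timedelta(seconds=30)      # tolerated difference between source and collector clocks

# Constructed sample feed: source|event_time (source clock)|received_time (collector clock)
SAMPLE_FEED = """\
fw-edge-01|2025-06-10T00:00:05Z|2025-06-10T00:00:05Z
dc-01|2025-06-10T00:02:00Z|2025-06-10T00:02:01Z
pay-app-01|2025-06-10T00:03:00Z|2025-06-10T00:06:30Z
dc-01|2025-06-10T00:04:00Z|2025-06-10T00:04:00Z
fw-edge-01|2025-06-10T00:15:00Z|2025-06-10T00:15:00Z
"""


@dataclass(frozen=True)
class LogEvent:
    source: str
    event_time: datetime     # as written by the emitting system
    received_time: datetime  # as stamped by the collector on arrival


def _parse_ts(text: str) -> datetime:
    """Parse an ISO-8601 timestamp; a trailing Z is normalised to an explicit UTC offset."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def parse_feed(text: str) -> list[LogEvent]:
    """Turn the pipe-delimited feed into LogEvent records, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        source, event_ts, received_ts = line.split("|")
        events.append(LogEvent(source, _parse_ts(event_ts), _parse_ts(received_ts)))
    return events


def silent_sources(events, now, expected=EXPECTED_SOURCES, max_silence=MAX_SILENCE):
    """Return (source, seconds_since_last_record) for every expected source that has
    not been heard from within max_silence. The gap is measured on received_time, the
    collector's clock, so a source with a broken or manipulated clock cannot hide the gap.
    Sources that never reported at all are returned with None as the gap."""
    last_seen: dict[str, datetime] = {}
    for ev in events:
        if ev.source not in last_seen or ev.received_time > last_seen[ev.source]:
            last_seen[ev.source] = ev.received_time
    result = []
    for source in sorted(expected):
        if source not in last_seen:
            result.append((source, None))
            continue
        gap = now - last_seen[source]
        if gap > max_silence:
            result.append((source, gap.total_seconds()))
    return result


def clock_skew(events, max_skew=MAX_SKEW):
    """Return (source, skew_seconds) for records whose source clock disagrees with the
    collector clock by more than max_skew. Large skew breaks cross-system correlation
    and is the symptom of an unsynchronised time source."""
    flagged = []
    for ev in events:
        skew = abs((ev.received_time - ev.event_time).total_seconds())
        if skew > max_skew.total_seconds():
            flagged.append((ev.source, skew))
    return flagged


if __name__ == "__main__":
    evs = parse_feed(SAMPLE_FEED)
    now = datetime(2025, 6, 10, 0, 20, tzinfo=timezone.utc)
    for source, gap in silent_sources(evs, now):
        print(f"SILENT  {source}: {'never reported' if gap is None else f'{gap:.0f}s since last record'}")
    for source, skew in clock_skew(evs):
        print(f"SKEW    {source}: {skew:.0f}s between source and collector clocks")
```

Running the check from a host that is not itself one of the monitored systems (and not dependent on them for time or storage) is what makes it independent in the sense of Section 3.2.6; feeding it the monitoring platform's own heartbeat as just another expected source covers the logging system itself.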
Forensic activities vs. business recovery
Traditional incident response strategies often prioritize rapid recovery to ensure that business operations can return to normal while simultaneously analyzing evidence. Incident response teams often want to acquire all evidence upfront so that business recovery can begin alongside the forensic investigation. The business can also decide what to recover and even go as far as deciding to rebuild the environment from scratch, which accelerates recovery and eradication.
Section 3.5.2 explicitly calls for creation of a playbook to ensure that evidence handling, incident response and threat eradication take place during appropriate stages of the business cycle. The playbook must manage tradeoffs so that there is no impact on preservation of evidence for compliance and legal purposes.
In addition, Section 3.5.4 mandates that entities “log incident response activities” and “record evidence.” The guidance suggests this should include “time of detection, containment and eradication,” “indicators of compromise,” “root cause” and “actions taken during each phase.” To meet this requirement, organizations must develop procedures that capture this critical information while managing active incidents. Typically, incident response teams already do this when creating a detailed timeline of all activities. Close collaboration between business stakeholders and IR teams is a must for NIS2 compliance.
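Section 3.5.4's record of response activities and the 24-hour and 72-hour clocks from Article 23 described earlier both hang off the same timeline. The Python below is an added example, not code from the original post or from Talos, of how an IR team might keep that timeline so it is useful both for the notification reports and for later legal scrutiny: each entry carries the phase, the action, the actor, any indicators, and a SHA-256 link to the previous entry, so that editing or dropping an entry after the fact is detectable. The phase names, actors, indicators (which use the reserved `.invalid` domain) and timestamps are all constructed for the example.

```python
from __future__ import annotations

import hashlib
import json
from datetime import datetime, timedelta, timezone

# Deadlines as the post describes Article 23: an initial report within 24 hours of the
# incident and a more detailed report within 72 hours.
INITIAL_REPORT = timedelta(hours=24)
DETAILED_REPORT = timedelta(hours=72)
GENESIS = "0" * 64


def _entry_hash(body: dict) -> str:
    """Canonical JSON (sorted keys) of the entry body, hashed with SHA-256."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def record_action(chain: list[dict], at: datetime, phase: str, action: str,
                  actor: str, iocs=()) -> dict:
    """Append a timestamped activity entry linked to the previous one."""
    body = {
        "at": at.isoformat(),
        "phase": phase,           # detection, containment, eradication, recovery ...
        "action": action,         # what was done, in the responder's words
        "actor": actor,           # who did it (person or automation)
        "iocs": sorted(iocs),     # indicators observed or acted on in this step
        "prev": chain[-1]["hash"] if chain else GENESIS,
    }
    entry = dict(body, hash=_entry_hash(body))
    chain.append(entry)
    return entry


def verify_chain(chain: list[dict]) -> bool:
    """True if every entry hashes correctly and links to its predecessor."""
    prev = GENESIS
    for entry in chain:
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["prev"] != prev or _entry_hash(body) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


def phase_times(chain: list[dict]) -> dict[str, str]:
    """Time of the first entry in each phase: the 'time of detection, containment and
    eradication' the guidance asks for, derived from the record rather than retyped."""
    times: dict[str, str] = {}
    for entry in chain:
        times.setdefault(entry["phase"], entry["at"])
    return times


def all_iocs(chain: list[dict]) -> list[str]:
    return sorted({ioc for entry in chain for ioc in entry["iocs"]})


def notification_deadlines(detected_at: datetime) -> dict[str, datetime]:
    return {"initial": detected_at + INITIAL_REPORT, "detailed": detected_at + DETAILED_REPORT}


def build_sample_incident() -> list[dict]:
    """Constructed timeline for the ransomware-at-midnight scenario in the post."""
    t0 = datetime(2025, 6, 10, 0, 5, tzinfo=timezone.utc)
    chain: list[dict] = []
    record_action(chain, t0, "detection", "EDR alert: mass file rename on pay-app-01",
                  "soc-analyst-1", iocs=["sample-ransom-note.txt"])
    record_action(chain, t0 + timedelta(minutes=35), "containment",
                  "Isolated pay-app-01 and blocked outbound DNS to example-c2.invalid",
                  "ir-lead", iocs=["example-c2.invalid"])
    record_action(chain, t0 + timedelta(hours=3, minutes=5), "eradication",
                  "Disabled compromised admin account and removed scheduled task", "ir-lead")
    record_action(chain, t0 + timedelta(hours=5, minutes=55), "recovery",
                  "Restored pay-app-01 from last clean backup; evidence image retained",
                  "platform-team")
    return chain


if __name__ == "__main__":
    chain = build_sample_incident()
    print("chain intact:", verify_chain(chain))
    print("phase times:", phase_times(chain))
    print("indicators:", all_iocs(chain))
    detected = datetime.fromisoformat(phase_times(chain)["detection"])
    for name, due in notification_deadlines(detected).items():
        print(f"{name} report due {due.isoformat()}")
```

The chain only proves that the record has not been altered since it was written, so the `prev` and `hash` fields are worth exporting to a store the responders cannot edit (a write-once bucket or a ticket system with its own audit log); without that, anyone who can rewrite the file can simply rebuild the chain.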
Looking beyond compliance
While the guidance focuses on meeting technical requirements, organizations that implement these capabilities also gain broader operational benefits. For example, comprehensive logging not only satisfies compliance, but also supports threat hunting and delivers valuable operational insights. With these capabilities, IR teams can review the environment for malicious activities. Enhanced monitoring, especially when automated, can identify security incidents quicker and reduce adversary dwell time.
Structured incident response procedures improve overall operational resilience by ensuring every team member knows what to do and when to act. Talos IR services directly align with these key ENISA Technical Implementation Guidance requirements, helping organizations bridge the gap between current capabilities and NIS2 compliance.
Log Architecture Assessment (Section 3.2 Requirements)
Section 3.2.3 mandates logging across 12 categories of events “where appropriate,” while Section 3.2.6 requires redundant logging systems with synchronized time sources. Talos IR’s Log Architecture Assessment evaluates current logging capabilities against best practices, identifying deficiencies and providing a roadmap to strengthen an organization’s logging posture.
Incident Response Playbooks (Section 3.5.2 Requirements)
Perhaps the most challenging aspect of NIS2 is the explicit requirement for “incident response playbooks that incorporate decision making and escalation paths for managing trade-offs between evidence preservation, threat containment and operational continuity.” Talos IR develops customized playbooks that address these competing priorities, giving your team a clear process tailored for each incident type.
Incident Response Plans (Section 3.1 and 3.5 Requirements)
Section 3.1.1 requires establishing comprehensive “procedures for detecting, analyzing, containing or responding to, recovering from, documenting and reporting of incidents.” Talos IR helps organizations develop IR plans that reflect their internal processes and operational needs.
Threat Hunting and Compromise Assessments (Section 3.4 Requirements)
Section 3.4.1 requires organizations to assess “suspicious events to determine whether they constitute incidents.” Talos IR provides proactive Threat Hunting and Compromise Assessment services to identify suspicious events before they escalate into major incidents. We look to answer critical questions such as “Am I currently compromised?” or “Is there any evidence of historical compromise?”
Incident Support (Section 3.6 Requirements)
Talos IR provides 24/7 incident support to help organizations respond swiftly and effectively during emergencies. Our team engages quickly to understand the situation, address immediate concerns and analyze threats. In addition to deep forensic expertise, Talos IR provides comprehensive root cause analysis and actionable recommendations that transform each incident into an opportunity to strengthen the organization’s security posture.