ETSI TR 104 168 V1.1.1 (2025-09)
TECHNICAL REPORT
Cyber Security (CYBER);
Critical Security Controls for
Network and Information Security Directive 2 (NIS2)
Reference
DTR/CYBER-00164
Keywords
cyber security
ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE
Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16
Siret N° 348 623 562 00017 - APE 7112B
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° w061004871
Important notice
The present document can be downloaded from the
ETSI Search & Browse Standards application.
The present document may be made available in electronic versions and/or in print. The content of any electronic and/or
print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any
existing or perceived difference in contents between such versions and/or in print, the prevailing version of an ETSI
deliverable is the one made publicly available in PDF format on ETSI deliver repository.
Users should be aware that the present document may be revised or have its status changed,
this information is available in the Milestones listing.
If you find errors in the present document, please send your comments to
the relevant service listed under Committee Support Staff.
If you find a security vulnerability in the present document, please report it through our
Coordinated Vulnerability Disclosure (CVD) program.
Notice of disclaimer & limitation of liability
The information provided in the present deliverable is directed solely to professionals who have the appropriate degree of
experience to understand and interpret its content in accordance with generally accepted engineering or
other professional standard and applicable regulations.
No recommendation as to products and services or vendors is made or should be implied.
No representation or warranty is made that this deliverable is technically accurate or sufficient or conforms to any law
and/or governmental rule and/or regulation and further, no representation or warranty is made of merchantability or fitness
for any particular purpose or against infringement of intellectual property rights.
In no event shall ETSI be held liable for loss of profits or any other incidental or consequential damages.
Any software contained in this deliverable is provided "AS IS" with no warranties, express or implied, including but not
limited to, the warranties of merchantability, fitness for a particular purpose and non-infringement of intellectual property
rights and ETSI shall not be held liable in any event for any damages whatsoever (including, without limitation, damages
for loss of profits, business interruption, loss of information, or any other pecuniary loss) arising out of or related to the use
of or inability to use the software.
Copyright Notification
No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and
microfilm except as authorized by written permission of ETSI.
The content of the PDF version shall not be modified without the written authorization of ETSI.
The copyright and the foregoing restriction extend to reproduction in all media.
© ETSI 2025.
All rights reserved.
Contents
Intellectual Property Rights . 4
Foreword . 4
Modal verbs terminology . 4
Executive summary . 4
Introduction . 4
1 Scope . 5
2 References . 5
2.1 Normative references . 5
2.2 Informative references . 5
3 Definition of terms, symbols and abbreviations . 6
3.1 Terms . 6
3.2 Symbols . 6
3.3 Abbreviations . 6
4 Applying the Critical Security Controls for effective implementation of the NIS2 Directive . 6
4.1 Methodology and Use . 6
4.2 Applicability Overview . 9
4.3 Applying the Critical Security Controls and Safeguards . 10
Annex A: Unmapped NIS2 Provisions . 55
Annex B: Unmapped Critical Security Control Safeguards . 57
History . 59
Intellectual Property Rights
Essential patents
IPRs essential or potentially essential to normative deliverables may have been declared to ETSI. The declarations
pertaining to these essential IPRs, if any, are publicly available for ETSI members and non-members, and can be
found in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to
ETSI in respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the
ETSI IPR online database.
Pursuant to the ETSI Directives including the ETSI IPR Policy, no investigation regarding the essentiality of IPRs,
including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not
referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become,
essential to the present document.
Trademarks
The present document may include trademarks and/or tradenames which are asserted and/or registered by their owners.
ETSI claims no ownership of these except for any which are indicated as being the property of ETSI, and conveys no
right to use or reproduce any trademark and/or tradename. Mention of those trademarks in the present document does
not constitute an endorsement by ETSI of products, services or organizations associated with those trademarks.
DECT™, PLUGTESTS™, UMTS™ and the ETSI logo are trademarks of ETSI registered for the benefit of its
Members. 3GPP™, LTE™ and 5G™ logo are trademarks of ETSI registered for the benefit of its Members and of the
3GPP Organizational Partners. oneM2M™ logo is a trademark of ETSI registered for the benefit of its Members and of
the oneM2M Partners. GSM® and the GSM logo are trademarks registered and owned by the GSM Association.
Foreword
This Technical Report (TR) has been produced by ETSI Technical Committee Cyber Security (CYBER).
Modal verbs terminology
In the present document "should", "should not", "may", "need not", "will", "will not", "can" and "cannot" are to be
interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions).
"must" and "must not" are NOT allowed in ETSI deliverables except when used in direct citation.
Executive summary
The present document provides a mapping of the Critical Security Controls [i.10] to support NIS2 Directive provisions.
Introduction
The present document is one of several ETSI publications [i.8], [i.11], [i.12], [i.13] and [i.14] directed at supporting the
EU NIS2 Directive and related legislative instruments [i.1], [i.2], [i.3], [i.4], [i.5], [i.6] and [i.7].
1 Scope
The present document provides a mapping between the Critical Security Controls and NIS2 provisions.
2 References
2.1 Normative references
Normative references are not applicable in the present document.
2.2 Informative references
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the
referenced document (including any amendments) applies.
NOTE: While any hyperlinks included in this clause were valid at the time of publication ETSI cannot guarantee
their long-term validity.
The following referenced documents may be useful in implementing an ETSI deliverable or add to the reader's
understanding, but are not required for conformance to the present document.
[i.1] Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on
measures for a high common level of cybersecurity across the Union, amending Regulation (EU)
No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2
Directive).
[i.2] Regulation (EU) No. 910/2014 of the European Parliament and of the Council of 23 July 2014 on
electronic identification and trust services for electronic transactions in the internal market and
repealing Directive 1999/93/EC.
[i.3] Directive (EU) 2016/1148 of The European Parliament and of The Council of 6 July 2016
concerning measures for a high common level of security of network and information systems
across the Union.
[i.4] Resolution (EC) 13084/1/20: "Council Resolution on Encryption - Security through encryption
and security despite encryption".
[i.5] Recommendation 2003/361/EC: "Commission Recommendation of 6 May 2003 concerning the
definition of micro, small and medium-sized enterprises".
[i.6] 2020/0365 (COD), COM(2020) 829 Final: "Proposal for a directive of the European Parliament
and of the Council on the resilience of critical entities".
[i.7] Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018
establishing the European Electronic Communications Code.
[i.8] ETSI TR 103 456: "CYBER; Implementation of the Network and Information Security (NIS)
Directive".
[i.9] Center for Internet Security: "CIS Controls v8.1, Mapping to NIS2 Directive 2022/2555".
[i.10] ETSI TS 103 305-1: "Cyber Security (CYBER); Critical Security Controls for Effective Cyber
Defence; Part 1: The Critical Security Controls".
[i.11] ETSI TR 103 305-4: "Cyber Security (CYBER); Critical Security Controls for Effective Cyber
Defence; Part 4: Facilitation Mechanisms".
[i.12] ETSI TR 103 305-5: "Cyber Security (CYBER); Critical Security Controls for Effective Cyber
Defence; Part 5: Privacy and personal data protection enhancement".
[i.13] ETSI TR 103 866: "Cyber Security (CYBER); Implementation of the Revised Network and
Information Security (NIS2) Directive applying Critical Security Controls".
[i.14] ETSI TS 103 992: "Cyber Security (CYBER); Implementation of the Revised Network and
Information Security (NIS2) Directive applying Critical Security Controls".
3 Definition of terms, symbols and abbreviations
3.1 Terms
Void.
3.2 Symbols
Void.
3.3 Abbreviations
For the purposes of the present document, the following abbreviations apply:
COTS Commercial Off The Shelf
CSC Critical Security Controls
CSF Computer Security Framework
DHCP Dynamic Host Configuration Protocol
ERM Enterprise Risk Management
IG1 Implementation Group 1
IG2 Implementation Group 2
IG3 Implementation Group 3
NIS2 Network and Information Security Directive 2
SSO Single Sign-On
4 Applying the Critical Security Controls for effective
implementation of the NIS2 Directive
4.1 Methodology and Use
Methodology
The methodology used to create the mapping can be useful to anyone attempting to understand the relationships
between the Critical Security Controls and NIS2. The overall goal for Control mappings is to be as specific as possible,
leaning towards under-mapping versus over-mapping. The general strategy used is to identify all of the aspects within a
control and attempt to discern if both items state the same thing. For instance:
Control 6.1 - Establish an Access Granting Process
Establish and follow a process, preferably automated, for granting access to enterprise assets upon new hire,
rights grant, or role change of a user. For a defensive mitigation to map to this CSC Safeguard, it is required by
NIS2 to have at least one of the following:
- A clearly documented process, covering both new employees and changes in access.
- All relevant enterprise access control is required by NIS2 to be covered under this process; there can be
no separation where different teams control access to different assets.
- Automated tools are ideally used, such as an SSO provider or routing access control through a directory
service.
- The same process is followed every time a user's rights change, so a user never amasses greater rights
access without documentation.
If the two concepts are effectively equal, they are mapped with the relationship "equivalent". If they are not equal but
still related, the exact type of relationship between two defensive mitigations can be further explored. The relationships
can be further analysed to understand how similar or different the two defensive mitigations are. The relationship
column will contain one of four possible values:
• Equivalent: The defensive mitigation contains the exact same security concept as the Control.
• Superset: The Control is partially or mostly related to the defensive mitigation in question, but the Control is
broader in concept.
• Subset: The Safeguard is partially or mostly related yet is still subsumed within the defensive mitigation. The
defensive mitigation in question is broader in concept than the Control.
• No relationship: This will be represented by a blank cell.
The relationships should be read from left to right, like a sentence. Control Safeguard X is Equivalent to this < >.
EXAMPLES: Safeguard 16.8 "Separate Production and Non-Production Systems" is EQUIVALENT to NIST CSF PR.DS-7
"The development and testing environment(s) are separate from the production environment".
Safeguard 3.5 "Securely Dispose of Data" is a SUBSET of NIST CSF PR.DS-3 "Assets are formally managed
throughout removal, transfers, and disposition".
The Critical Security Controls are written with certain principles in mind, such as only having one ask per Safeguard.
This means many of the mapping targets are written in a way that contain multiple Safeguards within the same
defensive mitigation, so the relationship can often be "Subset".
Mappings are available from a variety of sources online, and different individuals may make their own decisions on the
type of relationship. Critical Security Controls mappings are intended to be as objective as possible, and improvements
are encouraged.
Use
The clauses in the Critical Security Controls concerning delineation of Asset Types, Security Functions, and
Implementation Groups apply to the mappings below. For reference, these delineations are repeated in part here.
Asset Types are shown in Figure 4.1-1.
Figure 4.1-1: Asset Types
Security Functions include:
• GOVERN - The organization's cybersecurity risk management strategy, expectations, and policy are
established, communicated, and monitored. The GOVERN Function provides outcomes to inform what an
organization may do to achieve and prioritize the outcomes of the other five Functions in the context of its
mission and stakeholder expectations. Governance activities are critical for incorporating cybersecurity into an
organization's broader Enterprise Risk Management (ERM) strategy. GOVERN addresses an understanding of
organizational context; the establishment of cybersecurity strategy and cybersecurity supply chain risk
management; roles, responsibilities, and authorities; policy; and the oversight of cybersecurity strategy.
• IDENTIFY - The organization's current cybersecurity risks are understood. Understanding the organization's
assets (e.g. data, hardware, software, systems, facilities, services, people), suppliers, and related cybersecurity
risks enables an organization to prioritize its efforts consistent with its risk management strategy and the
mission needs identified under GOVERN. This Function also includes the identification of improvement
opportunities for the organization's policies, plans, processes, procedures, and practices that support
cybersecurity risk management to inform efforts under all six Functions.
• PROTECT - Safeguards to manage the organization's cybersecurity risks are used. Once assets and risks are
identified and prioritized, PROTECT supports the ability to secure those assets to prevent or lower the
likelihood and impact of adverse cybersecurity events, as well as to increase the likelihood and impact of
taking advantage of opportunities. Outcomes covered by this Function include identity management,
authentication, and access control; awareness and training; data security; platform security (i.e. securing the
hardware, software, and services of physical and virtual platforms); and the resilience of technology
infrastructure.
• DETECT - Possible cybersecurity attacks and compromises are found and analysed. DETECT enables the
timely discovery and analysis of anomalies, indicators of compromise, and other potentially adverse events
that may indicate that cybersecurity attacks and incidents are occurring. This Function supports successful
incident response and recovery activities.
• RESPOND - Actions regarding a detected cybersecurity incident are taken. RESPOND supports the ability to
contain the effects of cybersecurity incidents. Outcomes within this Function cover incident management,
analysis, mitigation, reporting, and communication.
• RECOVER - Assets and operations affected by a cybersecurity incident are restored. RECOVER supports the
timely restoration of normal operations to reduce the effects of cybersecurity incidents and enable appropriate
communication during recovery efforts.
Implementation Groups include:
• IG1. An IG1 enterprise is small to medium-sized with limited IT and cybersecurity expertise to dedicate
toward protecting IT assets and personnel. The principal concern of these enterprises is to keep the business
operational, as they have a limited tolerance for downtime. The sensitivity of the data that they are trying to
protect is low and principally surrounds employee and financial information.
• Safeguards selected for IG1 should be implementable with limited cybersecurity expertise and aimed to thwart
general, non-targeted attacks. These Safeguards will also typically be designed to work in conjunction with
small or home office Commercial Off-The-Shelf (COTS) hardware and software.
• IG2 (Includes IG1). An IG2 enterprise employs individuals responsible for managing and protecting IT
infrastructure. These enterprises support multiple departments with differing risk profiles based on job
function and mission. Small enterprise units can have regulatory compliance burdens. IG2 enterprises often
store and process sensitive client or enterprise information and can withstand short interruptions of service. A
major concern is loss of public confidence if a breach occurs.
• Safeguards selected for IG2 help security teams cope with increased operational complexity. Some Safeguards
will depend on enterprise-grade technology and specialized expertise to properly install and configure.
• IG3 (Includes IG1 and IG2). An IG3 enterprise employs security experts that specialize in the different
facets of cybersecurity (e.g. risk management, penetration testing, application security). IG3 assets and data
contain sensitive information or functions that are subject to regulatory and compliance oversight. An IG3
enterprise should address availability of services and the confidentiality and integrity of sensitive data.
Successful attacks can cause significant harm to the public welfare.
• Safeguards selected for IG3 should abate targeted attacks from a sophisticated adversary and reduce the impact
of zero-day attacks.
4.2 Applicability Overview
Table 4.2-1: Applicability of the Critical Security Controls to the NIS2 Directive
Control Safeguard Title Applicability
1 Inventory and Control of Enterprise Assets 1 of 5
2 Inventory and Control of Software Assets 1 of 7
3 Data Protection 9 of 14
4 Secure Configuration of Enterprise Assets and Software 4 of 12
5 Account Management 4 of 6
6 Access Control Management 8 of 8
7 Continuous Vulnerability Management 7 of 9
8 Audit Log Management 10 of 12
9 Email and Web Browser Protections 2 of 7
10 Malware Defences 3 of 7
11 Data Recovery 4 of 5
12 Network Infrastructure Management 5 of 8
13 Network Monitoring and Defence 2 of 11
14 Security Awareness and Skills Training 3 of 9
15 Service Provider Management 6 of 7
16 Application Software Security 2 of 14
17 Incident Response Management 8 of 9
18 Penetration Testing 1 of 5
4.3 Applying the Critical Security Controls and Safeguards
Table 4.3-1 below provides a mapping by the Critical Security Controls community to the NIS2 provisions to support the indicated requirements [i.9].
Table 4.3-1
NIS 2 Requirement Description
Inventory and Control of
Enterprise Assets
The relevant entities shall develop and maintain a
Establish and Maintain
Asset complete, accurate, up-to-date and consistent
Identify
1.1 Devices Detailed Enterprise Asset x x x Superset 12.4 12.4.1
inventory inventory of their assets. They shall record changes to
Inventory
the entries in the inventory in a traceable manner.
The granularity of the inventory of the assets shall be at
a level appropriate for the needs of the relevant
entities. The inventory shall include the following:
Establish and Maintain
Asset (a) the list of operations and services and their
1.1 Devices Identify Detailed Enterprise Asset x x x Superset 12.4 12.4.2
inventory description,
Inventory
(b) the list of network and information systems and
other associated assets supporting the entities'
operations and services.
Establish and Maintain The relevant entities shall regularly review and update
Asset
Identify
1.1 Devices Detailed Enterprise Asset x x x Superset 12.4 12.4.3 the inventory and their assets and document the history
inventory
Inventory of changes.
Address Unauthorized
1.2 Devices Respond x x x
Assets
Utilize an Active Discovery
1.3 Devices Detect x x
Tool
Use Dynamic Host
Configuration Protocol
1.4 Devices Identify (DHCP) Logging to x x
Update Enterprise Asset
Inventory
Use a Passive Asset
Detect
1.5 Devices x
Discovery Tool
Inventory and Control of
Software Assets
Establish and Maintain a
2.1 Software Identify x x x
Software Inventory
ETSI
Control
Safeguard
Control Asset
Type
Safeguard
Security
Function
Control /
Safeguard
Title
IG1
IG2
IG3
NIS2
Relationship
NIS 2 Provision
NIS 2
Requirement
Category
NIS2
Requirement #
11 ETSI TR 104 168 V1.1.1 (2025-09)
NIS 2 Requirement Description
By way of derogation from point 1(a), the relevant
entities may choose not to apply security patches when
Ensure Authorized
Security patch the disadvantages of applying the security patches
2.2 Software Identify Software is Currently x x x Subset 6.6 6.6.2
management outweigh the cybersecurity benefits. The relevant
Supported
entities shall duly document and substantiate the
reasons for any such decision.
Address Unauthorized
2.3 Software Respond x x x
Software
Utilize Automated
Detect
2.4 Software x x
Software Inventory Tools
Allowlist Authorized
Protect
2.5 Software x x
Software
Allowlist Authorized
2.6 Software Protect x x
Libraries
Allowlist Authorized
2.7 Software Protect x
Scripts
3 Data Protection
For the purpose of Article 21(2), point (h) of Directive
(EU) 2022/2555, the relevant entities shall establish,
implement and apply a policy and procedures related to
Establish and Maintain a
cryptography, with a view to ensuring adequate and
3.1 Data Govern Data Management x x x Superset 9.1 Cryptography 9.1.1
effective use of cryptography to protect the
Process
confidentiality, authenticity and integrity of information
in line with the relevant entities' information
classification and the results of the risk assessment.
The relevant entities shall establish, implement and
apply a policy for the proper handling of information
Establish and Maintain a Handling of
and assets in accordance with their network and
3.1 Data Govern Data Management x x x Subset 12.2 information 12.2.1
information security policy, and shall communicate the
Process and assets
policy to anyone who uses or handles information and
assets.
ETSI
Control
Safeguard
Control Asset
Type
Safeguard
Security
Function
Control /
Safeguard
Title
IG1
IG2
IG3
NIS2
Relationship
NIS 2 Provision
NIS 2
Requirement
Category
NIS2
Requirement #
12 ETSI TR 104 168 V1.1.1 (2025-09)
NIS 2 Requirement Description
The policy shall:
(a) cover the entire life cycle of the information and
assets, including acquisition, use, storage,
transportation and disposal;
(b) provide instructions on the safe use, safe storage,
safe transport, and the irretrievable deletion and
Establish and Maintain a Handling of
destruction of the information and assets;
3.1 Data Govern Data Management x x x Subset 12.2 information 12.2.2
(c) provide that equipment, hardware, software and
Process and assets
data may be transferred to external premises only after
approval by bodies authorized by management bodies
in accordance with the policies,
(d) provide that the transfer shall take place in a secure
manner, in accordance with the type of asset or
information to be transferred.
The relevant entities shall review and, where
Establish and Maintain a Handling of
appropriate, update the policy at planned intervals and
3.1 Data Govern Data Management x x x Subset 12.2 information 12.2.3
when significant incidents or significant changes to
Process and assets
operations or risks occur.
Establish and Maintain a
3.2 Data Identify x x x
Data Inventory
For the purpose of Article 21(2), point (i) of Directive
(EU) 2022/2555, the relevant entities shall establish,
document and implement logical and physical access
Configure Data Access Access control
3.3 Data Protect x x x Subset 11.1 11.1.1 control policies for the access of persons and
Control Lists policy
processes on network and information systems, based
on business requirements as well as network and
information system security requirements.
3.4 Data Protect Enforce Data Retention x x x
ETSI
Control
Safeguard
Control Asset
Type
Safeguard
Security
Function
Control /
Safeguard
Title
IG1
IG2
IG3
NIS2
Relationship
NIS 2 Provision
NIS 2
Requirement
Category
NIS2
Requirement #
13 ETSI TR 104 168 V1.1.1 (2025-09)
NIS 2 Requirement Description
The policy shall:
(a) cover the entire life cycle of the information and
assets, including acquisition, use, storage,
transportation and disposal;
(b) provide instructions on the safe use, safe storage,
safe transport, and the irretrievable deletion and
Handling of
destruction of the information and assets;
3.5 Data Protect Securely Dispose of Data x x x Subset 12.2 information 12.2.2
(c) provide that equipment, hardware, software and
and assets
data may be transferred to external premises only after
approval by bodies authorized by management bodies
in accordance with the policies,
(d) provide that the transfer shall take place in a secure
manner, in accordance with the type of asset or
information to be transferred.
For the purpose of Article 21(2), point (h) of Directive
(EU) 2022/2555, the relevant entities shall establish,
implement and apply a policy and procedures related to
Encrypt Data on End-User cryptography, with a view to ensuring adequate and
3.6 Data Protect x x x Subset 9.1 Cryptography 9.1.1
Devices effective use of cryptography to protect the
confidentiality, authenticity and integrity of information
in line with the relevant entities' information
classification and the results of the risk assessment.
For the purpose of Article 21(2), point (i) of Directive
Establish and Maintain a (EU) 2022/2555, the relevant entities shall lay down
Asset
3.7 Data Identify Data Classification x x Subset 12.1 12.1.1 classification levels of all information and assets in
classification
Scheme scope of their network and information systems for the
level of protection required.
For the purpose of point 12.1.1, the relevant entities
shall:
(a) lay down a system of classification levels for
information and assets;
(b) associate all information and assets with a
Establish and Maintain a
Asset classification level, based on confidentiality, integrity,
3.7 Data Identify Data Classification x x Subset 12.1 12.1.2
classification authenticity and availability requirements, to indicate
Scheme
the protection required according to their sensitivity,
criticality, risk and business value,
(c) align the availability requirements of the information
and assets with the delivery and recovery objectives
set out in their business and disaster recovery plans.
ETSI
Control
Safeguard
Control Asset
Type
Safeguard
Security
Function
Control /
Safeguard
Title
IG1
IG2
IG3
NIS2
Relationship
NIS 2 Provision
NIS 2
Requirement
Category
NIS2
Requirement #
14 ETSI TR 104 168 V1.1.1 (2025-09)
NIS 2 Requirement Description
Establish and Maintain a The relevant entities shall conduct periodic reviews of
Asset
3.7 Data Identify Data Classification x x Subset 12.1 12.1.3 the classification levels of information and assets and
classification
Scheme update them, where appropriate.
3.8 Data Identify Document Data Flows x x
The relevant entities shall establish, implement and
apply a policy on the management of removable
storage media and communicate it to their employees
Encrypt Data on Removable
3.9 Data Protect x x Subset 12.3 12.3.1 and third parties who handle removable storage media
Removable Media media policy
at the relevant entities' premises or other locations
where the removable media is connected to the
relevant entities' network and information systems.
The policy shall:
(a) provide for a technical prohibition of the connection
of removable media unless there is an organizational
reason for their use;
(b) provide for disabling self-execution from such media
and scanning the media for malicious code before they
Encrypt Data on Removable
3.9 Data Protect x x Subset 12.3 12.3.2 are used on the entities' systems;
Removable Media media policy
(c) provide measures for controlling and protecting
portable storage devices containing data while in transit
and in storage;
(d) where appropriate, provide measures for the use of
cryptographic techniques to protect information on
removable storage media.
Encrypt Sensitive Data in
3.10 Data Protect x x
Transit
Encrypt Sensitive Data at
3.11 Data Protect x x
Rest
Segment Data Processing
Administration The relevant entities shall restrict and control the use of
Protect
3.12 Data and Storage Based on x x Subset 11.4 11.4.1
systems system administration systems.
Sensitivity
For that purpose, the relevant entities shall:
(a) only use system administration systems for system
administration purposes, and not for any other
Segment Data Processing
Administration operations;
3.12 Data Protect and Storage Based on x x Subset 11.4 11.4.2
systems (b) separate logically such systems from application
Sensitivity
software not used for system administrative purposes,
(c) protect access to system administration systems
through authentication and encryption.

| Control | Safeguard | Asset Type | Security Function | Control / Safeguard Title | IG1 | IG2 | IG3 | NIS2 Relationship | NIS 2 Provision | NIS 2 Requirement Category | NIS2 Requirement # | NIS 2 Requirement Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| | 3.13 | Data | Protect | Deploy a Data Loss Prevention Solution | | | x | | | | | |
| | 3.14 | Data | Detect | Log Sensitive Data Access | | | x | Subset | 3.2 | Monitoring and logging | 3.2.3 | The relevant entities shall maintain, document, and review logs. Logs shall include: (a) outbound and inbound network traffic; (b) creation, modification or deletion of users of the relevant entities' network and information systems and extension of the permissions; (c) access to systems and applications; (d) authentication-related events; (e) all privileged access to systems and applications, and activities performed by administrative accounts; (f) access or changes to critical configuration and backup files; (g) event logs and logs from security tools, such as antivirus, intrusion detection systems or firewalls; (h) use of system resources, as well as their performance; (i) physical access to facilities, where appropriate; (j) access to and use of their network equipment and devices; (k) activation, stopping and pausing of the various logs; (l) environmental events, such as flooding alarms, where appropriate. |
| 4 | | | | Secure Configuration of Enterprise Assets and Software | | | | | | | | |
| | 4.1 | Documentation | Govern | Establish and Maintain a Secure Configuration Process | x | x | x | Subset | 6.3 | Configuration management | 6.3.1 | The relevant entities shall establish, document, implement, and monitor configurations, including security configurations of hardware, software, services and networks. |


| Control | Safeguard | Asset Type | Security Function | Control / Safeguard Title | IG1 | IG2 | IG3 | NIS2 Relationship | NIS 2 Provision | NIS 2 Requirement Category | NIS2 Requirement # | NIS 2 Requirement Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| | 4.1 | Documentation | Govern | Establish and Maintain a Secure Configuration Process | x | x | x | Subset | 6.3 | Configuration management | 6.3.2 | For the purpose of point 6.3.1, the relevant entities shall: (a) lay down configurations, including security configurations, for their hardware, software, services and networks; (b) lay down and implement processes and tools to enforce the laid down configurations, including security configurations, for hardware, software, services and networks, for newly installed systems as well as for operational systems over their lifetime. |
| | 4.1 | Documentation | Govern | Establish and Maintain a Secure Configuration Process | x | x | x | Subset | 6.3 | Configuration management | 6.3.3 | The relevant entities shall review and, where appropriate, update configurations at planned intervals or when significant incidents or significant changes to operations or risks occur |
| | 4.2 | Documentation | Govern | Establish and Maintain a Secure Configuration Process for Network Infrastructure | x | x | x | Subset | 6.3 | Configuration management | 6.3.1 | The relevant entities shall establish, document, implement, and monitor configurations, including security configurations of hardware, software, services and networks. |
| | 4.2 | Documentation | Govern | Establish and Maintain a Secure Configuration Process for Network Infrastructure | x | x | x | Subset | 6.3 | Configuration management | 6.3.2 | For the purpose of point 6.3.1, the relevant entities shall: (a) lay down configurations, including security configurations, for their hardware, software, services and networks; (b) lay down and implement processes and tools to enforce the laid down configurations, including security configurations, for hardware, software, services and networks, for newly installed systems as well as for operational systems over their lifetime. |
| | 4.2 | Documentation | Govern | Establish and Maintain a Secure Configuration Process for Network Infrastructure | x | x | x | Subset | 6.3 | Configuration management | 6.3.3 | The relevant entities shall review and, where appropriate, update configurations at planned intervals or when significant incidents or significant changes to operations or risks occur |


| Control | Safeguard | Asset Type | Security Function | Control / Safeguard Title | IG1 | IG2 | IG3 | NIS2 Relationship | NIS 2 Provision | NIS 2 Requirement Category | NIS2 Requirement # | NIS 2 Requirement Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| | 4.3 | Devices | Protect | Configure Automatic Session Locking on Enterprise Assets | x | x | x | Subset | 11.6 | Authentication | 11.6.2 | For that purpose, the relevant entities shall: (a) ensure the strength of authentication is appropriate to the classification of the asset to be accessed; (b) control the allocation to users and management of secret authentication information by a process that ensures the confidentiality of the information, including advising personnel on appropriate handling of authentication information; (c) require the change of authentication credentials initially, and when suspicion that the credential is revealed to an unauthorized person; (d) require the reset of authentication credentials and the blocking of users after a predefined number of unsuccessful log-in attempts; (e) terminate inactive sessions after a predefined period of inactivity; and (f) require separate credentials to access privileged access or administrative accounts. |
| | 4.4 | Devices | Protect | Implement and Manage a Firewall on Servers | x | x | x | | | | | |
| | 4.5 | Devices | Protect | Implement and Manage a Firewall on End-User Devices | x | x | x | | | | | |
| | 4.6 | Devices | Protect | Securely Manage Enterprise Assets and Software | x | x | x | | | | | |
| | 4.7 | Users | Protect | Manage Default Accounts on Enterprise Assets and Software | x | x | x | | | | | |
| | 4.8 | Devices | Protect | Uninstall or Disable Unnecessary Services on Enterprise Assets and Software | | x | x | | | | | |
| | 4.9 | Devices | Protect | Configure Trusted DNS Servers on Enterprise Assets | | x | x | | | | | |


| Control | Safeguard | Asset Type | Security Function | Control / Safeguard Title | IG1 | IG2 | IG3 | NIS2 Relationship | NIS 2 Provision | NIS 2 Requirement Category | NIS2 Requirement # | NIS 2 Requirement Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| | 4.10 | Devices | Protect | Enforce Automatic Device Lockout on Portable End-User Devices | | x | x | Subset | 11.6 | Authentication | 11.6.2 | For that purpose, the relevant entities shall: (a) ensure the strength of authentication is appropriate to the classification of the asset to be accessed; (b) control the allocation to users and management of secret authentication information by a process that ensures the confidentiality of the information, including advising personnel on appropriate handling of authentication information; (c) require the change of authentication credentials initially, and when suspicion that the credential is revealed to an unauthorized person; (d) require the reset of authentication credentials and the blocking of users after a predefined number of unsuccessful log-in attempts; (e) terminate inactive sessions after a predefined period of inactivity; and (f) require separate credentials to access privileged access or administrative accounts. |
| | 4.11 | Data | Protect | Enforce Remote Wipe Capability on Portable End-User Devices | | x | x | | | | | |
| | 4.12 | Data | Protect | Separate Enterprise Workspaces on Mobile End-User Devices | | | x | | | | | |
| 5 | | | | Account Management | | | | | | | | |
| | 5.1 | Users | Identify | Establish and Maintain an Inventory of Accounts | x | x | x | Subset | 11.5 | Identification | 11.5.1 | The relevant entities shall manage the full life cycle of identities of network and information systems and their users. |
| | 5.1 | Users | Identify | Establish and Maintain an Inventory of Accounts | x | x | x | Subset | 11.6 | Authentication | 11.6.4 | The relevant entities shall regularly review the identities and, if no longer needed, deactivate them without delay. |
| | 5.2 | Users | Protect | Use Unique Passwords | x | x | x | | | | | |
| | 5.3 | Users | Protect | Disable Dormant Accounts | x | x | x | | | | | |


| Control | Safeguard | Asset Type | Security Function | Control / Safeguard Title | IG1 | IG2 | IG3 | NIS2 Relationship | NIS 2 Provision | NIS 2 Requirement Category | NIS2 Requirement # | NIS 2 Requirement Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| | 5.4 | Users | Protect | Restrict Administrator Privileges to Dedicated Administrator Accounts | x | x | x | Subset | 11.3 | Privileged accounts and system administration accounts | 11.3.2 | The policies referred to in point 11.3.1 shall: (a) establish strong identification, authentication such as multi-factor authentication, and authorization procedures for privileged accounts and system administration accounts; (b) set up specific accounts to be used for system administration operations exclusively, such as installation, configuration, management or maintenance; (c) individualize and restrict system administration privileges to the highest extent possible, (d) provide that system administration accounts are only used to connect to system administration systems. |
| | 5.4 | Users | Protect | Restrict Administrator Privileges to Dedicated Administrator Accounts | x | x | x | Subset | 11.6 | Authentication | 11.6.2 | For that purpose, the relevant entities shall: (a) ensure the strength of authentication is appropriate to the classification of the asset to be accessed; (b) control the allocation to users and management of secret authentication information by a process that ensures the confidentiality of the information, including advising personnel on appropriate handling of authentication information; (c) require the change of authentication credentials initially, and when suspicion that the credential is revealed to an unauthorized person; (d) require the reset of authentication credentials and the blocking of users after a predefined number of unsuccessful log-in attempts; (e) terminate inactive sessions after a predefined period of inactivity; and (f) require separate creden |

...