NIS2 Compliance: Where Threat Intelligence Fits In

January 08, 2024

This article was updated on April 13, 2026 and originally published on January 8, 2024.

In June 2025, the European Union Agency for Cybersecurity (ENISA) published its Technical Implementation Guidance (“the Guidance”) that provides:

  • Guidance with actionable advice when implementing requirements
  • Examples of evidence that prove a requirement is in place
  • Mapping between security requirements, industry best practices, and other national or international standards and frameworks

A notable thread running through the Guidance is the role of threat intelligence. Rather than treating it as an optional enhancement, the Guidance positions threat intelligence as a core input to risk management, incident handling, supply chain security, and vulnerability management.

This article maps the specific sections where the Guidance references threat intelligence.

Threat Exposure Management

Build a Defensible NIS2 Compliance Posture

Flare’s threat exposure management maps directly to ENISA’s Guidance, from identity exposure monitoring and leaked credential detection to vulnerability prioritization with real-world exploit intelligence from dark web forums.

Leaked credential and stealer log monitoring
Vulnerability prioritization with exploit intelligence

Threat Intelligence as a Foundation for Risk Management

The Risk Management Framework acts as the foundation for the rest of the organization’s NIS2 or Member State-specific implementing act compliance. In section 2.1.2 under Risk Management Policy, the Guidance states, “relevant entities shall establish procedures for identification, analysis, assessment and treatment of risks (‘cybersecurity risk management process’).” The Guidance explains that, as part of this process, entities shall:

(e) analyse the risks posed to the security of network and information systems, including threat, likelihood, impact and risk level, taking into account cyber threat intelligence and vulnerabilities

By incorporating threat intelligence as a primary resource for understanding cybersecurity risk, the Guidance weaves it into various areas of compliance. 

Where the Guidance Specifically Mentions Threat Intelligence

Business Continuity and Crisis Management Section 4.3.3 

The Guidance states that relevant entities shall implement a process for managing and making use of information concerning incidents, vulnerabilities, threats, or possible mitigation measures while considering the following steps:

  • Ensuring that the point of contact has sufficient knowledge concerning incidents and threat intelligence
  • Validating information against internal logs, threat intelligence feeds, and existing security policies

Additionally, under examples of evidence, the Guidance reiterates the importance of the point of contact having sufficient knowledge about threat intelligence. 

Supply Chain Security Section 5.1.7

The Guidance outlines that relevant entities shall:

  • Regularly monitor service level agreement reports about implementations
  • Review incidents related to ICT products and services from suppliers and service providers
  • Assess whether they need to engage in unscheduled reviews and document findings 
  • Analyze the risks that changes to ICT products and services create and mitigate them in a timely manner

Under Tips for this subsection, the Guidance states that in addition to the other data, organizations could consider “information stemming from known incidents or cyber threat intelligence.”

Security in Network and Information Systems Acquisition, Development and Maintenance Section 6.10.4

The Guidance outlines that relevant entities shall review and update the channels they use for monitoring vulnerability information. Under the list of Examples of Evidence, it identifies:

  • Logs that record the monitoring activities for vulnerability information, including dates and sources monitored (e.g. security advisories, vendor bulletins, threat intelligence feeds)

How Can Threat Exposure Management (TEM) Enable Organizations to Comply with NIS2?

Beyond the specified uses of threat intelligence, organizations that need to comply with their Member State’s NIS2 implementation law can use TEM to help mitigate various risks and prove that their security controls function as intended.

Access Monitoring with Identity Exposure Management

In section 11.1.2 the Guidance says that access control policies shall ensure that access is only granted to adequately authenticated users. 

Reading further into that section, Section 11.1.3 states that relevant entities shall review and update policies both at planned intervals and when significant incidents, operational changes, or risks occur. As examples of evidence, the Guidance includes:

  • Past incident reports with records of any access control-related security incidents 
  • Records of reviews and updates showing that the entity regularly reviews and updates policies as necessary

Under section 11.6.1, the Guidance outlines the various authentication technologies that relevant entities can use to identify users, devices or systems, including but not limited to:

  • Password-based authentication
  • Passkeys
  • Two-factor authentication
  • MFA
  • Biometric authentication
  • Token-based authentication, such as a one-time passcode (OTP)
  • Smart cards
  • Fast Identity Online 2 security keys
  • Certificate-based authentication
  • SSO
  • OpenID Connect

How TEM Helps

With identity exposure management, relevant entities can document their access control risk management practices through:

  • Proactive monitoring of leaked credentials and stealer logs on the clear, dark, and deep web, including Telegram channels, for visibility into current and emerging threats
  • Near real-time alerts when potential new exposures arrive on the black market
  • Visibility into external risks to users and potential adversary attack paths

Malware and Virus Monitoring with Dark Web Market and Illicit Telegram Channel Monitoring

The Guidance discusses risk mitigation strategies related to preventing and detecting malware across systems and networks. 

In section 6.9 Protection Against Malicious and Unauthorized Software, the Guidance recognizes:

“…the use of malicious and unauthorised detection and repair software alone is not usually adequate or may not be available, so it should be complemented by additional measures.”

How TEM Helps

TEM offers a complementary measure that enables relevant entities to monitor threat actor chatter and identify mentions of the company’s name or domain. For example, this monitoring can help identify compromised devices and proactively mitigate risk. 

Vulnerability Handling by Prioritizing with Real-World Exploit Discussions

In section 6.10.2, the Guidance states that relevant entities shall:

(c) address, without undue delay, vulnerabilities identified by the relevant entities as critical to their operations

(d) ensure that their vulnerability handling is compatible with their change management, security patch management, risk management and incident management procedures

Additionally, within section 6.10.4, the Guidance provides the following as examples of evidence:

  • List of monitoring channels for technical vulnerabilities, including suppliers and service providers’ single points of contact
  • Subscriptions to relevant vulnerability notification services, mailing lists and alert systems (e.g. CERT, vendor advisories and security forums)
  • Logs that document periodic reviews of the monitoring channels to verify that they are up to date and effective
  • Records of alerts or notifications received from monitoring channels about new vulnerabilities, including how these alerts were handled and any subsequent actions taken


How TEM Helps

TEM augments traditional vulnerability monitoring services to help security and vulnerability management teams enhance their vulnerability handling and risk mitigation. For example, malicious actors on platforms like the dark web forum Exploit often discuss the vulnerabilities they plan to target and their current techniques. By incorporating this information into their vulnerability risk identification strategies, organizations can more rapidly mitigate the security weaknesses that could have the most impact on their operations and sensitive data.

Threat Intelligence is Central to NIS2 Compliance

ENISA’s Technical Implementation Guidance makes clear that threat intelligence is not an optional addition to NIS2 compliance; it is woven into the Directive’s core requirements for risk management, incident handling, supply chain security, and vulnerability management. Organizations that treat threat intelligence as a checkbox will meet the letter of the requirement. Those that operationalize it through continuous monitoring of the clear and dark web, identity exposure tracking, and real-world exploit intelligence will build a compliance posture that is both defensible under audit and genuinely effective at reducing risk.
