Article 25

Standardisation

Directive on the security of network and information systems · UE 2022/2555

Standardisation

1.   In order to promote the convergent implementation of Article 21(1) and (2), Member States shall, without imposing or discriminating in favour of the use of a particular type of technology, encourage the use of European and international standards and technical specifications relevant to the security of network and information systems.

2.   ENISA, in cooperation with Member States, and, where appropriate, after consulting relevant stakeholders, shall draw up advice and guidelines regarding the technical areas to be considered in relation to paragraph 1 as well as regarding already existing standards, including national standards, which would allow for those areas to be covered.

Luxembourg specificity
loi luxembourgeoise du 28 juillet 2023 relative a la cybersecurite

In Luxembourg, the ILR is the national cybersecurity authority responsible for designating essential and important operators, conducting inspections and verifying the effective application of Article 21. The Law of 28 July 2023 on cybersecurity, amended by the Law of 28 July 2025, transposes this standardisation logic: the ILR relies on ENISA advice and recognised frameworks (ISO 27001, IEC 62443) as a de facto assessment grid, without imposing a specific technology.

Luxgap practice: prepare a continuously updated standard-to-Article-21 coverage matrix, as this is exactly the document the ILR requests first during an inspection in Luxembourg.