Peer Reviews Under NIS2: How Member States Will Be Assessed

Understand the NIS2 Article 19 peer review process. Learn how Member States evaluate each other's cybersecurity capabilities and NIS2 implementation.

Daniel Grigorovich
Founder · 10 Jun 2026 · 9 min read
NIS2
Who should read this: Policy Makers, Competent Authority Leadership, National Cybersecurity Officials, CSIRT Directors, EU Institutional Representatives.

The peer review mechanism established in Article 19 of the NIS2 Directive represents a significant innovation in EU cybersecurity governance. Rather than relying solely on Commission oversight or national self-assessment, Member States will conduct systematic peer reviews of each other’s cybersecurity capabilities and implementation of NIS2 obligations. This is not a punitive enforcement mechanism; it is a collaborative, confidence-building process designed to strengthen the overall level of cybersecurity across the Union by enabling Member States to learn from each other’s experiences and identify areas for improvement.

For Member States, peer reviews create both opportunity and obligation: an opportunity to showcase cybersecurity achievements, to learn best practices from peer Member States, and to obtain external validation of national capabilities; and an obligation to undergo scrutiny, to provide sensitive information to external assessors, and to address the recommendations that emerge from reviews. Understanding the peer review framework (what it covers, how it operates, what happens with the results) is essential for national cybersecurity leadership preparing to either conduct or undergo a peer review.

Scope and Coverage of Peer Reviews

Article 19(1) establishes that the Cooperation Group, with assistance from the Commission and ENISA and in cooperation with the CSIRTs network, will establish the methodology and organisational aspects of peer reviews by 17 January 2025. This methodology will govern how peer reviews are conducted, what evidence is evaluated, and how findings are assessed. The Cooperation Group is responsible for establishing objective, non-discriminatory, fair and transparent criteria on the basis of which Member States designate cybersecurity experts to carry out peer reviews.

Article 19(1) specifies that peer reviews may cover at least one of six areas. These are not the only possible areas, but they represent the core scope of peer reviews.

First, peer reviews can assess the level of implementation of the cybersecurity risk-management measures and reporting obligations laid down in Articles 21 and 23. This means evaluating whether essential and important entities within a Member State are actually implementing the mandatory cybersecurity measures and whether they are properly reporting significant incidents to the national CSIRT. This is probably the most common focus for peer reviews because Articles 21 and 23 are core to NIS2 implementation.

Second, peer reviews can assess the level of capabilities and effectiveness of competent authorities. This includes evaluating whether the competent authority has adequate financial resources, adequate technical expertise, adequate staffing, and adequate authority to supervise essential and important entities. It also includes assessing whether the competent authority is effectively exercising its supervisory and enforcement powers.

Third, peer reviews can assess the operational capabilities of the national CSIRT. Does the CSIRT have 24/7 availability? Can it effectively coordinate with essential and important entities? Does it have adequate expertise in incident handling? Can it effectively cooperate with other CSIRTs and with EU-CyCLONe?

Fourth, peer reviews can assess the level of implementation of mutual assistance. Article 37 requires that Member States assist each other in managing incidents that have cross-border impact. A peer review might evaluate whether the Member State has mechanisms in place to provide and receive mutual assistance, and whether it has actually provided assistance in recent incidents.

Fifth, peer reviews can assess the level of implementation of cybersecurity information-sharing arrangements. Article 29 requires that Member States facilitate information sharing among entities regarding cyber threats and vulnerabilities. A peer review might evaluate whether effective information-sharing arrangements have been established and whether entities are actively participating in them.

Sixth, peer reviews can assess specific issues of cross-border or cross-sector nature. Member States can identify particular concerns or areas of interest and request that these be included in the review scope.

The Peer Review Process

Article 19 establishes a structured process for conducting peer reviews. The process begins with methodology development. The Cooperation Group, with Commission and ENISA assistance, establishes the peer review methodology by 17 January 2025. This methodology includes the criteria and procedures for selecting cybersecurity experts, the evidence gathering process, the assessment framework, and the reporting format for peer review findings.

Once the methodology is established, Member States can request peer reviews. A Member State requesting a peer review must notify other participating Member States of the review’s scope, including any specific issues identified for review. Before the peer review commences, Article 19(5) permits Member States to carry out a self-assessment and provide it to the designated cybersecurity experts. The Cooperation Group establishes the self-assessment methodology.

The peer review itself is carried out by cybersecurity experts designated by at least two Member States other than the Member State being reviewed. These experts are designated on the basis of objective, non-discriminatory, fair and transparent criteria. The Commission and ENISA participate as observers in the peer reviews, which ensures that peer reviews are not purely bilateral Member State activities but have EU-level oversight.

Article 19(6) specifies that peer reviews shall entail physical or virtual on-site visits and off-site exchanges of information. The on-site visit is critical; it allows experts to directly observe the Member State’s facilities, interview key personnel, and gather evidence that cannot be obtained remotely. Off-site exchanges allow for additional information gathering and clarification of findings.

The Member State subject to the peer review must cooperate and provide the designated cybersecurity experts with the information necessary for assessment. However, this cooperation is subject to important limitations: it is “without prejudice to Union or national law concerning the protection of confidential or classified information and to the safeguarding of essential State functions, such as national security.” This means a Member State can withhold information on national security grounds, but this authority is limited and should be used sparingly. Broad claims of national security should not be used to avoid accountability to peer reviewers.

Conflict of Interest and Expert Qualification

Article 19(8) requires that any risk of conflict of interest concerning designated cybersecurity experts be revealed to other Member States, the Cooperation Group, the Commission, and ENISA before the peer review commences. Conflicts of interest might arise if an expert has worked for the Member State being reviewed, if the expert has commercial interests in the Member State being reviewed, or if there are other relationships that could compromise the expert’s impartiality.

The Member State being reviewed has a right to object to the designation of particular cybersecurity experts on duly substantiated grounds. If a reviewing expert is biased or has a clear conflict of interest, the Member State being reviewed can object and request a replacement. This right is important to the credibility of the peer review process; reviewers must be perceived as impartial.

The designation of appropriate cybersecurity experts is critical to the quality of peer reviews. Experts must have sufficient expertise in cybersecurity, in regulatory and policy matters, in the specific domains being reviewed, and in the legal and institutional frameworks relevant to the Member State being reviewed. This is a demanding skill set. The Cooperation Group’s establishment of clear criteria for designating experts is therefore crucial.

Codes of Conduct

Article 19(6) requires that the Cooperation Group, in cooperation with the Commission and ENISA, develop appropriate codes of conduct underpinning the working methods of designated cybersecurity experts. These codes of conduct address several issues.

First, they should establish confidentiality obligations. Sensitive information obtained during a peer review (strategies, technical details, internal assessments) must be treated as confidential. Codes of conduct should require that experts do not disclose such information to third parties.

Second, they should establish impartiality and fairness principles. Experts should be expected to conduct reviews based on objective evidence, to treat all Member States fairly, and to avoid bias.

Third, they should establish procedures for handling disputes or disagreements. If a Member State objects to findings or recommendations, what process exists for resolving the disagreement? Codes of conduct should provide clarity on such procedures.

Fourth, they should address the use of information gathered during reviews. Such information can typically be used only for peer review purposes, not for enforcement actions or other regulatory purposes. This limitation is important to encourage Member States to be candid during peer reviews.

Peer Review Reports and Follow-Up

Once a peer review is completed, the cybersecurity experts prepare a report on their findings and conclusions. Article 19(9) permits the Member State being reviewed to provide comments on the draft report, and such comments are attached to the final report. This right to comment ensures that the Member State’s perspective is represented in the final document.

Peer review reports include recommendations to enable improvement on the aspects covered by the review. These are not mandatory requirements; they are suggestions based on best practices and the reviewer’s assessment of areas where the Member State could improve. However, recommendations from peer reviewers carry significant weight, and a Member State that does not address substantial peer review recommendations might face questions from the Commission or the Cooperation Group about why improvements are not being pursued.

Article 19(9) provides that a Member State subject to a peer review may decide to make its report, or a redacted version of it, publicly available. This transparency is valuable; it demonstrates accountability and allows other Member States to learn from the findings.

The CSIRTs network assesses progress made regarding peer reviews and includes findings in its biennial report to the Cooperation Group. This ensures that peer review outcomes inform broader EU cybersecurity policy and capability development.

Timing and Frequency

Article 19(7) specifies that once a Member State has been subject to a peer review covering particular aspects, those same aspects shall not be subject to a further peer review in that Member State for two years following the conclusion of the peer review, unless otherwise requested by the Member State or agreed upon after a proposal of the Cooperation Group. This provision prevents excessive repetition of reviews and allows Member States time to implement recommendations before being re-reviewed on the same topics.

The Cooperation Group establishes a schedule for peer reviews and coordinates which Member States undergo review in which years. Because participation is voluntary (as noted in Article 19(1)), not all Member States undergo reviews simultaneously. Instead, reviews are staggered to allow for adequate resources and to allow lessons from earlier reviews to inform later ones.

Impact on Competent Authorities and Entities

Peer reviews, whilst conducted at Member State level, have implications for competent authorities and essential/important entities. If a peer review identifies deficiencies in competent authority capabilities, the Member State government should address those deficiencies, potentially by allocating additional resources or restructuring supervisory arrangements. If a peer review identifies low implementation of Article 21 cybersecurity measures among essential entities, the competent authority should increase supervisory activity to address the gap.

Conversely, if peer reviewers identify best practices that have proven effective in another Member State, essential entities should be encouraged to adopt similar practices, and competent authorities should consider whether they need to strengthen their guidance to entities.

Key Takeaways

  • Article 19 establishes a peer review mechanism through which Member States assess each other’s cybersecurity implementation and capabilities. Reviews are voluntary and are conducted by cybersecurity experts from other Member States, with Commission and ENISA observation.

  • Peer reviews can cover implementation of Articles 21 and 23 measures, competent authority capabilities, CSIRT operational capabilities, mutual assistance mechanisms, information-sharing arrangements, and specific cross-border or cross-sector issues.

  • The Cooperation Group establishes peer review methodology by 17 January 2025, including criteria for designating expert reviewers, evidence gathering procedures, and assessment frameworks. Methodology must be objective, non-discriminatory, fair, and transparent.

  • Member States undergoing review must cooperate with experts, provide necessary information, and can provide comments on draft reports. They can object to reviewer designation on conflict-of-interest grounds.

  • Codes of conduct govern expert conduct, requiring confidentiality, impartiality, fair procedures, and appropriate use of information obtained during reviews. These codes are developed by the Cooperation Group with Commission and ENISA input.

  • Peer review reports include findings and recommendations; Member States may publish reports (or redacted versions) to demonstrate accountability. Aspects covered by a peer review cannot be re-reviewed for two years unless the Member State requests or the Cooperation Group proposes it.

Daniel Grigorovich · Founder

I believe that no business should suffer from "compliance checklists" or navigating vague regulatory text. While I still stand by the principle that all software products should be reliable and secure, I want to give companies a way to overcome the challenges faced when implementing these requirements.