
NIS2 Art.37.1: National Cybersecurity Strategy Alignment

What This Control Requires

Each Member State shall adopt a national cybersecurity strategy that provides for the strategic objectives, the resources necessary to achieve those objectives, and appropriate policy and regulatory measures, with a view to achieving and maintaining a high level of cybersecurity.

In Plain Language

Every EU Member State must publish a national cybersecurity strategy, and while that sounds like a government-only concern, it directly shapes the regulatory environment you operate in. National strategies set supervisory priorities, define support mechanisms, and signal where policy is heading next.

These strategies typically cover governance frameworks, supply chain security, vulnerability disclosure coordination, education and training initiatives, R&D priorities, and public-private cooperation. Aligning your own cybersecurity approach with national priorities shows regulatory maturity and often unlocks access to government support programmes.

Just as importantly, national strategies are a leading indicator of where regulation is going. Organisations that track their national strategy can anticipate and prepare for changes rather than scrambling to catch up after the fact.

How to Implement

Read your Member State's national cybersecurity strategy. Identify the strategic priorities relevant to your sector, any specific expectations for entities in your category, available support mechanisms (funding, training, advisory services), sector-specific initiatives worth joining, and upcoming policy developments that could affect your compliance obligations.

Align your organisation's cybersecurity strategy with the relevant parts of the national strategy. This is not about copying government language into your documents - it is about ensuring your priorities are coherent with the broader ecosystem. Supervisors notice this alignment, and it reflects well.

Take advantage of national cybersecurity programmes. Many Member States offer training and certification programmes, sector-specific threat briefings, funding or incentives for security improvements, public-private partnerships, and national exercises. These are resources you are already paying for through taxes - use them.

Monitor updates to the national strategy and related policy developments. Strategies get reviewed and updated periodically, and changes often signal new compliance requirements or shifts in supervisory focus.

Contribute where you can. Share anonymised threat intelligence with national authorities, participate in public consultations on cybersecurity policy, contribute to sector standards, or get involved in training initiatives. This builds relationships and influence.

Include national strategy alignment in your board-level cybersecurity reporting. It demonstrates that your organisation understands the wider context, not just its own four walls.

For multi-jurisdictional organisations, review the national strategies of all Member States where you operate significantly. Look for common themes and any divergences that need jurisdiction-specific treatment.

Evidence Your Auditor Will Request

  • Review records of national cybersecurity strategy
  • Organisational cybersecurity strategy showing alignment with national priorities
  • Records of participation in national cybersecurity initiatives
  • Monitoring of national policy developments and impact assessments
  • Board reports referencing national cybersecurity strategy alignment

Common Mistakes

  • Organisation unaware of national cybersecurity strategy content or relevance
  • No alignment between organisational and national cybersecurity priorities
  • Available national support programmes not utilised
  • National policy developments not monitored; organisation is surprised by new requirements
  • No participation in national or sector-specific cybersecurity initiatives

Related Controls Across Frameworks

Framework   Control ID   Relationship
ISO 27001   A.5.1        Related
ISO 27001   A.5.36       Related

Frequently Asked Questions

Where can we find our national cybersecurity strategy?

Usually published by your government's national cybersecurity agency or centre. ENISA also maintains an overview of all Member State strategies on its website. If you are struggling to find it, your competent authority can point you to the right documents.

Is alignment with the national strategy mandatory?

Not explicitly under NIS2, no. But national strategies shape the regulatory environment and supervisory expectations you face. Aligning with them demonstrates maturity, may give you access to support programmes, and tends to result in more favourable regulatory interactions. It is a low-effort, high-return activity.
