NIS2 Art.29.1: Peer Review and Information Sharing
What This Control Requires
Peer reviews shall be established in order to learn from shared experiences, to strengthen mutual trust, to achieve a high common level of cybersecurity across the Union, and to enhance the capabilities of the Member States' competent authorities and CSIRTs to supervise the implementation of this Directive.
In Plain Language
No organisation has complete visibility into the threat landscape on its own. NIS2 establishes peer reviews between Member States to promote consistent implementation, and encourages information sharing at every level - between entities, across sectors, and across borders.

While peer reviews happen at the Member State level, their findings trickle down to you. Updated guidance, new best practice recommendations, and harmonised supervisory expectations often follow peer review cycles. Keeping an eye on these developments helps you anticipate where regulators will focus next.

Organisations that actively participate in information sharing get better threat intelligence, earlier warning of emerging risks, and stronger relationships with regulators and peers. The ones that only consume without contributing tend to find themselves on the outside when the really valuable intelligence is being shared.
How to Implement
Find and join the information-sharing communities relevant to your sector: ISACs (Information Sharing and Analysis Centres), sector-specific groups, national or European cybersecurity communities, and CSIRT-facilitated platforms.

Develop clear internal policies for what you share and how. Define the types of information that can go out (threat indicators, incident summaries, best practices), who you share with (sector peers, CSIRTs, cross-sector partners), what approval is needed, and how incoming shared intelligence gets processed and acted on.

Build a threat intelligence function that both consumes and contributes. Organisations that only take without giving are less likely to receive the high-quality intelligence that makes a real difference.

Watch for NIS2 peer review outcomes and associated guidance publications. When reviews highlight best practices or flag areas of concern, assess your own posture against those findings.

Appoint a designated contact for information-sharing activities - someone with the authority and technical capability to share relevant information quickly when it matters.

Get involved in sector exercises and simulations organised by CSIRTs, competent authorities, or industry groups. These build relationships and test coordination procedures in a low-stakes environment.

Track the value you get from participation: actionable intelligence received, threats detected earlier because of shared information, and your contributions to the sector's collective knowledge.
Evidence Your Auditor Will Request
- Membership in relevant information sharing communities
- Information sharing policy defining scope, recipients, and approval process
- Records of information shared and received through sharing communities
- Evidence of monitoring peer review outcomes and regulatory guidance
- Participation records in sector exercises and collaborative activities
Common Mistakes
- Organisation does not participate in any information sharing community
- Information sharing is one-directional: the organisation consumes intelligence but does not contribute
- No policy governing what information can be shared and with whom
- Peer review outcomes and regulatory guidance not monitored or acted upon
- Legal concerns about liability prevent meaningful information sharing
Frequently Asked Questions
Is information sharing mandatory under NIS2?
Are there legal protections for information sharing?