NIS2 arrived quietly in Spain, but its obligations are real and so are the fines. The problem is that many companies do not know whether it applies to them, what they need to do exactly, or how much it will cost. This guide clarifies all of it.
What NIS2 consulting involves
NIS2 consulting is not a certification you obtain and frame on the wall. It is a continuous process of implementing and maintaining the cybersecurity measures the directive requires from affected entities.
Unlike ISO 27001, where the end goal is a certificate from an accredited body, NIS2 operates through registration and supervision by competent authorities. In Spain, INCIBE (for private sector entities) and CCN (for public administrations) will be the supervisory bodies once the national law enters into force.
What NIS2 consulting involves in practice:
- Determining whether your company is affected and in which category (essential or important entity).
- GAP analysis against the requirements of NIS2 Article 21.
- Implementing the required technical and organisational security measures.
- Establishing the incident notification process (24h initial warning, 72h full report, 30 days final report).
- Managing supply chain security: evaluating and documenting the security of critical suppliers.
- Registering with the competent authority when mandatory.
- Training the governing body in cybersecurity (NIS2 holds boards of directors directly accountable).
Who is affected: essential and important entities
| Category | Sectors included | Maximum fine |
|---|---|---|
| Essential entities | Energy, transport, banking, financial markets, healthcare, drinking water, wastewater, digital infrastructure, ICT service management, public administration, space | EUR 10M or 2% global turnover |
| Important entities | Postal services, waste management, critical manufacturing (chemicals, medical, electronics, machinery), food, digital providers (marketplaces, search engines, social networks) | EUR 7M or 1.4% global turnover |
The general size threshold is more than 50 employees or more than EUR 10 million in turnover in affected sectors. Micro-enterprises (fewer than 10 employees and under EUR 2 million) are generally exempt with some specific exceptions.
Healthcare sector: Hospitals, clinics, diagnostic laboratories, medical device manufacturers and pharmaceutical companies are directly within NIS2 scope as essential entities. If your company operates in healthcare or pharma, NIS2 applies with no ambiguity.
What NIS2 requires technically
Article 21 of NIS2 sets out the measures affected entities must implement:
A documented risk management framework adapted to the sector's threat profile. Generic documents do not work: it must reflect the organisation's specific risks and be kept current.
Detection, response and notification process. NIS2 sets strict deadlines: initial warning to the authority within 24 hours, full report within 72 hours, final report within 30 days. Missing these deadlines is sanctionable independently of the incident itself.
Tested and updated contingency plans. Having them written is not enough: NIS2 expects they have been exercised and results documented.
Assessment of the security of suppliers and subcontractors with access to critical systems or data. This is one of the most complex aspects of NIS2: it involves reviewing contracts, sending security questionnaires to suppliers and, in some cases, performing audits.
Security-by-design practices in the software lifecycle, including vulnerability management and regular security testing, which makes pentesting practically mandatory for NIS2 entities.
Identity management, mandatory multi-factor authentication (MFA) for access to critical systems, encryption of data in transit and at rest.
NIS2 explicitly makes governing bodies (boards, senior management) accountable for the organisation's cybersecurity. It requires these bodies to receive specific training and to approve cybersecurity policies for all employees.
How much does NIS2 compliance cost
| Company size | Starting point | Indicative first-year cost | Annual maintenance |
|---|---|---|---|
| 50-150 employees | No prior controls | 20,000 - 40,000 EUR | 8,000 - 15,000 EUR |
| 50-150 employees | ISO 27001 in place | 10,000 - 20,000 EUR | 5,000 - 10,000 EUR |
| 150-500 employees | No prior controls | 35,000 - 70,000 EUR | 15,000 - 30,000 EUR |
| 150-500 employees | ISO 27001 in place | 15,000 - 35,000 EUR | 8,000 - 18,000 EUR |
Compare it to the fines: The cost of compliance for a mid-sized company is 20,000-40,000 EUR. The maximum fine for a critical entity is EUR 10,000,000 or 2% of global annual turnover. If your company turns over EUR 10 million, the maximum fine is EUR 200,000. The ROI of compliance is clear.
The compliance process step by step
- Scope determination. Not all companies in affected sectors are required to comply. The first step is analysing whether your company exceeds the size thresholds and whether its sector is within scope. The category (essential or important) determines the level of obligations and the maximum fines.
- GAP analysis. Assessment of existing security measures against NIS2 requirements. The result is a risk-prioritised gap map: missing controls, undocumented processes and areas requiring technical investment.
- Remediation plan. A phased plan prioritised by impact and risk. Not everything needs to happen at once: start with the highest-risk controls and distribute the rest over 12-18 months.
- Implementation of controls: MFA, vulnerability management, SIEM, access policies, encryption, continuity plans, incident notification procedures and supplier security evaluation.
- Governing body training. NIS2 is explicit: directors must approve cybersecurity measures and receive specific training. In Spain this training can be subsidised through FUNDAE credits.
- Registration. Once the Spanish law enters into force, affected entities must register with the relevant supervisory body and notify significant changes in their activity.
Timelines: when does NIS2 come into force in Spain
The NIS2 directive had a transposition deadline of 17 October 2024. Spain did not meet it. The draft Law on Coordination and Governance of Cybersecurity is in parliamentary proceedings as of March 2026, with no confirmed approval date.
The delay does not eliminate the risk. The directive is directly applicable in many areas. The European Commission can open infringement proceedings against Spain for the delay, which could accelerate approval of the national law at any time. Waiting until "it is final" is a high-risk strategy.
NIS2, ISO 27001 and ENS: how they relate
| | NIS2 | ISO 27001 | ENS |
|---|---|---|---|
| Type | Mandatory EU directive | International voluntary standard | Spanish mandatory framework |
| Who | Critical sectors, public and private | Any organisation | Public administrations and digital suppliers |
| Certification | No. Registration + authority supervision | Yes. Accredited body certificate | Yes. ENAC-accredited body certificate |
| Overlap with NIS2 | - | 60-70% shared controls | 50-60% shared controls |
The most efficient strategy for a critical sector company that also works with the public sector: implement ISO 27001 first (shared technical base), certify ENS using that ISMS, and complete the NIS2-specific requirements on top of that already-built structure. Three compliance frameworks, one organised process.
Free NIS2 assessment
If you are not sure whether NIS2 applies to your company, which category you fall into or how far you are from compliance, we offer a free initial assessment. In one session: scope determination, basic GAP analysis and indicative budget.
Frequently asked questions
How much does NIS2 compliance cost?
For a mid-sized company of 50-150 employees in a critical sector with no prior controls, the indicative range is EUR 20,000-40,000 in the first year. With ISO 27001 already in place, this can be reduced to EUR 10,000-20,000. Annual maintenance is typically EUR 8,000-15,000.
Is my company affected by NIS2?
It depends on sector and size. If your company has more than 50 employees or more than EUR 10 million in turnover and operates in sectors like healthcare, banking, energy, transport, digital infrastructure or public administration, it very likely is. The first step is determining the exact category.
Is ISO 27001 enough for NIS2?
No, but it covers 60-70% of the work. ISO 27001 does not include NIS2-specific requirements: incident notification within 24/72 hours, governing body accountability, registration with the competent authority and specific supply chain management measures. But if you already have ISO 27001, the remaining work is significantly less.
What are the NIS2 fines?
For essential entities: up to EUR 10 million or 2% of global annual turnover (whichever is higher). For important entities: up to EUR 7 million or 1.4% of turnover. NIS2 also establishes personal liability for senior management in cases of serious negligence.