NIS2 · Cybersecurity · 24 March 2026 · 12 min read

NIS2 Directive in Spain: obligations, deadlines and penalties for businesses in 2026

Spain is behind on NIS2 transposition. But when the national law comes into force, thousands of businesses will have to prove they comply with cybersecurity measures that many have not even started implementing. This article gives you the full map: what NIS2 says, who it applies to, what you need to do and how much it costs not to do it.

Carlos Salgado CEO & Co-founder · Delbion

If your company has more than 50 employees or generates more than 10 million euros in revenue, the NIS2 directive probably applies to you. And if you operate in sectors such as healthcare, energy, transport, banking, digital infrastructure or the food industry, it almost certainly does.

Directive (EU) 2022/2555, known as NIS2, entered into force in January 2023 with a transposition deadline for Member States of 17 October 2024. Spain missed it. The Council of Ministers approved a Preliminary Draft Law on Cybersecurity Coordination and Governance in January 2025, but the definitive law has not yet been published. It is expected to come into force during 2026.

That does not mean you can wait. It means you have a window that is closing. When the law is published, compliance deadlines will be short and penalties considerable.

Key fact: NIS2 dramatically expands the scope of the former NIS1 directive. It is estimated that the number of affected entities in the EU goes from around 15,000 to more than 160,000. In Spain, thousands of businesses that were previously outside the scope are now within it.

What is the NIS2 directive

NIS2 is the second version of the European directive on network and information systems security. It replaces NIS1 (2016) and was created with a clear objective: to raise the level of cybersecurity across the EU in a uniform way.

The first directive had problems. Each country transposed it differently, with different criteria for deciding who was within scope. The result was a regulatory patchwork that left enormous gaps. NIS2 corrects this with three fundamental changes:

  • Much broader scope. More sectors, more types of entities, clear inclusion criteria based on size.
  • More specific obligations. It is no longer a case of "apply appropriate measures". NIS2 specifies which measures and which processes must exist.
  • Real penalties. Fines of up to 10 million euros or 2% of global turnover for essential entities. And direct liability for management.

Who is affected in Spain

NIS2 classifies entities into two categories:

Essential entities
  Sectors (Annex I, "sectors of high criticality"): energy, transport, banking, financial market infrastructure, healthcare, drinking water, wastewater, digital infrastructure, ICT service management (B2B), public administration, space.
  Size: large enterprises in an Annex I sector, i.e. those above the medium-enterprise ceilings of Recommendation 2003/361/EC (250 or more employees, or annual turnover above 50M EUR and balance sheet above 43M EUR). A few entity types are essential regardless of size (see below).

Important entities
  Sectors (Annex II, "other critical sectors"): postal and courier services, waste management, manufacturing (chemicals, food, medical devices, electronics, machinery, vehicles), digital providers (online marketplaces, search engines, social networks), research.
  Size: every other entity in an Annex I or Annex II sector that reaches the medium-enterprise threshold (50 or more employees, or turnover or balance sheet above 10M EUR). In practice this means medium-sized Annex I entities and medium or large Annex II entities.

If your company operates in any of these sectors and exceeds the size thresholds, you are in scope. Nobody will notify you: the obligation applies automatically based on the type of activity and size, and it is up to you to make that assessment. You will, however, have to submit your entity's details (name, address, contact details, sector and the Member States where you provide services) to the competent authority, which Article 3 requires to keep a list of essential and important entities.

Attention SMEs: Although the general criterion is 50+ employees or 10M+ turnover, there are exceptions. Some entities are included regardless of their size: DNS service providers, TLD domain registries, trust service providers and public electronic communications network providers. If your company provides any of these services, NIS2 applies to you even if you have 5 employees.

Main obligations

NIS2 structures obligations into three fundamental blocks: governance, risk management and incident reporting.

1. Governance (Article 20)

Management bodies must:

  • Approve cybersecurity risk management measures.
  • Oversee their implementation.
  • Receive specific training in cybersecurity. It is not enough to delegate to the IT department.
  • Be liable for infringements. Article 20 requires Member States to ensure that management bodies can be held liable for breaches of the Article 21 risk management obligations.

This is a paradigm shift. Until now, cybersecurity was "an IT thing". With NIS2, it is the responsibility of the board of directors.

2. Cybersecurity risk management (Article 21)

Entities must implement technical, operational and organisational measures to manage security risks. Article 21 is specific:

  • (a) Policies on risk analysis and information system security.
  • (b) Incident handling.
  • (c) Business continuity and crisis management, including backup management and disaster recovery.
  • (d) Supply chain security: assessment of suppliers and service providers with access to critical systems, including software, cloud and managed service providers.
  • (e) Security in the acquisition, development and maintenance of networks and information systems, including vulnerability handling and disclosure.
  • (f) Policies and procedures for assessing the effectiveness of the measures.
  • (g) Basic cyber-hygiene practices and cybersecurity training.
  • (h) Policies and procedures on the use of cryptography and, where appropriate, encryption.
  • (i) Human resources security, access control policies and asset management.
  • (j) Multi-factor or continuous authentication, secured voice, video and text communications and secured emergency communication systems, where appropriate.

This is not a wish list. These are requirements that must be documented, implemented and auditable.

3. Incident reporting (Article 23)

When a significant incident occurs, the entity must:

  • 24 hours: early warning to the CSIRT or competent authority, counted from the moment the entity becomes aware of the significant incident. It states whether the incident is suspected to be caused by unlawful or malicious acts and whether it could have a cross-border impact.
  • 72 hours from becoming aware: incident notification, which updates the early warning with an initial assessment of severity and impact and, where available, indicators of compromise. Trust service providers have only 24 hours for this step.
  • 1 month after submitting the incident notification (not after detection): final report with a detailed description of the incident, the type of threat or root cause, the mitigation measures applied and still in progress, and any cross-border impact. If the incident is still ongoing at that point, a progress report is submitted instead and the final report follows within one month of the incident being handled. The CSIRT can also request an intermediate status update at any time.

An incident is considered "significant" if it causes or may cause serious operational disruption or financial losses for the entity, or if it affects or may affect other natural or legal persons by causing considerable material or immaterial damage.
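The three clocks above are easy to get wrong in practice: the first two run from the moment of awareness, the third runs from when the notification was actually sent, and none of them pause for weekends. The following Python helper, added here as an example and not taken from the article or from any official tool, derives the deadlines from timezone-aware timestamps, applies the 24-hour derogation for trust service providers, clamps the one-month deadline to the end of short months, and reports which stages are overdue. The function and stage names are my own; a national transposition may add details (for instance a specific reporting platform) that this does not model.

```python
"""Compute NIS2 Article 23 reporting deadlines from the moment an entity becomes
aware of a significant incident, and flag which stages are already overdue.

Added example code, not from the original article or any official tool. Stage
durations follow Article 23(4) of Directive (EU) 2022/2555: 24 h early warning
and 72 h incident notification from awareness (24 h for trust service
providers), and the final report one month after the incident notification is
submitted. Function and stage names are this example's own assumptions.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

EARLY_WARNING_WINDOW = timedelta(hours=24)
NOTIFICATION_WINDOW = timedelta(hours=72)
NOTIFICATION_WINDOW_TSP = timedelta(hours=24)  # derogation for trust service providers


def add_one_month(moment: datetime) -> datetime:
    """Same wall-clock time one calendar month later, clamped to the last day of
    the target month (31 January -> 28/29 February), so the final-report deadline
    never silently rolls into the following month."""
    year = moment.year + (1 if moment.month == 12 else 0)
    month = 1 if moment.month == 12 else moment.month + 1
    last_day = calendar.monthrange(year, month)[1]
    return moment.replace(year=year, month=month, day=min(moment.day, last_day))


@dataclass(frozen=True)
class ReportingDeadlines:
    early_warning: datetime
    notification: datetime
    final_report: datetime | None  # unknown until the notification is submitted


def deadlines(aware_at: datetime,
              notification_submitted_at: datetime | None = None,
              trust_service_provider: bool = False) -> ReportingDeadlines:
    """Derive the three Article 23 deadlines. Inputs must be timezone-aware: a
    24 h window measured in the wrong zone is exactly the kind of error that
    turns into a missed deadline, so naive timestamps are rejected."""
    for name, value in (("aware_at", aware_at),
                        ("notification_submitted_at", notification_submitted_at)):
        if value is not None and value.tzinfo is None:
            raise ValueError(f"{name} must be timezone-aware")
    window = NOTIFICATION_WINDOW_TSP if trust_service_provider else NOTIFICATION_WINDOW
    final = None
    if notification_submitted_at is not None:
        if notification_submitted_at < aware_at:
            raise ValueError("notification cannot precede awareness")
        final = add_one_month(notification_submitted_at)  # clock starts at submission
    return ReportingDeadlines(
        early_warning=aware_at + EARLY_WARNING_WINDOW,
        notification=aware_at + window,
        final_report=final,
    )


def overdue_stages(d: ReportingDeadlines, now: datetime,
                   submitted: frozenset[str] = frozenset()) -> list[str]:
    """Names of stages whose deadline has passed and that have not been sent
    yet; `submitted` holds the stage names already delivered to the CSIRT."""
    stages = {"early_warning": d.early_warning, "notification": d.notification}
    if d.final_report is not None:
        stages["final_report"] = d.final_report
    return [name for name, due in stages.items()
            if name not in submitted and now > due]


if __name__ == "__main__":
    # Constructed scenario: awareness on a Friday evening; the 72 h clock does
    # not pause for the weekend, so the notification is due Monday evening.
    aware = datetime(2026, 1, 30, 18, 30, tzinfo=timezone.utc)
    sent = datetime(2026, 1, 31, 9, 0, tzinfo=timezone.utc)
    d = deadlines(aware, notification_submitted_at=sent)
    print("early warning due :", d.early_warning.isoformat())
    print("notification due  :", d.notification.isoformat())
    print("final report due  :", d.final_report.isoformat())
    now = datetime(2026, 2, 3, 0, 0, tzinfo=timezone.utc)
    print("overdue now       :", overdue_stages(d, now, frozenset({"early_warning", "notification"})))
```

Run it as a script to see the three dates for the constructed Friday-evening scenario; in a real playbook, `deadlines()` would be called the moment an incident is classified as significant, and `overdue_stages()` wired into whatever ticketing or paging system the response team already watches.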

Timeline and transposition in Spain

The timeline has been bumpy:

  1. 16 January 2023: NIS2 enters into force at European level.
  2. 17 October 2024: deadline for national transposition. Spain misses it.
  3. January 2025: the Council of Ministers approves the Preliminary Draft Law on Cybersecurity Coordination and Governance.
  4. 2026 (expected): entry into force of the national law transposing NIS2. Compliance deadlines will start running from that date.

Do not wait for the law. The fact that Spain is behind schedule does not protect you. The European Commission has already opened infringement proceedings against Member States that have not transposed on time. And when the law is published, adaptation deadlines will be short. Companies that already have Article 21 measures in place will have a head start. Those that do not will have to rush.

Penalties: up to 10 million euros

NIS2 introduces a serious penalty regime:

  • Essential entities: up to 10 million EUR or 2% of total worldwide annual turnover, whichever is higher.
  • Important entities: up to 7 million EUR or 1.4% of total worldwide annual turnover, whichever is higher.

These figures are the floor that Article 34 sets for the national maximum ("a maximum of at least"), so the Spanish law may set higher ceilings, not lower ones.

But financial penalties are not the only consequence. NIS2 also provides for:

  • Temporary suspension of the entity's certifications or authorisations (Article 32, for essential entities).
  • Temporary ban on the CEO or legal representative exercising managerial functions (Article 32, for essential entities) until the infringement is remedied.
  • Mandatory security audits ordered by the competent authority.
  • Publication of non-compliance. The authority can make infringements public, with the reputational damage that entails.

Management liability is new and significant. Executives cannot simply delegate cybersecurity and forget about it. They must approve the measures, oversee them and, if they fail to do so, they can be personally sanctioned.

Differences between NIS1 and NIS2

  • Scope: ~15,000 entities in the EU under NIS1; ~160,000+ under NIS2.
  • Sectors: 7 sectors under NIS1; 18 under NIS2 (11 high-criticality sectors in Annex I plus 7 other critical sectors in Annex II).
  • Inclusion criteria: designation by each Member State under NIS1; automatic by size and sector under NIS2.
  • Security measures: generic ("appropriate measures") under NIS1; 10 specific mandatory measures under NIS2.
  • Supply chain: not regulated under NIS1; mandatory supplier assessment under NIS2.
  • Incident reporting: "without undue delay" under NIS1; 24h early warning, 72h notification and final report one month later under NIS2.
  • Penalties: decided by each Member State under NIS1; up to 10M EUR / 2% turnover under NIS2.
  • Management liability: none under NIS1; personal and direct under NIS2.

How to prepare your business

You do not need to wait for the national law to be published. The obligations are clear in the European directive. Here is what you can do now:

1. Determine whether you are within scope

Review Annexes I and II of the directive. Cross-reference your company's sector with the size criteria (50+ employees or 10M+ turnover), and check the list of entity types covered regardless of size. If you fall within scope, keep reading. If in doubt, consult a specialist.

2. Conduct a gap analysis

Compare the 10 measures in Article 21 with what you already have in place. Identify where you are strong and where you have gaps. If you already hold ISO 27001 or ENS certification, many measures will already be covered, but not all.

3. Assess your supply chain

Identify critical suppliers with access to your systems or data. Evaluate their cybersecurity posture. Establish minimum contractual requirements. This is new compared to NIS1 and many companies have not yet addressed it.

4. Implement an incident response plan

You need a documented and tested process to detect, classify, report and respond to incidents within the NIS2 deadlines (24h early warning, 72h notification, final report one month after the notification). Decide in advance who classifies an incident as significant, who signs off each report and how you reach the CSIRT out of hours. Include regular drills.

5. Train your leadership team

NIS2 requires management to receive cybersecurity training and oversee the measures. It is not enough for the CISO to know what is happening. Executives must understand the risks and formally approve the measures.

6. Conduct a cybersecurity audit

An external pentest and a security audit will give you a real picture of your cybersecurity posture. Better to discover vulnerabilities yourself than to have an attacker or an inspector find them.

NIS2 and ISO 27001: how they complement each other

If your company already holds ISO 27001 certification, you are in a strong position. There is significant overlap between the controls of ISO 27001:2022 and the measures in Article 21 of NIS2. But it is not a complete equivalence.

What ISO 27001 already covers:

  • Risk analysis and information security management system (ISMS).
  • Incident management.
  • Business continuity.
  • Access control and asset management.
  • Cryptography.
  • Human resources security.

What NIS2 adds and may require adjustments:

  • Supply chain security with formal supplier assessment, more specific than the supplier controls in ISO 27001:2022 Annex A (5.19 to 5.23, the former A.15 of the 2013 edition).
  • Strict notification deadlines (24h/72h/1 month) that require pre-established processes and contacts with the national CSIRT.
  • Management liability with mandatory training for executives.
  • Multi-factor or continuous authentication and secured communications, where appropriate, as an explicitly named measure rather than a control you may choose to leave out of your Statement of Applicability.

At Delbion we work with companies that already hold ISO 27001 to conduct the specific gap analysis against NIS2 and close the gaps. We also help those starting from scratch to implement an ISMS that covers both standards at once.

Competitive advantage: Companies that already comply with NIS2 before the law comes into force will be able to demonstrate it to clients and partners. In regulated sectors such as healthcare, banking or industry, this becomes a commercial differentiator. "We comply with NIS2" will be the new "we comply with GDPR".

Cybersecurity audit: do you know if your company complies with NIS2?

We conduct a gap analysis against the 10 measures in Article 21 of NIS2 and deliver a report with your compliance level, critical gaps and a prioritised action plan. If you already hold ISO 27001, we can perform the specific gap analysis.

