The NIS2 Directive has become one of the key pillars of the new European cybersecurity framework. Its goal is to raise the level of protection against cyberattacks in the most critical sectors of the European economy and in the supply chain that supports them.
In Spain, NIS2 is being transposed through the future Law on Coordination and Governance of Cybersecurity, which is still under parliamentary discussion and, at the time of writing this article, has not yet been published in the Official State Gazette (BOE). However, the message for companies is clear: compliance is coming and the requirements will be demanding.
In this article, we explain what NIS2 is, which companies it will affect in Spain, what its main obligations are and which practical steps you can start taking now so that your organisation is ready in time, with the support of a technology partner such as Inmove IT Solutions.
What is the NIS2 Directive and why it matters
To understand the impact of NIS2 on companies, it is worth starting with its origin and purpose. We are talking about a European directive, Directive (EU) 2022/2555, designed to ensure a common and high level of cybersecurity across all Member States and which replaces the previous NIS Directive from 2016.
NIS2 broadens the scope of the regulation, introduces more detailed risk management requirements and reinforces the role of national cybersecurity authorities. In practice, this means that many more organisations – and not just large critical operators – will have to adopt advanced measures for security, incident reporting and governance.
In addition, NIS2 is not limited to the main company. It extends responsibility to the supply chain and key providers, which means that even companies that are not critical by themselves may be affected by contractual requirements and audits arising from NIS2.
Status of NIS2 in Spain: from Directive to national law
European directives are not directly applicable: each country must transpose them into its own legal system. In the case of NIS2, Member States were required to do so by 17 October 2024.
In Spain, this transposition is being carried out through the future Law on Coordination and Governance of Cybersecurity, which foresees the creation of a National Cybersecurity Centre and a strengthened coordination framework between authorities, essential operators and important entities.
Different legal sources confirm that, as of today, the text has not yet been enacted or published in the BOE, although the parliamentary debate is advanced and European regulatory pressure is high. In other words: the law may come into force at any time and leave little room for reaction for organisations that have not prepared.
For this reason, many companies are already using the text of the NIS2 Directive as a reference to review their cybersecurity model and anticipate changes, instead of waiting for the BOE to mark the official starting line.
Which companies does NIS2 affect: sectors, size and supply chain
One of the biggest changes of NIS2 for companies is the expansion of its scope. We are no longer talking about a small group of critical operators: the directive introduces two categories – essential and important entities – that cover a much wider range of sectors.
In general terms, NIS2 will apply to:
- Medium and large companies (more than 50 employees or more than 10 million euros in annual turnover).
- Organisations in critical sectors such as energy, water, transport, healthcare, banking, digital infrastructure, public administration, managed IT service providers and others.
- Certain micro-enterprises when they provide essential services or play a key role in national security.
In addition, NIS2 places great emphasis on the supply chain. Regulated entities will have to assess and manage cybersecurity risks associated with their suppliers and business partners. This means that technology companies, integrators, cloud providers, communications providers or IT maintenance companies may face specific contractual requirements, security audits and minimum levels of maturity.
For many technology SMEs in Barcelona and its surroundings, this is not only a challenge, but also an opportunity to position themselves as trusted partners capable of complying with and helping others comply with NIS2.
Key NIS2 obligations for companies
Beyond sector classification, what really impacts day-to-day operations are the specific obligations that NIS2 introduces for companies. Broadly speaking, they can be grouped into four main blocks.
1. Governance and responsibility of the management body
Top management can no longer delegate cybersecurity exclusively to the IT department. NIS2 states that the management body is responsible for approving the cybersecurity risk management policy, overseeing its implementation and receiving specific training on these risks.
In cases of serious non-compliance, some Member States even foresee the possibility of personal liability for directors, including temporary disqualification from holding management positions. This radically changes the conversation in boards and executive committees: cybersecurity is no longer seen as a “technical cost” but as a strategic and legal risk.
2. Risk management and minimum technical measures
NIS2 requires the implementation of a structured cybersecurity risk management system, with measures that cover everything from technical protection to processes and training. Among others, the directive mentions areas such as:
- Information security policies and procedures.
- Incident management and response to cyberattacks.
- Business continuity and disaster recovery.
- Security in the supply chain and in relationships with providers.
- Use of encryption and access control.
- Staff training and awareness.
In practice, this translates into having solutions such as next-generation firewalls, advanced corporate antivirus, 24/7 monitoring, robust backups and network segmentation, among others. This is where services such as perimeter security services for companies or corporate cybersecurity and antivirus solutions from Inmove IT Solutions provide a solid technical foundation.
3. Incident notification: the 24–72–30 scheme
Another key component of NIS2 for companies is the new scheme for notifying significant incidents to the competent authorities or national CSIRTs. The directive defines a three-step sequence:
- 24 hours: early warning with basic information about the incident and its potential impact.
- 72 hours: more detailed notification, with an initial assessment of severity, impact and indicators of compromise.
- 1 month: final report with full description, root cause and mitigation measures implemented.
This requires clear processes for detection, classification and escalation, as well as a team or provider able to react quickly. Services such as 24/7 monitoring and incident response help meet these timelines without improvisation.
4. Penalties and consequences of non-compliance with NIS2
NIS2 introduces a tough sanctions regime designed to ensure that non-compliance is not a cheaper option than investing in cybersecurity. For essential entities, fines can reach up to 10 million euros or 2 % of global annual turnover; for important entities, up to 7 million euros or 1.4 % of that turnover. In both cases, whichever of the two figures is higher applies.
On top of that, there are non-monetary penalties: corrective orders, mandatory audits, possible activity restrictions and even, in some cases, personal liability for senior management. Beyond the financial impact, the reputational damage of a poorly managed incident can be much higher.
How to prepare your company for NIS2: 5 practical steps
For many organisations, the real question is not whether NIS2 will affect them, but how to be ready in time. Below is a practical roadmap that you can adapt to your context.
1. Initial assessment and gap analysis
The first step is to assess where you stand in relation to NIS2 requirements. This involves reviewing policies, processes, technical controls and response capabilities, identifying what you already comply with (for example, alignment with ISO 27001 or INCIBE best practices) and what still needs to be strengthened.
At this stage, a specialised partner can help you translate the legal language of the directive into concrete cybersecurity requirements for your company, prioritising actions based on risk and business impact.
2. Defining cybersecurity governance
NIS2 requires a clear model of roles and responsibilities. This means involving the board or general management, appointing clear cybersecurity leaders (CISO or equivalent role) and setting up committees or follow-up forums.
The key is to ensure that decisions on investment, project prioritisation and risk management are taken with an overall view of the organisation, not as isolated initiatives within the IT department.
3. Strengthening critical technical controls
Once the governance model is clear, it must be translated into concrete technical measures. Some typical pillars include:
- Network segmentation and advanced perimeter protection.
- Endpoint and server solutions with anti-malware and anti-ransomware capabilities.
- 24/7 security event monitoring and alerts.
- Identity and access management (MFA, least privilege).
- Tested backups and recovery plans.
At this point, services such as managed firewall and perimeter security solutions, corporate antivirus and antispam solutions or 24/7 monitoring of systems and networks offered by Inmove IT Solutions fit perfectly.
4. Managing the supply chain and IT providers
NIS2 extends responsibility to critical providers: cloud, communications, IT outsourcing, maintenance and others. It is essential to inventory them, assess their maturity level and reflect specific requirements in contracts, service level agreements (SLAs) and security clauses.
If your company acts as a technology provider, being prepared for NIS2 can become a strong commercial advantage with clients who must comply with the directive and are looking for partners aligned with their level of requirements.
5. Incident response, continuity and training plan
An NIS2 programme for companies is not complete without a detailed incident response and business continuity plan, including drills, playbooks and internal and external communication channels.
In parallel, staff training and awareness are among the most effective and cost-efficient controls for reducing phishing incidents, human error and misuse of systems.
At this point, it is useful to connect with existing initiatives such as the cybersecurity programmes to protect your company from cyberattacks or with content on disaster recovery and business continuity plans that help bring these concepts down to earth.
NIS2 as an opportunity to strengthen your cybersecurity
Although NIS2 may initially be perceived as just another regulatory burden, for many companies it will be the catalyst they needed to professionalise their cybersecurity approach and align technology, processes and people with European best practices.
Getting ahead of the BOE and starting to work on NIS2 now allows you to spread investments over time, avoid last-minute rush and negotiate more calmly with providers, clients and cyber-risk insurers.
At Inmove IT Solutions, we support companies along this journey, combining consultancy, managed services and technology solutions so that NIS2 is not just an obligation, but an opportunity to increase resilience, customer trust and competitive advantage.
Frequently asked questions about NIS2 for companies
Below we answer some of the most common questions raised by management teams and IT leaders when they start working with NIS2.
What is the NIS2 Directive in simple terms?
NIS2 is a European regulation that requires certain sectors and companies to strengthen their cybersecurity, manage risks in a systematic way and report serious incidents within very tight timelines (an early warning within 24 hours, a detailed notification within 72 hours and a final report within one month). Its goal is to reduce the impact of cyberattacks on services that are essential for citizens and the economy.
What types of companies does NIS2 affect in Spain?
Although the Spanish transposition law has not yet been published in the BOE, the European text establishes that it will mainly apply to medium and large companies in critical sectors (energy, water, transport, healthcare, digital, public administration, etc.), as well as to key providers in the supply chain and certain essential micro-enterprises.
What happens if my company does not comply with NIS2?
Non-compliance may result in very significant financial penalties (up to 10 million euros or 2 % of global turnover for essential entities, and 7 million or 1.4 % for important entities), as well as corrective orders, mandatory audits and potential liability for senior management.
How is NIS2 different from other regulations such as GDPR or DORA?
While GDPR focuses on the protection of personal data and DORA on the digital resilience of the financial sector, NIS2 is aimed at ensuring the continuity of essential services and the cybersecurity of networks and systems across multiple sectors. It is common for a single company to be subject to several frameworks at once, so it is important to harmonise controls to avoid duplication.
What first steps should my company take to get ready?
The most advisable steps are: carry out an initial assessment against NIS2, involve top management, strengthen critical technical controls, review the security of the supply chain and establish an incident response and continuity plan, supported by staff training. Working with a specialised partner makes it easier to prioritise actions and turn the directive into a manageable project.
For more official and technical information, you can consult the NIS2 FAQ from INCIBE, which explains the scope of the directive and its application to strategic sectors in Spain, or get in contact with us.