Cybersecurity has moved well beyond the IT department and become a board-level responsibility — one that carries penalties of up to €10 million or 2% of global turnover. That shift has a name: the NIS2 Directive, the new European regulation that obliges thousands of organisations in strategic sectors to raise their cybersecurity standards. Although Spain has not yet completed its transposition, NIS2 already operates as a de facto reference framework. This guide explains what it is, who it applies to, what it requires, and how to prepare.
What Is the NIS2 Directive?
The NIS2 Directive is Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022, on measures for a high common level of cybersecurity across the European Union. It replaces and significantly expands the original NIS Directive of 2016, extending its scope to many more sectors, tightening requirements, and introducing far stricter enforcement mechanisms and sanctions.
Its goal is to harmonise the cybersecurity of critical infrastructure and essential services across the EU, reducing fragmentation between Member States. In practice, NIS2 moves cybersecurity from the IT department to the boardroom: senior management becomes formally responsible for approving and overseeing security measures, with personal consequences for non-compliance.
Which Businesses Does NIS2 Apply To? Essential and Important Entities
NIS2 applies to entities in 18 strategic sectors, divided into two annexes, that meet or exceed the medium-sized enterprise threshold: at least 50 employees or €10 million in annual turnover. There are exceptions under which certain SMEs in particularly critical sectors are also covered regardless of size.
The Directive classifies covered organisations into two categories:
| Category | Sectors | Supervisory approach |
|---|---|---|
| Essential Entities (EE) | 11 sectors in Annex I (energy, transport, banking, health, water, digital infrastructure, public administration…) | More stringent: proactive supervision |
| Important Entities (IE) | 7 sectors in Annex II (postal services, waste management, manufacturing, food, digital providers…) | Reactive supervision, triggered by indications of non-compliance |
The practical difference matters: essential entities are subject to stricter, proactive compliance monitoring, while important entities are primarily supervised when there are signs of a breach. A critical point that many businesses overlook: even if your organisation is not directly listed in one of these sectors, you may still be bound in practice if you form part of the supply chain of an entity that is.
Key Obligations: Risk Management and Incident Notification
NIS2 is built around two main blocks of obligations. The first is cybersecurity risk management: entities must carry out periodic, documented risk assessments and implement proportionate technical and organisational measures. These include, among others, security policies, incident management, business continuity, supply-chain security, encryption, and access controls.
The second block is the notification of significant incidents to the competent authority — in Spain, through INCIBE-CERT — within staggered deadlines:
| Deadline | What must be reported |
|---|---|
| 24 hours (early warning) | Minimum initial alert: whether the incident is suspected to be malicious and whether it may have cross-border impact |
| 72 hours (notification) | Preliminary analysis: probable cause, confirmed scope, compromised data, and corrective actions under way |
| 1 month (final report) | Full forensic analysis, root cause, measures implemented, and lessons learned |
A third cross-cutting obligation is supply-chain security, which requires organisations to assess and demand cybersecurity guarantees from their suppliers and contractors.
Penalties and Management Accountability
This is where NIS2 marks a clear departure from previous regulations. Financial sanctions are substantial and scale according to entity type:
- Essential entities: up to €10 million or 2% of total global annual turnover, whichever is higher.
- Important entities: up to €7 million or 1.4% of global turnover, whichever is higher.
But fines are not the only consequence. Authorities may temporarily suspend certifications or authorisations, ban individuals responsible for the breach from exercising management functions (disqualification), publish the sanction by name — with the resulting reputational damage — and impose daily coercive fines until compliance is achieved.
The defining change NIS2 introduces is personal management liability: delegating cybersecurity to the technical team is no longer sufficient. The board must approve the measures, oversee them, and receive training on the subject, because it is accountable for them.
It is also worth looking beyond the fine itself. The real cost of non-compliance — or of a poorly managed incident — rarely stops at the financial penalty: it includes operational disruption, the loss of contracts with clients who require security guarantees, the reputational damage of a publicly named sanction, and, increasingly, difficulty obtaining cyber-risk insurance on reasonable terms. Seen in this light, investing in NIS2 compliance is not a regulatory expense but a way to protect business continuity and reputation. Organisations that treat it as a genuine resilience improvement — rather than a box to tick — are the ones that see a real return on the effort.
NIS2 in Spain: Transposition Status in 2026
Precision matters here, because there is considerable confusion on this point. The deadline for transposing NIS2 into national law was 17 October 2024, and Spain missed it. The European Commission opened infringement proceedings, and in 2025 referred the case to the Court of Justice of the EU, alongside other Member States that were similarly delayed.
As of 2026, transposition is partial and ongoing: Spain has advanced through Real Decreto-ley 7/2025, and the Draft Law on Cybersecurity Coordination and Governance is before Parliament, having been approved by the Council of Ministers in January 2025 but still pending parliamentary debate. This draft creates a National Cybersecurity Centre (CNC) as the directing and coordinating body for national policy and the single point of contact with the EU and ENISA.
The practical conclusion for businesses is clear: although the national legal framework is not yet finalised, NIS2 already operates as a de facto reference standard. Regulators, critical infrastructure operators, and large industrial companies are making decisions based on its principles, and waiting for the definitive law before beginning to prepare is a miscalculation. Always verify the current status of the regulation, as the legislative timetable may change.
NIS2 versus the Original NIS Directive: What Changes
Understanding what NIS2 adds relative to its predecessor helps organisations gauge the effort required. The original NIS Directive of 2016 was the EU's first attempt to harmonise cybersecurity, but it fell short: it covered few sectors, left wide margins of interpretation to each Member State, and had very limited enforcement powers. NIS2 addresses those shortcomings on four fronts:
- Broader scope. It moves from a handful of operators of essential services to 18 sectors and thousands of entities, including medium-sized businesses that were previously excluded.
- More concrete requirements. It defines a minimum set of risk-management measures, rather than generic principles.
- Real penalties. It introduces fines comparable to those under the GDPR and, critically, personal liability for senior management.
- Supply chain. It requires organisations to account for the security of their suppliers — something almost entirely absent from the previous regulation.
In short, NIS2 converts recommendations into enforceable obligations, with tangible consequences for those who fail to comply.
How to Prepare for NIS2: A Step-by-Step Approach
Adapting to NIS2 is a structured project, not a last-minute sprint. A realistic roadmap follows these steps:
- Determine whether you are in scope. Analyse your sector, size, and position in the supply chain of obligated entities. Reasonable doubt is itself sufficient reason to start preparing, because the scope is broader than many businesses assume.
- Conduct a gap analysis. Compare your current measures against the Directive's requirements and identify the shortfalls.
- Implement proportionate technical and organisational measures: incident management, business continuity, access controls, encryption, and supplier security.
- Establish your incident notification process with the 24-hour and 72-hour deadlines, and assign clear ownership.
- Engage senior management. Train the board and define its role in approving and overseeing the measures, because accountability sits at the top.
At Technova Partners we help organisations navigate this journey with clarity, connecting compliance with a sustainable cybersecurity strategy. You can start with our enterprise cybersecurity guide and, if your organisation also uses AI, with the EU AI Act compliance guide — a complementary regulation that is increasingly relevant for the same organisations.
Frequently Asked Questions about the NIS2 Directive
Is my business required to comply with NIS2? It depends on your sector and size. NIS2 applies to entities across 18 strategic sectors that exceed the medium-sized enterprise threshold (50 employees or €10 million in annual turnover), with exceptions for SMEs in critical sectors. You may also be indirectly affected if you are a supplier to an obligated entity.
What happens while Spain has not yet completed transposition? Even though the national law is not finalised, the Directive already sets the standard and major operators are applying it in practice. Preparing now reduces the risk and cost of adapting under pressure once the regulation fully enters into force.
What is the deadline for notifying an incident? Three milestones: an early warning within 24 hours, a detailed notification within 72 hours, and a final report within one month of detecting the significant incident.
Who is responsible for compliance within the organisation? Senior management. NIS2 establishes that governing bodies must approve and oversee cybersecurity measures, and may be disqualified in the event of serious non-compliance. Cybersecurity is no longer solely the technical department's concern.
How does NIS2 relate to ISO 27001? They are complementary. ISO 27001 is an information security management standard that, when properly implemented, covers a large portion of the technical and organisational measures NIS2 requires. Having a management system based on ISO 27001 greatly facilitates demonstrating compliance with the Directive, although it does not automatically substitute for it.
Does NIS2 affect my business if I am only a supplier to an obligated entity? Yes, indirectly. NIS2 places significant emphasis on supply-chain security, so obligated entities pass cybersecurity requirements down to their suppliers through contracts. Even if your business is not directly in scope, it may end up having to meet equivalent requirements in order to retain its clients.
Conclusion
The NIS2 Directive redefines cybersecurity as a governance obligation with real consequences. In summary:
- It applies to 18 strategic sectors and to organisations exceeding the medium-sized enterprise threshold, as well as their supply chains.
- It imposes risk management and incident notification within 24 hours, 72 hours, and one month.
- Penalties reach €10 million or 2% of global turnover, with personal liability for senior management.
- In Spain, transposition is ongoing in 2026, but NIS2 already operates as a de facto reference: waiting is not an option.
The right time to start is not when the definitive law is published or when the first client demand arrives — it is before either happens. Robust cybersecurity is built with time, not under pressure. Want to find out whether your organisation is subject to NIS2 and build a realistic compliance plan? Talk to our team and we will help you turn a regulatory obligation into stronger cybersecurity and a competitive advantage.