Complete guide to the NIS2 Directive: everything companies need to know to comply with the new European cybersecurity regulations.

Last update: 28/04/2025
Author: Isaac
  • The NIS2 Directive expands the sectors and companies required to comply with cybersecurity requirements in the EU.
  • It establishes strict measures, new management responsibilities and severe penalties for non-compliance.
  • It requires rapid incident reporting, proactive risk management, and regular digital security training.

NIS2 European Cybersecurity Directive

Digital security has become a top priority for organizations operating in the European Union. The acceleration of digitalization and the exponential increase in cyberattacks have made evident the need for common, robust regulation capable of protecting the economy, essential services, and citizens' privacy. In this context, the NIS2 Directive takes a step forward, expanding its requirements and tightening everything related to cybersecurity, with an unprecedented reach in Europe.

Whether you are part of a company's management, work in the public sector, or are responsible for IT, it is essential to have a thorough understanding of how NIS2 affects you. This article comprehensively covers the key aspects of the directive: who it applies to, its technical and operational requirements, key dates, incident reporting procedures, impact on the supply chain, new management responsibilities, sanctions, the imminent legislative transposition in Spain, and practical resources to prepare and avoid risks. If you want to avoid multi-million fines, safeguard your business continuity, and place yourself at the forefront of European digital security, read on.

What is the NIS2 Directive and why is it essential for Europe?

NIS2, which stands for Network and Information Systems Directive 2, is the evolution and extension of the first European cybersecurity legislation (the NIS Directive of 2016), designed to respond to a much more complex and exposed digital environment. The new directive was published in the Official Journal of the European Union at the end of 2022 and formally entered into force on January 16, 2023. It requires Member States to transpose it into their national legislation by October 17, 2024, and to apply it from October 18, 2024, although the deadlines have been extended in some countries.

The objective of NIS2 is to ensure a common, high level of security in networks and information systems throughout the European Union, laying the foundation for the digital economy, and society's basic services, to remain protected against increasingly sophisticated and aggressive threats.

Among its main new features are:

  • Significant expansion of regulated sectors and the number of obligated entities.
  • Much stricter requirements for risk management and incident reporting.
  • A homogeneous and severe system of supervision and sanctions at European level.
  • New specific obligations for the supply chain, suppliers and subcontractors.
  • A strengthened role and direct responsibility of the governing bodies of the entities.

Scope: Who is required to comply with NIS2?

NIS2 directly and obligatorily affects public and private entities in the so-called "critical sectors" and "high criticality sectors" listed in Annexes I and II of the directive. The biggest difference from the original NIS is that the list of sectors and types of organizations has multiplied, and the criterion is no longer just activity, but also size and strategic importance.

In general terms, they must comply with NIS2:

  • All medium and large companies (more than 50 employees or annual turnover exceeding 10 million euros) operating in these sectors.
  • In specific cases, small and micro-enterprises may also be eligible if their function is critical to the country or they are the sole provider of an essential service.

The legal text distinguishes between:

  • Essential entities: Those belonging to highly critical sectors, qualified trust service providers, top-level domain name registries, DNS providers, medium-sized companies providing public electronic communications networks, certain public entities and those that each State considers strategic.
  • Important entities: The rest of the entities in critical sectors that do not meet the above criteria.

The affected sectors are divided into two large groups:

High criticality sectors (Annex I):

  • Energy (electricity, gas, crude oil, hydrogen, district heating and cooling systems)
  • Transport (air, rail, sea and river, road)
  • Banking and financial market infrastructure
  • Health
  • Drinking water and wastewater
  • Digital infrastructure (data centers, cloud, internet exchange points, DNS, etc.)
  • ICT service management
  • Public administrations (central and regional)
  • Space

Other critical sectors (annex II):

  • Postal and courier services
  • Waste management
  • Chemical industry
  • Production, processing and distribution of food
  • Manufacturing (including IT, optics, electrical equipment, machinery, transportation, etc.)
  • Digital service providers (online marketplaces, search engines, social media platforms)
  • Research

Excluded, with a few exceptions, are the areas of defense, national security, police, judiciary, parliaments and central banks.

Remember: the simple absence of your company from the list does not exempt you from complying if you offer key services for the functioning of the country. Member States may expand the list of obliged entities based on national criticality criteria.

Key principles and developments of the NIS2 Directive

The NIS2 Directive represents a radical change in cybersecurity management, as it not only extends protection to more sectors but also tightens requirements and oversight. Some of its main novelties are:

  • Scope extension: It no longer only applies to providers of traditional essential services or critical infrastructure; it covers many more sectors and types of entities.
  • Size-cap rule: Most obligations affect medium-sized and large companies, but there are exceptions for small entities if their function is key.
  • Review of the concept of criticality: Differentiates between "essential" and "important" entities, imposing a more severe supervisory and sanctioning regime on the former.
  • European harmonization: It reduces variability between countries and facilitates cooperation and joint response to cross-border or large-scale incidents.

Key Obligations: What does NIS2 require of businesses and entities?

The obligations of NIS2 are numerous and are articulated around two major axes: proactive management of cybersecurity risks and rapid notification of significant incidents. In addition, internal governance and relationships with suppliers, customers, and authorities are strengthened.

1. Cybersecurity risk assessment and management

All obliged entities must identify, analyze and treat risks that threaten the availability, confidentiality, integrity and authenticity of their digital systems and services.

Minimum measures include:

  • Security policies and risk analysis: Asset inventory, identification of threats, vulnerabilities and potential impacts.
  • Incident management: Response plans, specialized teams and monitoring systems.
  • Business continuity and crisis management: Backups, periodic restoration testing, backup plans, and disaster resilience management.
  • Supply chain security: Require and verify that suppliers and partners meet standards, and put this in writing in contracts.
  • Security in development, acquisition and maintenance of systems: Encryption, access control, regular updating and patching.
  • Periodic evaluation of the effectiveness of the measures: Periodic audits and reviews (internal or external) to verify compliance.
  • Periodic training in cybersecurity and cyber hygiene for all employees and especially management.
  • Encryption and information protection policies.
  • Access control, multi-factor authentication, and asset management.

2. Incident notification: deadlines and procedures

Rapid notification to authorities is one of the main pillars of NIS2. Entities must inform the CSIRTs (incident response teams) or national competent authorities of any significant incident that causes or may cause serious operational interruptions, significant economic damage or affects third parties.

The deadlines are extremely strict:

  • Early warning: Within the first 24 hours after becoming aware of the incident.
  • Full notification: Within a maximum of 72 hours, updating the information on severity, impact, and measures taken (for trust service providers, 24 hours).
  • Final report: Within one month, with all relevant details, causes, measures and repercussions.

It must also be remembered that there is an obligation to inform affected users or customers when the incident may seriously impact them, offering guidelines for action and measures for their protection.

3. Governance, training and managerial responsibility

NIS2 focuses on senior management involvement. Management teams must approve security measures and actively oversee their implementation. They must also receive regular training and education (and the same applies to employees).

The directive expressly provides that, in the event of gross negligence or lack of supervision, senior managers may be disciplined, including temporary disqualification from holding office in essential entities.

4. Supply chain management and security in supplier agreements

Supply chain incidents have been one of the most serious vectors of recent cyberattacks in Europe. For this reason, NIS2 requires entities to assess and monitor the security of their direct suppliers and subcontractors, incorporating cybersecurity clauses and requirements into contracts, conducting audits, assessing the overall resilience of products and services, and monitoring known vulnerabilities in third-party components.

5. International collaboration and cooperation

The exchange of relevant information on threats, incidents, vulnerabilities, and best practices is mandatory, both nationally and through European mechanisms (Cooperation Group, CSIRT network, and EU-CyCLONe for large-scale crisis management).

6. Audits, inspections and supervision regime

The directive differentiates between two supervisory systems:

  • For essential entities: Periodic audits, on-site or remote inspections, continuous supervision by national agencies, and a sanctions regime applied both a priori and a posteriori.
  • For important entities: Reactive supervision only, i.e., only after indications or evidence of non-compliance.

Authorities may require documentation, audit results, access to systems and data, or even public disclosure of serious violations.

7. Other relevant obligations

  • Mandatory registration of entities, basic information and periodic updates to the competent authorities.
  • Collaboration with European organizations, inclusion in the ENISA database of key European entities.
  • Sectoral single-entry mechanisms for incident reporting and management.
  • Data protection requirements always under the General Data Protection Regulation (GDPR).

Key dates and implementation schedule of the NIS2 Directive

The implementation and compliance schedule is one of the most sensitive aspects of NIS2. These are the critical dates:

  • January 16, 2023: Official entry into force of the directive.
  • October 17, 2024: Deadline for countries to adopt and publish national legislation transposing NIS2.
  • October 18, 2024: Application in all Member States; entities must be prepared.
  • January 17, 2025: Deadline for notifying the sanctions regime applicable in each country.
  • April 17, 2025: Deadline for drawing up and communicating to Brussels the list of essential and important entities at the national level.

The remaining milestones, such as the development of national cybersecurity strategies or the publication of implementing acts (specific technical requirements), have dates that are periodically published on official European and national portals.

Transposition in Spain: Cybersecurity Coordination and Governance Law

Spain has approved the Draft Law on Cybersecurity Coordination and Governance to adapt its legal framework to NIS2. Although the final text may be subject to adjustments, key aspects include:

  • Wide scope of application: Includes public and private organizations based or operating in Spain, in all critical and highly critical sectors, according to the directive's annexes.
  • Detailed risk analysis and protection obligations of networks, systems and services, including the evaluation of suppliers and partners with access to critical data.
  • Obligation to report relevant incidents and serious threats both to authorities and to affected users or clients.
  • Creation of the position of information security officer in each entity, responsible for designing, supervising and ensuring regulatory compliance, centralizing management.
  • Establishment of the National Cybersecurity Center as the main coordinator at the state level and channel of dialogue with the EU.
  • Assignment of control and supervision powers to several ministries: Interior (Cybersecurity Coordination Office), Defense (CCN), Digital Transformation, together with sectoral authorities.
  • Specialized incident management teams, vulnerability detection, support to affected entities and issuance of early warnings.
  • Urgent processing and priority parliamentary coordination to accelerate the entry into force of the law before the deadlines regulated by the EU.

Classification of entities: “essential” and “important”

NIS2 establishes two distinct categories of entities:

  • Essential entities: Large companies in highly critical sectors, qualified trust service providers and DNS providers, medium-sized companies in certain subsectors, critical entities according to national legislation, and those designated by the State (such as former NIS1 operators of essential services).
  • Important entities: All others included in critical sectors that do not meet the essential criteria.

This distinction affects the intensity of supervision, the severity of sanctions, and the type of documentary requirements.

Incident reporting and crisis management obligations

Companies and organizations should be very clear about the concepts of "significant incident," "near miss," and "significant cyber threat":

  • Significant Incident: Any event that causes serious interruptions in services, significant economic losses, or causes significant harm to individuals or legal entities.
  • Significant cyber threat: A technical threat that, due to its magnitude, can cause significant damage or disruption.
  • Near miss: An event that could have caused an incident, but which did not materialize thanks to preventive measures.

In all these cases, notification should preferably be made by electronic means, through the specific national entry point, and following this procedure:

  • Initial early warning (24 hours).
  • Full notification (72 hours, with exceptions).
  • Final report (1 month after the incident is closed).

Failure to notify in a timely manner may be considered a serious and punishable offense.

Technical, operational and organizational measures required

NIS2 includes a minimum list of measures that all entities must adopt, always taking into account the principle of proportionality and the cost of implementation:

  • Internal security policies and ongoing risk analysis.
  • Incident management and response: Including monitoring systems, response teams, CSIRT integration, and escalation protocols.
  • Business continuity plans, backup management, recovery testing and crisis plans.
  • Rigorous management of the supply chain and suppliers: Auditing, contractual requirements, monitoring product and service resilience, integrating third-party cybersecurity best practices.
  • Security in the lifecycle of systems and applications: Use of encryption, secure programming, patching and access control.
  • Periodic evaluation of the effectiveness of measures: Internal and external audits, document review and technical testing.
  • Internal training programs and regular awareness raising.
  • Clear policies on the use of cryptography and multi-factor authentication.
  • Asset management, inventory and information access control.

Sanctions and supervision regime

The sanctions provided for by NIS2 are especially severe for essential entities, with the aim of ensuring compliance and the effectiveness of the rule:

  • Essential entities: Fines of up to 10 million euros or 2% of global annual turnover (whichever is greater).
  • Important entities: Fines of up to 7 million euros or 1.4% of global annual turnover (whichever is greater).

Furthermore, sanctions may be public and involve the suspension of certifications, publication of the noncompliance, or even temporary disqualification from management positions in the most serious cases.

How to prepare for NIS2 compliance: practical steps

NIS2 compliance is essential. Companies should immediately begin a roadmap that includes:

  • Comprehensive inventory of IT infrastructure and digital assets.
  • Risk analysis and definition of cybersecurity policies aligned with ISO 27001, ENS and other internationally recognized frameworks.
  • Review and update of contracts and agreements with suppliers to ensure compliance in the supply chain.
  • Implementation of incident response plans and design of internal alert channels and fluid communication with the CSIRT.
  • Conducting periodic cybersecurity audits (internal and external).
  • Specific and ongoing training for managers and staff.
  • Establishment of monitoring and early warning mechanisms.
  • Formal designation of the information security officer.
  • Development of documented crisis notification and management protocols.