NIS2 in Spain: Everything Your Company Needs to Know to Comply with the Cybersecurity Directive

NIS2 Directive affects approximately 40,000 entities in Spain and introduces personal liability for directors. Everything your company needs to know about NIS2 compliance.

The problem

The NIS2 Directive (EU Directive 2022/2555) represents the most significant overhaul of Europe's cybersecurity framework since 2016. It dramatically expands the scope of obligated entities — from a few hundred essential service operators under NIS1 to approximately 40,000 entities in Spain — and introduces an entirely new sanctions regime with fines of up to €10 million or 2% of global turnover for essential entities, and up to €7 million or 1.4% for important entities. What concerns legal and compliance officers most is the personal liability framework for management bodies. NIS2 establishes that directors and senior executives can incur personal liability if the entity has not implemented adequate cybersecurity risk management measures. This is not theoretical: European supervisory authorities have begun actively investigating compliance. In Spain, the transposition of NIS2 — which was due by October 17, 2024 — has been delayed, but many of the directive's obligations are directly applicable under EU law principles, and the national implementing legislation is expected in the first half of 2026. Many companies that will need to comply with NIS2 still do not know whether they are affected, what technical and organisational measures they must implement, or how to manage the new 24-hour incident notification requirement.

Our solution

BMC offers a comprehensive NIS2 compliance programme covering all dimensions of the directive: initial scope assessment, gap analysis against the required security measures standard, implementation roadmap, risk management policies and procedures, and ongoing compliance support and incident response. Our team combines lawyers specialised in technology regulatory compliance with cybersecurity experts who can assess both the legal and technical dimensions of NIS2 compliance. We act as Virtual CISO for entities that do not have their own Chief Information Security Officer, and advise management bodies on their personal responsibilities and how to document compliance with their supervisory obligations. We integrate NIS2 compliance with GDPR (particularly regarding security breach notification), with European cybersecurity certification schemes, and with ISO 27001 where the company already operates under that standard.

Process: how we do it

1. Scope assessment

We determine whether your company falls within the NIS2 perimeter as an essential or important entity, based on sector of activity, company size, and its relevance to critical infrastructure. We identify the specific subsectors under Annex I and II of the Directive that apply and the implications for the supervisory regime.

2. Gap analysis

We assess the technical and organisational cybersecurity risk management measures currently in place and compare them against Article 21 NIS2 requirements: security policies, incident management, business continuity, supply chain security, systems development security, vulnerability management, encryption, and multi-factor authentication.

3. Implementation and documentation

We develop and implement the policies, procedures, and technical controls needed to close the identified gaps: information security policy, incident notification procedures (early warning within 24 hours, incident notification within 72 hours, final report within one month), business continuity plan, risk assessments of key suppliers, and a training and awareness programme.

4. Monitoring and incident response

We provide ongoing compliance monitoring, support in notifying significant incidents to INCIBE-CERT or CCN-CERT depending on sector, legal assistance during supervisory authority inspections, and updates to the compliance programme following regulatory changes or new ENISA guidance.

Key figures:

€10M: maximum fine for essential entities (or 2% of global annual turnover)
40,000+: estimated affected entities in Spain
24 hours: deadline to notify significant incidents to the competent authority

Download our guide: 'NIS2 in 10 steps — From scope assessment to incident notification'

The NIS2 Directive: the biggest change in European cybersecurity since 2016

Directive (EU) 2022/2555, known as NIS2, replaces the original NIS Directive of 2016 and represents the most ambitious revision of the European cybersecurity framework to date. Its objective is to raise the common level of cybersecurity across the European Union, reduce divergences between member states, and significantly expand the scope of entities subject to security obligations.

The scale of change is considerable. The original NIS Directive affected a limited number of Operators of Essential Services and Digital Service Providers. NIS2 extends that scope to all sectors in Annex I and II of the Directive — including waste management, chemical production, food industry, and machinery manufacturing that were previously unregulated from a cybersecurity standpoint — and applies to companies above size thresholds, which translates to approximately 40,000 affected entities in Spain.

Essential entities vs. important entities: practical differences

NIS2 distinguishes two categories of affected entities with different levels of obligation and sanction:

Essential entities (Annex I): Energy (electricity, gas, oil, hydrogen), transport (air, rail, maritime, road), banking, financial market infrastructure, healthcare, drinking water and wastewater, digital infrastructure (IXPs, DNS, TLD registries, cloud computing, data centres, CDNs, trust service providers), and ICT service management. Essential entities are subject to ex ante supervision and sanctions of up to €10M or 2% of global turnover.

Important entities (Annex II): Postal and courier services, waste management, chemical manufacturing, food production, manufacturing (medical devices, electronics, machinery, motor vehicles), and digital service providers (online marketplaces, search engines, social networking platforms). Important entities are subject to ex post supervision and sanctions of up to €7M or 1.4% of global turnover.

The risk management measures NIS2 requires

Article 21 of NIS2 establishes the minimum measures that affected entities must adopt. These measures must be “appropriate and proportionate” to the entity’s level of risk, considering its size, the state of the art in technology, and sector-specific vulnerabilities:

Risk analysis and information system security policies: The entity must have formal cybersecurity risk management policies, approved by the management body.

Incident handling: Procedures to detect, analyse, contain, and communicate cybersecurity incidents, within the notification timeframes established in the directive.

Business continuity and crisis management: Continuity plans covering cyberattack scenarios, including system recovery and crisis procedures.

Supply chain security: Risk assessment of suppliers with access to critical systems and contractual security clauses.

Security in systems development, acquisition, and maintenance: Security practices in the software and systems lifecycle, including vulnerability management.

Policies to assess the effectiveness of measures: Regular evaluation and audit of implemented measures.

Basic cyber hygiene practices and training: Cybersecurity training for staff and management bodies.

Cryptography and encryption: Use of encryption for data in transit and at rest where necessary.

Multi-factor authentication and secure communications: MFA for critical systems and encrypted communications.

Our NIS2 compliance team helps companies implement these measures in a documented and auditable manner, establishing the evidence record that the supervisory authority may require during an inspection.

The management training dimension of NIS2

NIS2 introduces a people-management dimension that should not be underestimated. The directive requires management bodies to receive regular cybersecurity training sufficient to understand risks and supervise risk management decisions. The objective is not to turn executives into security technicians, but to ensure they can exercise their supervisory function with adequate knowledge.

For staff generally, the directive requires cybersecurity training and awareness programmes covering recognition of social engineering threats (phishing, vishing), secure use of systems and data, and internal incident reporting procedures.

BMC offers NIS2 training programmes for boards of directors and audit committees, tailored to participants’ level of technical knowledge and focused on the supervisory responsibilities the directive assigns to them.

NIS2 and Virtual CISO: when you do not need a full-time security director

Many NIS2-affected entities — particularly mid-sized companies — do not have a Chief Information Security Officer (CISO), nor do they need one full-time. For these companies, BMC’s Virtual CISO service provides the information security management function on an outsourced basis: security programme management, technology supplier oversight, liaison with the supervisory authority, and representation before the management body in periodic cybersecurity reviews.

In practice, the Virtual CISO owns the entity's NIS2 function, with the level of dedication and accountability that the company's size and complexity require, backed by BMC's legal team for regulatory and notification matters.

NIS2 and ISO 27001: building on existing frameworks

For companies already operating under ISO 27001, the path to NIS2 compliance is shorter but not automatic. The ISO 27001 framework provides a strong foundation — particularly its risk assessment methodology, information security policy structure, and controls catalogue — but there are NIS2-specific requirements that go beyond what ISO 27001 demands.

The most significant gaps for ISO 27001-certified companies typically relate to: the specific NIS2 incident notification timelines and procedures (which are more prescriptive than ISO 27001 requires), the supply chain security assessment obligations, the management body training and formal approval requirements, and the registration and self-identification obligations with the national competent authority.

BMC conducts NIS2-specific gap analyses for ISO 27001-certified companies, identifying the incremental steps needed to achieve NIS2 compliance while building on the existing management system.

Frequently asked questions

NIS2 distinguishes between essential entities (Annex I) and important entities (Annex II). Essential entities are companies in critical sectors: energy, transport, banking, financial market infrastructure, healthcare, water, digital infrastructure, and ICT service management. Important entities are companies in sectors including postal services, waste management, chemicals, food production, medical device manufacturing, machinery manufacturing, motor vehicle manufacturing, and digital service providers. In both cases, size thresholds matter: the directive generally applies to medium (50+ employees or €10M turnover) and large companies. Micro and small enterprises are excluded except in specific cases for particularly critical sectors.

The NIS2 Directive was due to be transposed into Spanish law by 17 October 2024. Spain, like several other member states, did not meet that deadline. The National Cybersecurity Law bill, which would incorporate NIS2, is expected in the first half of 2026. However, many of the directive's obligations are already directly applicable under EU direct effect principles, and Spanish authorities (INCIBE, CCN) have issued guidance on measures that affected entities should implement. The delay does not exempt companies from complying with the substantive obligations.

For essential entities, maximum penalties are €10 million or 2% of total global annual turnover (whichever is higher). For important entities, the maximum is €7 million or 1.4% of total global annual turnover. In addition to financial penalties, the directive provides for temporary suspension of an entity's operating authorisation and temporary prohibition of natural persons exercising management functions. Member states may establish additional penalties in their national transposition legislation.

This is one of NIS2's most significant innovations. The directive imposes obligations on management bodies to: (1) approve cybersecurity risk management measures; (2) oversee their implementation; and (3) bear personal responsibility for violations. Member states must ensure that members of management bodies can be held liable for their entity's non-compliance. The directive also provides for competent authorities issuing public statements and imposing temporary bans from management roles on responsible individuals. For executives, this means cybersecurity can no longer be fully delegated to the IT department: it is a corporate governance responsibility.

NIS2 establishes a three-stage incident notification system: (1) early warning within 24 hours of becoming aware of a significant incident, indicating whether it is suspected to be intentional or has cross-border impact; (2) incident notification within 72 hours with an initial assessment of the incident, its severity and impact, and available indicators of compromise; and (3) final report within one month with a detailed description of the incident, threat type, root cause, measures taken, and, for cross-border incidents, impact on other member states. An incident is 'significant' if it causes severe operational disruption, material financial losses to the entity, or material or non-material damage to other persons.

ISO 27001 and NIS2 are complementary but not equivalent. Having ISO 27001 certification is a positive indicator of information security maturity and can significantly simplify NIS2 compliance, as many ISO 27001 controls address NIS2 requirements. However, ISO 27001 certification does not automatically guarantee NIS2 compliance because: (1) NIS2 has specific requirements on incident notification, supply chain security, and management training that go beyond the ISO standard; and (2) the scope of the ISMS may not cover all systems within NIS2 scope. We recommend a NIS2-specific gap analysis even for companies already certified under ISO 27001.

When a cyber incident also constitutes a personal data breach, the company must simultaneously comply with the notification obligations under NIS2 (to the cybersecurity authority: INCIBE-CERT or CCN-CERT) and GDPR (to the data protection authority: AEPD in Spain). Both regulations have 72-hour windows for the primary notification, but the recipients, required content, and consequences differ. NIS2 can also be triggered without personal data being affected (for example, a denial of service attack). BMC manages coordination of both notification obligations to ensure they are fulfilled correctly and consistently when an incident triggers both frameworks simultaneously.

NIS2 introduces explicit obligations on supply chain security for the first time: affected entities must assess cybersecurity risks from their suppliers and service providers, particularly those with access to their systems or data, and must include contractual clauses ensuring adequate security standards throughout the supply chain. This creates a cascade effect: a company that supplies a NIS2 entity will receive security requirements from its customer, even if it is not directly within NIS2 scope itself. The European Commission and ENISA have published specific guidance on supplier risk assessment.

Take the first step

Request a no-obligation consultation and discover what we can do for your business.