NIS2 Compliance: Act Before the Regulator Does
EU Network and Information Security Directive 2 compliance: scope assessment, control implementation, incident notification protocols, and board-level security governance.
Does this apply to your business?
Has your company formally assessed whether it qualifies as an essential or important entity under NIS2?
Does your organisation have a tested incident notification protocol capable of meeting the 24-hour early warning deadline?
Has your board formally approved your cybersecurity risk management measures and received the training NIS2 requires?
Have you audited the cybersecurity risks introduced by your critical technology suppliers into your supply chain?
Our NIS2 compliance implementation process
Scope assessment and classification
We determine whether your company is an essential or important entity under NIS2 criteria: sector of activity, size thresholds, and service criticality. We also assess supply chain exposure — organisations supplying essential entities may incur compliance obligations.
NIS2 gap analysis
We assess the current state of your cybersecurity controls against the Article 21 requirements: risk management, supply chain security, encryption, authentication, access control, business continuity, and incident management.
Compliance plan implementation
We implement required technical and organisational measures, draft the mandatory policies and procedures, and establish the governance framework with explicit board-level accountability as the directive requires.
Incident notification protocol
We design, document, and test the incident notification protocol for significant incidents: 24-hour early warning, 72-hour initial report, and one-month final report. We coordinate with the legal team on parallel GDPR notifications to the AEPD where personal data is affected.
The challenge
NIS2 dramatically expands the population of organisations required to meet strict cybersecurity obligations — thousands of Spanish companies that have never appeared on the regulatory radar will become essential or important entities. Fines reach EUR 10 million or 2% of global annual turnover. Board members face personal liability for governance failures. Spain's transposition is expected by June 2026, but the time to implement the required controls is now.
Our solution
We assess whether your organisation falls within NIS2's scope, implement the technical and organisational controls required by Article 21, establish the incident notification protocols the directive mandates (24-hour early warning, 72-hour initial report), and document compliance against the full NIS2 framework in preparation for inspection by the Spanish supervisory authority.
NIS2 — Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union — replaces the original NIS Directive and significantly expands the scope of mandatory cybersecurity obligations in the EU. It classifies organisations in 18 critical sectors as "essential entities" or "important entities" and requires them to implement risk management measures (Article 21), report significant incidents to national authorities within 24 hours (early warning) and 72 hours (formal report), and ensure their supply chains meet adequate security standards. In Spain, transposition into national law is expected by June 2026; competent supervisory authorities are INCIBE (Instituto Nacional de Ciberseguridad) for most private entities and CCN (Centro Criptológico Nacional) for public entities and their providers. Fines for essential entities reach EUR 10 million or 2% of global annual turnover.
Our NIS2 compliance team combines legal expertise in technology regulation with technical cybersecurity knowledge, allowing us to address both the legal scope assessment and the practical implementation of the controls the directive requires.
The Most Significant Cybersecurity Regulation in EU History
NIS2 is not an incremental update to the original NIS Directive. It is a fundamental rewrite that transforms cybersecurity from a technical concern into a board-level governance obligation — with personal liability for directors, fines comparable to GDPR, and a scope that reaches across 18 critical sectors and their supply chains. The Spanish transposition expected in June 2026 will bring these obligations into domestic law, but the prudent response is to begin implementation now rather than wait for the law to take formal effect.
Scope: Broader Than Most Companies Expect
The most common source of NIS2 surprises is scope. Companies that do not consider themselves operators of critical infrastructure in the traditional sense — logistics platforms, cloud service providers, food manufacturers, medical device companies — are captured by the directive’s expanded sector list. Supply chain exposure adds another layer: organisations supplying services to essential entities may be required by those entities to demonstrate NIS2-equivalent compliance as a condition of their contracts, well before any Spanish supervisory authority comes calling.
Our scope assessment is a formal legal and technical analysis, not a checklist exercise. It produces a documented conclusion that can be presented to the board, to customers, and to regulators.
Article 21: What Controls Are Actually Required
The gap analysis against Article 21’s requirements is typically where organisations discover the most work. Most have some form of cybersecurity controls, but NIS2’s requirements go substantially further: a formally documented and board-approved risk management framework, a supply chain security programme with contractual teeth, multi-factor authentication and encryption deployed across all critical systems, and — critically — a tested incident notification protocol that can actually deliver a 24-hour early warning to the supervisory authority, not just in theory.
For organisations simultaneously pursuing ISO 27001 certification, we structure the NIS2 compliance project to maximise overlap between the two frameworks, avoiding duplication of effort while ensuring that the specific NIS2 requirements not covered by the standard — board accountability documentation, incident notification timelines, supply chain clauses — are addressed in full.
The Incident Notification Requirement
NIS2’s incident notification obligations are operationally demanding. An early warning must reach the supervisory authority within 24 hours of detecting a significant incident — before full analysis, before root cause determination, and often before the incident is fully contained. The 72-hour initial report requires more substance, and the one-month final report requires a comprehensive account of impact, cause, and remediation.
For incidents affecting personal data, these timelines run in parallel with the GDPR’s 72-hour notification window to the AEPD. Our data protection and NIS2 teams coordinate these notifications jointly, ensuring that the information provided to different authorities is consistent and that neither deadline is missed in the urgency of the other.
NIS2 and DORA: Sector-Specific Overlap for Financial Entities
For financial institutions — banks, payment institutions, insurance companies, investment firms — the Digital Operational Resilience Act (DORA) applies alongside NIS2. DORA creates a harmonised framework for ICT risk management specifically in the financial sector, with requirements that overlap with NIS2 in certain areas but go substantially further in others: mandatory ICT risk management frameworks, contractual requirements for critical third-party ICT providers, digital operational resilience testing (including threat-led penetration testing for systemically important institutions), and an incident classification and reporting regime with tighter timelines than NIS2.
Where both regimes apply, we coordinate the DORA compliance and NIS2 programmes to avoid duplication while ensuring full coverage of both frameworks. The efficiency gains from integration are significant: a single ICT risk management framework, a unified incident notification protocol, and a consolidated third-party management programme serve both requirements.
Supply Chain Security: The NIS2 Obligation Most Companies Underestimate
Article 21(2)(d) of NIS2 requires affected entities to manage supply chain security — the security of supplier and service-provider relationships. This obligation is more operationally demanding than it appears: it requires organisations to assess the cybersecurity practices of all their critical suppliers, include security requirements in procurement contracts, and monitor supplier compliance on an ongoing basis.
For organisations that rely on cloud infrastructure, SaaS platforms, or outsourced IT services — which means virtually all organisations in scope — this creates a programme of third-party risk management that goes beyond the typical vendor assessment questionnaire. We design supply chain security programmes that are proportionate to the organisation’s supply chain complexity, integrated with their existing procurement processes, and capable of producing the documentation that NIS2 supervisors will expect.
Board Accountability and Director Liability Under NIS2
NIS2 creates direct and personal liability for board-level executives in a way that prior cybersecurity regulation did not. Management bodies of essential and important entities must approve the cybersecurity risk management measures, oversee their implementation, and be held accountable for non-compliance. Crucially, NIS2 allows member states to hold individual board members personally liable for infringements resulting from failures in cybersecurity governance — a significant departure from the position under the original NIS Directive.
This personal liability exposure makes board-level cybersecurity governance a boardroom agenda item rather than an IT department concern. We advise boards of directors on their NIS2 obligations, facilitate board training on cybersecurity governance requirements, and help establish the governance structures — board-level cybersecurity committee or equivalent — that document the organisation’s compliance with this obligation. The intersection with director liability under company law adds a further dimension to the personal risk profile of board members in organisations that are NIS2-obligated.
Real results in NIS2 compliance
We discovered we qualified as an important entity under NIS2 through a supplier's compliance questionnaire — we had not assessed our own status. BMC completed the scope analysis and gap assessment in four weeks. Three months later, we had a board-approved compliance plan, a tested incident notification protocol, and a clear picture of our supply chain risks. We are on track well before the Spanish transposition deadline.
Experienced team with local insight and international reach
What our NIS2 compliance service includes
NIS2 Scope Assessment
Legal and technical analysis to determine whether the organisation is an essential or important entity, including the impact of supply chain relationships with already-classified entities.
Gap Analysis and Compliance Plan
Assessment of current cybersecurity controls against the Article 21 requirements, with a risk-prioritised remediation plan and realistic implementation timeline.
Governance Framework and Board Accountability
Implementation of the cybersecurity governance framework required by NIS2, including board training, documented governance accountability, and management review processes.
Incident Notification Protocol
Design, implementation, and tabletop testing of the NIS2 incident notification protocol: 24-hour early warning, 72-hour initial report, and one-month final report to the supervisory authority.
Supply Chain Security Management
Critical supplier risk assessment, security clause integration in procurement contracts, and a continuous monitoring programme for supply chain cybersecurity risks.
Results that speak for themselves
Commercial debt portfolio recovery
92% portfolio recovery in 4 months, with out-of-court settlements in 78% of cases.
Comprehensive employment defense for industrial multinational
100% favorable outcomes: 5 advantageous conciliation agreements and 3 fully upheld court rulings.
GDPR compliance programme for a hospital group: from investigation to full compliance
AEPD investigation closed with no sanction. Full GDPR compliance achieved across all group centres within 6 months.
Reference guides
Post-Brexit: your British company operating in Spain with the right structure
Post-Brexit advisory for UK companies operating in Spain: entity structuring, customs and VAT, work permits for British nationals, UK-Spain tax treaty optimisation and data protection compliance.
Comprehensive legal services for businesses
Comprehensive legal advisory for businesses: commercial, employment, contracts, regulatory compliance, and dispute resolution. A dedicated legal team to protect your company.
Buy property in Spain with confidence — and without the horror stories
Buying property in Spain as a non-resident involves legal checks, tax obligations, and title risks that many buyers discover too late. BMC protects your investment from offer to deed.
The collective agreement that governs your workforce: understand it and negotiate from strength
How collective agreements work in Spain: hierarchy of agreements, company-level vs sector agreements, ultra-actividad, inaplicación (opt-out), and negotiation strategy for employers after the 2021 labour reform.
Your commercial lease agreement: get the clauses right before you sign
Expert legal guidance on commercial lease agreements in Spain under the LAU: key clauses, rent reviews, subleasing, termination rights, VAT implications and tenant and landlord protections.
Corporate lawyer for construction: protect your contracts and your rights
Corporate legal advisory for construction companies and developers in Spain: construction contracts, UTEs, joint ventures, interim valuation disputes, claims for defects, and debt recovery.
Start with a free diagnostic
Our team of specialists, with deep knowledge of the Spanish and European market, will guide you from day one.
You may also be interested in
Cybersecurity Audit
Security posture assessment, compliance audits (ENS, ISO 27001, NIS2), vulnerability assessment, penetration testing management, and third-party risk evaluation.
Data Protection & Privacy
GDPR and LOPDGDD compliance, outsourced DPO, and comprehensive privacy management for businesses.
DORA Compliance (Digital Operational Resilience)
Full implementation of the DORA framework (Regulation 2022/2554) for financial entities: ICT risk management, incident reporting, resilience testing, and ICT third-party risk.
Cybersecurity Incident Response
Incident response plans, tabletop exercises, breach containment, forensic investigation coordination, and regulatory notifications to AEPD and NIS2 supervisory authorities.
ISO 27001 Certification
Information Security Management System implementation and ISO 27001:2022 certification: from gap analysis and Statement of Applicability through the certification audit.
Virtual CISO
Outsourced Chief Information Security Officer for SMEs: strategic cybersecurity leadership, governance, and regulatory compliance without the cost of a full-time executive.
Key terms
CISO (Chief Information Security Officer)
A Chief Information Security Officer (CISO) is the senior executive responsible for an…
DORA (Digital Operational Resilience Act)
DORA (Regulation EU 2022/2554) is the EU's regulatory framework requiring financial sector entities…
ISO 27001 (Information Security Management System)
ISO/IEC 27001 is the internationally recognised standard for Information Security Management Systems…
NIS2 Directive
The Network and Information Security Directive 2 (NIS2 — Directive 2022/2555/EU) is the EU's updated…
Ransomware & Cyber Threats
A type of malicious software that encrypts an organisation's files or systems and demands a ransom…