NIS2: What It Is, Who It Affects, and Compliance Deadlines

Published by David Moya · 11 min read

The NIS2 Directive is the European Union’s most ambitious cybersecurity legislation to date, affecting an estimated 160,000 or more entities across Europe. With fines of at least 10 million euros or 2 percent of worldwide turnover for essential entities, and explicit accountability for management bodies, NIS2 fundamentally raises the bar for cybersecurity obligations across critical and important sectors. Here is what organizations need to know to prepare.

Key Takeaways

  • NIS2 affects over 160,000 entities across Europe, a 20x increase from NIS1’s scope
  • Fines of at least EUR 10 million or 2% of worldwide annual turnover (whichever is higher) for essential entities, and at least EUR 7 million or 1.4% for important entities
  • Ten mandatory minimum cybersecurity risk management measures
  • Incident reporting in three stages: early warning within 24 hours, incident notification within 72 hours, final report within one month
  • In Spain, the ENS covers part of NIS2’s requirements for the public sector

What is the NIS2 Directive and why does it matter?

The NIS2 Directive (Network and Information Security 2, formally Directive (EU) 2022/2555) is the update to the original NIS Directive of 2016, which was the first European legislation focused exclusively on cybersecurity. NIS2 was adopted by the European Parliament and the Council in late 2022, signed on December 14, 2022, published in the Official Journal of the European Union on December 27, 2022, and entered into force on January 16, 2023.

Its primary objective is to achieve a common high level of cybersecurity across the European Union, harmonizing obligations among Member States and eliminating the disparities that existed under the first directive. According to the EU Agency for Cybersecurity (ENISA), cyberattacks against European critical infrastructure increased by 68 percent between 2021 and 2024, which fully justified the need to tighten the regulatory framework.

What are the differences between NIS1 and NIS2?

The original NIS Directive, transposed in Spain through Royal Decree-Law 12/2018, had a limited scope and left too much room for interpretation by Member States. NIS2 addresses these shortcomings substantially:

Expanded scope

NIS1 affected approximately 7,000 entities across Europe, primarily operators of essential services and digital service providers. NIS2 multiplies that number by more than twenty, including sectors that were previously excluded such as waste management, the food industry, postal services, manufacturing of critical products, and public administration.

Entity classification

NIS1 distinguished between operators of essential services and digital service providers. NIS2 introduces a more precise classification: essential entities and important entities, with different levels of supervision and penalties for each group.

More specific security requirements

While NIS1 established general principles, NIS2 lists ten minimum cybersecurity risk management measures (Article 21) that every affected entity must address. The depth of each measure must be proportionate to the entity’s risk exposure, size, and the likelihood and severity of incidents, but none of the ten may be skipped.

Harmonized penalty regime

NIS1 left penalties up to each Member State, which created enormous disparities. NIS2 sets a floor for the maximum fines that national law must provide for: at least 10 million euros or 2 percent of total worldwide annual turnover for essential entities, and at least 7 million euros or 1.4 percent for important entities, whichever amount is higher in each case.

Senior management liability

NIS2 introduces, for the first time, explicit accountability for management bodies (Article 20): they must approve the cybersecurity risk management measures, oversee their implementation, follow cybersecurity training themselves, and can be held liable for infringements by the entity.

Which companies and sectors does NIS2 affect?

NIS2 establishes two categories of obligated entities, based on the sector of activity and the size of the organization.

Essential entities

These are organizations operating in highly critical sectors that, due to their size or nature, pose a systemic risk. They include:

  • Energy: electricity, oil, gas, hydrogen, district heating and cooling.
  • Transport: air, rail, maritime, and road.
  • Banking and financial markets.
  • Healthcare: hospitals, laboratories, pharmaceutical and medical device manufacturers.
  • Drinking water and wastewater.
  • Digital infrastructure: Internet exchange points, DNS service providers, top-level domain name registries, cloud computing and data centre service providers, content delivery networks, trust service providers, and public electronic communications networks and services.
  • Public administration (central and regional level).
  • Space: operators of ground-based infrastructure supporting space services.

To be classified as essential, an entity must, as a general rule, operate in one of these sectors and be a large enterprise: 250 or more employees, or annual turnover above 50 million euros together with a balance sheet total above 43 million euros. Article 3 of the Directive also treats certain entities as essential regardless of size, such as qualified trust service providers, top-level domain name registries, DNS service providers, and central public administration entities.

Important entities

These are entities in the sectors listed in Annex II of the Directive (“other critical sectors”), together with entities in the highly critical sectors above that are medium-sized rather than large. The Annex II sectors include:

  • Postal and courier services.
  • Waste management.
  • Chemical manufacturing.
  • Food production and distribution.
  • Manufacturing of critical products: medical devices, computer, electronic, and optical products, machinery, vehicles, and transport equipment.
  • Digital services: online marketplaces, search engines, social networks.
  • Research: research organizations.

In practice, important entities are medium or large enterprises in the sectors listed above, plus medium-sized enterprises in the highly critical sectors. A medium-sized enterprise has between 50 and 249 employees, or fewer employees but both annual turnover and balance sheet total above 10 million euros, without reaching the large-enterprise ceilings.

There are exceptions: certain entities are included regardless of their size (Article 2(2)), such as DNS service providers, top-level domain name registries, providers of public electronic communications networks, and entities that a Member State identifies as the sole provider of a service essential to society or as critical because of their specific importance at national or regional level.

What are the main requirements of NIS2?

NIS2 establishes ten mandatory minimum risk management measures (Article 21(2)) that all affected entities must implement in a manner proportionate to their risk:

  1. Risk analysis and information system security policies: conduct periodic risk assessments and maintain up-to-date security policies.

  2. Incident handling: establish procedures for detecting, analyzing, containing, and responding to cybersecurity incidents.

  3. Business continuity and crisis management: business continuity plans, backup management, and disaster recovery plans.

  4. Supply chain security: assess and manage cybersecurity risks in relationships with direct suppliers and service providers.

  5. Security in system acquisition, development, and maintenance: include security requirements throughout the information system lifecycle, including vulnerability handling and disclosure.

  6. Effectiveness assessment: policies and procedures to evaluate the effectiveness of cybersecurity measures implemented.

  7. Basic cyber hygiene practices and training: cybersecurity awareness and training programs for all personnel.

  8. Cryptography and encryption policies: appropriate use of encryption to protect information.

  9. Human resources security, access control, and asset management: personnel security policies, identity and access management, and asset inventory.

  10. Multi-factor authentication and secure communications: use of multi-factor authentication or continuous authentication solutions, secured voice, video, and text communications, and secured emergency communication systems where appropriate.

Incident notification obligations

NIS2 significantly tightens the deadlines for reporting significant incidents (Article 23). The clock starts when the entity becomes aware of the incident, not when it is confirmed or contained:

  • Early warning: within 24 hours of becoming aware of the incident, indicating whether it is suspected to be caused by unlawful or malicious acts and whether it could have a cross-border impact.
  • Incident notification: within 72 hours, updating the early warning with an initial assessment of severity and impact and, where available, indicators of compromise.
  • Intermediate status updates: on request of the CSIRT or competent authority, at any point while the incident is being handled.
  • Final report: within one month of the incident notification, including a detailed description of the incident, its root cause, the mitigation measures applied, and any cross-border impact. If the incident is still ongoing at that point, a progress report is submitted instead and the final report follows within one month of the incident being handled.

In Spain, these notifications are channeled through the relevant CSIRT, which for many sectors will be CCN-CERT or INCIBE-CERT.

When does NIS2 take effect in Spain?

The NIS2 Directive set October 17, 2024 as the deadline for Member States to transpose it into national legislation. However, Spain, like other EU countries, did not meet that deadline.

As of April 2026, Spain has a Draft Cybersecurity Law in parliamentary proceedings. The text transposes NIS2 requirements into Spanish law and introduces some specific features:

  • Relationship with the ENS: for public sector entities, compliance with the Esquema Nacional de Seguridad (ENS) is considered a valid mechanism for satisfying part of NIS2’s requirements.
  • Competent authorities: sectoral supervisory authorities are designated for each area of activity.
  • INCIBE as national CSIRT: INCIBE-CERT is consolidated as the reference incident response team for the private sector.

The sector expects the law to be fully in force before the end of 2026, with a transitional period for affected entities to adapt.

Organizations should not wait for the final transposition to act. A directive does not by itself impose obligations on private entities before national law transposes it, but the transposition deadline has already passed, the substance of the obligations is fixed by the Directive and will not be softened by the national law, and entities that are not prepared when that law comes into force will face extremely tight adaptation deadlines.

What penalties does NIS2 impose for non-compliance?

The NIS2 penalty regime is significantly harsher than that of the first directive:

For essential entities:

  • Fines of up to EUR 10,000,000 or 2 percent of total annual global turnover, whichever is higher.
  • Possible temporary suspension of certifications or authorizations.
  • Temporary prohibition on holding management positions for those responsible.

For important entities:

  • Fines of up to EUR 7,000,000 or 1.4 percent of total annual global turnover, whichever is higher.

Additionally, NIS2 introduces the possibility for supervisory authorities to conduct periodic audits and inspections, both planned and ad hoc, and to require the correction of deficiencies within specific deadlines.

How to prepare for NIS2 compliance

Adapting to NIS2 requires a methodical, multidisciplinary approach. Here are the recommended steps:

1. Determine whether your organization is affected

Analyze your company’s sector of activity, its size (employees and turnover), and whether it provides services that fit the categories defined by NIS2. If in doubt, consult the full list of sectors in Annexes I and II of the Directive.

2. Conduct a gap analysis

Compare your current cybersecurity posture with NIS2’s ten minimum requirements. Identify areas where you already comply and those where improvement is needed. If your organization already holds ISO 27001 certification or complies with the ENS, you will have a solid foundation. Our ISO 27001 guide for startups is a good starting point if you have not yet implemented a security management system.

3. Engage senior management

NIS2 requires senior management to approve cybersecurity measures and assume responsibility. Present management with a clear report on NIS2 obligations, non-compliance risks, and the investment required.

4. Implement technical and organizational measures

Prioritize implementing measures where gaps have been identified. The areas that typically require the most work are supply chain management, continuous monitoring, and incident response procedures.

5. Establish incident notification processes

Set up internal mechanisms to detect significant incidents and report them within the required deadlines (24 hours for the early warning, 72 hours for the incident notification, one month for the final report). Because the deadlines run from the moment the entity becomes aware of the incident, this requires 24/7 monitoring capability, a documented definition of what counts as a significant incident, and clear escalation procedures.

6. Document and gather evidence

Maintaining records and evidence of compliance is essential. GRC platforms like Riskitera facilitate centralized management of policies, controls, evidence, and compliance reports, automating evidence collection and continuous monitoring of conformity status.

7. Training and awareness

NIS2 requires cybersecurity training for all personnel, explicitly including senior management members. Establish a regular training program and measure its effectiveness.

8. Internal audits and continuous improvement

Conduct periodic internal audits to verify that implemented measures are effective and that the organization is prepared for an inspection by the competent authority.

How does NIS2 relate to ENS, DORA, and ISO 27001?

NIS2 does not exist in isolation. It interrelates with multiple regulatory frameworks:

  • ENS: in Spain, ENS compliance covers a substantial part of NIS2 requirements for public sector entities.
  • DORA: for the financial sector, the DORA Regulation (Digital Operational Resilience Act) is lex specialis with respect to NIS2, meaning it takes precedence within its scope. Financial entities must comply with DORA rather than NIS2 for the aspects covered by the former.
  • GDPR: NIS2 complements the GDPR. While the GDPR protects personal data, NIS2 protects networks and information systems. An incident can trigger obligations under both regulations.
  • CER (Critical Entities Resilience Directive): focused on the physical and non-cyber resilience of critical infrastructure, it is the counterpart of NIS2, which covers the cybersecurity side; entities identified as critical under CER are automatically essential entities under NIS2.

Frequently asked questions

My company has 45 employees and operates in the food sector. Does NIS2 affect me?

It depends. NIS2 uses the criteria from Commission Recommendation 2003/361/EC to define company size. As a general rule, medium-sized companies (50 or more employees, or fewer employees but both annual turnover and annual balance sheet total above 10 million euros) and large companies in the food production and distribution sector are included. With 45 employees, you would in principle fall below the threshold, unless both your turnover and your balance sheet total exceed 10 million euros, or national authorities specifically designate you due to the critical role you play in the food supply chain. Note that the Recommendation counts the staff and finances of partner and linked enterprises as well, so a 45-person subsidiary of a larger group may still qualify as medium-sized.

If I already comply with ISO 27001, am I covered for NIS2?

ISO 27001 provides an excellent foundation, but it does not cover all NIS2 requirements. The main differences lie in incident notification obligations (with very specific deadlines), the explicit responsibility of senior management, supply chain management at the level of detail NIS2 requires, and cooperation with competent authorities. You will need to supplement your ISMS with these additional aspects.

What happens if Spain has not transposed NIS2 and my company is already operating?

Even though Spain has not completed the transposition, a directive does not by itself impose obligations on private companies; those arise when the national law enters into force. The transposition deadline has already passed, however, and the substance of the obligations is fixed by the Directive, so the national law will not soften them. Prudent organizations do not wait for final transposition: they begin adapting to avoid being caught off guard when the law takes effect. Moreover, many NIS2 requirements overlap with cybersecurity best practices that any organization should have in place, with or without a legal obligation.

How does NIS2 relate to the ENS in Spain?

The Spanish Draft Cybersecurity Law establishes that, for public sector entities, compliance with the Esquema Nacional de Seguridad (ENS) is considered a valid mechanism for satisfying NIS2 requirements. This means that administrations and public sector entities that already comply with the ENS will have covered much of the ground. For the private sector, it will be necessary to comply directly with the requirements established by the transposition law.

Who oversees NIS2 compliance in Spain?

Under the planned model, supervision is divided among several sectoral authorities. The CCN will be the reference authority for the public sector, INCIBE for the private sector in general, and there will be specific sectoral authorities for areas such as energy, transport, or healthcare. INCIBE-CERT and CCN-CERT will act as the reference incident response teams, channeling notifications and coordinating the response.
