Cybersecurity: Comprehensive Protection Against Digital Risks
Virtual CISO, NIS2, ISO 27001, cybersecurity audits and incident response. Legal and technical protection for your organisation.
- REAF
- ICAM
- 5 Offices in Spain
- 25+ Years
- 30+ Jurisdictions
BMC advises companies on the legal and technical framework governing cybersecurity: from adapting to the NIS2 Directive and obtaining ISO 27001 certification to continuous security governance through an outsourced Virtual CISO. We cover the full cycle: diagnosis, control implementation, incident management, and regulatory compliance.
Why cybersecurity is no longer purely a technical matter
Cybersecurity has shifted from an IT function to a legal obligation with direct consequences for corporate governance. The NIS2 Directive, whose EU transposition deadline expired on 17 October 2024 and which is expected to be transposed into Spanish law by June 2026, makes the management bodies of essential and important entities responsible for approving and overseeing their cybersecurity risk management measures, and allows those bodies to be held liable when the obligations are not met. Administrative fines for essential entities can reach at least €10 million or 2% of total worldwide annual turnover, whichever is higher (at least €7 million or 1.4% for important entities).
In parallel, the DORA Regulation has applied since 17 January 2025 to financial entities and their critical ICT third-party providers, requiring demonstrable digital operational resilience. The Spanish National Security Framework (RD 311/2022) requires private suppliers to the public sector to demonstrate the conformity of their information systems: a declaration of conformity for basic-category systems and certification by an accredited body for medium and high categories. And corporate clients, insurers, and certification bodies increasingly demand documented evidence of security governance.
Our team combines legal expertise in digital compliance with operational knowledge of information security — delivering integrated advice that addresses both the regulatory dimension and the operational one.
Cybersecurity legal and digital compliance services
Governance and strategic leadership
- Virtual CISO: Outsourced Chief Information Security Officer for SMEs that do not require or cannot justify a full-time CISO. Defines the security strategy, oversees controls, reports to the board, and leads incident response. Provides the formal, management-level security leadership expected under NIS2 and ENS; note that it supports, but does not replace, the management body's own duty under Article 20 NIS2 to approve and oversee the risk management measures and to receive cybersecurity training.
- Cybersecurity audit: Technical and regulatory assessment of security controls against reference frameworks (NIS2, ISO 27001, ENS, NIST). Produces a prioritised gap map with closure recommendations and effort estimates.
Regulatory compliance
- NIS2 compliance: Scope assessment, compliance plan, implementation of Article 21 NIS2 measures, incident notification procedures, and ICT supply chain management.
- ISO 27001 certification: Design and implementation of an Information Security Management System (ISMS), internal audit, and management of the certification process with an accredited body.
- DORA compliance: For financial entities and their critical ICT third-party providers: ICT risk management (DORA Chapter II), ICT-related incident management, classification and reporting (Chapter III), digital operational resilience testing (Chapter IV), and ICT third-party risk management (Chapter V).
Operations and response
- Cybersecurity incident response: Incident response plan design, tabletop exercises, operational incident management, and preparation of regulatory notification reports to INCIBE-CERT or CCN-CERT (and to the AEPD where personal data are affected, under Article 33 GDPR) within the legally required timeframes.
- Cyber insurance: Advisory on the structuring and procurement of cyber liability insurance: coverages, exclusions, sublimits, and integration with corporate risk management.
Applicable regulatory framework in Spain (2026)
The cybersecurity regulatory landscape in Spain in 2026 centres on four principal frameworks:
NIS2 Directive (EU 2022/2555 — ES transposition expected June 2026): Significantly expands the scope of obligated entities compared to NIS1 and imposes minimum cybersecurity risk management measures (Article 21), strict incident notification deadlines (early warning within 24 hours, incident notification within 72 hours, final report within one month), ICT supply chain requirements, and formal senior management accountability (Article 20). Essential entities are subject to both ex ante and ex post supervision; important entities, ex post only.
DORA Regulation (EU 2022/2554 — applicable since 17 January 2025): Applies to financial entities (banks, insurers, funds, crypto-asset service providers) and subjects their critical ICT third-party providers to an oversight framework. Imposes a specific framework for digital operational resilience across four pillars: ICT risk management, ICT-related incident management and reporting, resilience testing, and ICT third-party risk management, complemented by voluntary information-sharing arrangements.
Spanish National Security Framework — ENS (RD 311/2022): Mandatory for public sector bodies and for private suppliers providing services to the Administration. Classifies systems into categories (basic, medium, high) according to the impact of a security incident, and requires the conformity of controls to be demonstrated: by declaration for the basic category, and by certification from an accredited body, renewed every two years, for medium and high.
ISO/IEC 27001:2022: International standard for information security management systems. Not generally legally mandatory, but has become the market benchmark for demonstrating security maturity to clients, insurers, and regulators.
When to contact the cybersecurity team
We recommend consulting our team when:
- Your company is assessing whether it falls within the NIS2 scope as an essential or important entity.
- You have suffered a cybersecurity incident and need to manage the regulatory notification within legal timeframes.
- You need to demonstrate NIS2, ENS, or ISO 27001 compliance to a corporate client or in a public tender.
- You operate in the financial sector and need to adapt your systems to the DORA Regulation before the next supervisory inspection.
- You are implementing an ISMS to obtain ISO 27001 certification.
- You lack an in-house CISO and need a formal security governance function to satisfy NIS2 requirements.
An initial consultation allows us to assess your current compliance status and define priority actions before regulatory obligations become enforceable.
Preventive cybersecurity: from regulatory obligation to competitive advantage
Companies that treat cybersecurity as a minimal compliance obligation are leaving competitive advantage on the table. M&A buyers, private equity investors conducting due diligence, and large corporate clients in supplier qualification processes increasingly value security programme maturity as an indicator of management quality and operational risk reduction. A robust cybersecurity programme reduces cyber insurance premiums, facilitates access to public procurement, and strengthens credibility with investors and supervisors.
BMC’s model integrates legal security governance — NIS2, DORA, ENS compliance and coordination with the data protection DPO function — with technical security expertise, offering clients an end-to-end service covering both regulatory obligations and real-world resilience against threats.
Our approach
Diagnosis
Cybersecurity maturity assessment and regulatory gap analysis.
Action plan
Prioritised roadmap for compliance and control improvement.
Implementation
Deployment of technical and legal controls.
Continuous monitoring
Permanent surveillance and incident response.
What sets us apart
Virtual CISO
Outsourced security leadership with expertise in NIS2 and DORA regulation.
Legal perspective
Combining technical vision with legal compliance.
Incident response
24/7 response team to minimise the impact of breaches.