NIS2 Directive

The Network and Information Security Directive 2 (NIS2 — Directive 2022/2555/EU) is the EU's updated cybersecurity framework, replacing the original NIS Directive of 2016. It significantly expands the scope of mandatory cybersecurity obligations to cover more sectors and entity types across all member states, with Spain in the process of transposing it into national law.

What Is the NIS2 Directive?

The NIS2 Directive (Directive 2022/2555/EU), which entered into force in January 2023, is the European Union’s primary legislative instrument for cybersecurity. It replaces the original NIS Directive (2016) and had a transposition deadline of 17 October 2024 for all EU member states. Spain is currently completing its national transposition legislation, with compliance obligations expected to be fully enforceable in 2025.

NIS2 reflects the EU’s recognition that cyber threats have grown substantially in severity and sophistication since 2016, and that the patchwork of national approaches to the original NIS Directive produced inconsistent results across the single market.

Who Is in Scope?

NIS2 dramatically expands the population of regulated entities compared to its predecessor. Entities are classified into two tiers:

Essential entities (subject to the strictest supervision) include:

  • Energy (electricity, gas, oil, hydrogen)
  • Transport (air, rail, water, road)
  • Banking and financial market infrastructure
  • Health and pharmaceuticals
  • Drinking water and wastewater
  • Digital infrastructure (IXPs, DNS, TLD registries, cloud providers, datacentres, CDNs, TSPs, electronic communication networks)
  • Space
  • Public administration (central government; member states may include regional/local)

Important entities (subject to lighter supervision but still substantial obligations) include:

  • Postal and courier services
  • Waste management
  • Chemicals
  • Food production and distribution
  • Medical devices, computers, machinery, motor vehicles, and other manufacturing sectors
  • Digital providers (online marketplaces, search engines, social networks)
  • Research organisations

For most sectors, the threshold is medium-sized enterprises (50+ employees or €10 million+ turnover), so NIS2 reaches far deeper into the SME market than the original directive.

Core Obligations

NIS2 imposes obligations in two main areas:

1. Risk Management Measures

Regulated entities must implement appropriate and proportionate technical, operational, and organisational measures to manage cybersecurity risks. These must cover:

  • Risk analysis and information system security policies
  • Incident handling (detection, response, recovery)
  • Business continuity and crisis management
  • Supply chain security (including relationships with direct suppliers and service providers)
  • Security in network and information systems acquisition, development, and maintenance
  • Policies and procedures to assess the effectiveness of cybersecurity measures
  • Use of cryptography and, where appropriate, encryption
  • HR security, access control, and asset management
  • Multi-factor authentication and continuous authentication solutions

2. Incident Reporting

Significant incidents must be reported to the national CSIRT or competent authority on a strict timeline:

  • Early warning: within 24 hours of becoming aware
  • Incident notification: within 72 hours
  • Final report: within one month

Management Body Accountability

A critical NIS2 innovation is the explicit accountability placed on management bodies. Boards and senior management must approve cybersecurity risk management measures, oversee implementation, and can be held personally liable for infringements. Management personnel are required to undergo cybersecurity training.

Penalties

NIS2 introduces GDPR-style tiered penalties:

  • Essential entities: up to €10 million or 2% of total global annual turnover, whichever is higher
  • Important entities: up to €7 million or 1.4% of total global annual turnover, whichever is higher

Supervisory authorities also have powers to issue binding instructions, mandate security audits, and (for essential entities) temporarily suspend management personnel responsible for infringements.

Spain’s Transposition and INCIBE / CCN-CERT

In Spain, the National Cybersecurity Institute (INCIBE) is the CSIRT for private-sector entities; the CCN-CERT handles public administration and critical infrastructure. Spain’s NIS2 transposition legislation will designate sector-specific competent authorities aligned with existing regulators (CNMC for telecoms, Bank of Spain/CNMV for financial entities, CNE for energy, etc.).

How BMC Can Help

We assist companies with NIS2 scope analysis, gap assessments against the required technical and organisational measures, supply chain security reviews, incident response plan drafting, board-level cybersecurity governance programmes, and coordination with INCIBE during the registration and notification process.

Frequently asked questions

Which Spanish companies are subject to the NIS2 Directive?

NIS2 applies to medium-sized and large enterprises (50 or more employees or EUR 10 million or more in annual turnover) operating in sectors classified as essential or important. Essential sectors include energy, transport, banking, healthcare, drinking water, and digital infrastructure. Important sectors include postal services, waste management, chemicals, food production, manufacturing, digital providers, and research organisations. Spain is completing its national transposition, with compliance obligations expected to be fully enforceable in 2025.

What cybersecurity measures does NIS2 require?

NIS2 requires regulated entities to implement technical, operational, and organisational measures to manage cybersecurity risks, covering: risk analysis and security policies, incident detection and response, business continuity planning, supply chain security, secure development and maintenance of network systems, cryptography and encryption policies, HR security and access control, and multi-factor authentication. The measures must be appropriate and proportionate to the entity's size and risk exposure.

How quickly must a NIS2-regulated company report a cybersecurity incident?

NIS2 imposes a strict three-stage incident reporting timeline. An early warning must be sent to the national CSIRT or competent authority within 24 hours of becoming aware of a significant incident. A detailed incident notification must follow within 72 hours. A final comprehensive report must be submitted within one month of the initial notification. In Spain, private-sector entities report to INCIBE-CERT; public administration and critical infrastructure entities report to CCN-CERT.

Can company directors be personally liable for NIS2 non-compliance?

Yes. NIS2 explicitly places accountability on management bodies. Boards and senior management must approve cybersecurity risk management measures and oversee implementation. Supervisory authorities have the power to temporarily suspend management personnel responsible for infringements in essential entities. Management personnel are required to undergo cybersecurity training to ensure they can evaluate cyber risks and their business impact.

What are the penalties for NIS2 non-compliance in Spain?

NIS2 introduces GDPR-style tiered penalties. Essential entities (energy, banking, healthcare, etc.) face fines up to EUR 10 million or 2% of total global annual turnover, whichever is higher. Important entities face fines up to EUR 7 million or 1.4% of global turnover. Beyond financial penalties, supervisory authorities can issue binding instructions, mandate independent security audits, and temporarily prohibit individuals from performing management functions in essential entities.