NIS2 Compliance: Act Before the Regulator Does
EU Network and Information Security Directive 2 compliance: scope assessment, control implementation, incident notification protocols, and board-level security governance.
Why NIS2 scope is wider than most companies realise
Does this apply to your business?
Has your company formally assessed whether it qualifies as an essential or important entity under NIS2?
Does your organisation have a tested incident notification protocol capable of meeting the 24-hour early warning deadline?
Has your board formally approved your cybersecurity risk management measures and received the training NIS2 requires?
Have you audited the cybersecurity risks introduced by your critical technology suppliers into your supply chain?
Our NIS2 compliance implementation process
Scope assessment and classification
We determine whether your company is an essential or important entity under NIS2 criteria: sector of activity, size thresholds, and service criticality. We also assess supply chain exposure — organisations supplying essential entities may incur compliance obligations.
NIS2 gap analysis
We assess the current state of your cybersecurity controls against the Article 21 requirements: risk management, supply chain security, encryption, authentication, access control, business continuity, and incident management.
Compliance plan implementation
We implement required technical and organisational measures, draft the mandatory policies and procedures, and establish the governance framework with explicit board-level accountability as the directive requires.
Incident notification protocol
We design, document, and test the incident notification protocol for significant incidents: 24-hour early warning, 72-hour initial report, and one-month final report. We coordinate with the legal team on parallel GDPR notifications to the AEPD where personal data is affected.
The challenge
NIS2 dramatically expands the population of organisations required to meet strict cybersecurity obligations — thousands of Spanish companies that have never appeared on the regulatory radar will become essential or important entities. Fines reach EUR 10 million or 2% of global annual turnover. Board members face personal liability for governance failures. Spain's transposition is expected by June 2026, but the time to implement the required controls is now.
Our solution
We assess whether your organisation falls within NIS2's scope, implement the technical and organisational controls required by Article 21, establish the incident notification protocols the directive mandates (24-hour early warning, 72-hour initial report), and document compliance against the full NIS2 framework in preparation for inspection by the Spanish supervisory authority.
NIS2 — Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union — replaces the original NIS Directive and significantly expands the scope of mandatory cybersecurity obligations in the EU. It classifies organisations in 18 critical sectors as "essential entities" or "important entities" and requires them to implement risk management measures (Article 21), report significant incidents to national authorities within 24 hours (early warning) and 72 hours (formal report), and ensure their supply chains meet adequate security standards. In Spain, transposition into national law is expected by June 2026; competent supervisory authorities are INCIBE (Instituto Nacional de Ciberseguridad) for most private entities and CCN (Centro Criptológico Nacional) for public entities and their providers. Fines for essential entities reach EUR 10 million or 2% of global annual turnover.
Our NIS2 compliance team combines legal expertise in technology regulation with technical cybersecurity knowledge, allowing us to address both the legal scope assessment and the practical implementation of the controls the directive requires.
The Most Significant Cybersecurity Regulation in EU History
NIS2 is not an incremental update to the original NIS Directive. It is a fundamental rewrite that transforms cybersecurity from a technical concern into a board-level governance obligation — with personal liability for directors, fines comparable to GDPR, and a scope that reaches across 18 critical sectors and their supply chains. The Spanish transposition expected in June 2026 will bring these obligations into domestic law, but the prudent response is to begin implementation now rather than wait for the law to take formal effect.
Scope: Broader Than Most Companies Expect
The most common source of NIS2 surprises is scope. Companies that do not consider themselves operators of critical infrastructure in the traditional sense — logistics platforms, cloud service providers, food manufacturers, medical device companies — are captured by the directive’s expanded sector list. Supply chain exposure adds another layer: organisations supplying services to essential entities may be required by those entities to demonstrate NIS2-equivalent compliance as a condition of their contracts, well before any Spanish supervisory authority comes calling.
Our scope assessment is a formal legal and technical analysis, not a checklist exercise. It produces a documented conclusion that can be presented to the board, to customers, and to regulators.
Article 21: What Controls Are Actually Required
The gap analysis against Article 21’s requirements is typically where organisations discover the most work. Most have some form of cybersecurity controls, but NIS2’s requirements go substantially further: a formally documented and board-approved risk management framework, a supply chain security programme with contractual teeth, multi-factor authentication and encryption deployed across all critical systems, and — critically — a tested incident notification protocol that can actually deliver a 24-hour early warning to the supervisory authority, not just in theory.
For organisations simultaneously pursuing ISO 27001 certification, we structure the NIS2 compliance project to maximise overlap between the two frameworks, avoiding duplication of effort while ensuring that the specific NIS2 requirements not covered by the standard — board accountability documentation, incident notification timelines, supply chain clauses — are addressed in full.
The Incident Notification Requirement
NIS2’s incident notification obligations are operationally demanding. An early warning must reach the supervisory authority within 24 hours of detecting a significant incident — before full analysis, before root cause determination, and often before the incident is fully contained. The 72-hour initial report requires more substance, and the one-month final report requires a comprehensive account of impact, cause, and remediation.
For incidents affecting personal data, these timelines run in parallel with the GDPR’s 72-hour notification window to the AEPD. Our data protection and NIS2 teams coordinate these notifications jointly, ensuring that the information provided to different authorities is consistent and that neither deadline is missed in the urgency of the other.
NIS2 and DORA: Sector-Specific Overlap for Financial Entities
For financial institutions — banks, payment institutions, insurance companies, investment firms — the Digital Operational Resilience Act (DORA) applies alongside NIS2. DORA creates a harmonised framework for ICT risk management specifically in the financial sector, with requirements that overlap with NIS2 in certain areas but go substantially further in others: mandatory ICT risk management frameworks, contractual requirements for critical third-party ICT providers, digital operational resilience testing (including threat-led penetration testing for systemically important institutions), and an incident classification and reporting regime with tighter timelines than NIS2.
Where both regimes apply, we coordinate the DORA compliance and NIS2 programmes to avoid duplication while ensuring full coverage of both frameworks. The efficiency gains from integration are significant: a single ICT risk management framework, a unified incident notification protocol, and a consolidated third-party management programme serve both requirements.
Supply Chain Security: The NIS2 Obligation Most Companies Underestimate
Article 21(2)(d) of NIS2 requires affected entities to manage supply chain security — the security of supplier and service-provider relationships. This obligation is more operationally demanding than it appears: it requires organisations to assess the cybersecurity practices of all their critical suppliers, include security requirements in procurement contracts, and monitor supplier compliance on an ongoing basis.
For organisations that rely on cloud infrastructure, SaaS platforms, or outsourced IT services — which means virtually all organisations in scope — this creates a programme of third-party risk management that goes beyond the typical vendor assessment questionnaire. We design supply chain security programmes that are proportionate to the organisation’s supply chain complexity, integrated with their existing procurement processes, and capable of producing the documentation that NIS2 supervisors will expect.
Board Accountability and Director Liability Under NIS2
NIS2 creates direct and personal liability for board-level executives in a way that prior cybersecurity regulation did not. Management bodies of essential and important entities must approve the cybersecurity risk management measures, oversee their implementation, and be held accountable for non-compliance. Crucially, NIS2 allows member states to hold individual board members personally liable for infringements resulting from failures in cybersecurity governance — a significant departure from the position under the original NIS Directive.
This personal liability exposure makes board-level cybersecurity governance a boardroom agenda item rather than an IT department concern. We advise boards of directors on their NIS2 obligations, facilitate board training on cybersecurity governance requirements, and help establish the governance structures — board-level cybersecurity committee or equivalent — that document the organisation’s compliance with this obligation. The intersection with director liability under company law adds a further dimension to the personal risk profile of board members in organisations that are NIS2-obligated.
Sectors and Specific NIS2 Obligations by Category
Essential entities in energy: electricity generators, transmission and distribution operators, oil and gas suppliers. High criticality means the strictest application of Art. 21 controls, mandatory registration with the supervisory authority before operations commence, and INCIBE oversight.
Essential entities in transport: airlines, rail operators, port operators, logistics companies operating critical infrastructure. Spain’s transport sector has a large population of entities that will discover their NIS2 status only when the supervisory authority initiates a formal inspection or a customer requires compliance documentation.
Healthcare and medical devices: hospitals, clinical laboratories, pharmaceutical manufacturers, and medical device companies face NIS2 classification simultaneously with their obligations under the MDR, IVDR, and — for companies deploying AI-assisted diagnostics — the EU AI Act. The tripartite regulatory overlay requires careful coordination to avoid conflicting compliance programmes.
Digital infrastructure and ICT service providers: cloud computing providers, data centres, content delivery networks, and managed security service providers are essential entities under NIS2, regardless of their size. This is a significant departure from the NIS1 framework, which applied a size threshold to most sectors. Providers in this category already supplying services to regulated financial institutions or healthcare companies have typically built control frameworks that partially satisfy NIS2 requirements — but a formal gap analysis against Art. 21 is necessary to confirm coverage.
Food production and distribution: large food manufacturers and wholesale distributors are categorised as important entities. This is one of the most surprising inclusions for companies in the sector that have not previously been subject to cybersecurity regulation; many will discover their NIS2 status only when a customer or insurer requests confirmation.
Company Size Segmentation and Proportionality
Microenterprises and small enterprises (fewer than 50 employees, below EUR 10 million revenue) are generally excluded from NIS2 scope, except where they operate in specific categories where size thresholds do not apply (top-level domain registries, trust service providers, and certain digital infrastructure providers). However, microenterprises in the supply chains of essential entities will increasingly be required by their customers to meet NIS2-equivalent standards as a contract condition.
Medium enterprises (50-250 employees, EUR 10-50 million revenue) in covered sectors are classified as important entities with somewhat lighter supervision than essential entities, but the Art. 21 technical and organisational requirements are substantially the same. The primary practical difference is the supervisory approach: essential entities face proactive supervision, while important entities are subject to ex-post supervision (i.e., inspections following an incident or complaint).
Large enterprises (250+ employees, above EUR 50 million revenue) in covered sectors are classified as essential entities and face the full weight of NIS2 supervision, including mandatory registration, proactive compliance oversight, and the possibility of board-level personal liability for governance failures.
Worked Example: NIS2 Scope Assessment and Implementation for a Logistics Platform
A Spanish logistics platform (220 employees, EUR 55 million revenue) operating a national network of distribution centres discovered its NIS2 status when a major retail client requested a compliance questionnaire. The company had no formal ISMS, no incident notification protocol, and its supply chain security programme consisted of standard IT vendor questionnaires.
BMC managed the NIS2 compliance programme:
- Scope assessment confirmed classification as an important entity in the transport sector.
- Gap analysis identified 14 material gaps against Art. 21 requirements: absence of a formal risk management framework, no MFA on critical systems, no supply chain security contractual provisions, and no tested incident notification protocol.
- Implementation over 5 months: formal ISMS design and documentation, MFA rollout across all critical infrastructure access points, supply chain security clause integration into 23 key supplier contracts, and a tabletop incident notification exercise testing the 24-hour early warning capability.
- Board training on NIS2 obligations and personal liability exposure completed with all board members and the executive team.
- Final compliance documentation package prepared for client submission and future supervisory inspection.
Timeline from scope assessment to documented compliance: 6 months.
Common Mistakes We Fix
- Assuming NIS2 does not apply because the company is not a technology company. NIS2 captures 18 sectors including food, chemicals, manufacturing, and waste management. Traditional B2B companies in these sectors that have never been subject to cybersecurity regulation are frequently in scope and unaware of it.
- Treating the incident notification obligation as a paper exercise. The 24-hour early warning requirement is operationally demanding. It requires detecting the incident, making the significance determination (is this a significant incident under NIS2 criteria?), and transmitting the notification to the supervisory authority — all within 24 hours of detection. Without a pre-designed, tested, and drilled protocol, this timeline is impossible to meet reliably.
- Not including NIS2 obligations in supplier contracts proactively. Article 21(2)(d) requires supply chain security management. A company that has not yet updated its standard supplier contracts to include cybersecurity requirements cannot demonstrate compliance with this obligation — even if its own internal controls are strong. The contractual update programme is often the most time-consuming element of the compliance project.
- Conflating ISO 27001 certification with NIS2 compliance. ISO 27001 is valuable evidence of technical control maturity, but it does not cover all NIS2 obligations. The board accountability provisions, the incident notification timelines, and the specific supply chain management requirements of NIS2 require additional measures beyond what ISO 27001 mandates.
- Delaying implementation until the Spanish transposition is complete. Companies operating in EU member states that have already transposed NIS2 — Germany (KRITIS-DachG), France (LPM), Italy — must comply there now. And the Spanish transposition, expected by June 2026, will apply to incidents that occurred before the transposition date. Controls must be in place before an incident happens, not after the law formally takes effect.
Geographic Coverage
We advise NIS2-obligated entities across Spain, coordinating with INCIBE (national supervisory authority for most private entities) and CCN (for public entities and their providers) on scope assessment, compliance documentation, and incident notification. For multinational organisations with operations in multiple EU member states, we coordinate NIS2 compliance across jurisdictions with EU counsel in Germany, France, and Italy — where NIS2 transposition is already in force and enforcement has begun.
Incident Response Readiness: Testing Before the Incident Happens
The most expensive discovery an organisation can make about its NIS2 incident notification protocol is that it does not work — after a real incident has already started. The 24-hour early warning deadline does not allow for protocol design, tool procurement, or contact verification after the incident begins.
Incident response readiness under NIS2 requires:
- A pre-designed notification template for early warnings that can be completed with partial information (as will always be the case at the 24-hour stage).
- Verified contact details for the competent supervisory authority (INCIBE for most private entities, CCN for public entities and their providers).
- A 24/7 escalation chain from the IT security function to the person authorised to sign the formal notification.
- A tested procedure for the significance determination — the judgment call about whether an incident crosses the NIS2 threshold for mandatory notification.
- A GDPR parallel track (72-hour AEPD notification) that runs simultaneously when the incident affects personal data.
We design and facilitate tabletop exercises that simulate a real NIS2-triggering incident, testing the notification chain, the significance determination process, and the parallel GDPR coordination. Tabletop results typically reveal 3-5 practical failures in notification procedures that are immediately correctable before a real incident occurs.
Integration with Cyber Insurance
Organisations that hold cyber insurance policies must understand the intersection between their NIS2 obligations and their insurance coverage. Cyber insurance policies typically include specific provisions about incident notification to authorities — some require the insurer to be notified before a regulatory authority, others require simultaneous notification. Failure to follow the policy’s notification sequence can void the coverage for the incident.
We review cyber insurance policies in the context of NIS2 and GDPR notification obligations to ensure that the notification sequence agreed with the insurer is consistent with the regulatory deadlines. Where conflicts exist, we advise on renegotiating the policy or establishing an agreed parallel notification protocol with the insurer. The cyber insurance advisory is increasingly conducted in conjunction with NIS2 compliance as organisations recognise the close operational relationship between the two.
How We Work
Our NIS2 compliance practice combines technology regulation lawyers with cybersecurity consultants who hold CISM and ISO 27001 Lead Implementer certifications. A typical engagement:
Phase 1 — Scope assessment (1-2 weeks): formal legal and technical analysis of NIS2 classification, production of a documented scope conclusion for board and customer reporting.
Phase 2 — Gap analysis (2-4 weeks): assessment of current cybersecurity controls against Art. 21 requirements, identification of material gaps, and a risk-prioritised remediation plan with realistic implementation timeline.
Phase 3 — Implementation (3-6 months): ISMS design and documentation, supply chain security programme, incident notification protocol design and tabletop testing, board training on NIS2 obligations and personal liability.
Phase 4 — Ongoing monitoring: quarterly compliance reviews, annual gap reassessment (as the NIS2 supervisory guidance evolves), and incident notification support when a significant incident occurs.
Fixed-fee scope assessment packages are available for organisations that need an urgent NIS2 classification determination — for example, when a customer or insurer has requested confirmation of compliance status.
Real results in NIS2 compliance
We discovered we qualified as an important entity under NIS2 through a supplier's compliance questionnaire — we had not assessed our own status. BMC completed the scope analysis and gap assessment in four weeks. Three months later, we had a board-approved compliance plan, a tested incident notification protocol, and a clear picture of our supply chain risks. We are on track well before the Spanish transposition deadline.
Experienced team with local insight and international reach
What our NIS2 compliance service includes
NIS2 Scope Assessment
Legal and technical analysis to determine whether the organisation is an essential or important entity, including the impact of supply chain relationships with already-classified entities.
Gap Analysis and Compliance Plan
Assessment of current cybersecurity controls against the Article 21 requirements, with a risk-prioritised remediation plan and realistic implementation timeline.
Governance Framework and Board Accountability
Implementation of the cybersecurity governance framework required by NIS2, including board training, documented governance accountability, and management review processes.
Incident Notification Protocol
Design, implementation, and tabletop testing of the NIS2 incident notification protocol: 24-hour early warning, 72-hour initial report, and one-month final report to the supervisory authority.
Supply Chain Security Management
Critical supplier risk assessment, security clause integration in procurement contracts, and a continuous monitoring programme for supply chain cybersecurity risks.
Start with a free diagnostic
Our team of specialists, with deep knowledge of the Spanish and European market, will guide you from day one.