NIS2 Compliance: Act Before the Regulator Does

NIS2 — Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union — replaces the original NIS Directive and significantly expands the scope of mandatory cybersecurity obligations in the EU. It classifies organisations in 18 critical sectors as "essential entities" or "important entities" and requires them to implement risk management measures (Article 21), report significant incidents to national authorities within 24 hours (early warning) and 72 hours (formal report), and ensure their supply chains meet adequate security standards. In Spain, transposition into national law is expected by June 2026; competent supervisory authorities are INCIBE (Instituto Nacional de Ciberseguridad) for most private entities and CCN (Centro Criptológico Nacional) for public entities and their providers. Fines for essential entities reach EUR 10 million or 2% of global annual turnover.

Our NIS2 compliance team combines legal expertise in technology regulation with technical cybersecurity knowledge, allowing us to address both the legal scope assessment and the practical implementation of the controls the directive requires.

The Most Significant Cybersecurity Regulation in EU History

NIS2 is not an incremental update to the original NIS Directive. It is a fundamental rewrite that transforms cybersecurity from a technical concern into a board-level governance obligation — with personal liability for directors, fines comparable to GDPR, and a scope that reaches across 18 critical sectors and their supply chains. The Spanish transposition expected in June 2026 will bring these obligations into domestic law, but the prudent response is to begin implementation now rather than wait for the law to take formal effect.

Scope: Broader Than Most Companies Expect

The most common source of NIS2 surprises is scope. Companies that do not consider themselves operators of critical infrastructure in the traditional sense — logistics platforms, cloud service providers, food manufacturers, medical device companies — are captured by the directive’s expanded sector list. Supply chain exposure adds another layer: organisations supplying services to essential entities may be required by those entities to demonstrate NIS2-equivalent compliance as a condition of their contracts, well before any Spanish supervisory authority comes calling.

Our scope assessment is a formal legal and technical analysis, not a checklist exercise. It produces a documented conclusion that can be presented to the board, to customers, and to regulators.

Article 21: What Controls Are Actually Required

The gap analysis against Article 21’s requirements is typically where organisations discover the most work. Most have some form of cybersecurity controls, but NIS2’s requirements go substantially further: a formally documented and board-approved risk management framework, a supply chain security programme with contractual teeth, multi-factor authentication and encryption deployed across all critical systems, and — critically — a tested incident notification protocol that can actually deliver a 24-hour early warning to the supervisory authority, not just in theory.

For organisations simultaneously pursuing ISO 27001 certification, we structure the NIS2 compliance project to maximise overlap between the two frameworks, avoiding duplication of effort while ensuring that the specific NIS2 requirements not covered by the standard — board accountability documentation, incident notification timelines, supply chain clauses — are addressed in full.

The Incident Notification Requirement

NIS2’s incident notification obligations are operationally demanding. An early warning must reach the supervisory authority within 24 hours of detecting a significant incident — before full analysis, before root cause determination, and often before the incident is fully contained. The 72-hour initial report requires more substance, and the one-month final report requires a comprehensive account of impact, cause, and remediation.

For incidents affecting personal data, these timelines run in parallel with the GDPR’s 72-hour notification window to the AEPD. Our data protection and NIS2 teams coordinate these notifications jointly, ensuring that the information provided to different authorities is consistent and that neither deadline is missed in the urgency of the other.