The NIS2 Directive (EU Directive 2022/2555 of the European Parliament and of the Council, of 14 December 2022) is the most ambitious European cybersecurity framework adopted to date. It repeals and replaces the first NIS Directive of 2016, doubles the number of obligated sectors, toughens sanctions, and requires incident notification within hours. If you run a company in Spain and have heard about NIS2 without knowing for certain whether it affects you, this article answers the question directly: who it applies to, with what thresholds, in which sectors and when.
What is the NIS2 Directive and how does it differ from NIS1?
The first NIS Directive (2016) created a minimum framework covering seven sectors that left the majority of European companies outside its scope. It only applied to so-called operators of essential services and some large digital service providers. The result was notable regulatory fragmentation between Member States and insufficient coverage in the face of the escalating cyberattacks of recent years.
NIS2 corrects those flaws at the root: it expands the sectors from 7 to 18, introduces the concepts of essential entity and important entity with differentiated obligations, establishes clear size thresholds, and harmonises sanctions across the European Union. It also requires affected entities to manage the cybersecurity of their supply chain, which indirectly draws in many suppliers that, by size, would fall outside the direct scope.
State of transposition in Spain (2025–2026)
The deadline for Member States to transpose NIS2 into national law was 17 October 2024. Spain did not meet that deadline. In January 2025, the Council of Ministers approved the Draft Law on Cybersecurity Coordination and Governance, the text that will incorporate the Directive into Spanish law. As of mid-2026, that draft is still progressing through the parliamentary process, so the final law has not yet been published in the Official State Gazette (BOE).
This does not mean Spanish companies can ignore NIS2. The Directive has partial direct effect for States that fail to transpose on time, and the European Commission may open infringement proceedings. More importantly, entities already operating in regulated sectors (energy, banking, telecoms, healthcare) are being required by their sectoral regulators to demonstrate cybersecurity maturity in line with NIS2 standards, even though the national law has not been published. Waiting for the BOE to formally require it is a risky strategy.
If you need support to assess your exposure and prepare the required documentation, Summum Consultoria manages the entire process: see our NIS2 and DORA service and learn how we structure the process.
Who NIS2 applies to: the two key categories
NIS2 distinguishes two types of obligated entities with different levels of requirements:
Essential entities
These are organisations whose failure would have a particularly severe impact on society or the economy. This category includes large companies (more than 250 employees or more than 50 million euros in annual turnover) operating in the highly critical sectors listed in Annex I of the Directive. Regardless of size, certain critical infrastructures, providers of public electronic communications networks, and qualified trust service providers are also included.
Important entities
These are medium-sized companies (between 50 and 250 employees, or between 10 and 50 million euros in turnover) operating in the sectors covered by Annex I or the highly critical sectors of Annex II. The obligations are similar to those for essential entities, but the supervisory regime is reactive rather than proactive: authorities intervene mainly when non-compliance is detected, rather than conducting periodic audits.
The general minimum threshold
Micro-enterprises (fewer than 10 employees and less than 2 million euros in turnover) and small enterprises (fewer than 50 employees and less than 10 million euros) fall outside the direct scope, unless national rules expressly designate them as critical or they provide services on which public safety, national defence, or regulated activities depend.
The 18 sectors affected by NIS2
The table below summarises the obligated sectors and whether they fall under Annex I (high criticality) or Annex II (elevated criticality):
| Sector | Category | Examples of entities |
|---|---|---|
| Energy | Annex I — Essential | Electricity, gas, oil, hydrogen, district heating |
| Transport | Annex I — Essential | Air, rail, maritime, road |
| Banking | Annex I — Essential | Credit institutions |
| Financial market infrastructures | Annex I — Essential | Trading venues, central counterparties |
| Healthcare | Annex I — Essential | Hospitals, laboratories, manufacturers of critical medical devices |
| Drinking water | Annex I — Essential | Suppliers and distributors of drinking water |
| Waste water | Annex I — Essential | Sanitation and water treatment companies |
| Digital infrastructure | Annex I — Essential | IXPs, DNS, TLDs, data centres, CDNs, trust services, communications networks |
| ICT service management (B2B) | Annex I — Essential | Managed service providers (MSP) and managed security service providers (MSSP) |
| Public administration | Annex I — Essential | Central government and, where applicable, regional and local authorities |
| Space | Annex I — Essential | Operators of ground-based infrastructure for space services |
| Postal and courier services | Annex II — Important | Mail and parcel operators |
| Waste management | Annex II — Important | Waste collection, treatment, and disposal |
| Manufacturing | Annex II — Important | Medical devices, computers, electronics, machinery, motor vehicles |
| Food production and distribution | Annex II — Important | Large food producers and distributors |
| Chemicals | Annex II — Important | Manufacture and distribution of hazardous substances |
| Digital providers | Annex II — Important | Online platforms, search engines, social networks, online marketplaces |
| Research | Annex II — Important | Research organisations (especially those with public funding or defence contracts) |
Does NIS2 affect SMEs?
This is the question that most worries directors of small and medium-sized businesses in Spain. The answer is nuanced:
Directly: only if you exceed the size thresholds (50 employees or 10 million euros in turnover) and you operate in one of the 18 sectors. An SME with 30 employees that manufactures furniture is not directly required to comply with NIS2.
Indirectly: if you are a supplier to an essential or important entity, NIS2 requires that entity to actively manage the risks in its supply chain. In practice, your large clients will ask you for security questionnaires, audits, or compliance evidence. Failing to comply could cost you contracts. The sectors where this cascading effect is most intense are ICT, manufacturing of critical components, logistics, and professional services (including consultancies that manage data belonging to essential entities).
By express designation: Spanish law may include small entities whose activity is critical for national security or the provision of essential services. It is not ruled out that, for example, certain small clinics or testing laboratories could be brought within scope.
Main obligations imposed by NIS2
Regardless of whether your entity is essential or important, the substantive obligations are equivalent. The difference lies in the intensity of supervision. The required measures include:
- Information security policy documented, approved by the governing body, and reviewed periodically.
- Risk management with documented analysis and treatment of identified risks.
- Supply chain security: risk assessment of key suppliers and subcontractors.
- Incident notification: early warning to the CSIRT or competent authority within a maximum of 24 hours of becoming aware of a significant incident, with full notification within 72 hours and a final report within 30 days.
- Business continuity management: continuity plans, crisis management, and disaster recovery.
- Cryptography and encryption in the processing of critical data.
- Human resources security, including privileged access management and ongoing staff training.
- Multi-factor authentication for access to sensitive information systems.
- Accountability of the governing body: managers may be personally liable for non-compliance in essential entities.
Sanctions: how much can you be fined?
The NIS2 sanctioning regime is significantly tougher than that of NIS1:
- For essential entities: up to 10 million euros or 2% of global annual turnover (whichever is higher).
- For important entities: up to 7 million euros or 1.4% of global annual turnover.
- In addition to financial sanctions, managers of essential entities may be temporarily disqualified from holding management positions if non-compliance results from gross negligence.
The 2% threshold equates these sanctions, in relative scale, to those of the GDPR (which reaches 4% for the most serious infringements), giving a sense of how seriously the European legislator treats this matter.
NIS2 and the National Security Framework (ENS)
In Spain, the National Security Framework (ENS), regulated by Royal Decree 311/2022, is the reference standard for cybersecurity in public administrations and their suppliers. NIS2 and the ENS share many principles and controls, but they are not the same and do not have the same scope of application.
The ENS is mandatory for public administrations and for companies that provide services or manage information systems for public entities. If you already hold ENS compliance, you have a head start on NIS2, but you will need to carry out a specific gap analysis: there are NIS2 requirements (such as supply chain management or incident notification within 24 hours) that the ENS does not cover in an identical manner.
Practical steps to prepare your company now
Even though the Spanish transposition law has not been published in the BOE, the time left to act is limited. These are the steps we recommend at Summum Consultoria based on our experience supporting companies through regulatory compliance processes:
- Determine whether you are in scope: cross-reference your sector of activity with Annexes I and II of the Directive and check whether you exceed the size thresholds. If in doubt, the conservative answer is to assume you are within scope.
- Carry out a gap analysis: compare your current security posture with NIS2 obligations. INCIBE offers free self-assessment tools that serve as a starting point.
- Involve senior management: NIS2 requires the governing body to approve security policies and be aware of the risks. This is not solely an IT matter.
- Audit your supply chain: identify critical suppliers and review contracts to include cybersecurity clauses.
- Prepare your incident notification protocol: 24 hours is very little time if the process has not been defined and practised in advance.
- Document everything: security policy, risk analysis, continuity plans, incident records. Documentation is what demonstrates compliance to supervisors.
For a personalised roadmap and full support throughout the compliance process, see our NIS2 and DORA compliance service, where we cover everything from the initial diagnosis to support with incident notification.
Frequently asked questions
Is NIS2 already in force in Spain even though it has not been published in the BOE?
The NIS2 Directive is directly applicable in its essential aspects since the transposition deadline expired (October 2024), even though the Spanish implementing law is still pending publication. In practice, sectoral regulators (CNMC for telecoms and energy, Banco de España and CNMV for the financial sector, etc.) are already requiring entities under their supervision to meet NIS2 standards. Moreover, if the final law is approved with a nine-month adaptation period, as envisaged in the draft bill, companies that start now will have a significant advantage.
Can a company with fewer than 50 employees be required to comply with NIS2?
Yes, in two scenarios. First, if Spanish legislation expressly designates it as a critical entity due to its activity (for example, a provider of qualified trust services or a one-of-a-kind digital infrastructure). Second, if it is a supplier to an essential entity and that entity requires cybersecurity compliance accreditations as a contractual condition. The cascading supply-chain effect is one of the most relevant aspects of NIS2 for Spanish SMEs.
What is the relationship between NIS2, the GDPR, and ISO 27001?
NIS2 and the GDPR are complementary but distinct frameworks. The GDPR regulates the processing of personal data; NIS2 regulates the security of network and information systems, including infrastructure that does not process personal data. That said, a cybersecurity incident that compromises personal data may simultaneously trigger the GDPR notification obligations (72 hours to the AEPD) and those of NIS2 (24 hours to the CSIRT). For its part, ISO 27001 is the reference standard for information security management systems: implementing it does not automatically equate to NIS2 compliance, but it covers a very significant portion of the required controls and greatly facilitates the adaptation process.
What is DORA and how does it differ from NIS2?
The DORA Regulation (Digital Operational Resilience Act, EU Regulation 2022/2554) is the cybersecurity and digital operational resilience standard specifically designed for the European financial sector: banks, insurers, investment funds, payment companies, and their critical ICT providers. DORA entered into force on 17 January 2025 and has direct effect without the need for national transposition. If your company operates in the financial sector, DORA is the priority framework, although NIS2 remains relevant as the general framework. If your company is a technology supplier to financial entities, DORA affects you as a critical third-party provider.