
NIS2 in Spain: A Compliance Guide for 2026

Practical guide to NIS2 compliance in Spain: obligations, deadlines, penalties, and actionable steps for businesses operating in 2026.

Secra · April 16, 2026 · 9 min read

The NIS2 Directive is the most significant cybersecurity regulation to hit European businesses this decade. For companies operating in Spain, the situation is particularly pressing: the country missed the original transposition deadline, the European Commission is actively pursuing enforcement, and the October 2026 full compliance deadline is fast approaching. If your organization falls within scope, the time to act is now.

What Is NIS2 and Why Does It Matter?

Directive (EU) 2022/2555, commonly known as NIS2 (Network and Information Security 2), establishes a unified cybersecurity framework across all EU Member States. It replaces the original NIS Directive from 2016, which was widely regarded as insufficient given the dramatic evolution of cyber threats.

NIS2 entered into force in January 2023, with Member States required to transpose it into national law by 17 October 2024. Spain failed to meet that deadline. The Draft Law on Cybersecurity Coordination and Governance was approved by the Council of Ministers in January 2025 but remains pending parliamentary approval as of April 2026.

The European Commission issued a reasoned opinion to Spain in May 2025 over the delay — a formal step that could lead to proceedings before the Court of Justice of the EU, including financial penalties against the State. This pressure means the law's approval will accelerate, and organizations that haven't prepared will face a compliance scramble.

What makes NIS2 fundamentally different from its predecessor is its dramatically expanded scope: more sectors, more organizations, stricter obligations, harsher penalties, and direct accountability for senior management. This is not an incremental update — it's a paradigm shift in how Europe governs cybersecurity.

Who Must Comply With NIS2 in Spain?

NIS2 categorizes organizations into two groups: essential entities and important entities. Both must implement security measures, though the level of regulatory supervision and maximum penalties differ.

High-Criticality Sectors (Essential Entities)

  • Energy: electricity, gas, oil, hydrogen, district heating and cooling
  • Transport: air, rail, maritime, and road
  • Banking and financial market infrastructures
  • Healthcare: hospitals, laboratories, pharmaceutical and medical device manufacturers
  • Drinking water and wastewater
  • Digital infrastructure: DNS providers, TLD registries, cloud services, data centres, content delivery networks, trust service providers
  • ICT service management (B2B): managed service providers and managed security service providers (MSP/MSSP)
  • Public administration (central and regional government)
  • Space: ground-based infrastructure operators

Other Critical Sectors (Important Entities)

  • Postal and courier services
  • Waste management
  • Chemical industry
  • Food: production, processing, and distribution
  • Manufacturing: medical devices, computers, electronics, optics, machinery, motor vehicles, transport equipment
  • Digital providers: online marketplaces, search engines, social networking platforms
  • Research: research organizations

Size Threshold

As a general rule, NIS2 applies to organizations with 50 or more employees or annual revenue exceeding EUR 10 million. However, there are critical exceptions: SMEs providing services in especially sensitive areas such as DNS, trust services, or telecommunications may be included regardless of their size.

If your company operates in any of these sectors and meets the size criteria, you are subject to NIS2. The question is not whether it applies to you, but how quickly you can achieve compliance.

The 10 Core NIS2 Obligations

The directive structures its requirements into three pillars: governance, risk management, and incident reporting. Here's what your organization must implement.

1. Board-Level Accountability

NIS2 mandates that management bodies approve cybersecurity risk management measures, oversee their implementation, and bear direct responsibility for non-compliance. Board members and senior executives must receive mandatory training in cybersecurity risk management. Cybersecurity is no longer an IT department concern — it's a boardroom responsibility.

2. Comprehensive Risk Management

Entities must implement proportionate technical, operational, and organizational measures to manage risks to network and information systems. NIS2 specifies a risk-based approach covering:

  • Risk analysis and information system security policies
  • Incident handling (prevention, detection, and response)
  • Business continuity, backup management, and disaster recovery
  • Supply chain security
  • Security in system acquisition, development, and maintenance
  • Policies and procedures for assessing the effectiveness of measures
  • Basic cyber hygiene practices and training
  • Cryptography and encryption policies
  • Human resources security, access control policies, and asset management
  • Multi-factor authentication (MFA) and secured communications

3. Supply Chain Security

Entities must assess the cybersecurity posture of their direct suppliers and service providers, considering each supplier's specific vulnerabilities, the quality of their cybersecurity practices, and their secure development procedures. This includes contractual security clauses and periodic audits.

4. Incident Reporting

NIS2 establishes strict notification timelines to the relevant CSIRT:

  • Early warning: within 24 hours of detecting a significant incident
  • Official notification: within 72 hours with an initial assessment of severity and impact
  • Final report: within one month with a detailed description, root cause analysis, mitigation measures, and cross-border impact if applicable

5. Registration and Self-Identification

Entities must register with the competent authority, providing information about their name, address, sector, contact details, and IP ranges. This self-identification process is mandatory — failure to register does not exempt you from compliance.

6. Business Continuity

Entities must maintain documented business continuity and disaster recovery plans and test them periodically to demonstrate their effectiveness. Having a plan on paper is not enough: you must prove it works.

7. Encryption and Communication Security

Entities must implement cryptography and encryption policies appropriate to the risk level, covering secure communications both within the organization and with third parties.

8. Access Control and Identity Management

Entities must define access control policies based on the principle of least privilege, with multi-factor authentication (MFA) required for access to critical systems.

9. Vulnerability Management

Entities must maintain documented processes for identifying, assessing, and remediating vulnerabilities, including continuous monitoring and timely patch management.

10. Periodic Effectiveness Assessment

Security measures are not static. NIS2 requires entities to regularly evaluate the effectiveness of their controls through security audits, penetration testing, and simulation exercises.

NIS2 Penalties: A Steep Price for Non-Compliance

NIS2's enforcement regime is considerably tougher than its predecessor and follows the GDPR model to ensure real deterrent effect.

For essential entities: fines of up to EUR 10 million or 2% of global annual turnover, whichever is higher. Member States may also impose temporary suspension of certifications and temporary bans on individuals holding management positions.

For important entities: fines of up to EUR 7 million or 1.4% of global annual turnover.

Spain's draft legislation includes a tiered system of minor, serious, and very serious infringements, with penalties reaching EUR 2 million for the most serious domestic violations, while NIS2's higher caps apply to larger entities.

The most critical point for executives: NIS2 establishes personal liability for management body members for failure to fulfil supervisory obligations. Board members and CEOs may face individual consequences if they fail to ensure adequate cybersecurity governance.

How NIS2 Relates to ENS, DORA, and ISO 27001

NIS2 doesn't exist in isolation. Its implementation must be coordinated with other frameworks your organization may already follow.

NIS2 and ENS

Spain's National Security Framework (ENS) is mandatory for the public sector and its technology providers. NIS2 and ENS share security objectives, but NIS2 extends scope to the private sector and adds requirements around incident notification and governance. If your organization is already ENS-certified, you have a solid foundation, but you'll need to address NIS2-specific obligations — particularly supply chain security and board-level accountability. At Secra, we help organizations manage both frameworks in an integrated manner through our GRC services.

NIS2 and DORA

The Digital Operational Resilience Act (DORA), applicable since January 2025, specifically targets the financial sector. DORA is considered lex specialis in relation to NIS2, meaning its more specific requirements take precedence for financial entities. However, financial institutions must also comply with NIS2's general provisions where DORA does not provide more specific rules.

NIS2 and ISO 27001

ISO 27001 certification provides an excellent foundation for NIS2 compliance, covering most risk management requirements. However, NIS2 adds specific obligations not addressed by ISO 27001, such as incident notification timelines, management liability, and certain supply chain requirements.

Your 7-Step NIS2 Compliance Roadmap

Preparing for NIS2 requires a structured approach combining analysis, implementation, and validation. Here's the roadmap we recommend at Secra.

Step 1: Determine Whether NIS2 Applies to You

Review the sectors and size criteria outlined above. If you're uncertain, consult a compliance specialist. Remember that the assessment isn't limited to your primary sector: if you provide ICT services to essential entities, you may be in scope.

Step 2: Conduct a Gap Analysis

Compare your current cybersecurity posture against NIS2 requirements. Identify gaps in your technical, organizational, and governance controls. If you already hold certifications like ENS or ISO 27001, your starting point will be more advanced — but you'll still need to assess the differences.

Step 3: Assess Your Supply Chain

Identify your critical ICT suppliers, evaluate their cybersecurity practices, and incorporate security clauses into contracts. This obligation is among the most complex and time-consuming, so it should be prioritized early.

Step 4: Implement Technical Measures

Deploy the required security controls: vulnerability management, MFA, encryption, network segmentation, continuous monitoring, and backup systems. A penetration test will validate the real-world effectiveness of your controls and uncover attack vectors that might otherwise go undetected.

Step 5: Establish Incident Reporting Procedures

Define and document a clear procedure for incident detection, classification, and notification within NIS2 timelines (24h / 72h / 1 month). Conduct periodic tabletop exercises to verify that your team knows and follows the procedure.

Step 6: Engage Senior Management

Ensure that management bodies understand their responsibilities under NIS2, formally approve the security policy, and receive mandatory training. This is not a checkbox exercise — personal liability for executives makes their active involvement essential.

Step 7: Audit and Continuously Improve

NIS2 is not a one-time compliance project but an ongoing process. Schedule regular security audits, penetration tests, and Red Team exercises to assess your organization's real resilience against advanced threats. Feed the results back into your continuous improvement cycle.

Prepare Your Organization for NIS2 With Secra

The NIS2 Directive represents the most consequential change in European cybersecurity regulation in over a decade. For businesses operating in Spain, the combination of delayed transposition and European Commission pressure creates a scenario where early preparation is the only sound strategy.

At Secra, we guide organizations through the entire NIS2 compliance journey: from the initial gap analysis through technical control implementation, compliance evidence preparation, and offensive security audits that validate the real-world effectiveness of implemented measures.

Request a free initial assessment and find out where your organization stands relative to NIS2 requirements. Our GRC and offensive cybersecurity consultants will provide a clear diagnosis and a tailored action plan for your sector and maturity level.

Contact us and get ahead of the regulation before time runs out.
