Compliance

Cybersecurity Compliance and Frameworks

Practical guides on the frameworks regulating information security in Spain and the European Union. How to comply, evidence and audit.

NIS2 (Directive 2022/2555)

EU cybersecurity framework for essential and important entities. Spain transposes it through the Cybersecurity Coordination and Governance Act. Covers technical obligations, governance and 24-hour incident notification.

DORA (EU Regulation 2022/2554)

Digital operational resilience regulation for financial entities (banks, insurers, asset managers, crypto providers). Requires ICT risk management, advanced testing (including TLPT), third-party governance and structured incident reporting.

ISO/IEC 27001

International information security management standard. The current version is 2022, with 93 controls. Certifiable by accredited bodies. Recognised baseline for evidencing maturity against NIS2, DORA, B2B contracts and procurement requirements.

ENS (Spanish National Security Framework)

Mandatory framework for Spanish public sector entities and providers that deliver services to them. Basic, Medium and High categories. Updated via Royal Decree 311/2022 with 73 security measures.

TIBER-EU and TLPT

EU framework for threat-intelligence-led red team testing on critical financial infrastructure. Under DORA, TLPT (Threat-Led Penetration Tests) are mandatory every three years for significant financial entities.

Risk management and methodologies

Risk analysis and management methodologies recognised in Spain: MAGERIT (the government standard), its mapping to ISO 27005, and the supporting analyses required under ENS and NIS2.

Frequently Asked Questions

How does NIS2 differ from DORA?
NIS2 is a horizontal directive for essential and important sectors (energy, health, public administration, transport, digital infrastructure). DORA is a sector-specific regulation for financial entities. If a financial entity is subject to DORA, DORA prevails as lex specialis. An entity can fall under both frameworks depending on its profile.
Does ISO 27001 replace NIS2 or DORA?
No. ISO 27001 is a voluntary certification evidencing a security management system. NIS2 and DORA are legal obligations. ISO 27001 certification helps demonstrate maturity to regulators but does not exempt an organisation from each framework's specific compliance obligations.
Which companies must comply with ENS?
Spanish public sector entities and private providers serving them. Application is tiered by categories (Basic, Medium, High) based on service criticality and data handled.
When are TLPTs mandatory under DORA?
For significant financial entities designated by the competent authority. The minimum frequency is triennial. TLPTs follow the TIBER-EU framework adapted to the DORA context and require accredited providers for the red team and threat intelligence roles.
Is an SME bound by NIS2?
Generally no, unless it operates in sectors designated as essential or important. NIS2 sets thresholds by size and sector. However, many SMEs fall within scope indirectly as providers to obligated entities that demand contractual controls.

End-to-end compliance support

Gap assessment, prioritised roadmap, technical evidence for audit and ongoing support. We cover NIS2, DORA, ISO 27001, ENS and TIBER with teams that have implemented and audited the frameworks in production.

See GRC solutions