NIS2 in Spain: A Practical Guide for Mid-Market Companies Without a Dedicated Legal Team
NIS2 obligations have applied across the EU since 18 October 2024. Spanish companies in scope face real obligations, and real penalties. This guide translates the Directive into 10 concrete actions.
The NIS2 Directive (Directive (EU) 2022/2555, the second Network and Information Security Directive) entered into force in January 2023; member states had to transpose it by 17 October 2024 and apply its measures from 18 October 2024. Spain's national transposition carries over the Directive's significant extension of the original NIS regime: more sectors, lower size thresholds for coverage, stricter security requirements, and personal accountability of management bodies for governance failures.
If your company operates in a sector covered by NIS2 and meets the size thresholds, you have compliance obligations that cannot be delegated to “IT will handle it.” NIS2 explicitly places security governance responsibility at the management level.
This guide is written for the general counsel, compliance officer, or CEO of a Spanish mid-market company who has heard about NIS2 and needs to understand, practically, what it requires—without a 200-page regulatory text.
Who is covered
NIS2 divides covered entities into two tiers:
Essential entities: Large organisations in the high-criticality sectors of Annex I, including energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management (B2B), public administration, and space.
Important entities: Medium-sized organisations in the Annex I sectors above, plus medium and large organisations in the Annex II sectors: postal and courier services, waste management, chemicals, food production and distribution, manufacturing (medical devices, computer and electronic products, electrical equipment, machinery, motor vehicles), digital providers (online marketplaces, online search engines, social networking platforms), and research organisations.
Size thresholds: Generally, an entity in a covered sector is in scope once it is at least medium-sized: 50 or more employees, or annual turnover or balance sheet above EUR 10 million. Some entities are covered regardless of size, including DNS service providers, TLD name registries, trust service providers, providers of public electronic communications networks or services, and central public administration entities; a member state may also bring in a smaller entity that is the sole provider of a service essential to society or the economy.
If your Spanish company is a medium-sized manufacturer, logistics provider, IT services company, food producer, or operates in any sector listed above, you should conduct a coverage assessment before assuming you are out of scope.
What NIS2 requires
NIS2 is organised around three pillars: risk management, incident reporting, and supply chain security. For mid-market companies without extensive legal or compliance resources, here is what each pillar requires in practice.
Pillar 1: Risk management
NIS2 Article 21 requires covered entities to implement appropriate technical and organisational measures to manage cybersecurity risks. The measures must be proportionate to the risk, taking into account the state of the art, applicable standards, and the costs of implementation.
In practice, the measures listed in Article 21(2) translate into:
- A documented cybersecurity risk assessment, reviewed annually and after significant changes, taking an all-hazards view (attacks, outages, physical and environmental events)
- Policies for information security, access control, asset management, and incident handling
- Business continuity, backup and disaster recovery arrangements, including crisis management
- Security in the acquisition, development and maintenance of systems, including vulnerability handling and patching
- A policy on the use of cryptography, in practice encryption of sensitive data in transit and at rest
- Multi-factor authentication, particularly for remote and privileged access, and secured communications
- Basic cyber hygiene practices and cybersecurity training implemented organisation-wide
- A way to assess whether the measures are actually effective (reviews, tests, audits)
The key phrase is “appropriate and proportionate.” A 60-person food distributor is not expected to have the same security programme as a national bank. But it is expected to have a programme, documented, with evidence of implementation.
Pillar 2: Incident reporting
NIS2 creates a mandatory reporting obligation for significant incidents in three stages (Article 23):
- Early warning within 24 hours of becoming aware of the incident, stating whether it is suspected to be caused by unlawful or malicious acts and whether it could have a cross-border impact
- Incident notification within 72 hours, updating the early warning with an initial assessment of severity and impact and, where available, indicators of compromise
- Final report within one month of the incident notification, with a detailed description of the incident, its severity and impact, the type of threat or root cause, the mitigation measures applied, and any cross-border impact; if the incident is still ongoing at that point, a progress report is due instead and the final report one month after the incident is handled
The CSIRT may also request intermediate status updates while the incident is being handled. A “significant incident” is one that has caused or is capable of causing severe operational disruption of services or financial loss for the entity, or that has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.
The reporting channel in Spain is the CSIRT of reference: INCIBE-CERT for private-sector entities and CCN-CERT for the public sector. Each notification must contain the specific information elements for its stage; a generic email describing “a cyber incident” does not meet the requirement.
Pillar 3: Supply chain security
NIS2 explicitly extends security requirements to the supply chain. Covered entities must assess the cybersecurity practices of their direct suppliers and service providers and address security risks in those relationships. This has practical implications:
- ICT service providers, cloud vendors, and software providers used in your operations need to be assessed for cybersecurity maturity
- Contracts with critical suppliers should include security requirements, audit rights, and incident notification obligations
- A register of critical suppliers with their last security assessment is a baseline requirement
The 10 actions that create a compliant baseline
1. Conduct a coverage assessment. Confirm whether your organisation is in scope, which tier (essential or important), and which competent authority supervises your sector. Spain assigns competent authorities by sector, with INCIBE-CERT and CCN-CERT as the national CSIRTs of reference, so identify both for your organisation.
2. Assign governance accountability. NIS2 Article 20 requires the management body to approve the cybersecurity risk-management measures, oversee their implementation, and itself follow cybersecurity training. Assign a named executive accountable for the programme and record the approval, the oversight cadence, and the training in board minutes.
3. Complete a cybersecurity risk assessment. Document your key assets, the threats they face, the likelihood and impact of materialisation, and the controls in place. This does not need to be an elaborate exercise—a structured, honest assessment of your environment is what regulators look for.
4. Document your security policies. Produce written policies for: information security governance, access control, acceptable use, incident response, and business continuity. Each policy should be approved by management, dated, and reviewed annually.
5. Implement technical baseline controls. Multi-factor authentication for all remote access and privileged accounts. Encryption for sensitive data. Network segmentation separating production systems from general office networks. Patch management with defined windows for critical vulnerabilities.
6. Establish backup and recovery procedures. Define RPO and RTO for critical systems. Test backup restoration at least annually, into an isolated environment rather than over live data. Document the test outcome. Supervisory authorities ask whether your recovery procedures have actually been validated, not whether they exist on paper.
7. Build the incident response procedure. Document the 24-hour early warning and 72-hour notification procedures with named responsibilities, the INCIBE-CERT contact details, and the information elements required for each notification stage. Conduct a tabletop exercise.
8. Assess your critical suppliers. Identify the ICT vendors and service providers on whom your operations critically depend. For each, document: what services they provide, what access they have to your systems, what their last security assessment showed, and whether your contract includes security requirements.
9. Train your staff. Basic cybersecurity awareness training for all staff is an explicit NIS2 requirement. Record completion. The training should cover phishing recognition, password security, incident reporting, and acceptable use.
10. Document everything. Every risk assessment, every policy review, every training completion, every supplier assessment, every incident. Supervisory audits, when they come, are evidence reviews. The question is always “can you demonstrate this is operational?” not “do you have a policy that says you will do this?”
The personal liability dimension
One feature of NIS2 that distinguishes it from most previous cybersecurity regulation: it creates potential personal liability for members of the management body who fail to approve, implement or oversee the required measures. This is not theoretical. NIS2 Article 20 requires member states to ensure that management bodies of essential and important entities can be held liable for infringements, and Article 32 allows supervisory authorities, for essential entities, to have individuals with CEO or legal-representative responsibilities temporarily prohibited from exercising managerial functions until the breach is remedied.
In Spain’s national transposition, this has been implemented in a way that creates real exposure for executives who cannot demonstrate active oversight of the cybersecurity programme. The board minute, the assigned executive accountable, the documented review of the risk assessment—these are not bureaucratic exercises. They are the evidence that senior management fulfilled its NIS2 obligations.
What the fines look like
Essential entities: up to EUR 10 million or 2% of total worldwide annual turnover of the preceding financial year, whichever is higher. Important entities: up to EUR 7 million or 1.4% of that turnover, whichever is higher.
For a Spanish company with EUR 50 million annual turnover, 1.4% is EUR 700,000, so the fixed ceiling applies and the maximum fine as an important entity is EUR 7 million. The economic case for building the compliance programme is not complicated.