What NIS2 is
Europe raises the bar. And responsibility moves up to the board.
NIS2 is the European cybersecurity directive (EU Directive 2022/2555), in force since 2023. It replaces the 2016 rules and raises the required level: risk management, business continuity planning, incident notification within 24 and 72 hours, and supply chain security.
The change that stings most: responsibility no longer sits with IT — it sits with the governing body. The board must approve and oversee the measures, train in cybersecurity, and can be held personally liable for non-compliance. With fines of up to €10 million or 2% of worldwide turnover.
The Spanish law
The Spanish law is about to land. The obligations are already running.
Spain was due to transpose NIS2 by 17 October 2024 and still hasn't. The draft Cybersecurity Coordination and Governance Law was approved by the Council of Ministers on 14 January 2025 and is still going through parliament, with no final approval.
The pressure to get it passed is at its peak: the European Commission opened infringement proceedings against Spain and in May 2026 sent the second formal notice, the step before taking the case to the EU Court of Justice. When it's published in the Official State Gazette, there will be no comfortable adaptation period: those who arrive late will be late.
Status verified as of 6 July 2026Who does it bind directly?
18 sectors. And from 50 employees, you're in.
It binds companies in essential sectors (energy, transport, banking, healthcare, water, digital infrastructure, managed ICT services, public administration, space…) and important sectors (food, chemicals, waste, manufacturing, postal, digital platforms, research…).
The general threshold: being in one of those sectors and having 50 or more employees or over €10 million in turnover. And there are exceptions that reach companies of any size if their service is critical.
The cascade effect
Not on the list? Your clients are.
Here's the fine print almost nobody reads: NIS2 requires affected companies to guarantee the security of their supply chain. In other words, to demand cybersecurity from their suppliers — whatever the supplier's size.
In practice: security questionnaires, cybersecurity clauses in contracts and supplier approval. If you sell to a company in scope, its obligations cascade down onto you. It won't be the regulator that fines you: it will be your client that drops you.
The question isn't whether it affects you. It's how much: enormously, a lot, or quite a bit.
Directly in scope, supplier to a company in scope, or simply holding data the law already requires you to protect: every road leads to demonstrable cybersecurity.
Enormously, a lot, or quite a bit?
Answer it with the free check-up: which regulations apply to you, what your obligations are and what's at stake. No jargon, no strings attached.
Find out in 5 minutes how much it affects you (Spanish) →