NIS2 is Directive (EU) 2022/2555, which replaces the original NIS directive (2016/1148). Member states had to transpose it by 17 October 2024; in Spain the transposing law is expected to bind essential and important entities, SMEs included, in critical sectors (energy, water, transport, banking, healthcare, digital infrastructure) from 2026.

Which Spanish SMEs does NIS2 cover?

Essential entities are large enterprises (250 or more employees, or turnover above €50M) in the Annex I sectors: energy, transport, banking, healthcare, water, digital infrastructure, space. Important entities are medium-sized enterprises (50-249 employees, or turnover between €10M and €50M) in the expanded Annex II sectors: critical food supply, chemical products, postal/courier, waste, medical-device manufacturing. Some small SMEs in digital infrastructure (for example DNS and TLD operators and trust-service providers) are in scope regardless of size.

What technical obligations does NIS2 require?

Ten areas (article 21.2, letters a to j): information-security and risk-analysis policy, incident management (early warning to the national CSIRT, INCIBE-CERT or CCN-CERT, within 24 h of becoming aware of a significant incident, a full notification within 72 h and a final report within one month), business continuity + backup and disaster recovery, supply chain (suppliers and dependencies), security in system acquisition/development and vulnerability handling, assessment of the effectiveness of the measures, basic cyber-hygiene practices + training, cryptography and encryption policy, access control and asset management, multi-factor authentication and secure communications.

What happens if an SME does not comply with NIS2?

Administrative fines of up to €10 million or 2% of worldwide annual turnover (whichever is higher) for essential entities, and up to €7 million or 1.4% for important entities. Personal liability of the management body: directors must approve and oversee the measures and may be held personally liable if they fail to implement them. In severe cases the authority may suspend certifications or authorisations and temporarily bar managers from exercising their functions.

How is NIS2 connected to ISO 27001 and ISO 22301?

ISO 27001 directly covers the "risk analysis and information-system security" area of NIS2 (article 21.2.a). ISO 22301 covers the "business continuity" area (article 21.2.c). In the author's estimate, a company with both standards in force already satisfies roughly 75% of the directive's requirements; the remaining 25% (incident notification deadlines, supply-chain security, cyber-hygiene training) is covered with specific NIS2 procedures.

Authored by Ángel Ortega Castro · independent consultant in strategy, quality and digitalisation for SMEs.