NIS2, the European Union's Network and Information Security Directive, is being transposed into Spanish legislation through the draft Coordination and Governance of Cybersecurity bill, recently approved by the Council of Ministers. This urgent measure updates the 2016 regulations and establishes a unified legal framework to protect network and information systems, as well as their users, against incidents and cyber damage in critical sectors.
NIS2 imposes legal obligations on essential sectors and digital services, with the aim of strengthening both cybersecurity and resilience. Unlike NIST CSF 2.0, which is voluntary and flexible, NIS2 takes an EU-specific approach and establishes mandatory requirements for public and private entities in highly critical areas such as energy, transport, banking, health, water, digital infrastructure and technological services.
5 Keys of NIS2
Evolution has analyzed the five key points of this new regulation and its impact on the cyber-defense strategies of organizations:
- Identification of essential and important entities: NIS2 applies to entities with tax residence in Spain or that offer services in Spanish territory. These entities, which operate in critical sectors, must be identified and managed to face the cyber-threat landscape. In Spain, it is estimated that 33,072 companies with more than 50 employees will be subject to these regulations. EU member states have until April 17, 2025 to draw up a list of these entities, which must be reviewed every two years.
- Planning and proportional measures: Essential and important entities must implement risk management measures for their networks, information systems and physical environments. This includes security policies, threat analysis, detection and response procedures, crisis and continuity plans, supplier security, vulnerability scanning and continuous training programs. Having security experts and a broad cybersecurity offering will increase a company's digital trust.
Identifying the essential entities, establishing adequate and proportional measures and managing supply chain risks are among the keys of the new NIS2 regulations
- Supply chain risk management: NIS2 also addresses security in the supply chain, an area that has seen an increase in cyber attacks. Essential entities must enter into contractual agreements with their suppliers to guarantee the security and resilience of the contracted products and services. Organizations need advanced protection of sensitive data, greater visibility and behavior control, and scalable, tailored solutions.
- Internal responsibility: The senior management of essential and important entities will be responsible for approving and supervising cybersecurity measures. This includes acquiring knowledge of cybersecurity risk management and providing regular training to all employees. Entities must manage their cyber risks through audits and control mechanisms. The implementation of NIS2 has increased cybersecurity spending in the EU, with information security representing 9% of IT investment in 2023.
- Notification of significant incidents: NIS2 establishes the obligation to notify any significant incident, cyber threat or “quasi-incident” (near miss) to the Spanish computer security incident response teams (CSIRTs) or the competent authority. Entities have up to 24 hours to issue an early warning and 72 hours to submit an incident notification with an initial assessment. A final report must be submitted one month after the first notification. Having threat research and detection capabilities will help organizations stay ahead of cybercriminals.
