Half a year after the NIS2 Directive entered into force, the picture of compliance in Spain is worrying. Although the new cybersecurity regulations mark a turning point in European digital strategy, a significant part of the business community still has not taken the minimum measures the legislation requires. The contrast between organizations' self-perception and their actual preparedness is beginning to cause alarm among experts and authorities.

According to the Observatory of Business Competitiveness of the Chamber of Commerce of Spain, just one third of companies offer regular cybersecurity training to their employees, and more than a quarter have no personnel at all responsible for this area. However, 73 % believe they are sufficiently protected, which shows a gap between confidence and reality that could translate into critical sanctions and vulnerabilities.

An ambitious directive, a half-speed implementation

NIS2, in force since October 2024, tightens the requirements of its predecessor and obliges thousands of companies classed as “essential” or “important” to put in place formal risk analysis policies, continuity plans, incident management and, especially, continuous training at both the operational and managerial level.

“The problem is not only technological: NIS2 requires a structural transformation of the company, from top to bottom. And that implies the involvement of the management, investment in talent and security culture,” says José Antonio Morcillo, Head of Channel Iberia of Kaspersky. “The data says it all: much of the Spanish business fabric is still not prepared.”

Figures from the Ministry of Interior corroborate this: the average degree of compliance among important entities barely reaches 27 %, and only those previously regulated by NIS1 exceed 90 % implementation. The new additions to the category of essential entities, many of them from the health, ICT or digital infrastructure sectors, have not yet made the leap.

The talent gap, an obvious bottleneck

Beyond the regulatory requirements, the shortage of qualified cybersecurity professionals has become established as one of the greatest obstacles. ENISA’s report on the cybersecurity labor market warns that most EU countries, including Spain, have difficulty filling key roles in forensic analysis, operations management or security architecture.

In this context, solutions such as Kaspersky Xtraining, which offers advanced training to technical specialists, or the Security Awareness program, focused on training the entire workforce, take on renewed prominence. “Training employees is not a luxury, it is a legal obligation. And training the CISO is no longer enough: managers must also be prepared to manage the risk,” says Morcillo.

Solutions and strategies for compliance

In addition to training programs, Kaspersky is reinforcing its catalog of technological solutions to help companies align with NIS2 requirements. Notable among them are:

  • Kaspersky Next, a scalable EDR/XDR solution to protect critical infrastructure.
  • Kaspersky MDR, a 24/7 managed detection and response service.
  • KICS, specifically designed for industrial environments and critical operating systems.

These tools allow organizations to make progress without expanding their workforce or undertaking disproportionate investments, committing to continuous and sustainable improvement.

Non-compliance with consequences

Companies that do not adapt in time face a stricter sanctions regime, which includes fines proportional to the seriousness of the breach. Surveillance will intensify especially in strategic sectors, and greater coordination between national organizations and European institutions is expected.

Kaspersky sends a clear message: “NIS2 demands a move from good intentions to structured and measurable action. We offer not only technology, but also support, auditing and practical training so that each organization can comply with guarantees.”