When will the NIS2 directive be implemented in Spain?

October 17 is the deadline for the NIS2 directive to be transposed in Spain, so companies must be prepared to adapt to its provisions

RGPD, DORA, NIS2… The European Union is building a regulatory framework that seeks to place cybersecurity at the heart of European companies’ strategies by shaping a common cybersecurity level. Why? Cyber-attacks have become one of the biggest threats facing companies. Their consequences can have repercussions not only for them but also for their customers, society as a whole, and the economic system, especially when the companies concerned operate in critical sectors.

For this reason, the EU approved the NIS2 directive at the end of 2022, which is an update of the original standard, approved in 2016, to remedy the limitations detected in its application. However, as it is a directive, it must be transposed by the EU states into their domestic legislation. The regulation establishes that the deadline for this action is October 17, 2024. Therefore, as of October 18, the NIS2 directive must be applied in Spain and the rest of the EU.

What is the problem? With two weeks to go, the NIS2 directive has still not been transposed in Spain, and the horizon is unclear in the context of a lack of general budgets. In fact, Spain already ended 2023 in fourth place in terms of transposition, with more than 13 directives still to be transposed.

Below, we will review the key aspects of NIS2 and shed light on how companies affected by this standard should act while waiting for it to be transposed into Spanish law.

1. What is the NIS2 directive?

The NIS2 directive owes its name to the English title of its predecessor: Network and Information Security. Although this standard helped to harmonize cybersecurity protocols in the EU and to provide states with greater capacity to act, its implementation was uneven. In addition, the threat landscape facing European companies has changed dramatically over the past decade.

Today, there are more cyberattacks, the techniques and tactics of hostile actors are more sophisticated, and the consequences of a serious incident can be both devastating and uneven from country to country, or sector to sector.

This is why the NIS2 directive provides for a wide range of obligations for member states and companies operating in critical sectors such as energy or transport, encouraging the creation of a homogeneous and common framework.

This article will not dwell on all the obligations that the states and public institutions responsible for cybersecurity must assume. Still, we will summarize the four main areas affecting the business fabric.

1.1. Governance

The management teams of companies that fall within the scope of NIS2 must:

1. Approve the measures that are necessary to carry out effective cybersecurity risk management.
2. Oversee that such measures are implemented.
3. Be accountable for the company’s risk management breaches.
4. Attend specific training to understand the risks they face, analyze the company’s risk management practices and be aware of their impact on the business.

1.2. Risk management

Cybersecurity risk management is the master pillar of NIS2 as it relates to the business fabric. The directive seeks to ensure that companies can protect their systems against incidents. To this end, when transposing the directive, states must, as a minimum, stipulate that risk management must include:

• Information systems security policies.
• Risk analysis.
• Incident management.
• Ensuring business continuity: backup, disaster recovery and crisis management.
• Supply chain protection.
• Network and information systems security.
• Evaluation of cybersecurity risk management measures.
• Training of professionals and cyber hygiene practices.
• Policies for the use of cryptography and encryption.
• Human resources security, policies to control access to corporate systems and management of corporate assets.
• Procedures for using multifactor authentication solutions and secure and emergency communications systems.

1.3. Incident Notification

Entities subject to the NIS2 directive in Spain must immediately notify the CSIRT, the Spanish cybersecurity and incident management team, of any significant incident or the competent authority established by national legislation when approved.

What incidents are significant? Those that cause:

1. Serious operational disruptions in the company or economic losses.
2. Significant material or immaterial damage to citizens or entities.

The chronology of notification to public authorities can be summarized in the following deadlines:

• Within 24 hours after detection: initial early warning notification.
• Within 24 hours after this notification, the CSIRT or competent authority will provide guidance or operational advice on implementing possible mitigating measures.
• No later than 72h after detection: intermediate notification.
• The status update includes an initial assessment of the incident, considering its severity, impact, and indicators of compromise.
• Within one month after initial detection, the final report shall be submitted indicating at least the description of the incident, including its severity and impact, the type of threat or root cause, the mitigating measures implemented and in progress, and cross-border repercussions when applicable.
• If the incident is still ongoing, this report will become a status report, and the final report will be postponed to a maximum period of one month after the incident has been handled.

In addition, it also establishes the duty for companies to immediately inform the recipients of their services if they may be affected by a significant cyber threat. This information must include the measures recipients can implement to protect themselves against the threat.

1.4. Cybersecurity-certified services

The directive empowers Spain and the other EU states to require that companies falling within the scope of NIS2 use only certified cybersecurity products, services and technological processes. In addition, it establishes that the states must promote the use of trusted and qualified services by companies.

2. Which companies are affected by the NIS2 directive?

To determine the companies that must comply with the legislation transposing the NIS2 directive in Spain, two factors must be taken into account:

• The size of the companies.
• The sector in which they operate.

In terms of size, the directive stipulates that all entities considered medium-sized companies, according to European regulations or larger, must comply with their obligations. This means that thousands of companies are affected. However, as a general rule, small companies are excluded.

As far as the affected sectors are concerned, the standard differentiates between:

• Sectors of high criticality (essential)
  • Energy
  • Transportation
  • Banking
  • Financial market infrastructures
  • Health sector
  • Drinking water
  • Wastewater
  • Digital infrastructure
  • ICT service management (business-to-business)
  • Public administration
  • Space
• Other critical sectors (major)
  • Postal and courier services
  • Waste management
  • Manufacture of products, machinery and vehicles
  • Production and distribution of chemical substances and mixtures
  • Food production, processing and distribution
  • Digital service providers (including RRSS platforms) and research, including educational institutions, if they carry out critical activities.

2.1. Essential vs. important entities

Size and inclusion in one group or another of sectors is a determining factor in establishing which entities are considered essential and which are important.

In general, large organizations operating in highly critical sectors are essential. To these must be added:

• Trusted service providers, top-level domain name registries, and DNS service providers, without their size being relevant.
• Providers of public communications networks and electronic communications services are considered medium-sized companies.
• Central public administrations.
• Companies that are the sole providers of a socially or economically essential service in their state.
• Entities that, if they were to suffer a disruption in their operations, would cause:
• Repercussions on public safety, order and health.
• Systemic risks.
• Critical entities at the national or regional level for their sector or others.

While important entities are all others.

The NIS2 directive obligates EU states to draw up a list of essential entities and companies providing domain name registration services. The deadline for drawing up this list is April 17, 2025. In addition, the rule stipulates that this list must be reviewed and updated at least every two years.

3. Why is there uncertainty about applying the NIS2 directive in Spain?

Unlike regulations (such as DORA or the GDPR), directives lack direct applicability. Why? Their articles leave a certain margin of decision to the states so that they are the ones to establish concrete and precise measures.

For example, states have some leeway when designing their national cybersecurity strategy. They can also decide which authorities will be in charge of managing large-scale cybersecurity crises. They must also establish concrete measures to ensure company managers are trained in cybersecurity and approve cybersecurity risk management measures.

For this reason, our country must approve a rule of domestic law specifying the measures that will allow the NIS2 directive to be implemented in Spain. The European standard clarifies that these provisions must be applied from October 18, 2024.

So, if on October 17, the Council of Ministers has not yet approved a RD-law to transpose the NIS2 directive in Spain, what will happen?

Firstly, the European Commission may sanction Spain for failing to comply with its obligation to transpose the directive properly within the stipulated deadline, as has been happening concerning other regulations in recent years.

Secondly, we must take into account that the Court of Justice of the European Union has established that directives may produce direct effects when:

• They have not been transposed into national legislation, or such transposition was incorrect.
• Their measures are unconditional and precise.
• They confer rights on EU citizens.

This means that a non-transposed directive can be invoked by an individual (a citizen, a company…) against a state and obtain compensation. Still, it is not possible to invoke it against another individual.

4. What should companies do until the NIS2 directive is transposed in Spain?

We can answer this question concisely: adapt their cybersecurity structures to the dictates of the NIS2 directive, although Spain has not yet approved the specific measures in which the articles of the European standard will be substantiated.

In other words, without national legislation, companies must turn to the European directive and implement the necessary actions to adapt their cybersecurity strategy to its requirements.

To do so, they must have advanced cybersecurity services such as:

• Security audits to assess all their systems and technology assets.
• Vulnerability management to detect and prioritize mitigating weaknesses found, including supply chains.
• Ongoing risk analysis is inherent to your structure, digital exposure, and threat landscape.
• Penetration Testing services to test your cybersecurity structures and evaluate the effectiveness of implemented measures.
• Incident response services to detect and respond effectively to cyber-attacks, ensure business continuity, and restore normalcy.
• Social engineering tests to help educate your staff on the risks they face daily.

5. What are the consequences of non-compliance with NIS2?

We pointed out earlier that states have a certain leeway to establish the specific measures companies must comply with. This freedom directly affects the penalties that can be imposed on companies that do not comply with the NIS2 directive in Spain. Why?

1. States have to specify a series of measures to ensure that the management teams of companies comply with their obligations.
2. The directive sets the administrative fines on non-compliant entities, which must be effective, proportionate and dissuasive. It also establishes a minimum amount for the highest fines.
3. The regulation stipulates that it must be up to the states to decide whether or not to impose coercive fines on companies to stop an action that breaches the directive.
4. States have until January 17, 2025, to establish and communicate the penalty regime to the European Commission.

Therefore, until the national legislation transposing the NIS2 directive is approved in Spain, we cannot know exactly how much the companies will face administrative fines. But companies should be aware that the maximum penalties may amount to:

• For essential entities, €10 million or 2% of their annual worldwide turnover is required, depending on which amount is higher. This is a minimum limit, i.e., Spain could approve higher maximum fines.
• For important entities, 7 million or 1.4% of their annual worldwide turnover.

6. What powers will the authorities have to force companies to comply with the NIS2 directive in Spain?

6.1. Supervisory powers

The directive dictates that the competent authorities must have minimum powers to supervise the essential entities. These powers should include conducting inspections, security audits and risk assessment analyses. As these are minimum powers, states may increase the supervisory powers of the competent authorities.

6.2. Enforcement powers

While in terms of enforcement powers, the NIS2 directive states that, at a minimum, the authorities may:

• Issue warnings to companies that fail to comply with the directive.
• Adopt binding instructions with the measures a company must implement to prevent or remedy an incident.
• Require companies to remedy detected deficiencies or cease non-compliance.
• Require companies to ensure that their risk management measures are adequate and comply with their reporting obligations.
• Enforce the implementation of recommended measures following a security audit.
• Mandate entities to inform all stakeholders to whom they provide services about significant cyber threats that may affect them.
• Obligate companies to publicly report on issues related to non-compliance with the directive.
• Impose administrative fines or request judicial authorities to do so.

6.3. Powers of suspension

Likewise, if these measures do not take effect, the states are obliged to ensure that the competent authorities have the power to:

1. Temporarily suspend or request the suspension of part or all of the services provided by the non-compliant social entity through judicial channels.
2. Request the competent courts temporarily prohibit a person from acting as general manager or legal representative and performing managerial functions in the entity.

These measures may only be imposed when the company does not remedy the deficiencies found or does not comply with the requirements set by the competent authority.

In short, although the NIS2 directive has not yet been transposed in Spain, the deadline for doing so is about to expire. The Government will, therefore, have to pass the relevant national legislation in the immediate future.

All Spanish companies subject to the new regulatory framework must be prepared to implement the NIS2 directive in Spain. Otherwise, they will be exposed to financial penalties and even the suspension of their activities or management positions.

For this reason, it is vital to have advanced cybersecurity services that enable companies to meet all their obligations and effectively manage the risks they face. At stake are their business continuity, reputation and market position.