NIS2 in Spain: practical guide for SMEs and who it applies to
The NIS2 Directive (EU 2022/2555) has dramatically expanded the number of organisations required to demonstrate cybersecurity across Europe. If your company is based in or serves customers in Spain, this guide explains who NIS2 applies to, what it requires, timelines, and how to prepare without expensive hardware.
What is the NIS2 Directive?
NIS2 is the evolution of the 2016 NIS Directive. Its goal is to raise the common level of cybersecurity in the EU by imposing technical and organisational obligations on a much broader set of entities. In Spain, it is transposed via the Cybersecurity Coordination and Governance Act.
Key differences from NIS1:
- Covers medium and large companies in essential and important sectors.
- Introduces direct board-level responsibility.
- Imposes strict incident reporting deadlines (24 h early warning, 72 h full notification).
- Sets fines up to €10 M or 2 % of global turnover.
Who does NIS2 apply to in Spain?
NIS2 applies to organisations with 50+ employees or €10 M+ revenue operating in essential or important sectors:
| Essential sectors | Important sectors |
|---|---|
| Energy, transport, banking | Postal services |
| Health, water | Waste management |
| Digital infrastructure, public administration | Manufacturing (chemicals, food, medical devices) |
| Space | Digital providers |
Many tech SMEs, MSPs, private clinics, local utilities and public bodies fall within scope even when they don't expect to.
If you are a supplier to an essential entity, your contract probably already obliges you to meet NIS2 requirements, even if your company is below the size threshold.
Key technical requirements
Article 21 requires, among other measures:
- Risk analysis and information security policies.
- Incident handling with detection, response and notification.
- Business continuity and disaster recovery.
- Supply chain security.
- Secure development and maintenance.
- Encryption where appropriate.
- Access control and identity management, with mandatory MFA on remote and privileged access.
- Training and awareness.
How Zero Trust helps meet NIS2
Many of the above requirements are addressed by replacing the traditional VPN with a Zero Trust Network Access (ZTNA) model:
- Granular access control by identity + device.
- Per-application segmentation limiting incident blast radius.
- Full session logging as the basis for 24/72 h reporting.
- Native, no-exception MFA.
- No public-facing attack surface (no exposed VPN ports).
If you still depend on a classic VPN, read our VPN → ZTNA migration guide.
Deadlines and penalties
- Enforcement: INCIBE-CERT and CCN-CERT are already notifying essential entities.
- Fines: up to €10 M or 2 % of turnover for essential entities; €7 M or 1.4 % for important ones.
- Personal liability of the management body.
Quick checklist for SMEs
- Confirm whether you are in scope.
- Appoint a cybersecurity lead.
- Inventory your assets and critical suppliers.
- Write an incident management policy that reflects the NIS2 reporting deadlines.
- MFA on all remote and privileged access.
- Network segmentation per application (ZTNA).
- Business continuity plan and tested backups.
- Annual staff training.
FAQ
Does NIS2 apply to my SME with fewer than 50 employees? Only if you provide critical services to an essential entity or if your sector explicitly removes the threshold.
How does it differ from ENS? The ENS (Esquema Nacional de Seguridad) applies to the Spanish public sector and its suppliers. NIS2 applies to strategic private and public sectors. They overlap and reinforce each other.
How much does NIS2 compliance cost? It depends on your starting point. Replacing VPN with ZTNA like ConnectaSec starts at €40/month and covers several key controls without hardware.
Want to validate your NIS2 readiness? Request a demo and estimate savings with our ZTNA ROI calculator.