NIS2 Regulations: Obligations and requirements for companies

NIS2 Regulations: Is your company prepared to comply with the European directive?

The NIS2 Directive requires companies in essential sectors to adopt advanced protection and risk management measures. In Spain, this means that thousands of companies must adapt to new requirements for security, risk management, and incident reporting.


Organizations included in these categories must implement new security measures and prepare for strict cybersecurity audits to comply with the NIS2 Regulations.

Which companies must comply with the NIS2 Regulations?

NIS2 expands the scope of the previous regulations (NIS1), including more sectors and companies. There are two main categories of affected entities:

High-criticality sectors

Companies with more than 250 employees or an annual turnover exceeding 50 million euros that operate in critical sectors:

⚡ Energy

🏦 Banking and financial infrastructures

🏥 Healthcare sector

🚆 Transportation

📡 Digital infrastructure

💧 Drinking water and sanitation

🏛 Public administration

🛜 ICT service providers

🚀 Space

Other critical sectors (NIS2 expansion)

Companies with more than 50 employees or revenues exceeding 10 million euros, operating in strategic sectors such as:

🔬 Research and development

🧪 Chemical industry

🍽 Food production and distribution

📦 Postal and courier services

💻 Digital service providers

🏭 Industrial manufacturing

♻️ Waste management

Do you need personalized advice?

Explain the current situation of your company and what you need. We will call you and analyze your case to assess whether your company is at risk of regulatory non-compliance. Our services adapt to all company sizes.

Obligations of the NIS2 Regulations for companies

Failure to comply with the regulations may result in fines of up to 10 million euros or 2% of global turnover, whichever is greater.

Cybersecurity risk management in the company

Identification and mitigation of digital threats.

Continuity and recovery plan

Implementation of backups and disaster recovery protocols.

Supply chain protection

Risk assessment with suppliers and third parties.

Access monitoring and control

Security in networks, passwords, and multi-factor authentication.

Cybersecurity incident notification

Mandatory communication of cyberattacks within 24 to 72 hours.

Cybersecurity training

Training for employees and managers.

Impact of NIS2 on the supply chain

The NIS2 Directive has a direct or indirect impact on most companies. If your company belongs to one of the critical sectors mentioned above, even if it has fewer than 50 employees, you will likely need to adapt due to your business relationships with customers or suppliers who are subject to the regulations.

➡️ Companies with direct impact

If your company meets any of these conditions, you must comply with the requirements of NIS2:

✔ More than 50 employees and a turnover exceeding 10 million euros.
✔ Belonging to a strategic or critical sector in cybersecurity (energy, transport, healthcare, banking, etc.).
✔ Dependence on digital infrastructures and essential services.

🔗 Companies with indirect impact (supply chain)

If you work with companies that must comply with NIS2 (suppliers, partners, customers in regulated sectors), it is possible that:

  • They will require certifications such as ISO 27001 to ensure information security.
  • You may have to demonstrate compliance with good practices in cybersecurity.
  • You must adopt specific digital security protocols to maintain the business relationship.

If you still don’t know how the NIS2 Regulations affect you, at Edorteam we help you identify your level of compliance and implement the necessary measures.


💡 Comply with the NIS2 Regulations with the help of Edorteam

At Edorteam, we understand that adapting to new cybersecurity regulations such as the NIS2 Directive can seem complex, full of technical requirements and complicated concepts. That’s why we strive to explain everything to you in a simple and direct way, ensuring that you understand each step we take to protect your company.

With over 30 years of experience protecting companies, we are specialists in cybersecurity and regulatory compliance. Our team advises you so that your company complies with regulations without complications.


NIS2 Regulations and cybersecurity consulting services

  • Audit and risk analysis.
  • Implementation of security measures.
  • Cybersecurity training for employees.
  • Cyber incident management and notification.
  • Preparation for ISO 27001 and ENS certifications.

Take advantage of the Consulting Kit to comply with the NIS2 Regulations at no cost to your company

Thanks to the Consulting Kit, companies with between 10 and 249 employees can receive non-refundable aid to implement cybersecurity solutions, including an audit of adaptation to the NIS2 Directive. In addition, these aids are 100% compatible with the Digital Kit: you can request the Consulting Kit even if you are a digital agent!

Why Edorteam?

At Edorteam, we have a team of cybersecurity experts and extensive experience in implementing audits for companies in all sectors. We ensure that your company is protected against digital threats, complies with current regulations and is prepared for the digital future.


Contact our experts and avoid penalties

Contact us now or call us at 973 248 601 to receive a cybersecurity audit proposal 100% tailored to the needs of your business.

Discover how to improve your company’s cybersecurity!

Frequently asked questions about the NIS2 Directive

What is the difference between NIS2 and the original NIS?

NIS2 is an update to the European Union’s first cybersecurity regulation, the NIS Directive, in force in Spain since 2021, through Royal Decree 43/2021, which regulates the security of networks and information systems in companies in essential sectors.

These regulations were created to improve security in essential sectors and protect European society and the economy from increasingly complex and frequent digital threats.

The NIS2 Directive introduces stricter cybersecurity requirements, including more sectors and actors, establishes shorter deadlines for incident notification, and strengthens sanctions for companies that do not comply with the regulations.

Who must comply with NIS2?

NIS2 applies to companies and entities in essential sectors such as energy, transport, financial services, health, and water supply, among others. It also affects digital service providers such as cloud services and data exchange platforms. You can consult the detailed list here.

What are the main requirements imposed by the NIS2 Directive on companies?

The main requirements include the implementation of appropriate cybersecurity measures, the notification of security incidents within 24 hours, the designation of those responsible for the security of the network and information systems, and the performance of regular security audits. You can consult a list of the main obligations of NIS2 here.

How does NIS2 affect small and medium-sized enterprises?

The NIS2 Directive takes systemic risk into account, which means that small companies (fewer than 50 employees) must also adapt to NIS2 if they play a critical role in the supply chain.

With NIS2, you have the responsibility to assess and manage risks not only in your own company, but also in your supply chain. That is, even if your operations are under control, a failure in one of your suppliers may put the supply chain at risk, like a domino effect.

Therefore, if your company belongs to one of the sectors considered essential, it is recommended that you get up to date with NIS2 regardless of your number of employees: otherwise you run the risk that one of your clients will ask you to prove that you meet their minimum security requirements in order to keep working with you.

What happens if a company does not comply with the NIS2 Directive?

Companies that do not comply with the requirements established by NIS2 may face significant financial penalties and, in serious cases, the interruption of their commercial activities. Fines can reach up to 2% of their global annual turnover.

What types of incidents must be reported under NIS2?

Under NIS2, security incidents that affect the availability, integrity, or confidentiality of essential services must be reported to the competent authorities. This includes cyberattacks, security breaches, and any other incident that may affect the provision of essential or trusted services.

Does NIS2 establish any training obligation for company personnel?

Yes, NIS2 requires companies to provide ongoing cybersecurity training to their staff. This includes both employees and managers, in order to ensure that everyone understands the security policies and procedures.

What role do service providers play in NIS2?

Service providers that are subcontracted by companies in essential sectors must also comply with the requirements of NIS2. Companies must ensure that their service providers comply with cybersecurity regulations to protect the supply chain. You can read more information about it here.

What security measures must companies implement under NIS2?

Companies must implement risk-based cybersecurity measures, including access controls, intrusion detection and prevention systems, cryptography, vulnerability management, audits, and incident response plans, among others.

What bodies supervise compliance with NIS2?

Compliance with NIS2 is supervised by the national cybersecurity authorities of each country. In Spain, the draft Law on Coordination and Governance of Cybersecurity has been approved and the foundations have been laid for the National Cybersecurity Center, which is key to managing crises and coordinating national strategies.

This draft law also aims to strengthen collaboration between Interior, Defense and Digital Transformation to ensure a comprehensive response to cyber threats.