Regulatory compliance
We prepare essential and important entities to comply with the NIS2 directive, from start to finish: applicability analysis, gap assessment against article 21, compliance plan, implementation of measures, training of the management body and incident notification procedures within 24 and 72 hours.
Certified team (CISA, CISSP, CISM) and our own system certified to ISO 27001 and ENS HIGH category.
Status in Spain
The directive has been in force in the European Union since January 2023 and the transposition deadline expired in October 2024. Spain has still not completed its own: the draft Law on Coordination and Governance of Cybersecurity was approved by the Council of Ministers in January 2025 and remains in parliamentary processing, while the European Commission keeps an infringement procedure open over the delay, with a reasoned opinion sent in 2025.
Do not wait for the final law. A serious compliance effort takes between six and twelve months: when it is published, the clock will already be running.
The cascade effect is already at work. Large entities that are subject pass NIS2 requirements on to their suppliers by contract, whether or not they fall within the direct scope.
Management is personally accountable. The text provides for personal liability of directors, including temporary disqualification for failure to supervise. Evidence of due diligence is needed from now on.
In a group, the first thing is to know who it applies to. In holdings and structures with several companies, the hardest part is not complying but determining which entities fall in, with what classification and why. Clarifying that perimeter is our first job and it conditions everything else.
Who it applies to
As a general rule, NIS2 reaches organizations in eighteen sectors with fifty or more employees or more than ten million euros in annual turnover, classified as essential or important. And even if you are not on the list, you can be drawn in through the supply chain: if you sell to an entity that is subject, its requirements will end up in your contract. In groups with several companies, the obligation may reach only some subsidiaries and with a different classification, so the first step is to define the perimeter. And it is worth remembering that many of those sectors are industrial: in energy, water or manufacturing, part of compliance is OT security with IEC 62443.
If you have any doubts, the applicability analysis resolves them in a few days.
Service
Applicability analysis and classification: essential, important or affected supplier, and in groups, which companies in the perimeter fall in and with what category.
Gap assessment against the ten article 21 measures: security policies, risk management, continuity and backups, supply chain security, access control, cryptography, basic hygiene and incident management.
Compliance plan prioritized by risk and effort, with an indicative budget so management can decide with data.
Supported implementation of the technical and organizational measures, with our team or alongside yours.
Notification procedures: early warning within 24 hours, notification within 72 and a final report within one month, with templates and a drill included.
Supplier management: contractual clauses, assessment and monitoring of third parties.
Training by role: for the management body, which the rule expressly requires, and for each profile in the organization according to its responsibility, from the technical staff to the whole workforce.
Evidence dashboard ready for a supervision or inspection.
From the rule to practice
The directive speaks in the abstract; we bring it down to controls that are implemented and demonstrated. These are the ones that come up most often in a compliance effort, although no two projects are alike.
Continuous detection and response can be covered with Sondriva, our SOC with artificial intelligence, if you do not want to build that capability in house.
Method
Scope, classification and gap assessment: two to three weeks, in on-site or remote sessions.
A prioritized roadmap that management approves; that approval is already the first piece of compliance evidence.
Measures, procedures, training and a notification drill: three to nine months depending on the starting point.
Review of evidence, internal audit and updates in response to regulatory changes.
International groups
NIS2 is a European directive, but each State transposes it in its own way: deadlines, competent authorities, registries and nuances change from one country to another. If your organization operates in several, that means different requirements for one and the same reality.
We support groups with an international presence by defining a common compliance framework, a single policy, a shared risk language and a homogeneous evidence dashboard, and then adjusting the particularities of each region: the authority to which notification is made, the local deadlines and the registries that each transposition requires. A base governed from the group, with the local layers that each subsidiary needs.
Synergies
A certified ISMS covers a good part of the article 21 measures, but it does not amount to complying with NIS2: the directive adds its own legal obligations, such as the notification deadlines, the accountability of the management body or registration with the competent authority. We work with a mapping between frameworks to make the most of what you already have and not duplicate a single document. And since NIS2 expects you to prove your security and not just document it, our infrastructure pentest provides that proof.
The draft transposition reinforces this route: it relies on compliance profiles based on the ENS, with accredited certification of conformity for essential entities and certification or self-assessment for important ones. And the other way around: a well-executed NIS2 compliance effort leaves you a step away from ISO 27001 or the ENS.
What sets us apart: we are auditors as well as implementers. We know what evidence an inspection looks at because we look for it in the audits we carry out, and that changes how we prepare your compliance, designed to defend it, not just to document it.
Questions
In practice, yes. The law that completes the framework is still being processed, but supervisors, tenders and large clients already use NIS2 as a reference. Waiting for the final publication only shortens the time available to comply.
Those in the eighteen sectors of the directive's annexes with fifty or more employees or more than ten million euros in turnover, classified as essential or important. In addition, the suppliers of those entities receive the requirements through contracts even if they are not directly subject.
Up to ten million euros or 2% of worldwide turnover for essential entities, and up to seven million or 1.4% for important ones, always applying the higher amount. The Spanish text also provides for personal sanctions on directors, with possible temporary disqualification.
An early warning within the first 24 hours of becoming aware of a significant incident, a full notification within 72 hours and a final report within one month.
It helps a lot, but it is not enough. ISO 27001 covers much of the technical and organizational measures, and NIS2 adds specific legal obligations: notification within set deadlines, accountability and training of the management body and registration with the authority. With a mapping between the two frameworks, all the previous work is put to good use.
Yes. Supply chain security is one of the article 21 measures: you must assess and monitor the risk of your suppliers, not just sign a clause. We assess your critical suppliers with a checklist and scoring, and help you with the contractual clauses and the follow-up. If you want, we audit those suppliers with our auditor methodology.
For both, and the rule separates it into two articles. Article 20 requires the management body to be trained in order to supervise risk; article 21 requires cybersecurity training and hygiene for the whole organization. What works is a programme by role: governance for the board, incident response and cryptography for the technical profiles, supplier control for procurement and basic awareness for everyone. We design it this way and leave evidence of each session delivered.
Yes. NIS2 is a directive, so each country transposes it with its own deadlines, authorities and registries. For an international group we define a common compliance framework and then adjust the particularities of each region, so that the parent company governs a single policy and each subsidiary meets its local version without duplicating the work.
Yes. The management body must approve the risk management measures, supervise their implementation and receive specific cybersecurity training. We have a course designed for boards and management committees that leaves documentary evidence of its delivery.
Shall we talk?
The applicability analysis settles the question in a few days: whether NIS2 reaches you, in which category and what stands between you and compliance.
Get in touch