The new European cybersecurity directive is no longer just for large corporations. If your company has more than 50 employees or invoices over €10 million per year, you need to read this. And if you're part of a critical supply chain, so do you.
1. What Is NIS2 and Why Should Your Business Care?
The NIS2 Directive (Network and Information Security 2) is the European regulation that redefines the minimum cybersecurity standards for companies operating in essential and important sectors. It is not a recommendation: it is a legal obligation with real economic and criminal consequences.
The first version of NIS (2016) covered just 15,000 entities across the EU. NIS2 multiplies that number by ten: it is estimated that more than 160,000 organizations now fall within its scope. That jump is not accidental: supply chains have become one of the favorite attack vectors for ransomware groups, and SMBs are increasingly targeted — according to the Verizon DBIR 2025, ransomware is present in 88% of SMB breaches, compared to 39% in large enterprises.
Spain context: On January 14, 2025, the Council of Ministers approved the Cybersecurity Coordination and Governance Bill, which transposes NIS2 into Spanish law. As of this article's publication, the text is still in parliamentary processing — it has not yet been published in the BOE — and is expected to enter into force during 2026. The European Commission already sent a reasoned opinion to Spain in May 2025 over the delay in transposition. The bill creates a new National Cybersecurity Center (CNC), attached to the Presidency of the Government, as the coordinating authority, with CCN-CERT, INCIBE-CERT and the sectoral CSIRTs acting as control and response authorities depending on the type of entity.
In practical terms: if your company falls within the scope of application, don't wait for an official notification. Compliance requires months of preparation, and companies that move first will have a competitive advantage — in addition to avoiding sanctions.
2. Is My Company Affected?
NIS2 applies to companies in 18 critical sectors, divided into two categories:
Sectors of High Criticality (11)
Energy, transportation, banking, financial market infrastructure, healthcare, drinking water, wastewater, digital infrastructure, ICT service management (B2B), public administration, and space.
Other Critical Sectors (7)
Postal services, waste management, chemical product manufacturing, food, manufacturing (medical devices, electronics, machinery, vehicles), digital providers, and research.
Watch out — the supply chain counts too: Even if your company has fewer than 50 employees, you could be affected if you are a supplier to an essential or important entity. NIS2 obligates regulated entities to manage the risk of their supply chain, which means they will require cybersecurity guarantees from you to keep working with you.
General size criterion: medium or large companies — 50+ employees or annual turnover above €10 million. But there are exceptions in both directions: DNS providers, domain registries, and trust service providers are included regardless of size.
Quick Self-Assessment: Should You Be Worried?
- Does your company operate in any of the 18 sectors mentioned above?
- Do you have 50 or more employees, or do you invoice more than €10M per year?
- Do you provide services or products to a company that is regulated?
- Do you manage digital infrastructure, cloud services, or critical data for third parties?
- Do you operate in more than one EU country?
If you ticked one or more boxes, you need to seriously evaluate your position with respect to NIS2.
3. The Fines Are Real
NIS2 is not one of those directives that stays on paper. The sanctions regime is explicit, substantial and — this is key — includes personal liability of management.
- Essential entities: up to €10 million or 2% of global annual turnover (whichever is greater).
- Important entities: up to €7 million or 1.4% of global annual turnover.
For context: GDPR has been imposing million-euro fines on companies that failed to protect personal data since 2018. In 2025 alone, Spain's AEPD imposed approximately €40 million in sanctions (14% more than in 2024, according to ECIJA). NIS2 adds an additional layer that did not exist before: directors can be temporarily disqualified from their roles in cases of serious and repeated infringements, if negligence in implementing cybersecurity measures can be demonstrated.
This changes the rules of the game. It is no longer about «if we get hacked, we'll handle it.» It's about demonstrating that you had reasonable measures in place before the incident occurred. And if you didn't, the responsible party — with name and surname — answers for it.
4. The 10 Minimum Cybersecurity Requirements
Article 21 of NIS2 establishes ten risk management measures that every regulated entity must implement. They are not optional or generic: they are concrete requirements that authorities will verify.
- Risk analysis and information system security policies.
- Security incident management (detection, response, notification).
- Business continuity, backups and crisis management.
- Supply chain security, including the security aspects of relationships with direct suppliers and service providers.
- Security in acquisition, development and maintenance of networks and systems.
- Effectiveness assessment of cybersecurity measures.
- Basic cyber hygiene practices and staff training.
- Cryptography policies and, where appropriate, data encryption.
- Human resources security, access control and asset management.
- Multi-factor authentication (MFA) and secure communications.
In addition, NIS2 introduces an incident notification obligation with very strict deadlines: early warning within 24 hours, full notification within 72 hours, and final report within one month. If you don't have a defined incident response process, you're going to have a serious problem when something happens.
5. How to Comply Without Going Crazy: 5 Practical Steps
The good news: complying with NIS2 doesn't require reinventing the wheel. If you already have some level of cybersecurity maturity (even basic), it's a matter of closing gaps, documenting what you do, and formalizing processes. These are the five steps we recommend:
- Gap Assessment. Compare your current situation against the 10 requirements of Article 21. Identify what you have, what's missing, and what the priority is based on the real risk to your business. Don't try to tackle everything at once — prioritize by impact.
- Incident Response Plan. Define what happens when something goes wrong. Who receives the alert? Who decides to isolate a system? How do you notify the authority within 24 hours? If these questions don't have a clear answer today, this is your most urgent step.
- Supply chain audit. Review your critical suppliers: do they have security certifications? Do they encrypt data in transit? Do they have contracts with cybersecurity clauses? NIS2 makes you responsible for the risk that your suppliers introduce into your operation.
- Staff training and awareness. According to the Verizon DBIR 2024, around 68% of breaches involve a non-malicious human factor. Installing firewalls is not enough — your team needs to know how to identify phishing, manage passwords, and report anomalies. NIS2 explicitly requires cyber hygiene training, and management's responsibility includes having received adequate training.
- Managed security partner (MSSP). Unless you have the budget for a 24/7 in-house security team, the most efficient route is to outsource monitoring, threat detection, and incident response to a specialized provider. This isn't delegating responsibility: it's executing it intelligently.
6. Why an MSSP Is the Smart Choice for SMBs
Let's be realistic: most Spanish SMBs don't have — nor do they need — a full-time CISO. A senior security director costs between €80,000 and €120,000 per year, not counting tools, training, or a support team. For a 50-200 employee company, that expense doesn't make sense.
An MSSP (Managed Security Service Provider) gives you access to the same capabilities — 24/7 monitoring, threat analysis, incident response, compliance documentation — at a fraction of the cost. And most importantly: with professionals who live and breathe cybersecurity every day, not an IT generalist doing what they can between support tickets.
At Enclave Guard, we work specifically with SMBs and growing companies that need to comply with regulations like NIS2 without paralyzing their operations. Our approach includes:
- Continuous monitoring of infrastructure and endpoints with advanced threat detection.
- Incident response with reaction times aligned to NIS2 notification deadlines.
- Compliance documentation ready for audits — policies, procedures, incident logs.
- Periodic risk assessments and penetration tests to validate the effectiveness of measures.
- Custom training for your team, adapted to your sector and maturity level.
Conclusion
Complying with NIS2 doesn't have to be a bureaucratic nightmare. With the right partner, it's an investment that protects your business, strengthens customer trust, and positions you ahead of your competition.
This article is informational and does not constitute legal advice. For a personalized assessment of your situation regarding NIS2, contact a specialized professional.