- NIS2 raises cybersecurity requirements for critical sectors and essential businesses in Spain.
- Only one in three companies regularly trains its employees in cybersecurity; self-perceptions of protection don't match reality.
- The lack of specialized talent and the need to invest in technology and training make regulatory compliance difficult.
- Non-compliance carries fines and operational risks; structured action and public-private collaboration become essential.
Since the NIS2 Directive entered into force in October 2024, Spanish companies have been facing one of the biggest regulatory challenges in cybersecurity in recent years. Six months after its implementation, reality shows that the level of compliance is clearly insufficient in many sectors, which is worrying both experts and authorities.
Although the perception of security within organizations is high, several reference studies reflect a mismatch between self-perceived confidence and the effective measures actually adopted by companies. Only 34% train their staff in cybersecurity regularly and more than a quarter have no one responsible for it at all, yet more than 70% consider that they are prepared against digital threats.
Key NIS2 Obligations and New Features

The NIS2 Directive replaces and expands the scope of its 2016 predecessor, requiring a greater number of entities, especially those considered essential or important, to deploy rigorous risk analysis policies, business continuity plans, and incident management. Continuing education at all levels, including management layers, becomes a legal requirement.
Furthermore, the legislation imposes an obligation to report any serious incident within 24 hours and raises the bar in organizational, technical, and training aspects. This affects sectors as diverse as energy, transportation, banking, healthcare, and digital infrastructure, which must demonstrate greater resilience in the face of increasingly complex threats.
Implementation difficulties and lack of talent
One of the most relevant bottlenecks is the shortage of qualified cybersecurity professionals. ENISA reports warn about the difficulty in filling key positions in areas such as forensic analysis, operations, and security architecture, both in Spain and the rest of the European Union. The impact is especially worrying in sectors with a low level of digital maturity and high criticality, such as healthcare, information technology, and public administration.
Official figures indicate that the average compliance rate among major entities barely exceeds 27%, and only those previously regulated achieve implementation above 90%. It is essential to strengthen both the organizational security culture and the resources allocated to digital risk management.
Technical, organizational and human requirements

The regulations require that organizations:
- Implement up-to-date risk analysis and security policies for their information systems.
- Have clear incident procedures in place, including continuity plans, disaster recovery and crisis management.
- Check the security of the supply chain and actively manage relationships with critical suppliers.
- Control the lifecycle of networks and systems, including secure development and maintenance.
- Periodically evaluate the effectiveness of the measures taken.
- Ensure the training and awareness of all staff, from technicians to members of the management team.
- Implement access controls, strong authentication, and, where required, cryptography to protect information.
- Maintain secure communication channels, as well as asset management and physical security policies.
Strategies and solutions for regulatory compliance
To meet these challenges, companies must not only invest in technology, but also develop ongoing training programs adapted to all levels and promote shared governance between administrations and the private sector. Tools such as endpoint detection and response (EDR/XDR) systems, managed monitoring (MDR) services, and advanced awareness and training platforms are some of the resources recommended by experts and specialized companies like Kaspersky.
Combining technological solutions, frequent audits and a continuous improvement strategy is essential to comply with new obligations. Furthermore, having reliable technology partners can make the difference in achieving the required standards and reducing the risk of sanctions.
Consequences of non-compliance

The Spanish legislation for the transposition of NIS2 contemplates a much stricter sanctioning regime. The fines will be graded according to the severity of the non-compliance, and the inspections will focus especially on strategic sectors. Coordination between national and European bodies will be intensive to ensure effective oversight.
Failure to comply with these requirements may result in high financial penalties, in addition to putting reputation and business continuity at risk. Therefore, organizations of all sizes must review their preparedness, strengthen training, and recruit experts to ensure compliance within established deadlines.
The paradigm shift imposed by NIS2 implies that cybersecurity is no longer just a necessity, but a key strategic objective in business management. Integrating digital risk management into all processes and structures is essential to ensure that companies do not fall behind in the new European context.
