NIS2 Directive: Transforming Corporate Culture in Cybersecurity

In an increasingly digitalized world, cyberattacks have become a constant and growing threat. To tackle this challenge, the European Union (EU) has taken a decisive step with the Network and Information Security Directive 2 (NIS2), which updates and expands upon the 2016 regulation. This new regulation, which is already being transposed in Spain through the Coordination and Governance Law of Cybersecurity, promises to transform corporate culture regarding cybersecurity, affecting more than 33,000 companies in critical and essential sectors.

A Unified Legal Framework for Cybersecurity in the EU

The NIS2 establishes a unified legal framework for EU member states, aimed at protecting network and information systems, as well as their users, from cyber threats. Unlike voluntary standards such as the NIST CSF 2.0, the NIS2 imposes specific legal obligations for essential sectors and digital services, prioritizing security and resilience in a cross-border context.

Jacinto Cavestany, CEO of Evolutio, a company specialized in cloud and cybersecurity services, emphasizes the urgency of this regulation: “Cybercriminals are increasing the sophistication of their attacks, putting not only information at risk but also business continuity. The NIS2 is here to strengthen corporate defenses and ensure a coordinated response to these threats.”

The Five Pillars of NIS2 that Will Transform Organizations

Evolutio has identified five key aspects of NIS2 that will mark a turning point in companies’ cybersecurity strategies:

  1. Identification of Essential and Important Entities
    NIS2 establishes a specific focus on high-criticality sectors, including energy, transport, banking, healthcare, water, digital infrastructure, and public administration. It also includes other sectors such as postal services, waste management, food production, and private security. In Spain, it is estimated that over 33,000 companies with more than 50 employees will be affected. By April 17, 2025, member states must create a list of these entities, to be reviewed every two years.
  2. Planning with Appropriate and Proportional Measures
    Organizations must implement risk management measures adapted to their size, potential impact, and the severity of incidents. This includes security policies, threat analyses, detection and response procedures, continuity plans, and ongoing training for employees. The integration of security and regulatory experts will be essential to ensure compliance.
  3. Risk Management in the Supply Chain
    Cyberattacks targeting the supply chain have increased significantly, exploiting vulnerabilities in technological infrastructures. NIS2 requires essential entities to ensure the security of their suppliers through contractual agreements and assessments of quality and resilience. This calls for solutions that limit unauthorized access and provide greater visibility and control over third-party access.
  4. Accountability at Senior Management
    NIS2 raises the level of accountability for executives, who must approve and oversee cybersecurity measures, acquire knowledge in risk management, and ensure ongoing employee training. The implementation of audits and control mechanisms will be key to ensuring compliance and avoiding penalties.
  5. Mandatory Notification of Significant Incidents
    Companies will have to report any incident, cyber threat, or “quasi-incident” to the relevant authorities within specific timeframes: 24 hours for an early alert, 72 hours for an initial notification, and a final report within one month. Noncompliance with these obligations may result in harsher penalties than before.

Impact on Investment and the Future of Cybersecurity

The implementation of NIS2 is already driving spending on cybersecurity in the EU. According to the European Union Agency for Cybersecurity (ENISA), information security accounted for 9% of IT investments in 2023, reaching 1.4 billion euros.

“NIS2 represents a significant advance in the EU’s ambition to strengthen cybersecurity. At Evolutio, we integrate security into our clients’ technological strategies from the outset, helping them prevent threats and comply with regulations,” concludes Cavestany.

In a landscape where cyberattacks are becoming increasingly frequent and sophisticated, NIS2 stands as a key instrument for protecting essential companies and ensuring the resilience of the European digital economy. Organizations that act proactively and strategically will not only comply with the law but will also be better prepared to face future challenges.

Evolutio is a Spanish company with over 30 years of experience in cloud and cybersecurity services. Based in Madrid, its mission is to drive innovation and digital transformation for its corporate and public administration clients, ensuring security and compliance in an increasingly interconnected world.
