The NIS2 Directive (Directive (EU) 2022/2555) represents a significant advancement in the European Union’s cybersecurity strategy, expanding its scope to include a greater number of sectors and companies, including small and medium-sized enterprises (SMEs). This regulation aims to strengthen the resilience of critical infrastructures and ensure a high level of security in information networks and systems.
Who Does NIS2 Affect?
NIS2 applies to public and private entities operating in sectors deemed essential or important. These include energy, transport, banking, healthcare, drinking water, digital infrastructure, postal services, waste management, and the manufacturing of critical products, among others. SMEs operating in these sectors or forming part of their supply chain are also subject to NIS2 provisions.
Obligations for SMEs Under NIS2
SMEs within the scope of NIS2 must implement a series of technical and organizational measures to manage cybersecurity risks. These measures include:
- Developing information security policies.
- Implementing cybersecurity training and awareness programs for staff.
- Establishing incident management procedures and business continuity plans.
- Ensuring security in the supply chain and in the procurement, development, and maintenance of systems.
- Adopting protective measures such as data encryption and multi-factor authentication.
Additionally, SMEs must notify the competent authorities of any significant security incident within a specified timeframe, typically between 24 and 72 hours, depending on the severity of the incident.
Preparation and Challenges for SMEs
Despite the importance of these measures, many SMEs face significant challenges in complying with NIS2. According to the “Cyber Preparedness Report in Spain 2023” prepared by Hiscox, 43% of SMEs acknowledge not having a formal incident response plan. Furthermore, a study by INCIBE indicates that 70% of Spanish SMEs lack a budget allocated to cybersecurity.
These figures reflect a significant gap between the requirements of NIS2 and the reality of the business landscape, particularly regarding financial and human resources dedicated to cybersecurity.
Recommended Steps for SMEs
To adapt to NIS2, SMEs are advised to:
- Conduct a cybersecurity audit to identify vulnerabilities and assess risks.
- Develop and implement appropriate security policies and procedures.
- Train staff in cybersecurity practices and risk awareness.
- Establish incident management protocols and business continuity plans.
- Monitor and manage security in the supply chain.
Furthermore, SMEs may consider adopting recognized standards such as ISO 27001 or the National Security Scheme (ENS) to structure their compliance efforts.
Conclusion
NIS2 imposes new cybersecurity obligations affecting a broad spectrum of companies, including SMEs. Although adaptation can present challenges, particularly in terms of resources, it is essential for protecting the integrity of information systems and ensuring business continuity in an increasingly digital environment exposed to cybersecurity threats.