NIS2 in Spain: what it is, who it affects, and what your company has to do in 2026
The NIS2 is already in force in Europe. If your company has more than 50 employees or a turnover of more than 10 million in regulated sectors, it has legal cybersecurity obligations.

There is a European cybersecurity regulation in force since January 2023. It is called NIS2. If your company has more than 50 employees or has a turnover of more than 10 million euros in certain sectors, you already have legal obligations to comply with.
What is NIS2 and why does it affect Spanish companies?
NIS2 is the most ambitious cybersecurity law approved by the European Union to date. It was published in the Official Journal of the EU on December 27, 2022, and entered into force on January 16, 2023. Its objective is for companies operating in key sectors to have a minimum level of digital security that protects their operations, their data, and the people who depend on them.
The previous regulation, known as NIS1, covered a small number of sectors and left too much room for each country to interpret it. NIS2 expands the scope, specifies obligations, and establishes penalties that can reach up to 10 million euros, in addition to personal liability for the directors of the affected companies.
Which companies are affected by NIS2 in Spain?
NIS2 applies to companies that meet two conditions at the exact same time. The first is size: more than 50 employees or more than 10 million euros in annual turnover. The second refers to the sector in which the company operates: energy, transport, banking, healthcare, digital infrastructure, food industry, manufacturing of critical products, postal services, and waste management, among others, to complete a total of 18 regulated sectors.
If you do not fit those criteria but you work as a supplier to a company regulated by NIS2, the directive also reaches you. Regulated companies are obliged to demand cybersecurity guarantees from their suppliers, and whoever cannot prove them may lose the contract.
The Spanish law adapting NIS2 is still undergoing parliamentary processing as of June 2026. When it is published in the BOE (Official State Gazette), the obligations will come into force from day one, with no room for improvisation. Preparing now is the only way to reach that moment with everything in order.
What NIS2 requires your company to do
NIS2 does not ask for intentions. It asks for implemented, documented, and verifiable measures. This is what it means in practice.
Know what you have and what risks you face. Before protecting something, you need to know what systems you use, what data you handle, what access exists, and which suppliers have access to your systems and data. The directive requires a formal, updated, and documented risk analysis.
Two-step verification on critical access points. If someone gets your password without this second step, they can log into your email, documents, and customer data. It is one of the simplest and most effective measures to implement.
Backups that actually work. Simply having them is not enough. NIS2 requires them to be tested and that the company has the capacity to recover from an incident without depending on anyone's ransom.
A clear protocol if something goes wrong. If a serious incident occurs, the directive requires notification within less than 24 hours. Without a previously defined protocol, meeting this deadline is impossible.
Team training, including management. If an incident occurs, the first question the authority will ask is whether management knew the risks and acted accordingly.
Demand guarantees from your suppliers. Contracts with suppliers who have access to your systems and data must include cybersecurity requirements. If a supplier is the weak link, the liability still lies with your company.
NIS2 Sanctions: what happens if you do not comply
Non-compliance has consequences on two levels.
The first affects the company. Penalties depend on size and sector, but can reach up to 10 million euros or 2% of global annual turnover. Furthermore, the authority can demand external audits paid for by the company itself and make the non-compliance public.
On the other hand, the second level goes beyond fines. NIS2 establishes personal liability for those who lead companies. If it is shown that management did not supervise compliance with cybersecurity obligations, the responsible executive can be temporarily disqualified from exercising management roles. The law requires management to know the risks, approve the necessary measures, and be able to prove it.
If you want to understand how a single decision by your team can become an incident, this article explains it to you.
Why Spanish companies must act now
Implementing the measures required by NIS2 takes between six months and a year. When the law is published in the BOE, it will enter into force on day one, with no period for adaptation. Companies that wait for that moment to start will be too late.
And the risk does not wait for the law. According to the INCIBE Cybersecurity Balance 2025, 122,223 incidents were managed in Spain that year, 26% more than in 2024. According to the report "Cybersecurity as an Asset" by Vodafone Business and INCIBE, 60% of SMEs that suffer a serious cyberattack close down in less than six months.
Preparing now is not just about complying with a law. It is about protecting what you have built.
How to comply with NIS2 without complications
Cydoo is a managed cybersecurity service designed for SMEs. We analyze where your company stands, implement the measures required by NIS2, monitor your security 24/7, and respond if something fails. When an audit comes, you will have all the necessary documentation to prove that you made the right decisions.
No expanding your team. No technical jargon. No fine print.
Request your free diagnosis. In less than 48 hours, we will tell you where your company stands, what three things you should prioritize, and how much it would cost to solve them. Stop worrying about cyber threats in a single click.
Frequently Asked Questions
Do I have to comply with NIS2 if Spanish law is not published yet?
The directive is binding at the European level since January 2023. When the law is published in the BOE, the requirements come into force on day one. Starting now is the only way to be prepared.
What happens if I am a supplier to a company regulated by NIS2?
Regulated companies are going to require you to prove cybersecurity measures as a condition to remain a supplier. Failure to comply can cost you the contract before any formal review arrives.
Does NIS2 require having an in-house technical team?
No. The law requires measures to be implemented and documented, not managed by an internal team. A managed cybersecurity service like Cydoo covers all requirements without you having to hire anyone.
Do you want to protect your business?
Discover which plan fits your needs and start working with peace of mind.
See plans


