NIS2 in Spain: What SMEs Need to Do Before August 2026

10 March 2026 · 3 min read · PROTISEC

The EU Network and Information Security Directive (NIS2) entered into force across EU member states in October 2024. Spain transposed it via the Ley de Seguridad de las Redes y Sistemas de Información (LSSI-NIS2). For Spanish SMBs in affected sectors, the clock is running.

Who Is Actually Affected

NIS2 expanded the scope dramatically compared to its predecessor. In Spain, the following sectors are now covered:

  • Energy (electricity, oil & gas, district heating)
  • Transport (road, rail, air, maritime)
  • Banking and financial market infrastructure
  • Health (hospitals, pharma manufacturing, R&D)
  • Drinking water and wastewater
  • Digital infrastructure (DNS, cloud, data centres, CDN providers)
  • ICT service management (MSPs, MSSPs)
  • Public administration
  • Space

The size threshold matters: medium enterprises (50+ employees or €10M+ revenue) in essential sectors fall under NIS2. Some critical entities are in scope regardless of size. If you are an MSP or MSSP, you are almost certainly in scope.

What NIS2 Actually Requires

The directive mandates a risk-based approach with ten specific security measures:

  1. Policies on risk analysis and information system security
  2. Incident handling — detection, analysis, containment, recovery
  3. Business continuity — backup management, disaster recovery, crisis management
  4. Supply chain security — security requirements for direct suppliers and service providers
  5. Security in network acquisition, development and maintenance — including vulnerability handling
  6. Policies for assessing the effectiveness of cybersecurity risk management measures
  7. Basic cyber hygiene and cybersecurity training
  8. Cryptography and encryption policies
  9. Human resources security — access controls, privilege management
  10. Multi-factor authentication and secure communications

The Enforcement Gap Most Companies Are Missing

NIS2 requires incident reporting to INCIBE-CERT (or CCN-CERT for public entities) within 24 hours of becoming aware of a significant incident, with a full report within 72 hours, and a final report within one month.

Most Spanish SMBs have no incident detection capability. They cannot report what they cannot see.

The fine structure is severe: up to €10M or 2% of global annual turnover for essential entities; up to €7M or 1.4% for important entities. Personal liability for senior management has also been introduced — this is new in Spain.

A Practical Prioritisation for SMBs

Given the scope of requirements, most organisations cannot do everything at once. Here is a defensible prioritisation:

Month 1-2: Foundations

  • Asset inventory (what systems, what data, what suppliers have access)
  • Identify your designated security officer (does not need to be a CISO — can be an external partner)
  • Register with INCIBE as a NIS2 entity if you have not done so

Month 3-4: Risk and Gaps

  • Conduct a gap analysis against the 10 NIS2 measures
  • Implement MFA across all remote access and privileged accounts — this alone closes a major attack vector
  • Review and document supplier access

Month 5-6: Incident Capability

  • Deploy basic detection: centralised logging, alerting on authentication anomalies
  • Define and test your incident response process — at minimum, who calls whom at 2am
  • Conduct a tabletop exercise
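The "alerting on authentication anomalies" step above is the one most SMBs can stand up with nothing more than centralised logs and a few rules. The following is an added example, not code from the original article or from PROTISEC: a small Python detector that reads OpenSSH-style authentication lines as they would arrive at a central syslog and raises three defensive alerts: repeated failures for one account from one source (brute force), failures across many accounts from one source (password spraying), and a successful login that follows recent failures from the same source. The log lines, host names and IP addresses are constructed for the example, and the thresholds and 10-minute window are assumptions to be tuned to the environment.

```python
"""Minimal authentication-anomaly detector over centralised auth logs.

Added example (not from the original article or PROTISEC). The log
format and the sample lines below are constructed for the example; the
thresholds and window are assumptions to be tuned per environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample: OpenSSH-style lines as shipped to a central syslog.
SAMPLE_LOG = """\
2026-03-09T02:11:04Z srv-vpn sshd[812]: Failed password for admin from 203.0.113.7 port 51112 ssh2
2026-03-09T02:11:09Z srv-vpn sshd[812]: Failed password for admin from 203.0.113.7 port 51113 ssh2
2026-03-09T02:11:15Z srv-vpn sshd[812]: Failed password for admin from 203.0.113.7 port 51114 ssh2
2026-03-09T02:11:21Z srv-vpn sshd[812]: Failed password for admin from 203.0.113.7 port 51115 ssh2
2026-03-09T02:11:27Z srv-vpn sshd[812]: Failed password for admin from 203.0.113.7 port 51116 ssh2
2026-03-09T02:11:40Z srv-vpn sshd[812]: Accepted password for admin from 203.0.113.7 port 51117 ssh2
2026-03-09T02:30:02Z srv-mail sshd[990]: Failed password for alice from 198.51.100.4 port 40001 ssh2
2026-03-09T02:30:05Z srv-mail sshd[990]: Failed password for bob from 198.51.100.4 port 40002 ssh2
2026-03-09T02:30:08Z srv-mail sshd[990]: Failed password for carol from 198.51.100.4 port 40003 ssh2
2026-03-09T02:30:11Z srv-mail sshd[990]: Failed password for dave from 198.51.100.4 port 40004 ssh2
2026-03-09T09:15:00Z srv-mail sshd[991]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
2026-03-09T09:16:30Z srv-mail sshd[992]: Failed password for alice from 192.0.2.10 port 50001 ssh2
"""

# One sshd authentication line: timestamp, host, result, method, user, source IP.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

# Assumed thresholds; tune to the environment's normal noise level.
WINDOW = timedelta(minutes=10)
BRUTE_FORCE_FAILURES = 5   # failures for one user from one IP inside WINDOW
SPRAY_DISTINCT_USERS = 4   # distinct users failing from one IP inside WINDOW


def parse(log_text):
    """Turn raw log text into a list of event dicts; unmatched lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated line; a real pipeline would count these
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(d)
    return events


def detect(events):
    """Return a list of (rule, source_ip, detail) alerts in detection order."""
    alerts = []
    failures = defaultdict(list)      # (ip, user) -> recent failure timestamps
    users_per_ip = defaultdict(dict)  # ip -> {user: last failure timestamp}
    fired = set()                     # suppress duplicate alerts per rule/key
    for e in sorted(events, key=lambda x: x["ts"]):
        ip, user, ts = e["ip"], e["user"], e["ts"]
        if e["result"] == "Failed":
            key = (ip, user)
            failures[key] = [t for t in failures[key] if ts - t <= WINDOW] + [ts]
            if len(failures[key]) >= BRUTE_FORCE_FAILURES and ("brute", key) not in fired:
                fired.add(("brute", key))
                alerts.append(("brute_force", ip,
                               f"{len(failures[key])} failures for {user} within {WINDOW}"))
            users_per_ip[ip][user] = ts
            recent = [u for u, t in users_per_ip[ip].items() if ts - t <= WINDOW]
            if len(recent) >= SPRAY_DISTINCT_USERS and ("spray", ip) not in fired:
                fired.add(("spray", ip))
                alerts.append(("password_spray", ip,
                               f"{len(recent)} distinct users failed within {WINDOW}"))
        else:  # Accepted: was it preceded by failures from the same source?
            recent_fail = [t for t in failures[(ip, user)] if ts - t <= WINDOW]
            if recent_fail:
                alerts.append(("success_after_failures", ip,
                               f"{user} logged in after {len(recent_fail)} recent failures"))
    return alerts


if __name__ == "__main__":
    for rule, ip, detail in detect(parse(SAMPLE_LOG)):
        print(f"[{rule}] {ip}: {detail}")
```

Run against the sample, the detector raises a brute-force alert and then a success-after-failures alert for 203.0.113.7, and a password-spray alert for 198.51.100.4; the single failure from 192.0.2.10 stays below every threshold. The success-after-failures rule is the one worth routing to a human at 2am, because it is the case where the 24-hour reporting clock may already have started.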

This is not a compliance checklist. It is a minimum defensible posture. NIS2 enforcement in Spain is expected to intensify from Q3 2026 onward as INCIBE scales its supervisory capacity.

What We Recommend Before Spending Budget

Before investing in tools, do the gap analysis. Many SMBs buy products that do not address their actual exposure. The most common gaps we see in Spanish mid-market organisations:

  • No MFA on VPN, email or remote desktop
  • No documented incident response procedure
  • MSP/cloud supplier contracts with no security requirements
  • Backups stored in the same environment as production (useless against ransomware)
  • No logging retention beyond 7 days

Fix the process gaps first. Technology follows.

For organisations that need to achieve compliance efficiently, our NIS2 compliance service delivers a gap analysis, remediation roadmap and supporting documentation in 4-6 weeks — with a first-attempt success track record.

NIS2 ISO27001 Spain SME INCIBE
PROTISEC Team
AI-Powered Cybersecurity · ICS/OT · MLSecOps

30+ years of field experience. Senior architect leads every engagement — backed by AI agents and vetted specialists.