Spain has yet to transpose the NIS2 Directive, the new European cybersecurity framework, and the regulatory clock is ticking. Meanwhile, companies are already facing cybersecurity requirements through contracts, audits, and international clients. This article analyzes the current status of transposition, what obligations organizations should already be preparing for, and why SD-WAN, with solutions such as SAIWALL Secure SD-WAN, is a key technical solution for compliance before the regulation takes effect.

NIS2 is awaiting legislation in Spain

Spain has yet to complete the transposition of the NIS2 Directive, the European reform aimed at raising the common level of cybersecurity in critical and strategic sectors across the European Union (EU). The official transposition deadline expired on October 17, 2024, and although the Spanish government approved the draft Cybersecurity Coordination and Governance Act in January 2025, the national framework is not yet fully in force.

For businesses, this delay does not mean a pause. The essential content of NIS2 has already been defined at the European level, and its requirements are beginning to be implemented in the market through contracts, audits, supplier certifications, and customer requirements—especially in organizations with international operations or those integrated into critical supply chains.

NIS2 reinforces a key concept: organizations must demonstrate governance, responsiveness, business continuity, and effective control over their digital infrastructure. Cybersecurity is no longer viewed solely as a matter of tools, and the network takes on a strategic role.

This delay is not merely a formality: the Commission has activated legal enforcement mechanisms and, following its May 2025 reasoned opinion, has already warned that it will refer the case to the Court of Justice of the EU if the delay continues.

What does the delay mean for businesses?

It should be noted that the NIS2 Directive, as a European directive, is not currently directly enforceable against private Spanish companies. It must be transposed into national law in order to impose specific obligations and penalties within our legal system.

However, the legislative delay does not leave organizations in a comfort zone. There are three reasons why Spanish companies should review their position:

 

  1. Other regulations already in force cover some of the same ground. These include the National Security Framework (ENS), the GDPR, and the Critical Infrastructure Protection Act. All of them share elements related to risk management, information protection, business continuity, and incident reporting.

  2. The market is already applying NIS2 standards contractually. Public agencies, large clients, and multinational operators are beginning to impose cybersecurity requirements on their suppliers, integrators, and technology partners through contracts, specifications, audits, and certification processes.

    This means that a company providing connectivity, cloud, support, maintenance, or network management services may encounter requirements aligned with NIS2 even before the Spanish law is fully enacted.

  3. The content of the directive is already known: risk assessment and management, supply chain security, business continuity, incident detection and reporting, system protection, and management body accountability.

    Building these capabilities takes time. Waiting for the final publication of the national regulation may reduce the window for adaptation and increase the risk of non-compliance once the new framework takes effect.

 

NIS2 requirements

The NIS2 Directive replaces the first NIS Directive of 2016 and significantly expands the scope of cybersecurity regulation in Europe. Its aim is to establish a high common level of cybersecurity throughout the European Union, strengthening the protection of sectors that are essential to the economy and society.

The directive covers 18 critical and strategic sectors, including energy, transportation, healthcare, banking, water, digital infrastructure, ICT services, food, manufacturing, chemicals, waste management, postal services, research, and certain digital services.

NIS2 distinguishes between two categories of entities:

  • Essential entities include large companies in highly critical sectors, trusted service providers, DNS providers, public electronic communications networks, and public administration entities.
  • Significant entities include all other medium-sized companies—those with more than 50 employees or more than 10 million euros in annual revenue—that operate in any of the 18 affected sectors, including ICT providers, manufacturers, logistics, research, and digital services.

 

For affected companies, the directive imposes specific and demonstrable obligations:

  • comprehensive risk management,
  • crisis management and reporting of significant incidents,
  • supply chain security,
  • business continuity,
  • network and system protection,
  • the use of encryption measures where appropriate,
  • cybersecurity training,
  • internal governance with the direct involvement of senior management.

 

The most significant change is that NIS2 introduces a more rigorous approach to corporate responsibility: cybersecurity becomes an integral part of organizational governance and requires the direct involvement of management bodies.

The penalty regime underscores the seriousness of non-compliance: fines can reach up to 10 million euros or 2% of global revenue for critical entities, and up to 7 million euros or 1.4% for significant entities, with management bodies bearing direct liability if adequate measures have not been taken.

 

NIS2 is moving at two different paces in Europe

The implementation of NIS2 is progressing at different paces across the EU. Some countries have already completed transposition and are operating under fully implemented national frameworks, while others, such as Spain, are still in the process of drafting legislation. This situation is creating a two-speed Europe with direct implications for business groups, multinational operators, and technology providers operating in various European markets.

Among the states that appear to be most advanced or have completed transposition are Belgium, Croatia, Hungary, Italy, Latvia, and Lithuania. As of May 2026, five Member States have not yet completed the transposition of NIS2: Spain, France, Ireland, Luxembourg, and the Netherlands. All of them are in the legislative process, with drafts or preliminary drafts at various stages of parliamentary review. All of these countries were subject to the Commission’s reasoned opinion in May 2025.

 

SAIWALL Secure SD-WAN and NIS2

In this regulatory context, SAIWALL Secure SD-WAN, the SD-WAN solution from SAIMA SYSTEMS, can serve as a technological lever to help companies prepare for NIS2. Its value lies in translating the directive’s requirements into tangible network capabilities: visibility, segmentation, encryption, resilience, centralized control, and incident response capabilities.

NIS2 does not merely require internal policies or documentation. It also demands effective technical and organizational measures. For companies with multiple locations, distributed users, cloud environments, or third-party providers, the network is the space where many of these measures must be implemented and monitored.

A well-designed SD-WAN architecture helps secure communications between locations, strengthen business continuity, improve traffic visibility, and enforce security policies centrally. Preparing for NIS2 is not just about defining security policies; it also requires an infrastructure capable of enforcing them, monitoring them, and demonstrating compliance.