NIS2
What is the NIS2 Directive?
The NIS2 Directive (Directive (EU) 2022/2555) is European Union legislation that establishes stricter security requirements for the networks and information systems of organizations operating in key sectors. It replaces the original NIS Directive of 2016.
As a directive, it is transposed into the national law of each member state. It covers sectors such as energy, health, transport and digital services, and its objective is to raise the common level of cybersecurity across the EU, protecting critical infrastructure and ensuring greater resilience against cyberattacks.
NIS2 Key Requirements
- Cyber risk management: Companies must adopt risk-management policies, assess and treat risks, and identify potential threats, including those arising from their suppliers and service providers.
- Protective measures: Companies are required to adopt appropriate technical and organizational measures, such as protection of data and systems, continuous monitoring, incident handling, business continuity, and employee training.
- Incident notification: Companies must report significant cybersecurity incidents to the relevant national authority or CSIRT in stages: an early warning within 24 hours of becoming aware of the incident, a fuller incident notification within 72 hours, and a final report within one month.
What are the benefits of complying with NIS2?
Improved Cybersecurity and Data Protection
Complying with NIS2 strengthens your company's cybersecurity posture, protecting networks and information systems against cyberattacks and external threats. Implementing rigorous security measures such as multi-factor authentication and data encryption helps protect the sensitive data belonging to your customers and employees.
Regulatory Compliance and Avoiding Sanctions
With this directive, the EU establishes strict cybersecurity requirements for companies in key sectors. Complying with these requirements ensures your company is aligned with European regulations, avoiding financial penalties that can be imposed on organizations that fail to meet the requirements.
Strengthening the trust of Clients and Partners
Complying with this directive demonstrates that your company takes information protection and cybersecurity seriously, increasing the trust of your customers and business partners. Companies that meet the directive's requirements have a clear competitive advantage over those that do not. This strengthens business relationships and can lead to more business opportunities.
Continuous Improvement and Adaptation to Technological Changes
Implementing this legislation requires your company to stay abreast of the latest cybersecurity trends and technologies. The regulations encourage constant adaptation and continuous improvement of your infrastructure and processes, allowing you to maintain a competitive edge in an increasingly digital market.
Reduction of Long-Term Risks and Costs
Digitizing and automating cyber risk management in compliance with NIS2 not only improves operational efficiency but also reduces long-term costs. By preventing security incidents, such as ransomware attacks, your company can avoid recovery costs and business interruption expenses.
Greater Organizational Resilience
NIS2 compliance encompasses not only cybersecurity measures but also the creation of incident response protocols and business continuity plans. These plans ensure your company can continue operating even in the event of a severe cyberattack, enhancing your organizational resilience. This results in a greater capacity to recover from cyber incidents.
Access to New Market Opportunities
Complying with this legislation opens the door to new business opportunities in highly regulated sectors, such as finance, healthcare, energy, and transportation, which require their suppliers to meet cybersecurity standards. Companies that comply with the regulations will be better positioned to access public and private contracts and tenders, especially in the context of global digital transformation.
Promoting an Organizational Culture of Security
Implementing NIS2 within your company contributes to the development of an organizational culture focused on security and data protection. Fostering a preventative and awareness-based mindset at all levels of the organization helps every employee understand their role in cybersecurity, reducing the risk of human error that could compromise the company’s security.
How to comply with NIS2?
1. Risk assessment
Identifying the vulnerabilities of your systems and network, and the threats that could exploit them, is the first step.
2. Adoption of security measures
Implement appropriate protection tools and policies for your company, such as firewalls, antivirus, data encryption, and multi-factor authentication, to ensure that networks and systems are protected against threats.
3. Continuous training
Train your employees in secure cybersecurity practices.
4. Incident notification
Establish a clear protocol for detecting, classifying and reporting security incidents within the timeframes set by NIS2 (early warning within 24 hours, incident notification within 72 hours, final report within one month).
5. Constant maintenance and updating
Digitalization and cybersecurity are ongoing processes: keep systems patched, review policies and reassess risks periodically.
6. Collaboration with authorities and partners
Maintain open communication with the relevant authorities and your business partners to exchange cybersecurity information and comply with NIS2 requirements.
Frequently asked questions
What is NIS2?
It is European Union legislation designed to improve cybersecurity in all member states. Its aim is to strengthen the protection of critical infrastructure and digital services against cyberattacks by establishing stricter security requirements for companies operating in key sectors such as energy, transport, healthcare, and digital services.
Who does NIS2 apply to?
It affects companies and organizations that operate in key sectors. The directive distinguishes two categories:
- Essential entities: large enterprises operating in one of the 11 sectors of high criticality listed in Annex I of the directive (energy, banking, healthcare, transport, digital infrastructure, etc.). Regardless of size, this category also includes:
  - Qualified trust service providers.
  - Top-level domain name registries and DNS service providers.
  - Medium-sized providers of public electronic communications networks or services.
  - Central government public administration entities.
  - Other entities that each member state designates as essential.
- Important entities: entities in the high-criticality sectors (Annex I) or the other critical sectors (Annex II) that do not qualify as essential entities.
As a general rule, the directive applies to any entity in the relevant sectors that is at least a medium-sized enterprise under EU law, that is, one with 50 or more employees or an annual turnover or balance sheet total exceeding €10 million. In certain cases (for example, if the entity is the sole provider of a service in a member state, or a disruption of its service could have a significant impact on public safety, security or health), NIS2 also applies regardless of size.
The sectors and subsectors covered include, among others:
- Road transport subsector.
- Maritime and inland waterway transport subsector.
- Digital infrastructure sector.
- Air transport subsector.
- Drinking water sector.
- Wastewater sector.
- Postal and courier services sector.
- Space sector.
- Research sector.
Medium and large companies in these sectors must comply with the regulations, which require the implementation of security measures and the reporting of cybersecurity incidents.
What are the penalties for non-compliance?
The NIS2 Directive grants national authorities a minimum list of enforcement powers over affected entities in the event of non-compliance, including:
- Issue warnings for non-compliance.
- Adopt binding instructions or orders requiring corrective measures.
- Order the cessation of conduct that violates the directive.
- Order the entity to bring its risk-management measures or reporting obligations into compliance, in a specified manner and within a specified period.
- Order the entity to inform the natural or legal persons to whom it provides services, or for whom it carries out activities, that are potentially affected by a significant cyber threat.
- Order that the recommendations resulting from a security audit be implemented within a reasonable period.
- Appoint a monitoring officer with well-defined tasks for a specified period to oversee compliance.
- Order that specific aspects of the non-compliance be made public.
- Impose administrative fines.
- For essential entities, temporarily suspend a certification or authorisation for the relevant services or activities if the deadline for taking the required action is not met.
- For essential entities, temporarily prohibit the persons responsible for management at the level of chief executive officer or legal representative from exercising management functions (this power does not apply to important entities).
Additionally, administrative fines, which must be effective, proportionate and dissuasive, may be imposed up to the following maximums:
- Essential entities: at least €10,000,000 or 2% of the total annual worldwide turnover of the undertaking to which the entity belongs in the preceding financial year, whichever is higher.
- Important entities: at least €7,000,000 or 1.4% of the total annual worldwide turnover of the undertaking to which the entity belongs in the preceding financial year, whichever is higher.
What is the timeframe for compliance?
Member states were required to transpose the directive into national law by 17 October 2024, and the exact obligations and deadlines for companies depend on each state's transposing legislation. Generally, companies are expected to implement the security measures within the first few months after the national law enters into force. For companies already in operation, the timeframes vary depending on the sector and the size of the company.