NIS2 is a directive or regulation emanating from the European Commission that establishes measures with the common objective of achieving a high level of cybersecurity in all EU countries. Improving, preparing, and adapting systems and structures against cyberattacks is essential for markets to function normally.
The guidelines are in fact aimed at the Member States, which are to organize and set the relevant instructions and measures. The directive came into effect in January 2023, and more specifically in Spain in October 2024. It expands the scope of the regulations to more sectors than the original NIS.
By April 2025, Member States should have drawn up a list of essential and important entities, as well as entities providing domain name registration services. Subsequently, Member States will regularly review the list, at least every two years, and update it as necessary.
Version 2 of this NIS directive (Network and Information Security) expands and defines the Critical Sectors. Those affected include:
- Aerospace
- Banking and Financial Market Infrastructures
- Certain structures of Public Administrations
- Digital infrastructure companies, service management companies, and digital services
- Energy and Water (drinking and wastewater)
- Manufacturing of certain products
- Waste management
- Chemical industries
- Research organizations
- Production and distribution of food products
- Healthcare sector
- Postal and courier services
- Transport
Obligations of the affected companies. They must establish and implement a protocol of cybersecurity measures, which includes defining cybersecurity policies, risk assessment, incident management and reporting, and securing the supply chain, among others, and they must have a designated cybersecurity officer. Regarding the measures to be implemented, a minimum list of technical, operational, and organizational measures is contemplated. There are applications with tests to gauge the degree of implementation.
When did this directive come into effect? Officially in October 2024. Another important date in the implementation process was April 2025, the deadline for states to communicate the list of obligated essential and important entities. Consequently, the affected companies should have the regulations implemented, or at worst, in the process of being implemented. Managers must be clear that failure to do so exposes them to significant penalties.
Expense or investment? Companies must understand that, rather than a new requirement, it is a challenge and, importantly, an opportunity. Strengthening cybersecurity will generate trust from suppliers and clients and allow for increased competitiveness. Companies must also not forget that markets are increasingly demanding and global, which entails the need for greater control.
You can access the directive: Directive (EU) 2022/2555
And on the INCIBE website, more information can be accessed:
https://www.incibe.es/incibe-cert/sectores-estrategicos/FAQNIS2
Miguel Ángel Otin Lloro
Secretary General, Huesca Excellent Business Forum











