
NIS2: everything you need to know to approach it wisely

When I started working as a consultant, talking about cybersecurity in organizations was almost always about non-mandatory compliance. Frameworks of best practices, recommendations, voluntary standards. Something that was convenient to have, that provided value to clients or partners, but that rarely conditioned strategic decisions.

Moreover, it was clearly technical territory. It was delegated to specialists, dealt with in terms of systems, controls and configurations, and was far from the tables where the direction of the organization was really decided.

Over time, that landscape has changed dramatically.

First, because incidents ceased to be hypothetical scenarios and became an everyday reality. Then, because their impact ceased to be measured only in technical terms and began to be expressed in terms of service interruptions, loss of confidence, sanctions, legal liabilities and public exposure.

This change in scale has meant that compliance is no longer an advisable option but has progressively become a legislative requirement. But it has also brought to light something less obvious and more uncomfortable: compliance does not necessarily mean protection. In fact, some very “compliant” organizations have proven to be surprisingly fragile when reality has tested their assumptions.

The NIS2 Directive is a clear manifestation of this paradigm shift.

NIS2 - Cyber-resilience

Cybersecurity is no longer a purely technical issue, but a corporate responsibility, shared and overseen by management. Security is no longer something that is simply delegated: it is a matter of leadership, judgment and accountability.

It is no coincidence that, in recent months, NIS2 has begun to appear in executive committee discussions. It is often mentioned, but rarely explained calmly or in its full dimension. Because NIS2 is not just a new European standard: it reflects an epochal change in the way digital security is understood.

With this directive, the European Union is responding to the steady increase in cyber-incidents and the growing dependence on digital infrastructures and essential services. Cybersecurity is now considered a matter of public, not just business, interest.

October 18, 2024 marked a turning point: the directive came into force. In Spain – as in other Member States – transposition into national legislation is still pending, which generates uncertainty. But this uncertainty leaves no room for inaction.

Executive summary for the steering committee

If you are left with only a few key ideas about NIS2, they should be these:

  1. Cybersecurity is no longer a technical matter.
    NIS2 shifts responsibility to management and governance. It is no longer something that is delegated without follow-up, but a matter that requires judgment, oversight and accountability.
  2. Compliance does not equal protection.
    The directive does not seek to accumulate controls, but to ensure that organizations manage their risks realistically, especially with regard to service continuity and the supply chain.
  3. NIS2 is not a technical standard, it is a governance framework.
    It does not prescribe specific tools or configurations. It requires decisions, processes and evidence to demonstrate responsible security management.
  4. The risk is no longer just internal.
    Suppliers, third parties and critical facilities are part of the perimeter of responsibility. Many of the most serious incidents occur precisely in these blind spots.
  5. Preparedness is not a one-off project, but a system.
    Diagnosis, governance, risk assessment, proportionate measures, training and continuous review. NIS2 is fulfilled by integrating it into the regular operation of the organization, not by isolated actions.

This is the logic from which the directive should be approached: less reactive urgency and more construction of a system that makes it possible to decide, act and demonstrate coherently.

What NIS2 really is

NIS2 is a European directive that establishes a common minimum level of cybersecurity for organizations operating in sectors considered critical or essential. It replaces the first NIS Directive and significantly expands its scope, its requirements and its penalty regime.

It is not a technical standard that tells you how to set up systems or which specific tools to use. Its purpose is different: to ensure that certain organizations manage information security in a responsible, structured and controlled manner.

Thus, NIS2 places less emphasis on the actual technology and more on governance, decision making and the ability to demonstrate sound judgment.

To whom NIS2 applies

One of the first questions many organizations ask is whether NIS2 really affects them. The answer is not always obvious, but the directive relies on three main criteria:

  • Location: operate or provide services in the European Union.
  • Size: mainly medium and large companies, with relevant exceptions.
  • Sector of activity: the activity falls within one of the critical sectors the directive defines.

In addition, the NIS2 distinguishes between essential and important entities, a classification that determines the level of supervision and the applicable sanctioning regime.


A few examples help to bring it down to earth. A hospital clearly falls within the scope of essential entities. A cloud services or digital infrastructure provider is directly subject to the directive. A manufacturer may be affected if it is part of a critical supply chain. And many companies that provide digital services to third parties are in scope, even if they are not always aware of it.

The key is to understand that it is no longer just what you do internally that matters, but who you do it for and what impact your activity has on the system as a whole.

The directive distinguishes between two types of entities according to their criticality. It is essential to identify which group your organization is in to understand the level of supervision you will be subject to:

Category      | Essential Entities                                   | Important Entities
Sectors       | Energy, Health, Banking, Digital Infrastructure      | Manufacturing, Food, Waste Management, Postal Services
Supervision   | Proactive: the authority can audit at any time       | Reactive: monitored after indications of non-compliance or an incident
Maximum fines | €10M or 2% of worldwide turnover                     | €7M or 1.4% of worldwide turnover

What NIS2 requires

NIS2 introduces a set of clear obligations that, seen from the outside, may seem demanding, but are reasonable when approached from a sound management perspective.

The first major change has to do with governance. Leadership is no longer optional. Management must be actively involved in cybersecurity management, approve the necessary measures, monitor risks and take responsibility.

Secondly, the directive puts the focus on risk management, with special attention to the supply chain. The question is no longer just “are we protected?”, but “what happens if a key supplier or a service we depend on fails?”.

Based on this analysis, NIS2 requires minimum measures that should not be interpreted as complex technical requirements, but as basic organizational practices: clear policies, access control, continuity plans, incident management and proportionate use of cryptography.

Another key element is the reporting obligations, with strict deadlines that require advance preparation and coordination between different areas. In this context, improvisation is no longer a viable option.

What happens if you do not comply

The sanctioning regime of the NIS2 is significantly more severe than that of the original directive. But reducing its impact to fines would be a mistake.

The real risk is reputational, contractual and operational. Failure to comply can result in loss of confidence, exclusion from tenders, termination of contracts or interruption of critical services. And, in many cases, the most difficult damage to repair is not economic, but credibility damage.

Getting started: a practical and realistic route

Complying with NIS2 is not a one-off project or a box-ticking exercise. It is an ongoing process that must be integrated into the regular operation of the organization.

A reasonable approach usually starts with an honest diagnosis. From there, it is important to define clear governance and conduct a risk assessment to prioritize efforts.

On that basis, a realistic action plan is constructed, accompanied by clear and consistent documentation. Training, testing and periodic review complete the cycle.

Security cannot be rushed without paying a price: it requires time, repetition and a certain organizational humility.

Relationship with other frameworks: not starting from scratch

In many cases, the challenge is not to implement something new, but to organize what already exists, to provide it with a governance logic and to be able to demonstrate it consistently.

NIS2 is clearly consistent with frameworks such as ISO 27001, the National Security Scheme or other management systems. Many organizations already have reusable practices and evidence.

Conclusion: NIS2 is not just a requirement, it is an opportunity.

The NIS2 marks a before and after. It imposes obligations, but also opens a clear opportunity to professionalize cybersecurity, strengthen resilience and reinforce market confidence.

It is not a matter of “surviving NIS2”, but of using it as a lever to do things better.

Complying with NIS2 is not about accumulating documents, but about knowing what risks are taken, who decides on them and how to demonstrate that they are managed responsibly.

As the organization grows, that vision is no longer manageable with memory and loose-leaf paper. At that point, having a system that connects risks, decisions, evidence and continuous review allows accountability to remain manageable without being diluted.

At ithikios we work precisely from that logic: to help turn the NIS2 into a governable system over time, not a one-off compliance exercise.
