NIS2: guía para entidades esenciales e importantes — qué exige la directiva en 2026

RegTech · NIS2 Compliance NIS2 Essential Entities Guide: What the Directive Requires in 2026 NIS2 transposition deadlines passed in October 2024. If you operate in energy, transport, banking, health, digital infrastructure or public administration, you are already subject to enforcement. Here is the complete obligation map.

Key figures: NIS2 covers ~160,000 entities across the EU. Essential entities: max fine €10M or 2% global annual turnover. Important entities: max fine €7M or 1.4% turnover. Incident notification: 24h early warning, 72h full notification, 1 month final report.

Essential vs Important entities — are you in scope? Criterion Essential Entity Important Entity Size Large (≥250 employees or ≥€50M turnover) Medium (≥50 employees or ≥€10M turnover) Sectors (Annex I) Energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, space Postal, waste management, chemicals, food production, manufacturing, digital providers, research Supervision Ex-ante (proactive, ongoing) Ex-post (triggered by incident or complaint) Max penalty €10M or 2% global turnover €7M or 1.4% global turnover Note: certain entities are in scope regardless of size — DNS providers, TLD registries, cloud providers, data centres, CDNs, and electronic communication networks.

10 mandatory security measures (Art. 21) NIS2 Article 21 requires a risk-based approach covering at minimum:

Risk analysis and information system security policies Incident handling — detection, response, recovery procedures Business continuity — backup management, disaster recovery, crisis management Supply chain security — including relationships with direct suppliers and service providers Security in network and information systems acquisition, development and maintenance Policies and procedures to assess effectiveness of cybersecurity risk-management measures Basic cyber hygiene practices and cybersecurity training Policies on the use of cryptography and, where appropriate, encryption Human resources security, access control policies and asset management Multi-factor authentication (MFA) or continuous authentication solutions

Incident notification timeline 24h Early warning Notify competent authority that a significant incident has occurred. Indicate whether it is suspected to be caused by unlawful or malicious acts. 72h Full notification Update the early warning with initial assessment of the incident — severity, impact, indicators of compromise. 1 month Final report Detailed description of the incident, type of threat, root cause, impact, cross-border effects, and mitigation measures applied.

Management liability — the key change from NIS1 NIS2 explicitly makes management bodies personally liable for cybersecurity failures. This is the biggest cultural shift from NIS1:

Management must approve cybersecurity risk management measures Management must oversee their implementation Management can be held personally liable for infringements Competent authorities can temporarily ban managers from leadership roles for serious or repeated failures All managers must complete regular cybersecurity training Practical implication: "The IT department handles security" is no longer a valid board position. Cybersecurity is now a board-level governance obligation, not an operational technicality.

NIS2 compliance checklist ☐ Register with your national competent authority (self-identification obligation in most member states) ☐ Conduct a formal risk assessment covering networks, information systems and physical security ☐ Implement all 10 Art. 21 security measures — document each with evidence ☐ Establish incident response plan with clear 24h/72h/1-month notification workflows ☐ Audit your supply chain — map third-party ICT dependencies and assess their security posture ☐ Brief and train management — board-level approval and personal liability documentation ☐ Deploy MFA across all privileged access and critical systems

FAQ Does NIS2 apply to non-EU companies?

Yes, if you provide services to EU entities or operate infrastructure used within the EU. Non-EU companies must designate an EU representative.

Is NIS2 the same as ISO 27001?

ISO 27001 certification is not mandatory under NIS2, but it demonstrates alignment with many of the Art. 21 requirements. Regulators in several member states treat ISO 27001 as strong evidence of compliance.

Can AI help with NIS2 compliance?

RAG-based AI can index your regulatory obligations, map them to your existing controls, and provide instant answers to internal compliance queries — dramatically reducing the time legal and security teams spend on policy Q&A. IgeraRegTech NIS2 does exactly this.

NIS2 compliance Q&A — answered instantly IgeraRegTech NIS2 indexes the full directive and your internal policies, so your team gets instant, cited answers to any compliance question.

Explore IgeraRegTech NIS2

Updated: June 2026 | Sources: Directive (EU) 2022/2555 (NIS2), ENISA NIS2 Implementation Guidance 2024, European Commission NIS2 FAQ | This article is informational; consult a cybersecurity legal specialist for entity-specific compliance advice.

NIS2: guía para entidades esenciales e importantes — qué exige la directiva en 2026

COMPARTIR

Productos relacionados

IgeraRegTech NIS2

Artículos relacionados

RAG vs ChatGPT para Contratación Pública: La Diferencia Clave

GDPR + EU AI Act: cómo se solapan y qué debe hacer tu empresa en 2026

Guía de entidades DORA: ¿está tu organización en scope del Reglamento?