NIS2: What we already know (and what you can do) while we wait for the law
By Carles Latorre on Jun 25, 2026 9:00:00 AM

Validity notice. This article has been prepared using information current as of June 25, 2026. The transposition of NIS2 is still underway, and the technical reference framework is being updated, so some information may change. We will continue to expand and update this article as new developments become available.
In one sentence
The NIS2 Directive is already in force across the European Union and is binding on all Member States, but Spain has not yet transposed it into national law. As a result, many organizations feel they should simply wait. The reality is that waiting is not the only option—there is already a solid foundation you can begin working on today.
What is NIS2 and who will it affect?
NIS2 is Directive (EU) 2022/2555, the European regulation that significantly raises cybersecurity requirements for a wide range of organizations classified as essential or important entities. These include organizations operating in energy, transportation, banking, healthcare, water, digital infrastructure, public administration, manufacturing of certain products, postal services, waste management, and many other sectors.
Compared to the original NIS Directive, the three most significant changes are:
- A broader scope that includes more organizations, including medium-sized businesses operating in affected sectors.
- Clear accountability for executive management in cybersecurity governance. Cybersecurity is no longer solely an IT responsibility.
- More specific obligations regarding risk management, incident reporting, and supply chain security.
If your organization operates in one of these sectors and exceeds certain size thresholds, NIS2 will most likely apply to you. Determining whether it does is the first step worth taking.
Why is there so much uncertainty right now?
There is a great deal of inaccurate information circulating, so it is worth understanding where the uncertainty comes from:
- The deadline for Member States to transpose the Directive expired on October 17, 2024, and Spain has not yet incorporated it into its national legislation.
- A draft law—the Draft Law on Cybersecurity Coordination and Governance—was approved by the Spanish Council of Ministers in January 2025, but it is still progressing through the legislative process and has no confirmed approval date.
- Spain's National Cryptologic Center (CCN) withdrew the previous version of its CCN-STIC 892 guide, which provided a specific compliance profile (PCE-NIS2) designed to align the National Security Framework (ENS) with NIS2. As a result, organizations temporarily lost the official certified roadmap many had been using as a reference.
This explains why many organizations are waiting. However, that does not mean there is nothing organizations can do until the law is finalized.
What we already have (even before the law is approved)
Although the final national framework is not yet complete, several key elements are already firmly in place:
- The NIS2 Directive itself. Its core cybersecurity requirements have already been established and are unlikely to change significantly when Spain completes its transposition.
- Implementing Regulation (EU) 2024/2690, which defines the technical and methodological requirements for specific sectors—including digital service providers and digital infrastructure—and applies directly across all EU Member States.
- Spain's National Security Framework (ENS, Royal Decree 311/2022) continues to serve as a key reference. The CCN has stated that organizations certified under the ENS at the High category, with an appropriate scope, meet the cybersecurity requirements established by NIS2.
- Work at the CCN has not stopped. Guide 892 has not been abandoned—it is being updated. Together with the State Secretariat for Telecommunications and Digital Infrastructure and the Cybersecurity Coordination Office, the CCN is preparing a new version aligned with Implementing Regulation (EU) 2024/2690 and the ENS. Existing ENS certifications remain fully valid.
In short, what is still missing is the final certified national roadmap—not the foundations organizations need to begin preparing.
What you can start doing today
These are actions you are unlikely to regret. They are valuable today and will remain valuable regardless of the final wording of the law.
- Determine whether NIS2 applies to your organization. Evaluating your sector and organizational size will clarify whether you qualify as an essential entity, an important entity, or fall outside the Directive's scope. This decision determines everything that follows.
- Create an inventory of your assets and perform a risk assessment. Without an asset inventory and a risk analysis, it is impossible to prioritize security efforts. These are also the foundation of any cybersecurity framework.
- Involve executive management. Since NIS2 makes leadership accountable for cybersecurity governance, the sooner management becomes engaged, the smoother the transition will be later.
- Begin implementing the measures that are already known. Article 21 identifies several key areas, including incident management, business continuity, supply chain security, encryption, access control, and employee training. None of these efforts will be wasted.
- Prepare your incident reporting process. Reporting deadlines will be demanding, so defining in advance who reports incidents, how they are reported, and when they must be reported is work worth completing now.
- Move toward ENS compliance. Because of the recognized alignment between the ENS High category and NIS2, investing in ENS compliance is one of the safest long-term decisions organizations can make.
What is not worth doing yet
There is no benefit in rushing. Investing heavily before understanding your actual obligations—or estimating the effort required before knowing whether your organization is classified as essential, important, or outside the Directive's scope—is the quickest way to either overspend or underinvest.
The smartest approach is to build the common foundations now and postpone decisions that depend on the final legal text.
We'll keep you updated
This is a rapidly evolving area. Rather than publishing a single article that quickly becomes outdated, ESED is committed to keeping this information up to date. We will continue publishing updates as the legislation progresses, the new CCN guidance is released, and implementation deadlines become clearer. If you want to stay informed about NIS2, this will be your reference point.
Let's talk
If you need to determine whether NIS2 applies to your organization and where to begin, ESED helps organizations assess their obligations and prepare for compliance. Tell us about your situation, and we'll help you identify the right first steps.
You May Also Like
These Related Stories

The importance of cybersecurity in your website for the SEO

Security breaches in hospitals and the healthcare sector


