Technology

NIS2: what we learned from the first year of applying it

Updated: 2026-05-03

NIS2 entered into force on 17 October 2024, and this April we are just over six months into real application. During that time, several things that looked like paperwork have become operational practice, some predictions fell short, and a layer of inconsistency between member states has emerged that the directive did not prevent well. This post collects what I’ve seen in the Spanish companies I work with and contrasts it with public reports from ENISA and national authorities.

The transposition context is covered in the analysis of NIS2: transposition to the Spanish state. For the broader European compliance framework connecting with NIS2, the post on enterprise AI governance offers the organizational pattern that applies equally here.

Key takeaways

  • 24-hour incident notifications are the most disruptive operational change; teams without a prior process have had to improvise.
  • NIS2’s extension to the supply chain is where SMEs feel the most pressure: large companies demand questionnaires SMEs don’t know how to answer.
  • Personal liability of executives (art. 20) has changed the tone of board conversations, but hasn’t yet generated real consequences in Spain.
  • Transposition inconsistency between EU countries complicates compliance for multinational groups.
  • What has moved the needle most in real practice: asset inventory, vulnerability management, and continuity testing.

24-hour notifications: the most disruptive change

Article 23 of NIS2 establishes a cascading notification obligation: initial notice to the competent authority within 24 hours of becoming aware of a significant incident, full report within 72 hours, and final report within one month. This 24-hour window for the initial notice has been the hardest operational change to absorb.

Teams without a documented incident management process have had to build one under pressure. Recurring problems I’ve seen:

No definition of “significant incident.” NIS2 provides criteria (impact on availability, personal data integrity, cross-border consequences), but applying them requires an internal decision threshold. Without that documented threshold, every potential incident triggers a long discussion about whether to report, consuming critical time at the worst possible moment.

No clear notification owner. Who makes the notification decision? The CISO? The CEO? Legal? At several companies I’ve seen that, when a real incident occurred, nobody knew who had the authority to notify, and critical hours were lost.

No prepared notification templates. The 24-hour initial notice doesn’t require the full incident analysis (that’s the 72-hour report), but it does require minimum information on incident type, affected systems, and estimated impact. Having a basic template ready reduces preparation time at the moment of highest stress.

What has worked in the best-prepared companies: an incident playbook that explicitly includes the NIS2 notification process, with the decision threshold documented, the notification owner identified, the notification template prepared, and the competent authority contact saved.
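The playbook elements listed above can be made executable so that nobody has to reason about thresholds or deadlines under stress. The following is an added example, not code from the original post: it encodes a documented significance threshold, derives the 24h/72h/one-month deadlines from the moment of awareness, and pre-fills the minimum fields of the initial notice. The threshold values, the field names, the `Incident` class and the sample incident are assumptions constructed for illustration; each organization documents its own.

```python
"""
Added example (not from the original post): an executable version of the
NIS2 incident playbook described in the text. Threshold values, field names
and the sample incident are assumptions, not prescribed by the directive.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Deadlines as the post describes Article 23: 24h initial notice, 72h full
# report, final report within one month (approximated here as 30 days).
DEADLINES = {
    "initial_notice": timedelta(hours=24),
    "full_report": timedelta(hours=72),
    "final_report": timedelta(days=30),
}

# Internal decision threshold (assumed values). The point is that it is
# written down, so the 24-hour clock is not spent debating whether to report.
THRESHOLD = {
    "outage_hours": 4.0,
    "personal_data_records": 1000,
}


@dataclass
class Incident:
    title: str
    aware_at: datetime              # moment the entity became aware (UTC)
    affected_systems: list[str]
    outage_hours: float             # availability impact so far
    personal_data_records: int      # records whose integrity/confidentiality is affected
    cross_border: bool              # consequences in another member state
    incident_type: str = "unknown"


def is_significant(inc: Incident) -> tuple[bool, list[str]]:
    """Return (decision, reasons). Any single criterion met makes it reportable."""
    reasons = []
    if inc.outage_hours >= THRESHOLD["outage_hours"]:
        reasons.append(f"availability: {inc.outage_hours}h outage >= {THRESHOLD['outage_hours']}h")
    if inc.personal_data_records >= THRESHOLD["personal_data_records"]:
        reasons.append(f"personal data: {inc.personal_data_records} records affected")
    if inc.cross_border:
        reasons.append("cross-border consequences")
    return bool(reasons), reasons


def notification_schedule(aware_at: datetime) -> dict[str, datetime]:
    """Absolute deadlines derived from the awareness timestamp."""
    return {name: aware_at + delta for name, delta in DEADLINES.items()}


def hours_remaining(aware_at: datetime, now: datetime, stage: str = "initial_notice") -> float:
    """Hours left before the deadline of the given stage (negative if already missed)."""
    deadline = aware_at + DEADLINES[stage]
    return (deadline - now).total_seconds() / 3600


def draft_initial_notice(inc: Incident, owner: str, authority_contact: str) -> str:
    """Pre-filled 24h initial notice: only type, affected systems and estimated impact."""
    significant, reasons = is_significant(inc)
    sched = notification_schedule(inc.aware_at)
    lines = [
        f"TO: {authority_contact}",
        f"FROM (notification owner): {owner}",
        f"SUBJECT: NIS2 early warning - {inc.title}",
        f"Aware since (UTC): {inc.aware_at.isoformat()}",
        f"Incident type: {inc.incident_type}",
        f"Affected systems: {', '.join(inc.affected_systems)}",
        f"Estimated impact: {'; '.join(reasons) if reasons else 'below internal threshold'}",
        f"Significant per internal threshold: {'yes' if significant else 'no'}",
        f"Full report due (UTC): {sched['full_report'].isoformat()}",
    ]
    return "\n".join(lines)


# Constructed sample incident for demonstration (not a real case).
SAMPLE = Incident(
    title="Ransomware on invoicing cluster",
    aware_at=datetime(2025, 3, 10, 8, 30, tzinfo=timezone.utc),
    affected_systems=["erp-db-01", "erp-app-02"],
    outage_hours=6.0,
    personal_data_records=250,
    cross_border=False,
    incident_type="ransomware",
)
# Constructed "current time" 11.5 hours after awareness, used to show the clock.
SAMPLE_CHECK_TIME = SAMPLE.aware_at + timedelta(hours=11, minutes=30)

if __name__ == "__main__":
    print(draft_initial_notice(SAMPLE, owner="CISO (assumed owner)",
                               authority_contact="<competent authority contact, placeholder>"))
    print(f"Hours left for initial notice: {hours_remaining(SAMPLE.aware_at, SAMPLE_CHECK_TIME):.1f}")
```

Running the module prints the draft notice and the time left on the 24-hour clock; in practice the authority contact and the owner come from the documented playbook rather than from placeholders.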

Supply chain: pressure reaching SMEs

NIS2 extends cybersecurity responsibility to the supply chain. An essential or important entity cannot comply with NIS2 while ignoring the security posture of its critical suppliers. This has created a wave of security questionnaires flowing from large companies to their suppliers, many of which are SMEs without the resources or knowledge to answer them.

The pattern I see repeatedly:

  1. The large client sends a 150-question security questionnaire derived from their third-party risk management program.
  2. The SME supplier has no answers for most questions because it hasn’t implemented the controls being asked about.
  3. The SME has two options: refuse the questionnaire (and lose the client), or answer inaccurately to appear more mature than it is.

Neither is satisfactory, but the second is more frequent. This creates a paper compliance ecosystem that NIS2 aimed to avoid.

The solution beginning to be adopted in some sectors is standardizing the third-party questionnaire using frameworks like ENS (National Security Framework) or ISO 27001 certification as a substitute. An ISO 27001 certified supplier can refer the client to the certificate instead of answering 150 individual questions. But adoption of this practice is uneven.

Personal liability: tone change without consequences yet

Article 20 of NIS2 establishes that management bodies of entities are responsible for supervising cybersecurity risk management measures, and can be held personally liable in cases of serious non-compliance. This provision has had an immediate effect on board conversations: CEOs and directors have started asking about cybersecurity in ways they didn’t before.

However, in Spain and most member states, there are still no public sanctioning resolutions derived from NIS2. The regime is in early application, national authorities are still establishing their supervision procedures, and incomplete transposition in some states complicates the picture. The effect of personal liability has been more a change in attitude than tangible consequences in these first six months.

What has changed: cybersecurity budgets in companies that previously had no structured program have increased, and the argument “NIS2 requires it” has unlocked conversations the security team had been trying to have for years.

Country differences: the fragmentation problem

NIS2 is an EU directive, but transposition is done individually by member states, and there are significant differences in how it has been implemented:

  • Scope: some states have extended scope beyond the directive’s minimum; others have transposed more restrictively.
  • Size thresholds: the directive sets employee and turnover thresholds to determine whether a company falls in scope, but states have interpretation margin for some sectors.
  • Notification timelines: although the 24/72-hour deadlines are in the directive, interpretation of what constitutes “awareness” of an incident varies.
  • Competent authorities: some states have a single authority; others have several by sector.

For a multinational group with operations in multiple EU countries, this means NIS2 compliance cannot be a single policy: it requires per-country adaptation. Some groups are opting to apply the most demanding standard of the countries they operate in as corporate baseline, which simplifies management at the cost of overcompliance in countries with lower requirements.

What has moved the needle most in real practice

Beyond notification processes and governance, these are the controls where NIS2 has generated the most work and the most real value in the companies I’ve worked with:

Asset inventory. NIS2’s Annex X lists risk management measures explicitly including asset inventory. Companies without an updated inventory of systems, applications, and data have had to build one. The positive side effect: many have discovered forgotten systems with outdated versions they didn’t know were still active.

Vulnerability management. The vulnerability management cycle (scanning, prioritization, remediation, verification) has gone from informal practice to documented process in many organizations. Companies that already had Trivy, Grype, or equivalent tools integrated into CI have had an easier time; those that did not have had to build the process from scratch.
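The four steps of that cycle can be wired into CI with very little code once a scanner is producing machine-readable output. The following is an added example, not the post's code and not part of Trivy or Grype: it consumes the JSON shape Trivy emits for `trivy image --format json` (a top-level `Results` list whose entries carry a `Target` and a `Vulnerabilities` list with `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion` and `Severity`), prioritizes findings, produces a remediation plan with per-severity SLAs, and acts as a gate that fails the build while fixable findings at or above a chosen severity remain. The sample report is constructed and its CVE identifiers are placeholders, not real vulnerabilities; the SLA values and the `block_at` default are assumed policy.

```python
"""
Added example (not from the original post, not part of Trivy or Grype):
scanning -> prioritization -> remediation -> verification over Trivy-style
JSON. The report below is constructed; CVE ids are placeholders.
"""
import json
from dataclasses import dataclass

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "UNKNOWN": 0}

# Remediation policy (assumed): maximum days a finding may stay open per severity.
SLA_DAYS = {"CRITICAL": 7, "HIGH": 30, "MEDIUM": 90, "LOW": 180, "UNKNOWN": 180}

# Constructed Trivy-style report; the CVE identifiers are placeholders.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {"Target": "app:1.4 (debian 12)", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl3",
             "InstalledVersion": "3.0.1", "FixedVersion": "3.0.2", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "curl",
             "InstalledVersion": "7.88.0", "FixedVersion": "", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "zlib1g",
             "InstalledVersion": "1.2.13", "FixedVersion": "1.2.14", "Severity": "MEDIUM"},
        ]},
        {"Target": "Node.js", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0004", "PkgName": "lodash",
             "InstalledVersion": "4.17.20", "FixedVersion": "4.17.21", "Severity": "HIGH"},
        ]},
    ]
})


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    target: str
    package: str
    installed: str
    fixed: str
    severity: str

    @property
    def fix_available(self) -> bool:
        # Trivy leaves FixedVersion empty when upstream has no fix yet.
        return bool(self.fixed)


def parse_report(report_json: str) -> list[Finding]:
    """Step 1, scanning: flatten scanner output into a list of findings."""
    data = json.loads(report_json)
    findings = []
    for result in data.get("Results", []):
        for v in result.get("Vulnerabilities") or []:   # key may be null for clean targets
            findings.append(Finding(
                vuln_id=v["VulnerabilityID"], target=result.get("Target", ""),
                package=v["PkgName"], installed=v.get("InstalledVersion", ""),
                fixed=v.get("FixedVersion", ""), severity=v.get("Severity", "UNKNOWN")))
    return findings


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Step 2: highest severity first; among equals, fixable first (actionable today)."""
    return sorted(findings, key=lambda f: (-SEVERITY_RANK.get(f.severity, 0),
                                           not f.fix_available, f.vuln_id))


def remediation_plan(findings: list[Finding]) -> list[dict]:
    """Step 3: an action and an SLA per finding. No upstream fix -> mitigate or accept with review."""
    plan = []
    for f in prioritize(findings):
        if f.fix_available:
            action = f"upgrade {f.package} {f.installed} -> {f.fixed}"
        else:
            action = f"no fix: mitigate or accept with review (no upstream fix for {f.package})"
        plan.append({"id": f.vuln_id, "severity": f.severity,
                     "action": action, "sla_days": SLA_DAYS.get(f.severity, 180)})
    return plan


def gate(findings: list[Finding], block_at: str = "HIGH") -> tuple[bool, list[str]]:
    """CI gate: fail while a *fixable* finding at or above `block_at` remains."""
    threshold = SEVERITY_RANK[block_at]
    blockers = [f.vuln_id for f in findings
                if SEVERITY_RANK.get(f.severity, 0) >= threshold and f.fix_available]
    return (len(blockers) == 0, sorted(blockers))


def verify_remediated(before: list[Finding], after: list[Finding]) -> list[str]:
    """Step 4, verification: ids present in the previous scan and gone in the re-scan."""
    return sorted({f.vuln_id for f in before} - {f.vuln_id for f in after})


if __name__ == "__main__":
    findings = parse_report(SAMPLE_REPORT)
    for item in remediation_plan(findings):
        print(item)
    passed, blockers = gate(findings)
    print("gate passed" if passed else f"gate failed: {blockers}")
```

The gate deliberately ignores findings with no fix available: blocking a build on something nobody can act on only teaches teams to bypass the gate. Those findings still appear in the plan with an SLA, so they are tracked rather than forgotten, which is the documented-process point the paragraph makes.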

Continuity and recovery testing. NIS2 measures include business continuity and disaster recovery, with documented regular testing. Many companies had continuity plans on paper that had never been tested. The compliance process forced real tests, with instructive results: a significant percentage of plans tested didn’t work as expected.

My read

NIS2 is generating real changes in the security posture of the companies subject to it, though unevenly. Companies that already had a structured security program have mainly had documentation and process adjustment work. Those that did not have had to build one from scratch under regulatory pressure, with variable results.

The most lasting changes are not those generated by fear of sanction, but those generated by the shift in board conversation. Article 20’s personal liability has put cybersecurity on the management agenda in a way security teams had been trying to achieve for years. That shift in attention, if sustained, has more value than any specific technical control.

The second year of NIS2 will be that of the first sanctioning resolutions. When they appear, the market effect will be faster than all prior communication: nothing concentrates board attention like seeing an equivalent sector receive a significant sanction with real names attached.


Written by

CEO - Jacar Systems

Passionate about technology, cloud infrastructure and artificial intelligence. Writes about DevOps, AI, platforms and software from Madrid.