The Spanish draft law transposing NIS2 is still in parliament in 2026, but the directive's technical obligations have applied since October 2024. Practical map: the ten minimum security measures, the 24-hour, 72-hour and one-month incident notification window, and the new supply-chain security obligations.
In 2023, software supply chains became attackers' favourite target: MOVEit exposed data from hundreds of organisations through a zero-day flaw, 3CX shipped a trojanised installer to millions of users, and npm and PyPI kept receiving malicious typosquatted packages. The practical defence combines SBOM, artefact signing with Sigstore, SLSA maturity levels, and continuous dependency scanning.
The NIS2 Directive expands European cybersecurity from 7 to 18 sectors, mandates 10 minimum technical measures and 24-hour incident notification, and imposes fines of up to 10 million euros or 2% of global turnover, with personal liability for management bodies that fail to comply.
The CIO role has been under growing pressure for years. Automation cuts the operational load, merging with the CDO and CTO creates ambiguity over who leads what, and digital transformation demands skills that were not previously required. The CIO who evolves remains indispensable; the one who does not gets left behind.
Cybersecurity combines technical controls (encryption, MFA, network segmentation), team training and an incident response plan to reduce the risk of ransomware, phishing, malware and identity theft. No single measure is enough: effectiveness depends on applying every layer at once and auditing the system regularly.
4 min2124.4
We use first- and third-party cookies to analyze site traffic. You can accept them, reject them, or configure your choice.
Learn more about cookies
Cookie preferences
NecessaryEssential for the site to work. Always on.
AnalyticsHelp us understand how the site is used (Google Analytics).