NIS2 in Spain: What Directive 2022/2555 Requires and How to Demonstrate Compliance with V-PROOF

NIS2 in Spain: What Directive 2022/2555 Requires and How to Demonstrate Compliance — V-PROOF
Regulations · Cybersecurity

NIS2 in Spain: What the Directive Requires and How to Demonstrate Compliance to the Regulator

Directive (EU) 2022/2555 extends the requirement to implement verifiable cybersecurity measures to thousands of Spanish entities. A written policy is no longer sufficient—Article 21 requires technical evidence that CCN-CERT and INCIBE-CERT can audit.

Published: July 2026
Regulatory coverage: NIS2 · Art. 21 · Art. 20 · Art. 23
Category: Regulation
NIS2 · EU 2022/2555 European supplier Essential Services

Key Points

  • The NIS2 Directive must be transposed by October 17, 2024, and Spain is incorporating it through the new Law on Cybersecurity Coordination and Governance.
  • Article 21 establishes ten categories of mandatory technical measures—ranging from risk management to supply chain security—that must be verifiable to the regulator.
  • Article 20 establishes personal liability for governing bodies: Boards of Directors must approve cybersecurity measures and are individually liable for noncompliance.
  • Article 23 requires notification of significant incidents within 24 hours (early warning), 72 hours (notification), and one month (final report)—deadlines that require immediate technical records.
  • V-PROOF immutable cryptographic evidence of the implementation of the measures set forth in Article 21 on an asset-by-asset basis, with timestamp that can be verified by any supervisor or auditor.
  • The convergence of NIS2 and DORA affects the financial, banking, and market infrastructure sectors: entities already subject to DORA must also comply with NIS2, with no guaranteed overlap.

NIS2: From a Minimum Requirement Directive to a Technical Evidence Requirement

The NIS1 Directive (2016/1148) was Europe’s first attempt to harmonize cybersecurity for critical infrastructure. Its problem: it left too much leeway for member states to set their own requirements, created regulatory fragmentation, and did not include mechanisms for effectively verifying compliance. NIS2 (Directive (EU) 2022/2555) corrects all of these shortcomings.

Published on December 27, 2022, in the Official Journal of the EU, NIS2 drastically expands the scope of NIS1: from a few hundred operators of essential services identified by each Member State to thousands of entities in expanded sectors. It also introduces three structural changes that make it a qualitatively different regulation: personal liability of senior management, much stricter incident reporting deadlines, and an explicit requirement for verifiable measures—not just declared ones.

The Difference Between NIS1 and NIS2

NIS1 asked, “Do you have a security policy?” NIS2 asks, “Can you demonstrate that your security measures work and that your management has formally approved them?” It’s the same leap that exists between a procedures manual and verifiable technical evidence.

In Spain, transposition is being carried out through the new Cybersecurity Coordination and Governance Act, which is undergoing parliamentary review throughout 2025 and 2026. The competent authorities will be the CCN-CERT (for public administrations and the private sector critical infrastructure under the CNI) and the INCIBE-CERT (for the private sector in general). The penalties provided for are up to 10 million euros or 2% of global revenue for essential entities, and 7 million euros or 1.4% for important entities.

Who is required to comply: essential and significant entities

NIS2 divides entities into two categories with different requirements and penalty regimes. The classification depends on the sector, size (medium and large companies), and criticality to society or the economy.

Essential Entities · Enhanced Regime
  • Energy (electricity, gas, oil, heating, hydrogen)
  • Transportation (air, rail, sea, road)
  • Banking and Financial Market Infrastructure
  • Healthcare sector (hospitals, laboratories, manufacturers of critical products)
  • Drinking Water and Wastewater
  • Digital infrastructure (IXPs, DNS, TLDs, cloud, CDNs, data centers)
  • ICT Service Management (MSPs, MSSPs)
  • Central and Regional Government
  • Space
Key Entities · Standard Regime
  • Postal and Courier Services
  • Waste Management
  • Chemical Manufacturing
  • Food production, processing, and distribution
  • Manufacturing (medical devices, electronics, machinery, vehicles)
  • Digital service providers (online marketplaces, search engines, social media platforms)
  • Research institutes
  • ICT providers for the above entities

The classification is not merely theoretical: essential entities are subject to ex ante supervision (the regulator may request documentation even if no prior incident has been detected), while important entities are supervised ex post. In both cases, however, the requirement to provide verifiable technical evidence is the same.

The NIS2 Timeline: Where We Stand and What's Next

December 27, 2022
Publication in the Official Journal of the European Union
Directive (EU) 2022/2555 is published in the Official Journal of the EU. It repeals the NIS1 Directive (2016/1148).
October 17, 2024
Deadline for transposition in the Member States
Member States were required to transpose NIS2 into their national law. Spain, like several other Member States, did not complete the transposition by the deadline—a situation that does not exempt entities from complying with the substantive requirements of the Directive.
2025–2026
Parliamentary Process in Spain
The Cybersecurity Coordination and Governance Act is moving forward in Parliament. Entities in affected sectors should prepare to comply without waiting for the law to be passed: the Directive’s provisions are already enforceable.
TODAY — 2026
Period of Highest Risk of Noncompliance
Entities that have not implemented the measures set forth in Article 21 or documented the Board of Directors’ approval (Article 20) are in violation. INCIBE and CCN-CERT have launched awareness campaigns and issued initial requests for information.
2026–2027
Initial Formal Inspections and Penalties
Once the Spanish transposition law is approved, CCN-CERT and INCIBE-CERT will have formal authority to conduct inspections and impose penalties. Entities without verifiable technical records of their cybersecurity measures will face the highest penalties.

Article 21 and the technical records V-PROOF by V-PROOF

Article 21 of NIS2 stipulates that entities must adopt “appropriate and proportionate” technical, operational, and organizational measures to manage cybersecurity risks. The RTS and ITS currently being developed by ENISA and the Commission will specify what level of evidence will be required. These are the four pillars of Article 21 for which V-PROOF direct evidence:

Art. 21(2)(a) — Risk Analysis
Verifiable records of the implementation of risk management controls
Organizations must demonstrate that their risk analysis policies are not just documents—but rather controls that have been implemented and are operational. The difference between “we have a policy” and “we can prove that it works” is exactly the gap that V-PROOF .
V-PROOF Evidence V-Seal generates a cryptographic seal for each security control implemented: what measure was established, who approved it, when, and what its status is. The hash anchored on the blockchain can be verified by INCIBE-CERT or CCN-CERT without requiring access to internal systems.
Art. 21(2)(b) — Incident Management
Immutable incident logs with timestamp for notifications under Article 23
Article 23 requires an early warning within 24 hours, notification within 72 hours, and a final report within one month. To meet these deadlines credibly, the entity needs technical records of the exact moment the incident was detected—a record that is technically impossible to alter retroactively.
V-PROOF Evidence Every incident recorded through V-PROOF an immutable timestamp . The entity can demonstrate to the regulator exactly when it detected the incident and what actions were taken—with cryptographic evidence that cannot be altered after the fact.
Art. 21(2)(d) — Supply Chain
Software Supply Chain Traceability with Verifiable Evidence
NIS2 explicitly establishes supply chain security as a requirement, including software security aspects. Entities that develop or integrate third-party software must be able to demonstrate the traceability and integrity of that software to the regulator.
V-PROOF Evidence Git Integration cryptographically seals every commit, version, and deployment of the software used in critical systems. The code’s chain of custody is verifiable commit by commit—exactly the level of granularity that NIS2 auditors may require.
Art. 20 — Management Governance
Evidence of formal approval by the governing body
Article 20 is a structural innovation in NIS2: management bodies must not only approve cybersecurity measures—they are personally liable if the entity fails to comply. The board’s approval must be documented and verifiable.
V-PROOF Evidence V-PROOF the approver’s identity, their institutional role, and the timestamp of each approval of security measures. The governing body has cryptographic evidence that it has fulfilled its governance function—evidence that can be defended in any personal liability proceeding.

V-PROOF coverage V-PROOF NIS2

NIS2 Article Obligation Coverage V-PROOF Module
Art. 20 — Governance of Management Bodies
Art. 20Management Liability Evidence of formal approval of cybersecurity measures by the governing body ✓ Complete V-Seal
Art. 21 — Cybersecurity Risk Management Measures
Art. 21(2)(a)Risk Analysis Verifiable records of implemented and operational risk management controls ✓ Complete V-Seal
Art. 21(2)(b)Incident Management Immutable incident logs with timestamp for detection, classification, and response ✓ Complete V-Seal
Art. 21(2)(c)Business Continuity Evidence of business continuity and disaster recovery testing conducted ◐ Midterm V-Seal
Art. 21(2)(d)Supply Chain Software Supply Chain Traceability with Verifiable Evidence by Component ✓ Complete Git Integration
Art. 21(2)(e)Development and Maintenance Verifiable audit trail of changes to critical ICT systems — vulnerability management ✓ Complete Git Integration
Art. 21(2)(f)Effectiveness of Measures Records demonstrating that the effectiveness of cybersecurity measures is being evaluated ◐ Midterm V-Seal
Art. 21(2)(h)Cryptography Evidence of the Use of Cryptography to Protect Critical Assets ✓ Complete V-Seal
Art. 21(2)(g)(j)Training and Access Policies on Cybersecurity Hygiene and Access Control Training — Customer Responsibility Internal Organizational Process
Art. 23 — Reporting of Significant Incidents
Art.2324h / 72h / 1 month An immutable record of the time the incident was detected and the response actions taken ✓ Complete V-Seal
NIS2 + EU AI Act Convergence EU AI Act For Entities Using AI in Critical Infrastructure
NIS2 Art. 21(2)(a)+ EU AI Act . 14 Verifiable human oversight in AI systems that operate critical infrastructure ✓ Complete AI Orchestrator V-Proof

◐ Partial = V-PROOF that the activity was carried out; the design of the activity (the continuity plan, the effectiveness assessment) is the responsibility of the entity.

NIS2 and DORA: Different Requirements for the Same Entities

A common mistake made by compliance teams in the financial sector is to assume that compliance with DORA automatically implies compliance with NIS2. This is not the case. They are two frameworks with different scopes, competent authorities, and specific requirements—and there is no complete overlap between them.

Banks, financial market infrastructure providers, and digital infrastructure providers fall within the scope of both regulations. DORA is a directly applicable regulation administered by the EBA, ESMA, and EIOPA. NIS2 is a directive transposed by each member state, administered in Spain by the CCN-CERT and INCIBE-CERT. The penalties are separate and cumulative.

The Practical Difference for the CISO

DORA focuses on the operational resilience of financial ICT systems and on third-party supplier risks. NIS2 also covers the security of the entire supply chain (not just critical ICT suppliers), explicitly introduces personal liability for management, and applies to sectors such as healthcare, energy, and public administration—areas that DORA does not address. A bank must comply with both. A single V-PROOF integration V-PROOF the technical evidence requirements of both frameworks simultaneously.

Data Sovereignty · NIS2 Relevance

NIS2 and the Security of the ICT Supplier Supply Chain

Article 21(2)(d) of NIS2 requires entities to assess the security of their ICT supply chain, including security aspects related to the relationships between each entity and its direct suppliers. This obligation includes assessing the legal framework under which the ICT supplier operates.

A U.S.-based AI Governance or GRC platform provider is subject to the CLOUD Act (18 U.S.C. § 2713), which allows U.S. authorities to require access to data managed by that provider regardless of where it is hosted. An essential entity under NIS2 that uses such a provider to manage its compliance documentation introduces a legal risk into its supply chain—a risk that Article 21(2)(d) itself requires to be identified and mitigated.

V-PROOF legally headquartered in Spain. Its customers can include it in their NIS2 supply chain assessment with the assurance that it operates under EU jurisdiction, without exposure to the U.S. legal framework.

Full sovereignty under the CLOUD Act also depends on the cloud infrastructure on which the customer deploys V-PROOF. For NIS2 essential entities, we recommend combining it with cloud providers that are legally headquartered in Europe.
Strategic Analysis

V-PROOF NIS2

Strengths, Regulatory Use Cases, and Scope Limitations

F
Strengths · What V-PROOF to NIS2
  • Cryptographic evidence that the measures in Art. 21 are implemented and operational—not merely stated in a policy Article 21(2)(a) — Risk management
  • An immutable record of the exact time of incident detection and classification—essential for demonstrating compliance with the deadlines set forth in Art. 23 Art. 21(2)(b) + Art. 23
  • Commit-to-commit traceability in the critical software supply chain — the level of granularity that supervisors will require under Art. 21(2)(d) Art. 21(2)(d) — Git Integration
  • Record of formal approval by the governing body: The Board has cryptographic evidence that it has fulfilled its NIS2 governance function Art. 20 — Management Responsibility
  • Supplier with its registered office in Spain: The ICT supply chain assessment under Art. 21(2)(d) does not pose a CLOUD Act risk Article 21(2)(d) — Supply Chain
  • Dual coverage under NIS2, DORA, and EU AI Act a single integration for entities in sectors subject to dual obligations Regulatory Convergence 2025–2027
Where It Applies · Regulatory Use Cases
  • Operators of essential services in the energy, transportation, and health sectors who need verifiable technical evidence under Article 21 prior to the first inspection Essential entities — Art. 3
  • Digital infrastructure providers (data centers, European cloud providers, MSPs) that must demonstrate their security to NIS2 customers Section 8 — Digital Infrastructures
  • Central and regional government agencies preparing to comply under the supervision of CCN-CERT Section 10 — Public Sector
  • Boards of Directors of critical entities that need to document their NIS2 governance role in light of potential personal liability proceedings Art. 20 — Personal Liability
  • Banks and financial institutions subject to both NIS2 and DORA requirements that are seeking a single integration for both frameworks NIS2 + DORA Convergence
Out of scope · Client's responsibility
  • Formal reporting of incidents to INCIBE-CERT or CCN-CERT (Art. 23): V-PROOF the time-stamped incident record; the compliance team is responsible for reporting the incident. Art. 23 — Notification
  • Design of the business continuity and disaster recovery plan (Art. 21(2)(c)): V-PROOF that the tests were conducted; it does not design the plan. Art. 21(2)(c) — Continuity
  • Staff training in cyber hygiene (Art. 21(2)(g)): V-PROOF certify that the training took place, but does not provide the training itself. Art. 21(2)(g) — Training
  • Third-Party Risk Assessment (Art. 21(2)(d) — organizational aspect): V-PROOF the results and measures implemented; the risk assessment is the responsibility of the entity. Art. 21(2)(d) — Assessment
NIS2 Diagnosis

Can your organization demonstrate to CCN-CERT or INCIBE-CERT that its cybersecurity measures are effective?

V-PROOF a 48-hour strategic assessment that maps the NIS2 obligations applicable to your organization, identifies gaps in technical evidence, and defines the scope of compliance for Articles 20, 21, and 23.

Request a NIS2 Strategic Assessment

Sources and Regulatory References

  1. Directive (EU) 2022/2555 of the European Parliament and of the Council of December 14, 2022 — EUR-Lex CELEX:32022L2555
  2. ENISA — NIS2 Implementation Guidelines, 2024 — enisa.europa.eu
  3. INCIBE — NIS2 Implementation Guide for the Spanish Private Sector — incibe.es
  4. CCN-CERT — NIS2 Implementation Guide for the Spanish Public Administration — ccn-cert.cni.es
  5. European Commission — Report on the Status of NIS2 Transposition in Member States, 2025 — digital-strategy.ec.europa.eu
  6. ENISA — Threat Landscape Report 2025 (references to NIS2 sectors) — enisa.europa.eu
  7. Regulation (EU) 2022/2554 (DORA) — Reference for Convergence with NIS2 for the Financial Sector — EUR-Lex
Previous
Previous

GDPR and ENS in the Age of AI: How to Demonstrate Accountability with V-PROOF Cryptographic Evidence

Next
Next

V-PROOF: Spain's first AI governance platform that turns compliance into cryptographic proof