NIS2 in Spain: What Directive 2022/2555 Requires and How to Demonstrate Compliance with V-PROOF
NIS2 in Spain: What the Directive Requires and How to Demonstrate Compliance to the Regulator
Directive (EU) 2022/2555 extends the requirement to implement verifiable cybersecurity measures to thousands of Spanish entities. A written policy is no longer sufficient—Article 21 requires technical evidence that CCN-CERT and INCIBE-CERT can audit.
Key Points
- The NIS2 Directive must be transposed by October 17, 2024, and Spain is incorporating it through the new Law on Cybersecurity Coordination and Governance.
- Article 21 establishes ten categories of mandatory technical measures—ranging from risk management to supply chain security—that must be verifiable to the regulator.
- Article 20 establishes personal liability for governing bodies: Boards of Directors must approve cybersecurity measures and are individually liable for noncompliance.
- Article 23 requires notification of significant incidents within 24 hours (early warning), 72 hours (notification), and one month (final report)—deadlines that require immediate technical records.
- V-PROOF immutable cryptographic evidence of the implementation of the measures set forth in Article 21 on an asset-by-asset basis, with timestamp that can be verified by any supervisor or auditor.
- The convergence of NIS2 and DORA affects the financial, banking, and market infrastructure sectors: entities already subject to DORA must also comply with NIS2, with no guaranteed overlap.
NIS2: From a Minimum Requirement Directive to a Technical Evidence Requirement
The NIS1 Directive (2016/1148) was Europe’s first attempt to harmonize cybersecurity for critical infrastructure. Its problem: it left too much leeway for member states to set their own requirements, created regulatory fragmentation, and did not include mechanisms for effectively verifying compliance. NIS2 (Directive (EU) 2022/2555) corrects all of these shortcomings.
Published on December 27, 2022, in the Official Journal of the EU, NIS2 drastically expands the scope of NIS1: from a few hundred operators of essential services identified by each Member State to thousands of entities in expanded sectors. It also introduces three structural changes that make it a qualitatively different regulation: personal liability of senior management, much stricter incident reporting deadlines, and an explicit requirement for verifiable measures—not just declared ones.
The Difference Between NIS1 and NIS2
NIS1 asked, “Do you have a security policy?” NIS2 asks, “Can you demonstrate that your security measures work and that your management has formally approved them?” It’s the same leap that exists between a procedures manual and verifiable technical evidence.
In Spain, transposition is being carried out through the new Cybersecurity Coordination and Governance Act, which is undergoing parliamentary review throughout 2025 and 2026. The competent authorities will be the CCN-CERT (for public administrations and the private sector critical infrastructure under the CNI) and the INCIBE-CERT (for the private sector in general). The penalties provided for are up to 10 million euros or 2% of global revenue for essential entities, and 7 million euros or 1.4% for important entities.
Who is required to comply: essential and significant entities
NIS2 divides entities into two categories with different requirements and penalty regimes. The classification depends on the sector, size (medium and large companies), and criticality to society or the economy.
- Energy (electricity, gas, oil, heating, hydrogen)
- Transportation (air, rail, sea, road)
- Banking and Financial Market Infrastructure
- Healthcare sector (hospitals, laboratories, manufacturers of critical products)
- Drinking Water and Wastewater
- Digital infrastructure (IXPs, DNS, TLDs, cloud, CDNs, data centers)
- ICT Service Management (MSPs, MSSPs)
- Central and Regional Government
- Space
- Postal and Courier Services
- Waste Management
- Chemical Manufacturing
- Food production, processing, and distribution
- Manufacturing (medical devices, electronics, machinery, vehicles)
- Digital service providers (online marketplaces, search engines, social media platforms)
- Research institutes
- ICT providers for the above entities
The classification is not merely theoretical: essential entities are subject to ex ante supervision (the regulator may request documentation even if no prior incident has been detected), while important entities are supervised ex post. In both cases, however, the requirement to provide verifiable technical evidence is the same.
The NIS2 Timeline: Where We Stand and What's Next
Article 21 and the technical records V-PROOF by V-PROOF
Article 21 of NIS2 stipulates that entities must adopt “appropriate and proportionate” technical, operational, and organizational measures to manage cybersecurity risks. The RTS and ITS currently being developed by ENISA and the Commission will specify what level of evidence will be required. These are the four pillars of Article 21 for which V-PROOF direct evidence:
V-PROOF coverage V-PROOF NIS2
| NIS2 Article | Obligation | Coverage | V-PROOF Module |
|---|---|---|---|
| Art. 20 — Governance of Management Bodies | |||
| Art. 20Management Liability | Evidence of formal approval of cybersecurity measures by the governing body | ✓ Complete | V-Seal |
| Art. 21 — Cybersecurity Risk Management Measures | |||
| Art. 21(2)(a)Risk Analysis | Verifiable records of implemented and operational risk management controls | ✓ Complete | V-Seal |
| Art. 21(2)(b)Incident Management | Immutable incident logs with timestamp for detection, classification, and response | ✓ Complete | V-Seal |
| Art. 21(2)(c)Business Continuity | Evidence of business continuity and disaster recovery testing conducted | ◐ Midterm | V-Seal |
| Art. 21(2)(d)Supply Chain | Software Supply Chain Traceability with Verifiable Evidence by Component | ✓ Complete | Git Integration |
| Art. 21(2)(e)Development and Maintenance | Verifiable audit trail of changes to critical ICT systems — vulnerability management | ✓ Complete | Git Integration |
| Art. 21(2)(f)Effectiveness of Measures | Records demonstrating that the effectiveness of cybersecurity measures is being evaluated | ◐ Midterm | V-Seal |
| Art. 21(2)(h)Cryptography | Evidence of the Use of Cryptography to Protect Critical Assets | ✓ Complete | V-Seal |
| Art. 21(2)(g)(j)Training and Access | Policies on Cybersecurity Hygiene and Access Control Training | — Customer Responsibility | Internal Organizational Process |
| Art. 23 — Reporting of Significant Incidents | |||
| Art.2324h / 72h / 1 month | An immutable record of the time the incident was detected and the response actions taken | ✓ Complete | V-Seal |
| NIS2 + EU AI Act Convergence EU AI Act For Entities Using AI in Critical Infrastructure | |||
| NIS2 Art. 21(2)(a)+ EU AI Act . 14 | Verifiable human oversight in AI systems that operate critical infrastructure | ✓ Complete | AI Orchestrator V-Proof |
◐ Partial = V-PROOF that the activity was carried out; the design of the activity (the continuity plan, the effectiveness assessment) is the responsibility of the entity.
NIS2 and DORA: Different Requirements for the Same Entities
A common mistake made by compliance teams in the financial sector is to assume that compliance with DORA automatically implies compliance with NIS2. This is not the case. They are two frameworks with different scopes, competent authorities, and specific requirements—and there is no complete overlap between them.
Banks, financial market infrastructure providers, and digital infrastructure providers fall within the scope of both regulations. DORA is a directly applicable regulation administered by the EBA, ESMA, and EIOPA. NIS2 is a directive transposed by each member state, administered in Spain by the CCN-CERT and INCIBE-CERT. The penalties are separate and cumulative.
The Practical Difference for the CISO
DORA focuses on the operational resilience of financial ICT systems and on third-party supplier risks. NIS2 also covers the security of the entire supply chain (not just critical ICT suppliers), explicitly introduces personal liability for management, and applies to sectors such as healthcare, energy, and public administration—areas that DORA does not address. A bank must comply with both. A single V-PROOF integration V-PROOF the technical evidence requirements of both frameworks simultaneously.
NIS2 and the Security of the ICT Supplier Supply Chain
Article 21(2)(d) of NIS2 requires entities to assess the security of their ICT supply chain, including security aspects related to the relationships between each entity and its direct suppliers. This obligation includes assessing the legal framework under which the ICT supplier operates.
A U.S.-based AI Governance or GRC platform provider is subject to the CLOUD Act (18 U.S.C. § 2713), which allows U.S. authorities to require access to data managed by that provider regardless of where it is hosted. An essential entity under NIS2 that uses such a provider to manage its compliance documentation introduces a legal risk into its supply chain—a risk that Article 21(2)(d) itself requires to be identified and mitigated.
V-PROOF legally headquartered in Spain. Its customers can include it in their NIS2 supply chain assessment with the assurance that it operates under EU jurisdiction, without exposure to the U.S. legal framework.
V-PROOF NIS2
Strengths, Regulatory Use Cases, and Scope Limitations
- Cryptographic evidence that the measures in Art. 21 are implemented and operational—not merely stated in a policy Article 21(2)(a) — Risk management
- An immutable record of the exact time of incident detection and classification—essential for demonstrating compliance with the deadlines set forth in Art. 23 Art. 21(2)(b) + Art. 23
- Commit-to-commit traceability in the critical software supply chain — the level of granularity that supervisors will require under Art. 21(2)(d) Art. 21(2)(d) — Git Integration
- Record of formal approval by the governing body: The Board has cryptographic evidence that it has fulfilled its NIS2 governance function Art. 20 — Management Responsibility
- Supplier with its registered office in Spain: The ICT supply chain assessment under Art. 21(2)(d) does not pose a CLOUD Act risk Article 21(2)(d) — Supply Chain
- Dual coverage under NIS2, DORA, and EU AI Act a single integration for entities in sectors subject to dual obligations Regulatory Convergence 2025–2027
- Operators of essential services in the energy, transportation, and health sectors who need verifiable technical evidence under Article 21 prior to the first inspection Essential entities — Art. 3
- Digital infrastructure providers (data centers, European cloud providers, MSPs) that must demonstrate their security to NIS2 customers Section 8 — Digital Infrastructures
- Central and regional government agencies preparing to comply under the supervision of CCN-CERT Section 10 — Public Sector
- Boards of Directors of critical entities that need to document their NIS2 governance role in light of potential personal liability proceedings Art. 20 — Personal Liability
- Banks and financial institutions subject to both NIS2 and DORA requirements that are seeking a single integration for both frameworks NIS2 + DORA Convergence
- Formal reporting of incidents to INCIBE-CERT or CCN-CERT (Art. 23): V-PROOF the time-stamped incident record; the compliance team is responsible for reporting the incident. Art. 23 — Notification
- Design of the business continuity and disaster recovery plan (Art. 21(2)(c)): V-PROOF that the tests were conducted; it does not design the plan. Art. 21(2)(c) — Continuity
- Staff training in cyber hygiene (Art. 21(2)(g)): V-PROOF certify that the training took place, but does not provide the training itself. Art. 21(2)(g) — Training
- Third-Party Risk Assessment (Art. 21(2)(d) — organizational aspect): V-PROOF the results and measures implemented; the risk assessment is the responsibility of the entity. Art. 21(2)(d) — Assessment
Can your organization demonstrate to CCN-CERT or INCIBE-CERT that its cybersecurity measures are effective?
V-PROOF a 48-hour strategic assessment that maps the NIS2 obligations applicable to your organization, identifies gaps in technical evidence, and defines the scope of compliance for Articles 20, 21, and 23.
Request a NIS2 Strategic AssessmentSources and Regulatory References
- Directive (EU) 2022/2555 of the European Parliament and of the Council of December 14, 2022 — EUR-Lex CELEX:32022L2555
- ENISA — NIS2 Implementation Guidelines, 2024 — enisa.europa.eu
- INCIBE — NIS2 Implementation Guide for the Spanish Private Sector — incibe.es
- CCN-CERT — NIS2 Implementation Guide for the Spanish Public Administration — ccn-cert.cni.es
- European Commission — Report on the Status of NIS2 Transposition in Member States, 2025 — digital-strategy.ec.europa.eu
- ENISA — Threat Landscape Report 2025 (references to NIS2 sectors) — enisa.europa.eu
- Regulation (EU) 2022/2554 (DORA) — Reference for Convergence with NIS2 for the Financial Sector — EUR-Lex
