NIS2 Directive (Directive (EU) 2022/2555)

TCS Spain is recently in scope of NIS2 and has implemented a compliance program aligned with national implementation requirements. The NIS2 Directive is the EU-wide legal framework designed to achieve a high common level of cybersecurity across the Union and to improve the functioning of the internal market by reducing fragmented national approaches. It replaces the original NIS Directive (2016/1148) and strengthens obligations for both Member States (governance, authorities, CSIRTs) and in-scope organizations (risk management and incident reporting). NIS2 establishes a baseline that Member States implement via national laws, while allowing them to adopt higher cybersecurity standards as long as they remain consistent with EU law.

Download PDF

Scope of Application
1. Core scope rule (sector + size): NIS2 applies to public and private entities in the sectors listed in Annex I (high criticality) and Annex II (other critical sectors) when they are medium-sized or larger and provide services or carry out activities in the EU.
2. Regardless of size — entities that can be in scope even if small: NIS2 also applies regardless of size to specific entity types (e.g., certain electronic communications providers, trust service providers, DNS/TLD entities) and to organizations that are uniquely critical at national/regional level or whose disruption could significantly impact public safety/security/health or create systemic risk. Member States may also extend applicability to local public administration and certain education institutions, especially where critical research is involved.
3. Essential vs Important entities: NIS2 introduces two compliance categories: Essential Entities and Important Entities, which differ mainly in supervision/enforcement intensity. Essential Entities include, among others, large entities in Annex I sectors and certain digital/communications/trust/DNS entities even if smaller, plus any entities designated as essential under the Directive’s criteria. Entities that are in Annex I/II but do not meet the “essential” criteria are treated as Important Entities. Practical orientation: many organizations will first determine sector (Annex I/II), then apply size, and finally check special “regardless of size” triggers and national designation rules.
Executive Summary
1. What NIS2 requires at a high level: NIS2 requires covered entities to implement cybersecurity risk-management measures and to follow incident reporting obligations, while Member States must set up the authorities, crisis-management structures, and CSIRTs to oversee and coordinate cybersecurity. It also introduces rules to support cybersecurity information sharing and establishes supervisory and enforcement obligations for Member States.
2. Key operational expectations for organizations: Organizations in scope should expect formalized controls across governance, prevention, detection, response, recovery, and supplier/third-party risk, aligned to the Directive’s risk-management and reporting requirements. The Directive explicitly strengthens risk management measures and incident notification timelines, and many national guidance sources highlight that it broadens coverage to more sectors and entities than NIS1.
3. Enforcement & penalties (minimum EU thresholds): NIS2 requires Member States to ensure fines are effective, proportionate, and dissuasive and sets minimum maximum thresholds for certain infringements (notably around core risk-management and reporting duties). For Essential Entities, Member States must provide for administrative fines of at least up to EUR 10,000,000 or 2% of total worldwide annual turnover (whichever is higher) for infringements of key obligations (as specified in the Directive). For Important Entities, Member States must provide for administrative fines of at least up to EUR 7,000,000 or 1.4% of total worldwide annual turnover (whichever is higher) for comparable infringements.

Note: Exact enforcement mechanics and additional measures are implemented through national transposition, but the Directive sets these minimum penalty ceilings to avoid weak enforcement across Member States.

At a glance

Determine if you’re in scope (Annex I/II sector + size + special “regardless of size” criteria)
Classify as Essential or Important (impacts supervision intensity).
Implement a risk-management program and ensure capability for timely incident reporting.
Prepare for regulatory engagement and potential significant fines if core obligations are breached.

Perpetually Adaptive Enterprise

About Us

TCS Insights

Upcoming events

Recent recognitions

Want to be a global change-maker? Join our team.

Find the latest news about TCS

Recent Press Releases

Recent News