
NIS2 Directive Implementation

Information is one of the main assets of organizations, and therefore requires adequate protection systems against any threat that could jeopardize it.




The NIS1 Directive was the first EU cybersecurity law and the first horizontal internal‑market instrument aimed at improving the resilience of networks and information systems in the Union against cybersecurity risks. Following the challenges posed by the accelerated digitalisation of organisations in the EU during the Covid‑19 pandemic, in December 2020 the Commission proposed a revised, future‑proof set of rules to strengthen the level of cyber‑resilience across the Union. The co‑legislators reached a political agreement on 13 May 2022 and formally adopted the new Directive at the end of November 2022. This new regulation became known as NIS2.

Who does NIS2 affect?

Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union establishes a classification of the companies that must comply with the NIS2 Directive, focusing on what are referred to as essential and important entities.

The sectors and subsectors of HIGH CRITICALITY are:

  • Energy
      • Electricity
      • Urban heating and cooling systems
      • Oil
      • Gas
  • Transport
      • Air transport
      • Rail transport
      • Maritime and inland waterway transport
      • Road transport
  • Banking
  • Financial market infrastructures
  • Healthcare sector
  • Drinking water
  • Wastewater
  • Digital infrastructure
  • ICT service management (business‑to‑business)
  • Public administration entities (with the exception of the judiciary, parliaments, and central banks)
  • Space

And the OTHER CRITICAL SECTORS to be developed under the NIS2 Directive are:

  • Postal and courier services
  • Waste management
  • Manufacture, production and distribution of chemical substances and mixtures
  • Production, processing and distribution of food
  • Research
  • Manufacturing
      • Manufacture of medical devices and in vitro diagnostic medical devices
      • Manufacture of computer, electronic and optical products
      • Manufacture of electrical equipment
      • Manufacture of machinery and equipment n.e.c.
      • Manufacture of motor vehicles, trailers and semi‑trailers
  • Digital service providers
      • Online marketplace providers
      • Online search engine providers
      • Social networking service platform providers

Additionally, it is very important to bear in mind that NIS2 does not only affect large companies; according to the Directive, medium‑sized companies in all these sectors must also be considered within its scope of implementation, given that the scope of application of…

This Directive shall apply to public or private entities of any of the types referred to […] that are considered medium‑sized enterprises in accordance with Article 2 of the Annex to Recommendation 2003/361/EC.

This includes companies that employ more than 50 and fewer than 250 persons and whose annual turnover does not exceed 50 million euros or whose annual balance sheet total does not exceed 43 million euros, with that figure exceeding 10 million euros in either case.

Implementation Methodology

The NIS2 implementation project is carried out in phases, each of which addresses the aspects required for that phase.

Phase 1: NIS2 Compliance Gap Analysis

Stage I: Gap Analysis Preparation

A schedule is prepared for the execution of the Gap Analysis, meetings are convened, and the sample of assets to be analyzed during the Gap is selected. At the end of this stage, the implementation project is formally initiated together with the project sponsors and the relevant profiles involved in its execution.

Stage II: Gap Execution

A thorough analysis of the business is carried out to obtain the necessary knowledge, gathering information from personnel involved in regulatory compliance who are familiar with the current policies, processes, and procedures governing the organization, as well as any documentation generated regarding NIS2 compliance or corporate information security documentation.

This stage also enables the identification of relationships with third parties (service providers) and how they influence compliance with the NIS2 Regulation.

Once the compliance environment is understood, the information obtained will be validated against the requirements established by the Regulation in order to assess the Organization’s compliance status.

Stage III: Gap Report and Delivery of Results

A Results Report is drafted, including an Action Plan with recommendations for full alignment with the Regulation.

The report will contain the following main sections:

  • Executive Summary
  • Methodology Used
  • Current Compliance Status
  • Action Plan

Phase 2: NIS2 Implementation

Stage I: Task Planning

Based on the findings identified in the Gap, the planning of the implementation tasks will be executed. Responsibilities will be assigned for each task, and the project monitoring method will be established.

Stage II: Security Organization

Roles and responsibilities are defined to manage the requirements of the NIS2 Regulation, such as Information Security Officers, Information Security Committees, Information Owners, etc.

Stage III: Definition of the Security Policy

A Security Policy will be defined and must be approved by Management. This Policy will include the information security objectives and will reflect the commitments to comply with applicable security requirements and to ensure continuous improvement.

Stage IV: Measures for Compliance with Security Obligations

The execution and/or drafting of various activities and documentation must be considered, including but not limited to:

  • Risk Analysis
  • Catalogue of organizational, technological, and physical Security Measures
  • Acquisition of security products or services
  • Incident Management
  • Recovery plans and assurance of operational continuity
  • Continuous improvement
  • System interconnection
  • User activity logging

Stage V: Cybersecurity Training

Training personnel is essential, so a training plan must be defined according to the organization’s characteristics and requirements.

Phase 3: Internal Audit

Stage I: Audit Preparation

An Audit Plan will be developed, determining points that may be necessary for certain tasks, time restrictions, the need to process access cards to rooms or buildings, points of contact, interview guidelines, etc.


Stage II: Audit Execution

The meetings established in the Audit Plan from the previous stage will be carried out, conducting a review of conformity with the requirements of the NIS2 Regulation.

Stage III: Audit Report and Delivery of Results

As a result of the Audit, Internet Security Auditors will deliver:

  • Executive Summary
  • Audit Report
  • Action Plan
