The accelerating digitalisation of our economy and society has significantly increased exposure to cybersecurity threats. These threats no longer only affect technological systems: they have a direct impact on Europe’s economic, social and geopolitical security.
To respond to this context, the European Union has strengthened its cybersecurity regulatory framework with Directive (EU) 2022/2555, known as NIS2, which replaces the original NIS Directive of 2016.
What changes with NIS2?
NIS2 reinforces the preventive and collaborative approach to cybersecurity. Key new features include:
- Expansion of the scope of application: includes new sectors considered critical, such as health, food, water, public administration, digital infrastructure or critical manufacturing.
- Entity classification: introduces a distinction between essential and important entities, allowing for differentiated supervision based on risk.
- Tighter obligations: strengthens risk management, requires continuity and recovery plans, improves cybersecurity in the supply chain, defines organisational measures such as access control and establishes the obligation to report serious incidents within 24 hours.
- Clear governance: establishes the responsibility of the management bodies of essential and important entities and requires the designation of responsible persons and internal mechanisms to manage cybersecurity in a structured way.
Overall, NIS2 raises the regulatory bar and drives a change in mindset: cybersecurity is now understood as a matter of national and European security, with a direct impact on the EU’s digital sovereignty and strategic autonomy.
Transposition process in Spain
In Spain, the Ministry of the Interior, in collaboration with the Ministry of Economic Affairs and Digital Transformation and the other Ministries involved, is leading the process of regulatory adaptation. We are in a decisive phase: the transposition process is underway, and we expect the regulation to be approved and fully in force in the coming months. It is estimated that the new regulation will affect more than 5,000 companies in 18 different sectors.
The competent authorities will be designated sectorally (CCN-CERT, INCIBE-CERT, CNPIC, etc.), and the new framework is expected to maintain a multi-level collaborative model, with a central role for the National Cybersecurity Council, whose legal status is yet to be defined.
Spain will also have to update its national cybersecurity strategy, strengthen supervision and inspection mechanisms, and establish proportionate sanctions for non-compliance. The Spanish Data Protection Agency will have an additional role when incidents involve personal data.
Transposition process in Germany
In Germany, a legislative process was launched in the Federal Parliament (Deutscher Bundestag) in autumn 2024 to implement NIS2 into national law. Due to the dissolution of the German federal government in November 2024, the legislative process could not be completed. A new federal government has been in office in Germany since May 2025 and has now announced that it will present a new draft for the implementation of NIS2 into national law within the first 100 days of taking office.
Implications for business: new obligations and process changes
The transposition will entail new obligations for thousands of entities, especially in sectors such as telecommunications, energy, transport, health or digital services. Companies will have to:
- Assess their risks on an ongoing basis and implement preventive measures such as multi-factor authentication, network segmentation or encryption.
- Monitor their suppliers and subcontractors, including specific cybersecurity clauses in contracts. The supply chain plays a key role.
- Monitor their activity in real time, through Security Operations Centres (SOCs), and have incident response plans in place.
- Report relevant incidents within 24 hours of detection.
In this context, public-private collaboration will be essential to meet the new requirements and to foster the sharing of threat intelligence.
An approach consistent with the European regulatory ecosystem
NIS2 does not operate in isolation. It is part of an interconnected European regulatory framework that also includes:
- The DORA Regulation, which strengthens digital operational resilience in the financial sector.
- ENS5G, which adapts cybersecurity to next-generation mobile networks.
- The CER Directive, which sets requirements for the physical and organisational resilience of critical entities.
These frameworks complement each other. As developed in the post “DORA, NIS2 and CRA: Deciphering European cybersecurity regulation”, NIS2 provides the horizontal basis on which more specific sectoral obligations are articulated.
The transposition of NIS2 in Member States should not be based only on the need to homogenise the cybersecurity regulatory framework as much as possible and to seek consistency with other regulations such as the CER, DORA, CSA, etc.; it is also important to delve deeper into other key issues. Among them is the necessary creation of a Single Point of Information and reporting of incidents to all competent authorities, to simplify the process. Likewise, it is essential to ensure the proportionality and efficiency of all obligations imposed on the different entities subject to them, avoiding the creation of barriers to free trade or competitive disadvantages for companies depending on their main location in the EU.
Telefónica’s commitment
At Telefónica, we believe that cybersecurity is a key enabler of digitalisation and trust. For this reason:
- We actively participate in the design of public policies at European and national level.
- We have a global network of 24/7 operational SOCs and expert teams serving companies and institutions.
- We develop solutions that facilitate compliance with current and future regulations.
We work to anticipate risks, promote a culture of safety and facilitate an effective transition to the new regulatory framework.
We have extensive experience in security risk management, in the protection of companies and public administrations and in the application of regulations with similar requirements, such as DORA. In addition to adapting our own processes, we actively assist other sectors in complying with these regulations.
Structural change for a more resilient Europe
The transposition of NIS2 in Spain marks a turning point: it takes an additional step by focusing on the continuity of essential services and consolidating European digital autonomy in the face of an unstable geopolitical scenario.
Telecommunications operators, as a transversal infrastructure, play a central role in this strategy. At Telefónica we assume this commitment, reinforcing not only our technical capabilities, but also the trust of our customers, administrations and society.