Cybersecurity NIS2 Directive

What the NIS2 Directive requires, who it affects, the deadlines and fines it imposes, and why compliance is, above all, a matter of documentable and auditable processes.

Cybersecurity Sep 16, 2024 · Updated 5 Jun 2026 · 7 min read · Dokuflex Team

NIS2 is Directive (EU) 2022/2555, whose national transposition deadline was 17 October 2024. It raises the cybersecurity bar for many European organisations: isolated technical measures are no longer enough — it demands governance, risk management, management accountability and an incident-response capability with strict deadlines.

Spain was late to transpose it: the draft Cybersecurity Coordination and Governance Act — which brings NIS2 into national law — was approved by the Council of Ministers in January 2025 and continued through the parliamentary process. But the directive's substantive obligations already set the standard expected of essential and important entities. That is why it matters in 2026: this article, updated in June 2026, summarises what NIS2 requires, with what deadlines and fines, and how to prepare by treating it as what it is — a set of documentable and auditable processes.

What NIS2 requires

NIS2 applies to "essential" and "important" entities across 18 sectors — energy, transport, banking, health, water, digital infrastructure, public administration, space, critical manufacturing, etc. — and, in general, to medium and large companies in those sectors. They face concrete obligations:

  • Risk-management measures. Risk analysis, business continuity, encryption, multi-factor authentication (MFA) and supply-chain security, among others.
  • Direct accountability of management. Management bodies must approve and oversee the measures, undergo mandatory cybersecurity training and are liable for the entity's non-compliance.
  • Reporting of significant incidents. With staggered deadlines: an early warning within 24 hours, a notification within 72 hours and a final report within one month.
  • Supply-chain control. The security of suppliers and third parties becomes the covered entity's responsibility, which drags in many suppliers that are not directly regulated.

Deadlines and fines

Two clocks drive NIS2 compliance: the one for reporting each incident and the one for the financial consequences of failing to comply.

  • Early warning: 24 hours from becoming aware of the significant incident.
  • Notification: 72 hours, with an initial assessment of the incident (severity, impact and indicators of compromise).
  • Final report: 1 month from the notification, with a detailed description, root cause and measures applied.
  • Fines. Up to EUR 10M or 2% of total annual worldwide turnover for essential entities; up to EUR 7M or 1.4% for important entities (whichever is higher).

How to prepare: NIS2 as a process

Complying with NIS2 is not about buying a tool: it is about making sure the obligations — incidents, evidence, training, suppliers — live in defined processes, with owners, deadlines and traceability, rather than in scattered emails and spreadsheets.

  • Define the incident logging and escalation process with the 24h/72h/1-month deadlines already built in as milestones, not as a manual task to remember.
  • Document the risk-management measures and management training, leaving evidence retrievable for an audit.
  • Turn supplier control into a process with a case file: onboarding, security assessment, renewal and evidence for each third party.
  • Ensure every review, decision and corrective action is traced: who, when, with what evidence and which plan was activated.

Where Dokuflex fits

The processes NIS2 requires are documentable and auditable — exactly the territory of a document-centric BPM. Dokuflex lets you orchestrate them without custom development:

  • The incident log is modelled as a workflow with SLAs and escalations that watch the 24h, 72h and one-month deadlines and leave a trail of every step.
  • The documentary evidence of measures, management training and action plans is kept in document management with audit-ready traceability.
  • Supplier control (supply chain) is handled as a process with a case file for each third party, connected to your systems via integrations.
  • Access is reinforced with corporate authentication: see how SSO with Active Directory, OAuth, SAML and 2FA fits, aligned with the MFA measures NIS2 requires.

Frequently asked questions

What is NIS2?

It is Directive (EU) 2022/2555, whose national transposition deadline was 17 October 2024. It raises the cybersecurity bar for essential and important entities across 18 sectors, with risk-management measures, management accountability and incident reporting.

Does it affect my company?

NIS2 applies to essential and important entities across 18 sectors (energy, transport, banking, health, water, digital infrastructure, public administration, space, critical manufacturing, etc.), typically medium and large companies in those sectors. It can also reach you indirectly as a supplier to a covered entity, through the supply-chain security obligations.

What reporting deadlines does it impose?

For a significant incident: an early warning within 24 hours, a notification within 72 hours and a final report within one month. Meeting those deadlines requires having the incident logging and escalation process defined in advance.

What is management's responsibility?

Management bodies are directly accountable: they must approve and oversee the risk-management measures, undergo mandatory cybersecurity training and are liable for the entity's non-compliance.

What fines apply?

For essential entities, up to EUR 10M or 2% of total annual worldwide turnover (whichever is higher). For important entities, up to EUR 7M or 1.4% of worldwide turnover.
