INTRODUCTION
Directive (EU) 2022/2555, commonly referred to as NIS2, is the cornerstone of the EU’s renewed cybersecurity framework. Adopted in January 2023, its objective is to significantly strengthen the resilience of the Union’s essential systems in the face of an increasingly complex, hostile, and geopolitically sensitive cyber threat landscape. In Spain, its transposition will take place through the upcoming Law on Cybersecurity Coordination and Governance.
Compared to its predecessor, NIS2 considerably expands the directive’s scope, extending cybersecurity obligations to a broader set of strategic sectors and entities — such as public administrations, manufacturers of critical products, and digital social platforms. It includes new requirements on governance, risk management, and incident reporting, and introduces a paradigm shift in accountability by making the top management of firms explicitly responsible for non-compliance.
This shift comes at a time when many organizations in Spain still face deep operational cybersecurity challenges, including lack of leadership literacy and ownership of cyber risks, supply chain vulnerabilities, and the limited technological readiness of current cybersecurity systems in the face of generative AI and other emerging technologies. Addressing these challenges will be key not only to comply with the new directive but to enhance the country’s security and competitiveness in an evolving landscape.
The Center for the Governance of Change (CGC) at IE University, in partnership with ISMS Forum, is developing a systemic diagnosis of the gaps between the current cybersecurity maturity of organizations newly subject to the NIS2 Directive and the requirements imposed by the regulation by providing a rigorous, actionable model that assesses and strengthens the structural resilience of Spanish organizations.
By focusing on structural readiness rather than mere compliance status, the research will identify the key organizational, technological, procedural, and governance barriers that must be addressed through targeted reforms and strategic support — ultimately enabling a more secure, resilient, and future-ready national cybersecurity landscape.
Our goal is twofold:
- To empower subject organizations to elevate the strategic role of their CISOs, enabling better alignment between cybersecurity, governance, and business objectives.
- To support national competitiveness and compliance by generating evidence-based insights that guide organizations, regulators, and policymakers in strengthening cyber resilience.
The project takes an applied-research approach combining desk research, expert validation, and field data collection. It will take place in four phases:
- Foundational Research & Model Design: Development of a validated framework of organizational resilience enabling entities to assess their structural and strategic readiness, benchmark performance, and identify clear pathways for improvement.
- Data Collection: A survey with cybersecurity and business leaders across key NIS2 sectors to understand the state of governance, responsibilities, and reporting of technological risk.
- Analysis & Benchmarking: Collected data will be analyzed to produce the first national baseline of cybersecurity maturity and resilience in Spain, identifying sectoral patterns and critical gaps in NIS2 preparedness, highlighting key barriers to strategic resilience, and benchmarking Spanish organizations against the broader EU implementation landscape.
- Stakeholder Engagement & Dissemination: Organization of a series of private and public roundtables, convening policymakers, sectoral leaders, and CISOs to discuss results, validate findings, and co-design next steps for implementation.
Research Team
In partnership with