ENS and NIS2: how both regulations fit together in 2025
Practical mapping of ENS and NIS2 for Spanish organisations facing both: overlaps, specific NIS2-only requirements and an integrated compliance approach.
NIS2 (Directive EU 2022/2555) is already transposed in Spain. Thousands of organisations now fall under its scope, many of them also within ENS scope. The natural question: do I need to comply with both? If so, how do I avoid duplicating work? This article offers a practical map to integrate ENS and NIS2 compliance programmes without doing the same work twice.
What each regulation is
ENS
- Sectoral scope: Spanish public sector and its providers.
- Control-focused: 73 prescriptive controls in Annex II.
- Certification-driven: mandatory ENAC-accredited certificate for Medium and High categories.
- Domestic: Spanish law (RD 311/2022).
NIS2
- Sectoral scope: critical and important sectors across the EU, including energy, transport, banking, healthcare, drinking water, wastewater, digital infrastructure, space, postal services, public administration, digital providers, manufacturing, food, and chemicals.
- Outcome-focused: establishes cybersecurity requirements but at higher abstraction than ENS.
- Supervision-driven: national competent authorities inspect, sanction, and accept voluntary certifications.
- European: EU directive, transposed nationally.
Who is affected by both
An organisation is subject to both if:
- It falls within NIS2 sectoral scope (essential or important entity), AND
- It is a public-sector body or provides services to the public sector.
Typical examples:
- A regional health service (public sector → ENS; healthcare sector → NIS2).
- An electricity distribution company (energy → NIS2; if also public-owned or serving public bodies → ENS).
- A major digital-service provider (DNS, CDN, cloud, marketplace → NIS2; if selling to Spanish public sector → ENS).
- Water utilities.
- Public-transport operators.
- Large universities.
Estimated overlap in Spain: 5,000-10,000 entities.
Where the two converge
On specific controls, the overlap is very high (70-80%). Both require:
- Risk management and governance.
- Access control.
- Asset management.
- Vulnerability management.
- Incident detection, response and recovery.
- Business continuity.
- Supply-chain security.
- Encryption.
- Logging and traceability.
- Personnel training and awareness.
An organisation already implementing ENS Medium has already done most of the NIS2 groundwork.
Where NIS2 adds beyond ENS
Much stricter reporting
- 24 hours: early warning of a significant incident.
- 72 hours: incident notification.
- 30 days: final report.
- Ongoing: notifications of significant cyber-threats.
ENS reporting is less prescriptive and typically routed through CCN-CERT. NIS2 layers additional national competent authority notifications.
Management-level accountability
NIS2 places personal legal responsibility on the management body. Board members must approve cybersecurity risk-management measures, oversee implementation, and attend specific training.
Supply-chain focus
NIS2 emphasises third-party cybersecurity requirements, ICT supply-chain risk, and direct supplier assessment. ENS covers this, but NIS2 is more prescriptive.
Penalties
NIS2 sanctions can reach €10 million or 2% of global annual turnover for essential entities. ENS non-compliance typically results in exclusion from public tenders or contract termination, not administrative sanctions.
Register of entities
NIS2 requires formal registration of affected entities with national authorities.
Where ENS adds beyond NIS2
Control specificity
ENS references detailed technical guides (CCN-STIC) and reinforcements per category. NIS2 is more abstract.
Certification scheme
ENS offers a mature, mandatory certification scheme. NIS2 accepts but does not mandate certifications.
Five dimensions
ENS categorises systems across five explicit dimensions (including traceability and authenticity). NIS2 is more general.
Interoperability
ENS includes interoperability-with-other-administrations requirements that NIS2 doesn’t cover.
An integrated approach
1. Single governance
One Security Committee covering both. Roles clearly assigned. Board-level representation (NIS2 requirement, ENS benefit).
2. Single ISMS
One Information Security Management System serving both regimes. Saves substantial documentation time.
3. Single risk analysis
Using the same methodology (MAGERIT v3 in PILAR) covering the dimensions ENS requires, with sufficient granularity for NIS2.
4. Unified SoA with mapping
Each control mapped to: ENS Annex II reference, NIS2 article, ISO 27001 Annex A reference (optional). Single SoA, three columns.
5. Coordinated controls
Supplier management, incident response, BCP: one procedure for all three regimes.
6. Dual incident response
One playbook that triggers both CCN-CERT/INCIBE-CERT and the competent NIS2 authority notifications within mandated timelines.
7. Integrated training
One awareness programme. Management-specific training layered on top for NIS2.
8. Coordinated audits
Some accredited bodies offer combined audits. Cost savings of 20-30%.
Timeline if starting both today
- Month 1: alignment. Gap analysis against both.
- Month 2-3: governance (Committee, roles). Documentation.
- Month 4-6: control implementation. Pre-audit.
- Month 7: ENS certification audit.
- Month 8: NIS2 readiness validated. Registration with authority.
Total: 6-8 months for an organisation starting from scratch, vs. 12-15 months for two independent projects.
If you already have ENS
Congratulations, you have 70-80% of NIS2 done. What’s missing:
- Gap analysis against NIS2 specifically.
- Register with the national competent authority.
- Strengthen incident-reporting (24h/72h/30d timelines).
- Strengthen supply-chain-risk requirements.
- Board-level cybersecurity training.
- Documented management-body approval.
Effort: 2-3 months and a fraction of the cost of a full compliance project.
If you only have NIS2
ENS is additive work on top. You have the governance and likely many of the controls in place. You need:
- Mapping NIS2 controls to ENS Annex II.
- Implementing ENS-specific reinforcements (CCN-STIC).
- Formalising categorisation.
- Preparing for ENAC audit.
- Specific ENS documentation (Security Policy, SoA, STIC procedures).
Effort: 4-6 months typically.
Common mistakes
Running them as separate projects
Two committees, two sets of documentation, two audits. Triple cost with none of the benefits.
Assuming ENS covers NIS2 entirely
70-80% overlap is not 100%. Missing the NIS2-specific reporting timelines is a real legal risk.
Ignoring management training requirements
Board-level training is a NIS2 obligation, not a nice-to-have.
Not registering as a NIS2 entity
An obligation, often overlooked in the first year. Penalties apply.
Treating supplier management as secondary
Both regimes are clear: suppliers are in scope. Neglecting this is the most common gap we see.
Recommended action
- Audit whether you’re in scope for NIS2, ENS, or both.
- If both: plan an integrated programme, not two parallel ones.
- If one: anticipate the other — it’s often coming.
- Assign clear governance and management-level accountability.
- Prepare incident-response that meets NIS2 timelines.
- Document supplier assessment.
- Register formally and pick your certification path.
Final recommendation
ENS and NIS2 are natural partners. Organisations that align them now, at the start of the NIS2 enforcement window, will have stable compliance for years. Those who delay or run them separately will pay more, coordinate worse, and miss obligations. The first post-transposition cycle is the perfect time to integrate.