20 May 2026 · 6:00 PM CEST | ⏱️ Approx. 45 min | Free Online
What you will learn in this webinar
The entry into force of the NIS2 Directive has put thousands of European companies on alert. But NIS2 is not the only framework demanding attention: Spain’s Esquema Nacional de Seguridad (ENS) and the ISO 27001 certification standard both carry significant weight — and many organisations are unsure which ones apply to them, which to pursue first, or how they relate to each other.
On 20 May 2026 at 6:00 PM CEST, Factorial IT is hosting a free webinar in which Privalex’s cybersecurity lawyers answer all of these questions with a fully practical approach. No empty theory. No unnecessary jargon.
The webinar is free and runs approximately 45 minutes. Registered attendees will receive a self-assessment checklist and access to a special offer combining Privalex consultancy with Factorial IT tooling for those ready to take the next step.
What the session covers
The agenda prepared by Privalex covers six blocks:
- Regulatory context: why compliance pressure is growing and how certification has become a competitive advantage.
- NIS2 in depth: scope of application, senior management liability, and mandatory security measures.
- ENS: security categories (High, Medium, Basic), who it affects, and alignment with NIS2.
- ISO 27001: what it is, how certification works, and what advantages it brings in supply chains.
- Which framework does my organisation need?: a decision table by organisation profile.
- NIS2 / ENS / ISO 27001 comparison: nature, scope, penalties, incident management, and certification.
Why Privalex speaks about these certifications
Privalex is a law firm specialising in privacy, cybersecurity and Information Security Management Systems (ISMS). Our work is precisely this: guiding organisations through the compliance journey, from initial gap assessment to certification audit.
We do not talk about NIS2, ENS or ISO 27001 because we have read the legal texts. We know them because we take organisations through them: we draft policies, prepare audit evidence, coordinate certification audits and solve the real problems that arise when legal theory meets day-to-day business operations.
Certification is not the goal. The goal is making your organisation genuinely more secure, and being able to prove it to clients, regulators and auditors.
Two of our specialist lawyers will present at the webinar:
- Javier Castellano | Head of Security and Privacy Certifications
- Alberto Navas | Security and Privacy Certifications Consultant
Factorial IT: the platform that connects IT and HR
Factorial IT is the new IT management vertical from Factorial, an all-in-one business software platform trusted by teams managing over 20,000 employees worldwide. Factorial IT was built to solve a specific problem: IT teams managing devices, SaaS access and compliance with too many disconnected tools.
Its core proposition is integrating IT management directly with HR data, so that when an employee joins or leaves, device provisioning and access revocation happen automatically, no manual work required.
The connection between the compliance expertise Privalex brings and the tooling Factorial IT provides is deliberate. In the webinar, you will see concretely how the technical controls required by NIS2, ENS and ISO 27001 can be automated through an MDM platform tightly integrated with HR processes.
NIS2, ENS and ISO 27001: what they are, who they affect, and why they matter
Here is a quick reference for each framework so you arrive at the webinar with the context already in place:
NIS2 Directive (Mandatory; EU)
EU cybersecurity framework for essential and important entities. Transposition obligations already enforceable across member states.
- Energy, transport, banking, health, water, ICT
- Direct senior management liability
- Incident notification within 24 / 72 hours
- Fines up to €10M or 2% of global turnover
ENS (Mandatory; Spain)
Esquema Nacional de Seguridad. Mandatory for Spanish public administrations and their private ICT suppliers.
- Categories: High, Medium, Basic
- Applies to public bodies and public-sector IT vendors
- Aligned with NIS2 core principles
- Formal certification issued by accredited body
ISO 27001 (Voluntary; International)
International ISMS standard. Voluntary but increasingly required in tenders, enterprise procurement and supply chain due diligence.
- Applies to any organisation in any country
- Demonstrates compliance to clients and partners
- Simplifies ENS certification and NIS2 compliance
- Third-party certification audit required
NIS2 in detail: the regulation generating the most concern
The NIS2 Directive (EU 2022/2555) significantly expands the scope of its predecessor, NIS1. The main change is the distinction between essential entities (critical sectors such as energy, transport and health) and important entities (highly critical but with lower potential impact), each carrying different obligations and a different sanctions regime.
One of the aspects that concerns companies most is senior management liability: executives can be held personally responsible if adequate security measures were not implemented. This means NIS2 compliance cannot remain a purely IT department matter; it requires board-level ownership.
ENS in detail: the Spanish framework affecting the entire public sector and its suppliers
The Esquema Nacional de Seguridad (governed by Royal Decree 311/2022) is mandatory for all Spanish public administrations and for private companies supplying technology products or services to them. If your company sells software, cloud services or infrastructure to the Spanish government or its agencies, ENS applies to you directly.
The categorisation system (High, Medium, Basic) determines the level of rigour required for the controls that must be in place. The growing alignment between ENS and NIS2 means organisations subject to both can increasingly work towards a single integrated framework.
ISO 27001 in detail: the certification that opens doors globally
Unlike NIS2 and ENS, ISO/IEC 27001:2022 is voluntary, but its relevance grows every year. In international tenders, contracts with large enterprise clients and due diligence processes, ISO 27001 certification has become a standard requirement.
Moreover, having an ISMS certified under ISO 27001 significantly simplifies NIS2 compliance and the ENS certification process, as many controls overlap. For organisations subject to multiple frameworks, ISO 27001 is often the most efficient entry point.
Frequently Asked Questions (FAQs)
Which companies does NIS2 apply to in Spain?
NIS2 applies to essential and important entities in sectors including energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration and space. It also covers additional high-criticality sectors such as postal and courier services, waste management, chemicals, food production, critical equipment manufacturing, digital providers and research organisations.
In Spain, NIS2 transposition is progressing through national legislation. If you are unsure whether your organisation falls within scope, the webinar is the right place to find out.
What is the difference between ENS and ISO 27001?
ENS is mandatory for Spanish public administrations and private companies that supply ICT services or products to them. ISO 27001 is voluntary and applies to any organisation in any country.
That said, the two frameworks are highly complementary: achieving ISO 27001 certification makes the ENS certification process significantly easier, because a large number of controls overlap. The webinar will explain this alignment in practical detail.
Does my organisation need all three at the same time?
It depends entirely on your organisation’s profile. NIS2 is mandatory if you fall within its scope. ENS is mandatory if you are a public body or a private ICT supplier to the Spanish public sector. ISO 27001 is voluntary but may be strategically necessary if you want to access certain markets, win public tenders or satisfy enterprise customer requirements.
The webinar includes a decision table by organisation type to help you make this call in an informed way.
When does NIS2 take effect in Spain?
The NIS2 Directive required transposition into national law by all EU member states before 17 October 2024. Spain’s full transposition continues through national legislation, but the obligations arising from the directive are already enforceable: competent authorities can require compliance from affected entities now.
What is the difference between an audit and a certification?
An audit is an assessment of your organisation’s compliance with a given framework. It can be internal (carried out by your own team) or external (by an independent third party). The outcome is a report of findings and recommendations.
A certification is the formal outcome of a successful third-party audit: an accredited body issues a certificate publicly attesting to your compliance. ENS and ISO 27001 have formal certification processes; NIS2 does not have a specific certificate but does require verifiable evidence of compliance. The webinar will explain this distinction with practical examples.
How can an MDM solution help with NIS2 or ISO 27001 compliance?
An MDM (Mobile Device Management) platform automates technical controls these frameworks explicitly require: device encryption, security policy enforcement, remote lock and wipe in the event of loss or theft, and automatic generation of audit-ready reports.
Factorial IT adds HR integration on top of this, meaning access controls update automatically when an employee joins or leaves, eliminating one of the most common risk vectors: orphaned credentials that remain active after someone has left the organisation.
What are the NIS2 penalties for non-compliance?
NIS2 introduces a significantly stricter sanctions regime than its predecessor. For essential entities, fines can reach €10 million or 2% of total global annual turnover, whichever is higher. For important entities, the cap is €7 million or 1.4% of global turnover.
Beyond the financial penalty, senior management of essential entities can be held personally liable if adequate risk management measures were not implemented. This is one of the most significant changes from NIS1 and a major reason why board-level engagement with NIS2 compliance is now essential.
Does the webinar include downloadable materials?
Yes. All registered attendees will receive a self-assessment checklist to evaluate their organisation’s current compliance posture. There will also be a special offer for attendees who want to take the next step, combining Privalex consultancy with Factorial IT tooling in a joint pack.
