ZIUR and the CCI Centre join forces to avoid multi-million dollar fines for non-compliance with the NIS2 directive

2025 / 01 / 15
More than 80 companies took part in the NIS2 awareness workshop.


More than 80 companies are participating in the workshops organised jointly by the two entities to raise awareness in the industry about the NIS2 regulation, which establishes a minimum level of cybersecurity for all Member States of the European Union

ZIUR and the Industrial Cybersecurity Centre (CCI) have joined forces to raise awareness among companies of the new European NIS2 regulation, non-compliance with which can lead to multi-million euro fines. More than 80 companies have already participated in the first of the workshops organised by the two entities, which will continue this training with a second session on 11 February.

Understanding the cybersecurity implications and obligations that SMEs have “is essential to identify gaps and know key tools that guarantee effective management in this field,” says the director of ZIUR, María Penilla, who insists that “strategic management of cyber risk must be carried out in times of high uncertainty” in order to improve the competitiveness of the Gipuzkoan industrial fabric.

The alliance between ZIUR, belonging to the Provincial Council of Gipuzkoa, and the CCI allows both entities to share strategies, develop joint actions and add capabilities in the face of, for example, this new regulation to help SMEs ensure compliance. “It is essential to protect the corporate strategy from the risks of cyberspace and to do so, the response capacity of the organization must be known. It is important for SMEs to assess whether they are within the scope of the NIS2 Directive and, if so, implement the necessary cybersecurity measures to comply with the regulations and protect their information systems,” says Juan Pulpillo, a CCI expert in legal compliance, who assures that it is the company's management that “must lead the protection of the organization against cyber threats and must face compliance with regulatory obligations.”

The NIS2 Directive, already in force, aims to strengthen cybersecurity throughout the EU, establishes minimum risk management requirements for essential sectors and requires stricter measures to protect critical infrastructures and improve resilience against cyberattacks. “Information security and cyber resilience have become an essential issue for the business continuity of organizations. Adapting an SME to the NIS 2 directive requires a combination of internal analysis, investment in technology, training and external collaboration,” says this CCI expert.

Sanctions and legal liability

This regulation also increases the pressure on industrial organisations, through legal responsibilities and sanctions, to adopt the best cybersecurity practices. In this sense, fines for non-compliance are very significant, as they can reach up to 10 million euros or 2% of total annual turnover for essential entities, and up to 7 million euros and 1.4% of turnover for important entities.

But, in addition, sanctions can also include measures such as the temporary suspension of the provision of services, temporary prohibitions for certain individuals to occupy specific positions, and the imposition of corrective measures to address security deficiencies, as reported by ZIUR's Artificial Intelligence-based Virtual Assistant, available on the centre's website 24 hours a day, 7 days a week to resolve all kinds of doubts about this directive.

Investment, training and collaboration

In the era of digitalisation, managing the vulnerabilities present in each piece of equipment and each machine in a factory is not an option but a necessity, especially in Gipuzkoa, where industry is one of the great drivers of the economy. And if there is one thing the industrial fabric of Gipuzkoa is aware of, it is that attacks have grown exponentially in recent years.

Vulnerabilities can range from software and hardware failures to incorrect network configurations and, as the latest ZIUR report, ‘Life cycle of vulnerabilities’, points out, the vulnerability life cycle consists of three phases: identification and evaluation, communication and mitigation, and verification and continuous improvement. “Using tools that allow these entry routes for attacks to be detected and the risks to be assessed, a clear communication and mitigation protocol against these attacks and constant updating in both policies and staff training, as well as in the verification of the robustness of their protection systems, is essential for any company,” says María Penilla.

This report also presents some of the most effective measures for improving cybersecurity in an increasingly digitalised industrial environment such as that of Gipuzkoa: continuous monitoring and risk analysis, industrial cybersecurity testing laboratories, self-diagnostics and diagnostic tools.