
Cybersecurity Rules and Standards: Everything Your Business Needs to Know.
In the current context, where cyber threats and data protection are of vital importance, organizations must comply with a variety of cybersecurity standards and regulations to ensure the security of their systems, data privacy, and operational resilience. Among the most prominent regulations are NIS2, DORA, GDPR, ENS, and ISO 27001. Although all of them are related to cybersecurity, each has a different focus and scope. In this article, we will explain the differences between these regulations, the sectors they affect, their application deadlines, and the relevance of ISO 27001 in this context.
Key Differences Between Security Standards and Regulations
Current security standards and regulations differ essentially in two factors:
- Scope of application. Each aims to protect the information and digital assets of organizations, but with distinct areas of application based on criteria such as the criticality of the services provided.
- Mandatory nature of the regulation. Regulations are enforceable laws, while standards, like ISO, are voluntary. However, in practice, they may be required by providers, making the voluntary nature debatable.
NIS2: The Directive on Security of Network and Information Systems.
Objective:
The NIS2 Directive aims to increase cybersecurity in the network and information systems of the European Union, particularly in key sectors essential for the economy and society.
Applicable Sectors:
- Energy.
- Transport.
- Banking.
- Water and health infrastructures.
- Digital service providers (cloud, search engines, online marketplaces).
Application Deadline:
The deadline for transposing the NIS2 Directive into EU Member States ended on 17/10/2024. In Spain, the public consultation closed on 10/02/2025, and the law is in its final stages of drafting and approval.
DORA: The Digital Operational Resilience Act.
Objective:
DORA (Digital Operational Resilience Act) seeks to ensure that entities in the financial sector are resilient against cyber incidents, safeguarding the stability of financial markets.
Applicable Sectors:
- Banks.
- Insurers.
- Pension funds.
- Financial service providers (fintech).
- Financial market infrastructures.
Application Deadline:
In effect since 17/01/2025, without the need for transposition, as it is a Regulation.
GDPR: The General Data Protection Regulation.
Objective:
The GDPR regulates the processing of personal data in the EU, ensuring the privacy protection of individuals and establishing strict requirements on how businesses must handle and protect such data.
Applicable Sectors:
- All businesses that process personal data of EU citizens, regardless of their location.
- Companies offering goods or services to people in the EU.
- Organizations that monitor the behavior of individuals in the EU.
Application Deadline:
The GDPR has been in effect since 2018, and compliance has been mandatory since then. The 5 most common mistakes when implementing the GDPR are covered in a separate article.
ENS: National Security Framework (Spain).
Objective:
ENS is a Spanish regulation that sets a framework for ensuring the security of information systems in the public sector and in companies interacting with the Public Administration, protecting the confidentiality, integrity, and availability of data.
Applicable Sectors:
- Public administrations (central, regional, and local).
- Companies that manage public information or interact with the Public Administration.
- Providers of essential services for the Administration.
Application Deadline:
ENS has been in effect since 2010, with updates in 2020 that enhanced security requirements.
ISO 27001: Information Security Management System.
Objective:
ISO 27001 is an international standard that sets requirements for implementing an Information Security Management System (ISMS). Its goal is to ensure that information is managed securely, protecting its confidentiality, integrity, and availability through a set of controls and policies. ISO 27001 is a voluntary certification that can be obtained by any type of organization, regardless of size or sector.
Applicable Sectors:
Unlike other regulations, ISO 27001 is not sector-specific but can be applied to any organization that wants to protect sensitive information, whether public or private. This includes:
- Companies of any sector.
- Service providers.
- Public and private organizations.
Application Deadline:
ISO 27001 is a voluntary certification, so it does not have a specific “application deadline.” However, organizations wishing to obtain it must undergo a process of implementation and auditing, which can take several months, depending on the complexity of the company’s systems.
Key Differences Between Cybersecurity Standards and Regulations
Scope and Objective of Cybersecurity Standards and Regulations:
- NIS2 focuses on protecting critical infrastructures and essential services in the EU, such as energy and health.
- DORA is designed to enhance cyber resilience in the financial sector.
- GDPR regulates the processing of personal data and the protection of individuals’ privacy.
- ENS sets security requirements for information systems in the Public Administration and its providers in Spain.
- ISO 27001 is an international standard for information security management, applicable to any organization.
Affected Sectors:
- NIS2 affects sectors such as energy, transport, and health.
- DORA applies to the financial sector.
- GDPR applies to all companies processing personal data of EU citizens.
- ENS applies to public administrations and their providers in Spain.
- ISO 27001 can be implemented by any organization wishing to improve its information security.
Enforceability Deadlines:
- NIS2 came into effect in 2024.
- DORA came into effect in January 2025.
- GDPR has been in effect since 2018.
- ENS has been in effect since 2010.
- ISO 27001 is a voluntary certification with no enforceability deadline; its acquisition depends on the organization’s decision.
Compliance Approach:
- NIS2, DORA, GDPR, and ENS are binding legal instruments, in some cases with penalties for non-compliance.
- ISO 27001 is a voluntary standard with a focus on the continuous improvement of information security.
Conclusion
Each of these cybersecurity standards and regulations plays a crucial role in protecting information but with different approaches. NIS2 and DORA are European regulations targeting specific sectors such as critical infrastructures and the financial sector, while GDPR governs the protection of personal data. ENS, on the other hand, establishes a security framework in Spain.
Author: Victor Roselló, Lawyer.
If you need more information, contact us!