NIS2 and cybersecurity for law firms: directly obligated or only as suppliers?
Directive NIS2 (EU) 2022/2555 is in force. We analyse whether law firms are directly within scope, the indirect risk as suppliers of essential entities, and the minimum cybersecurity measures every firm must implement.
NIS2 scope for law firms
Most Spanish law firms are NOT directly subject to NIS2 as essential or important entities, unless they supply critical infrastructure operators, qualify as large-scale legal service providers, or act as managed IT service providers.
Indirect risk: NIS2 supply chain requirements mean essential entities (banks, energy companies) can contractually require NIS2-equivalent cybersecurity standards from their law firm advisors.
GDPR Art. 32 applies to every firm regardless of NIS2 scope; the minimum cybersecurity measures it requires are:
- Two-factor authentication (2FA) on every system that holds client data
- Encryption at rest (BitLocker/FileVault) and in transit (HTTPS/VPN)
- The 3-2-1 backup rule, with monthly restoration tests
- Automatic updates, with critical patches applied within 72 hours
- Semi-annual phishing simulations (90% of attacks start with phishing)
Most common incidents: 40% phishing/BEC, 35% ransomware, 15% data leaks.
GDPR breach notification: 72 hours to notify the AEPD where there is a risk to data subjects (Art. 33 GDPR). NIS2 notification (in-scope entities only): 24-hour early warning, 72-hour full report, and a final report within one month.