Spain
(a) What is the NIS2 implementation status?
In Spain, the transposition of the directive has not been carried out as of now and is currently in the process of development.
As of 17 January 2023, the transposition period of Directive NIS2 by EU Member States has commenced, and it will conclude on 17 October 2024.
Likewise, with a deadline of 17 January 2025, Member States must have communicated the applicable sanctioning regime for non-compliance, and by 17 April 2025, they should have compiled a list of essential and important entities.
(b) What is the envisaged NIS2 implementation timeline?
In Spain, we still do not have information on when the directive will be implemented. It is unlikely that Spain will meet the transposition deadline, with expectations pointing to its publication by the end of this year or the beginning of the next.
(c) What does the NIS2 mean for other national cybersecurity legislation?
This Directive will require an update of the Spanish regulations, specifically in 12/2018 Royal Decree-and the 43/2021 Royal Decree.
(d) Who will be the supervisory authority and how are they preparing the market?
Without the transposition of the directive being published in Spain yet, it is difficult to answer this question. However, if we use the competent authority established in the previous NIS1 regulation as a reference, it should be the National Center for the Protection of Infrastructures and Cybersecurity (CNPIC).
(e) What should you be doing/on the lookout for?
Regardless of whether the company is a critical or significant entity, all organisations must review the NIS2 requirements and assess their compliance prior to the October 2024 implementation date. Companies will have a number of requirements that include taking measures around operational cyber risk management, cyber hygiene, incident response, incident reporting and supply chain security, employee training, implementing security protocols and policies, providing training for senior management, as well as taking out cyber insurance to prevent personal liability for board members and executives.
As was the case with the EU's GDPR, companies are advised to start this process much earlier to avoid problems.
Contact
Vicente Arias Máiz E: varias@eversheds-sutherland.es
Pedro Manresa E: pmanresa@eversheds-sutherland.es
© Eversheds Sutherland. All rights reserved. Eversheds Sutherland is a global provider of legal and other services operating through various separate and distinct legal entities. Eversheds Sutherland is the name and brand under which the members of Eversheds Sutherland Limited (Eversheds Sutherland (International) LLP and Eversheds Sutherland (US) LLP) and their respective controlled, managed and affiliated firms and the members of Eversheds Sutherland (Europe) Limited (each an "Eversheds Sutherland Entity" and together the "Eversheds Sutherland Entities") provide legal or other services to clients around the world. Eversheds Sutherland Entities are constituted and regulated in accordance with relevant local regulatory and legal requirements and operate in accordance with their locally registered names. The use of the name Eversheds Sutherland, is for description purposes only and does not imply that the Eversheds Sutherland Entities are in a partnership or are part of a global LLP. The responsibility for the provision of services to the client is defined in the terms of engagement between the instructed firm and the client.
Share this page