Spain
(a) What is the NIS2 implementation status?
Spain has not yet fully transposed NIS2, but a draft law is in place. The draft legislation expands the scope beyond NIS2 (Art. 3), including additional sectors such as nuclear industry (high criticality sector) and private security (other sectors), while excluding financial entities already covered by DORA. The framework is based on the national cybersecurity scheme (ENS) and EU certification schemes (Art. 33). It requires essential entities to appoint a Chief Information Security Officer (CISO), with accreditation for essential entities provided by the Ministry of Interior.
(b) What is the envisaged NIS2 implementation timeline?
Under the Spanish NIS2 framework, the National Cybersecurity Centre (Centro Nacional de Ciberseguridad – CNC) maintains a register of providers of digital services and digital infrastructures in accordance with Article 26.
The registration obligation corresponds to the requirements set out under NIS2 but is implemented through the existing national regulatory framework.
At present, there is no single, uniform national registration deadline beyond the deadline applicable to the preparation of the relevant lists under the national framework.
(c) What does the NIS2 mean for other national cybersecurity legislation?
This Directive will require an update of the Spanish regulations, specifically in 12/2018 Royal Decree-and the 43/2021 Royal Decree.
(d) Who will be the supervisory authority and how are they preparing the market?
Without the transposition of the directive being published in Spain yet, it is difficult to answer this question. However, if we use the competent authority established in the previous NIS1 regulation as a reference, it should be the National Center for the Protection of Infrastructures and Cybersecurity (CNPIC).
(e) What should you be doing/on the lookout for?
Regardless of whether the company is a critical or significant entity, all organisations must review the NIS2 requirements and assess their compliance prior to the October 2024 implementation date. Companies will have a number of requirements that include taking measures around operational cyber risk management, cyber hygiene, incident response, incident reporting and supply chain security, employee training, implementing security protocols and policies, providing training for senior management, as well as taking out cyber insurance to prevent personal liability for board members and executives.
As was the case with the EU's GDPR, companies are advised to start this process much earlier to avoid problems.
Contact
Vicente Arias Máiz E: varias@eversheds-sutherland.es
Pedro Manresa E: pmanresa@eversheds-sutherland.es
© Eversheds Sutherland. All rights reserved. Eversheds Sutherland is a global provider of legal and other services operating through various separate and distinct legal entities. Eversheds Sutherland is the name and brand under which the members of Eversheds Sutherland Limited (Eversheds Sutherland (International) LLP and Eversheds Sutherland (US) LLP) and their respective controlled, managed and affiliated firms and the members of Eversheds Sutherland (Europe) Limited (each an "Eversheds Sutherland Entity" and together the "Eversheds Sutherland Entities") provide legal or other services to clients around the world. Eversheds Sutherland Entities are constituted and regulated in accordance with relevant local regulatory and legal requirements and operate in accordance with their locally registered names. The use of the name Eversheds Sutherland, is for description purposes only and does not imply that the Eversheds Sutherland Entities are in a partnership or are part of a global LLP. The responsibility for the provision of services to the client is defined in the terms of engagement between the instructed firm and the client.
Share this page