Spain
(a) What is the NIS2 implementation status?
The Government has published the Preliminary Draft Law on Cybersecurity Coordination and Governance (“Draft Law”), aimed at transposing into Spanish law Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022, on measures to ensure a high common level of cybersecurity across the Union (“NIS2”).
The Draft Law has finished in the public consultation phase, which began on 16 January and ended on 10 February 2025.
After the conclusion of the public consultation, the Draft Law will go through the necessary administrative and parliamentary procedures before its final approval. Since the deadline for transposing the NIS2 Directive into Spanish law expired on 17 October 2024, the Government has given urgent status to the processing of this law to accelerate its entry into force and avoid potential sanctions from the European Commission.
(b) What is the envisaged NIS2 implementation timeline?
Although an exact publication date is not yet available, it is expected that, due to its urgent processing, the law will be approved in the coming months. Once all parliamentary and administrative procedures are completed, it will enter into force the day after its publication in the Official State Gazette (BOE).
(c) What does the NIS2 mean for other national cybersecurity legislation?
This Directive will require an update of the Spanish regulations, specifically in 12/2018 Royal Decree-and the 43/2021 Royal Decree.
(d) Who will be the supervisory authority and how are they preparing the market?
Without the transposition of the directive being published in Spain yet, it is difficult to answer this question. However, if we use the competent authority established in the previous NIS1 regulation as a reference, it should be the National Center for the Protection of Infrastructures and Cybersecurity (CNPIC).
(e) What should you be doing/on the lookout for?
Regardless of whether the company is a critical or significant entity, all organisations must review the NIS2 requirements and assess their compliance prior to the October 2024 implementation date. Companies will have a number of requirements that include taking measures around operational cyber risk management, cyber hygiene, incident response, incident reporting and supply chain security, employee training, implementing security protocols and policies, providing training for senior management, as well as taking out cyber insurance to prevent personal liability for board members and executives.
As was the case with the EU's GDPR, companies are advised to start this process much earlier to avoid problems.
Contact
Vicente Arias Máiz E: varias@eversheds-sutherland.es
Pedro Manresa E: pmanresa@eversheds-sutherland.es
© Eversheds Sutherland. All rights reserved. Eversheds Sutherland is a global provider of legal and other services operating through various separate and distinct legal entities. Eversheds Sutherland is the name and brand under which the members of Eversheds Sutherland Limited (Eversheds Sutherland (International) LLP and Eversheds Sutherland (US) LLP) and their respective controlled, managed and affiliated firms and the members of Eversheds Sutherland (Europe) Limited (each an "Eversheds Sutherland Entity" and together the "Eversheds Sutherland Entities") provide legal or other services to clients around the world. Eversheds Sutherland Entities are constituted and regulated in accordance with relevant local regulatory and legal requirements and operate in accordance with their locally registered names. The use of the name Eversheds Sutherland, is for description purposes only and does not imply that the Eversheds Sutherland Entities are in a partnership or are part of a global LLP. The responsibility for the provision of services to the client is defined in the terms of engagement between the instructed firm and the client.
Share this page