NIS2 Country Guide

NIS2 Spain: Draft Cybersecurity Coordination & Governance Law

Understand how Spain plans to transpose the NIS2 Directive through the future Cybersecurity Coordination and Governance Law (Ley de Coordinación y Gobernanza de la Ciberseguridad), the creation of the National Cybersecurity Centre (CNCS), and what essential and important entities should already be doing to prepare.

Spain NIS2 status: Draft law in Parliament
Future law: Cybersecurity Coordination & Governance Law
Planned authority: CNCS (National Cybersecurity Centre)

Introduction: NIS2 Directive & the Spanish context

Spain already has a relatively advanced national cybersecurity framework, including the National Security Scheme (Esquema Nacional de Seguridad – ENS) and specific rules for 5G networks and services. Until now, however, regulation has been fragmented across several decrees and sectoral rules rather than a single NIS2-aligned law.

Directive (EU) 2022/2555 (NIS2) requires Spain to consolidate and upgrade this framework. The Government is doing so via the future Cybersecurity Coordination and Governance Law, which will transpose NIS2, integrate the EU Critical Entities Resilience (CER) rules, and create a new National Cybersecurity Centre (CNCS) under the Ministry of the Interior.

Important: as of late 2025, the law is still in parliamentary process. Organisations should nevertheless prepare based on NIS2 and the published draft.

NIS2 implementation in Spain

On 14 January 2025 the Council of Ministers approved the Draft Law on Cybersecurity Coordination and Governance (Anteproyecto de Ley de Coordinación y Gobernanza de la Ciberseguridad), which is the main legislative vehicle to transpose NIS2 into Spanish law. The draft was published for public consultation in January and is being processed under an urgent parliamentary procedure.

The draft law merges NIS2 with the EU Critical Entities Resilience (CER) framework and establishes a comprehensive national governance model for cybersecurity, placing the future Centro Nacional de Ciberseguridad (CNCS) at the centre and defining the roles of existing bodies such as INCIBE-CERT, CCN-CERT and sectoral regulators.

Spain missed the EU transposition deadline of 17 October 2024, and at the time of writing the law has not yet been promulgated in the Official State Gazette (BOE). The European Commission has launched infringement proceedings, however, and all signals point to adoption in the short term, with obligations then applying within a phased implementation timetable.

Status

NIS2 is not yet fully transposed in Spain. A draft Cybersecurity Coordination and Governance Law has been approved by the Government and is under urgent parliamentary scrutiny, but is not yet in force.

Legal structure (planned)

A single Cybersecurity Coordination and Governance Law will transpose NIS2 and CER, define scope, obligations, authorities and sanctions, and sit alongside existing instruments like the ENS for public-sector and critical information systems.

Scope

The draft law follows NIS2 in classifying entities as essential or important, expanding coverage to sectors such as waste management, food, scientific research and public administrations in addition to traditional critical sectors.

NIS2 Spain: what you need to know about compliance

Even before the Spanish law is formally adopted, NIS2 gives a clear picture of the obligations that essential and important entities will face. The draft law essentially mirrors those requirements and embeds them into Spain’s legal and institutional landscape.

Who is in scope?

  • Entities in NIS2 Annex I sectors (energy, transport, banking, financial market infrastructures, health, drinking water, digital infrastructure, public administration, etc.).
  • Entities in Annex II sectors (postal and courier services, waste management, food, manufacturing of critical products, ICT service management, research, etc.).
  • Size-independent entities, including DNS and TLD operators, providers of trust services, major cloud and data-centre operators and certain managed and security service providers.
  • Additional operators identified by Spain as critical or of high relevance for national security and public services, including certain public administrations.

Core obligations (expected)

  • Implement risk-management measures covering governance, policies, asset management, network and system security, access control, vulnerability management, backup and recovery.
  • Maintain incident-preparedness and business continuity plans, including disaster recovery and crisis-communication procedures.
  • Report significant cyber incidents and certain cyber threats on tight deadlines (initial notification within 24 hours, followed by more detailed reports).
  • Manage supply-chain cybersecurity risk, including contractual requirements for key providers and due diligence on ICT and security suppliers.
  • Ensure that senior management is directly responsible for cybersecurity governance, approves policies and receives regular training and reporting.

Practical approach

In practice, Spanish organisations are advised to treat NIS2 as the “north star” and use the draft law as an interpretive guide, aligning controls with recognised frameworks such as ISO/IEC 27001 or NIST CSF and integrating them with ENS requirements where applicable.

Key message: the legal text may still evolve in Parliament, but the direction of travel is clear. Waiting for the final BOE publication to start preparations is high risk.

Competent authorities & CSIRTs (planned)

Spain already has strong operational capabilities (INCIBE-CERT, CCN-CERT, sectoral regulators). The draft law introduces a more integrated governance model led by a new National Cybersecurity Centre.

Role: Planned national cybersecurity authority & Single Point of Contact
Authority: Centro Nacional de Ciberseguridad (CNCS)
Notes: New body under the Ministry of the Interior envisaged by the draft law; will coordinate national cybersecurity policy, supervise NIS2 entities, manage crisis response and act as the main link to EU bodies.

Role: National CSIRT for citizens & enterprises
Authority: INCIBE-CERT (within INCIBE)
Notes: Handles incident reporting and support for businesses and citizens, issues alerts, and provides guidance and awareness-raising materials on cybersecurity.

Role: National CSIRT for public sector & classified information
Authority: CCN-CERT (part of the National Cryptologic Centre, CNI)
Notes: Focuses on public administrations and systems handling sensitive or classified information, working closely with other authorities for major incidents.

Role: Sectoral regulators
Authority: Various (e.g. CNMC, Banco de España, CNMV, health and transport authorities)
Notes: Under the future law, these regulators will support supervision and enforcement in their sectors, in coordination with CNCS and national CSIRTs.

NIS2 timeline & key dates (Spain)

3 May 2022 — Royal Decree 311/2022 updates the National Security Scheme (ENS), strengthening cybersecurity requirements for Spanish public-sector systems.
14 December 2022 — NIS2 Directive adopted at EU level, setting 17 October 2024 as the transposition deadline for Member States.
17 October 2024 — EU deadline passes; Spain has not yet transposed NIS2, triggering European Commission infringement steps.
14 January 2025 — Council of Ministers approves the Draft Law on Cybersecurity Coordination and Governance, announcing urgent processing and creation of the CNCS.
January–February 2025 — Public consultation on the draft law; stakeholders provide comments on scope, obligations and governance model.
2025 — Parliamentary debate and urgent procedure continue; several legal and industry analyses highlight legal uncertainty until the law is finally adopted and published in the BOE.
Expected from 2026 — Once adopted, the law will enter into force and provide a phased implementation period for essential and important entities to comply with risk-management, reporting and governance obligations.

Sector-specific notes for Spain

  • Energy: electricity, gas and oil operators, as well as major grid and generation assets, are expected to be classified as essential entities with strict resilience obligations, especially after recent large-scale outages.
  • Transport: rail, air, maritime and road transport operators, ports and airports will fall in scope, reflecting Spain’s role as a key logistics hub in Europe and the Mediterranean.
  • Digital infrastructure & telecom: electronic communications networks, data centres, cloud and major digital platform providers will face strong requirements on uptime, incident reporting and continuity planning.
  • Finance & DORA interplay: banks and financial market infrastructures will need to align NIS2 obligations with existing EU financial ICT-risk frameworks such as DORA, avoiding duplicated controls.
  • Public administration & services: central, regional and local administrations, as well as certain public entities, will be explicitly covered, building on ENS and extending obligations to broader digital services.
  • Waste, food & research: sectors newly highlighted by NIS2 (waste management, food supply, scientific research) will also be affected, particularly where they operate critical facilities or support essential services.

Penalties for non-compliance (expected)

The draft law mirrors NIS2’s strong sanctions regime. While final figures may still be adjusted during parliamentary debate, companies should expect penalties in the same order of magnitude as the Directive.

  • For essential entities, fines up to the higher of €10 million or 2% of worldwide annual turnover for the most serious infringements.
  • For important entities, fines up to the higher of €7 million or 1.4% of worldwide annual turnover.
  • Additional fines for procedural breaches such as late or incomplete incident reporting, failure to cooperate with authorities or failure to implement corrective measures.
  • Corrective measures may include mandatory remediation plans, enhanced supervision, follow-up audits and, in extreme cases, temporary restrictions on operations.
  • Management bodies may face specific consequences for repeated or serious negligence in fulfilling governance obligations for cybersecurity.

How to prepare for NIS2 in Spain

  1. Check if you are likely in scope: map your business against NIS2 Annex I & II sectors and Spanish critical sectors; consider size, revenue and the essential nature of your services.
  2. Monitor the Spanish draft law: follow updates on the Cybersecurity Coordination and Governance Law and any changes introduced during parliamentary debate.
  3. Run a NIS2 readiness assessment: benchmark your current cybersecurity governance, controls, incident response and documentation against NIS2 Article 21 and the obligations outlined in the draft law.
  4. Align with ENS where applicable: if you already fall under the National Security Scheme (ENS), align your NIS2 preparations with ENS requirements to avoid duplicated work.
  5. Strengthen detection & incident reporting: make sure you can detect, investigate and classify incidents quickly, and that you have processes to notify authorities within 24 hours when required.
  6. Address supply-chain risk: identify critical suppliers and update contracts with clear cybersecurity, audit and incident-notification clauses consistent with NIS2 expectations.
  7. Use recognised frameworks: build or refine your information security management system using ISO/IEC 27001, NIST CSF or similar to structure your compliance roadmap.
  8. Engage leadership early: inform boards and senior management about expected obligations and sanctions so they can allocate funding, set risk appetite and support a multi-year roadmap.

FAQ: NIS2 in Spain

Has Spain fully transposed NIS2?
Not yet. As of late 2025, Spain is still in the process of adopting the Cybersecurity Coordination and Governance Law. The draft has been approved by the Government and is going through Parliament under an urgent procedure but has not yet been published in the BOE.

What law will implement NIS2 in Spain?
The future Cybersecurity Coordination and Governance Law (Ley de Coordinación y Gobernanza de la Ciberseguridad) is the main instrument that will transpose NIS2 and the CER Directive into Spanish law.

Who will be the main NIS2 authority?
The draft law creates a National Cybersecurity Centre (CNCS) under the Ministry of the Interior as the central authority and single point of contact, working alongside INCIBE-CERT, CCN-CERT and sectoral regulators.

Should we wait for the law to be approved before acting?
No. Because the draft closely reflects NIS2 and the direction is clear, organisations likely in scope should already be running gap assessments, planning risk-management measures, improving incident reporting and engaging their leadership.

How high can fines be?
In line with NIS2, fines are expected to reach up to €10 million or 2% of worldwide annual turnover for essential entities, and up to €7 million or 1.4% of turnover for important entities, plus additional sanctions and corrective measures for specific breaches.

Is ISO 27001 mandatory?
ISO/IEC 27001 is not expected to be mandatory by name, but the law will require robust, risk-based security measures. Aligning with ISO 27001 or similar frameworks is a practical way to structure and evidence compliance in Spain.

Information provided for general guidance; always consult the final Spanish Cybersecurity Coordination and Governance Law, CNCS/INCIBE/CCN-CERT publications and legal counsel for definitive NIS2 compliance requirements in Spain.