Internet Security Auditors Blog

NIS2 Directive: Transposition in Spain and Draft Law

Written by David Galindo | Nov 28, 2025 9:59:47 AM
In January 2023, the European Commission announced the entry into force of the NIS2 Directive, replacing the original NIS Directive. Its goal is to establish an updated regulatory framework to ensure a high common level of cybersecurity for networks and information systems in essential and important entities across the most critical sectors within the European Union.

As we have already discussed in previous articles, among the main innovations of the new version are the expansion of the sectors included within its scope of application, more detailed requirements aligned with the latest international best practices, and more specific and active compliance supervision measures.

However, one of the most important shortcomings to be corrected compared to the original Directive was the need to ensure greater legal harmonization, allowing for more uniform transposition projects. This would prevent each country from interpreting the obligations defined by the Directive in its own way and would thus facilitate the transposition process in each Member State.

What is the current status of transposition in Spain?

With its entry into force at the beginning of 2023, the European Commission established a transition period during which the different Member States had to proceed with the transposition of the Directive before October 17, 2024. More than a year after this date, the transposition process in Spain has still not been completed.

As a consequence of this non-compliance, the European Commission initiated infringement proceedings in November 2024 against 23 countries, including Spain, with the aim of pressuring the affected countries to complete the incorporation of the NIS2 Directive into their legal systems as soon as possible.

Faced with this situation, the Spanish government was forced to take an important step in its adaptation process in January 2025, when the Council of Ministers approved the Draft Law on Cybersecurity Coordination and Governance, which sought to transfer into national legislation the requirements established at the European level by the NIS2 Directive.

After its initial approval, the Draft Law entered the phase of public hearing and consultation between January and February of the same year, where citizens, companies, associations, and other organizations were able to submit contributions, suggestions, or comments on its content. However, as of November 2025, the Draft Law is still in the parliamentary processing stage, and therefore has not yet been published in the Official State Gazette.

This means that, as of today, Spain still does not have an official national framework that allows for the effective application of the obligations established by the NIS2 Directive, which implies that public and private entities operating in essential and important sectors remain in a situation of legal uncertainty.

When is its incorporation into Spanish legislation expected?

Although Spain still does not have a national law formally transposing the NIS2 Directive, it is important to emphasize that this regulation has been binding at the European level since January 2023. This means that, despite the delay in the Spanish legislative process, organizations falling within its scope should not wait for the publication of the law to act; rather, it is considered essential to anticipate and begin preparing as soon as possible to comply with the new requirements.

At the same time, it is crucial that organizations closely monitor legislative developments in Spain, since the approval of the future national framework is expected to take place before the end of 2025, and could therefore be announced at any moment.

Draft Law: What requirements can we expect?

Although we do not yet have the final version, it is advisable to analyze the characteristics presented in the Draft Law in order to get an idea of the requirements that we may expect once the approval process is completed.

Public hearing and consultation of the Draft Law on Cybersecurity Coordination and Governance, through which Directive (EU) 2022/2555 of the European Parliament and of the Council of December 14, 2022, on measures to ensure a high common level of cybersecurity throughout the Union, is transposed.

  • Text of the Draft Law
  • Text of the Regulatory Impact Assessment Report
  • Annex I
  • Annex II
  • Date of publication: January 16, 2025
  • Deadline for submitting contributions: February 10, 2025

Publication of the Draft Law on Cybersecurity Coordination and Governance on the website of the Ministry of the Interior

In general terms, the Draft Law presented by the Spanish Government is aligned with the main obligations defined by the NIS2 Directive:

▪️ Governance – responsibility of senior management
▪️ General measures for security risk management
▪️ Information security officer
▪️ Incident notification obligations

What should be the responsibilities of senior management?

Article 14 of the Draft Law reinforces governance in the field of cybersecurity, maintaining the responsibilities established by the NIS2 Directive for the management bodies of essential and important entities, emphasizing the idea that cybersecurity must be a strategic matter for organizations.

Among these responsibilities, the following stand out:

▪️ Apply the necessary measures for cybersecurity risk management, ensuring they are appropriate to the organization’s context and proportional to the identified risks.
▪️ Oversee the effective implementation of cybersecurity risk management measures, carrying out rigorous monitoring of compliance within the organization.
▪️ Assume ultimate responsibility in the event of non-compliance.
▪️ Receive periodic training in cybersecurity in order to make appropriate decisions, and periodically organize similar training for the rest of the organization’s employees, with the aim of ensuring a strong security culture throughout the organization.

What risk management measures does the Draft Law establish?

Article 15 of the Draft Law states that the risk management measures to be implemented by essential and important entities will be based on those set out in equivalent national, European, and international technical standards, including at least the requirements defined in Article 21 of the NIS2 Directive.

The measures defined in Article 21 of the NIS2 Directive, and expanded in Implementing Regulation (EU) 2024/2690 published by the European Commission on October 17, 2024, are the following:

Article         Risk management measure
Article 21.2.a  Information systems security policies and risk analysis
Article 21.2.b  Incident management
Article 21.2.c  Continuity, backups, disaster recovery, and crisis management
Article 21.2.d  Supply chain security and relationships with suppliers and direct service providers
Article 21.2.e  Acquisition, development, and maintenance of network and information systems, including vulnerability management
Article 21.2.f  Policies to evaluate the effectiveness of cybersecurity risk management measures
Article 21.2.g  Basic cyber hygiene practices and cybersecurity training
Article 21.2.h  Cryptography and encryption policy and procedures
Article 21.2.i  Human resources security, access control policies, and asset management
Article 21.2.j  Multifactor or continuous authentication, voice communications, and emergency communications


Information Security Officer: What are their responsibilities?

Article 16 of the Draft Law establishes the need for essential and important entities to appoint an Information Security Officer, a key figure to ensure compliance with cybersecurity obligations and to coordinate all actions related to the protection of the organization’s systems and data. Among their main functions, the following stand out:

▪️ Define and implement the organization’s cybersecurity strategy.
▪️ Continuously assess, mitigate, and review risks.
▪️ Maintain updated evidence, policies, and records to ensure compliance with the obligations required by the Directive.
▪️ Promote the organization’s cybersecurity culture together with senior management.
▪️ Ensure compliance with notification obligations, reporting the necessary information to supervisory authorities within the defined deadlines.

What obligations must be taken into account regarding the notification of security incidents?

Within the risk management measures to be implemented by entities falling under the scope of NIS2, the Directive particularly emphasizes the obligation to report security incidents with significant impact—that is, those that have caused or may cause serious operational disruptions to services resulting in considerable damage to the affected entity or to other natural or legal persons.

In this regard, Article 18 of the Draft Law establishes a series of actions aligned with the requirements of the Directive, which each organization must comply with if affected by a security incident of this nature:

▪️ Initial notification: within a maximum of 24 hours after detection of the incident.
▪️ Interim report: must be submitted within a maximum of 72 hours and include a preliminary assessment of the impact and severity of the incident.
▪️ Final report: within a maximum of 1 month after the initial notification, including a detailed description of its impact, severity, and the measures adopted.

Next steps and recommendations

Although the transposition process of the NIS2 Directive into Spanish legislation has not yet been completed, its finalization is expected by the end of 2025. This means that its formal approval could take place at any time, thereby impacting numerous public and private entities that fall within its scope of application.

For this reason, being aware of the main characteristics of this Directive, as well as the adaptations already presented in the Draft Law, will enable faster alignment and reduce the margin for improvisation when the regulation finally comes into force.

Starting preparations now helps minimize risks, avoid potential penalties, and, above all, demonstrate a proactive stance in terms of cybersecurity and regulatory compliance. Therefore, in upcoming articles we will examine in detail some of the main approaches organizations can use to facilitate compliance with the NIS2 Directive and to establish action plans aligned with other widely recognized security standards.

References:
🔗 Directive (EU) 2022/2555 of the European Parliament and of the Council, of 14 December 2022, on measures for a high common level of cybersecurity across the Union: https://eur-lex.europa.eu/eli/dir/2022/2555/oj?locale=es
🔗 Commission Implementing Regulation (EU) 2024/2690 of 17 October 2024, laying down technical and methodological requirements for cybersecurity risk management measures under Directive (EU) 2022/2555: https://eur-lex.europa.eu/legal-content/ES/TXT/?uri=CELEX:32024R2690
🔗 Draft Law on Cybersecurity Coordination and Governance (Spain): https://www.interior.gob.es/opencms/es/servicios-al-ciudadano/participacion-ciudadana/participacion-publica-en-proyectos-normativos/audiencia-e-informacion-publica/
🔗 Unpacking the main novelties of the NIS2 Directive: https://blog.isecauditors.com/2023/02/desentranando-las-principales-novedades-de-la-directiva-nis2.html
🔗 CCN Portal – NIS2 Directive resources: https://www.ccn.cni.es/es/normativa/directiva-nis2
🔗 INCIBE Portal – Strategic sectors and NIS2 guidance: https://www.incibe.es/incibe-cert/sectores-estrategicos/NIS2-necesitas-saber