When I first saw the expansion of the NIS2 scope in Spain, it felt like the digital equivalent of a seismic shift—one that could shake even the most stable infrastructures if not properly braced for. For organizations operating across critical and essential sectors, the revised Network and Information Security Directive (NIS2) is no longer a compliance backwater. It’s a cornerstone of digital resilience, national governance, and industry accountability.
Spain’s approach to the NIS2 directive is not just a legal transposition—it’s an institutional overhaul. The proposed reforms signal a clear intention to modernize cybersecurity governance while drawing from lessons learned under the original NIS1. Let’s unpack what’s happening, when, and most importantly, what your organization should be doing now.
Where things stand: Spain NIS2 implementation framework
In January 2025, Spain’s Council of Ministers approved the Anteproyecto de Ley de Coordinación y Gobernanza de la Ciberseguridad, which acts as the legislative vessel for NIS2 and the Critical Entities Resilience (CER) Directive. This draft law not only merges the two frameworks but also establishes the Centro Nacional de Ciberseguridad (CNC)—Spain’s new lead authority for cybersecurity oversight under the Ministry of Interior.
This centralization echoes France’s ANSSI model and gives the CNC supervisory and coordination powers over sector-specific authorities, the CCN-CERT for public sector response, and INCIBE-CERT for private industry.
Before we explore enforcement and timelines, let’s look at the key legislative journey.
Spanish NIS2 implementation timeline
Here’s how Spain is progressing from EU directive to national regulation:
Key milestones in NIS2 Spain transposition
| Date | Milestone | Status |
|---|---|---|
| 27 Dec 2022 | NIS2 (Directive (EU) 2022/2555, adopted 14 Dec 2022) published in the Official Journal of the EU | Completed |
| Jan 2024 | Public consultation on the draft law | Completed |
| 17 Oct 2024 | EU deadline for national transposition (missed by Spain, as by most member states) | Missed |
| 14 Jan 2025 | Council of Ministers approves the draft bill (anteproyecto) | Completed |
| Feb 2025 | Fast-track registration in Congress and Senate | Completed |
| Q3 2025 | Parliamentary hearings and legislative amendments | In progress |
| Q1 2026 | Expected enactment and publication in the Boletín Oficial del Estado (BOE) | Projected |
| H1 2026 | CNC launches registration portal; incident reporting becomes enforceable | Projected |
Because Spain missed the directive's 17 October 2024 transposition deadline, the dates for enactment and enforcement are projections rather than published deadlines; until the law is in the BOE, the obligations that bind today are those of the existing NIS1 transposition (Real Decreto-ley 12/2018 and Real Decreto 43/2021).
The scope explosion: who’s included now?
Under the original NIS directive, Spain regulated fewer than 1,000 entities. With NIS2, that number is expected to surge to around 12,000 organizations across 18 sectors (the 11 high-criticality sectors of Annex I and the 7 other critical sectors of Annex II). This includes newly covered verticals such as medium-sized manufacturers, cloud services, and regional governments.
Entities are split into two primary classes:
NIS2 entity classification in Spain
| Class | Criteria | Examples |
|---|---|---|
| Entidades Esenciales (EE) | Large enterprises in the high-criticality sectors of NIS2 Annex I: ≥ 250 employees, or annual turnover above €50 million and balance-sheet total above €43 million (the size bands of Recommendation 2003/361/EC) | Large utilities, hospitals, ministries |
| Entidades Importantes (EI) | Medium-sized enterprises in Annex I or Annex II sectors (≥ 50 employees, or turnover or balance-sheet total above €10 million), plus large enterprises in Annex II sectors | Logistics hubs, manufacturers |
| Size-agnostic inclusions | In scope regardless of size under Art. 2(2): DNS service providers, TLD name registries, qualified trust service providers, providers of public electronic communications networks or services, and sole providers of a service whose disruption would significantly affect public safety, security or health | Core digital infrastructure |
It’s worth noting that public entities, while exempt from fines, are not exempt from compliance. All ministries and municipalities with more than 50,000 inhabitants are treated as essential entities.
How Spain is implementing the NIS2 directive
The new bill is more than a regulatory update—it’s a blueprint for digital sovereignty. Here’s how the law is structured:
Structure of the Spanish NIS2 transposition law
| Chapter | Function |
|---|---|
| Cap. I–II | Sets definitions and strategic objectives, and establishes the CNC |
| Cap. III | Details risk management, board accountability, and supply-chain security |
| Cap. IV–V | Covers cross-border registration and national incident reporting |
| Cap. VI | Grants the CNC and sector regulators powers for audits and corrective actions |
| Cap. VII | Outlines sanctions, director liability, and exemptions for public institutions |
| DA 1ª (Disposición adicional primera) | Formally designates the CNC as the lead NIS2 authority in Spain |
The bill also incorporates a “safeguard clause” allowing micro-enterprises to request exemptions if they prove negligible systemic impact.
Sanctions and supervisory enforcement
Unlike NIS1, NIS2 carries teeth. Spain’s sanctions model introduces financial, operational, and reputational penalties, particularly for private-sector entities.
Spain NIS2 directive sanctions and fines
| Entity type | Maximum fine | Additional measures |
|---|---|---|
| EE | €10 million or 2% of total worldwide annual turnover, whichever is higher | Temporary suspension of certifications or authorisations, public naming of the entity and the infringement |
| EI | €7 million or 1.4% of total worldwide annual turnover, whichever is higher | Periodic penalty payments until the infringement is remedied |
| Others | Graduated: from €10,000 (minor) to €2 million | Corrective orders, warnings, referral of the responsible officials |
Notably, management bodies must formally approve the entity's cybersecurity risk-management measures and oversee their implementation, and their members can be held personally liable for governance lapses; for essential entities, supervisors may also temporarily bar the responsible executives from exercising managerial functions until the breach is remedied. The CNC may escalate to disciplinary action for public officials who violate the requirements.
Industry-wide impacts
The law’s expanded scope reshapes regulatory obligations across key verticals. The table below outlines what’s changing and what companies need to do.
Impact of the Spain NIS2 directive by sector
| Sector | What's new | Key obligations |
|---|---|---|
| Energy & utilities | Adds hydrogen and LNG infrastructure | SBOM exchange with suppliers, continuous monitoring |
| Healthcare | ≈800 hospitals now considered EE | Incident reporting, board cyber accountability |
| Transport & logistics | Road operators and logistics hubs covered | OT segmentation, crisis simulations |
| Manufacturing | Mid-sized firms newly covered | OT/IT segregation, security clauses in vendor contracts |
| Digital infrastructure | Cloud and data-centre services sit in the high-criticality Annex I sectors (large providers are EE, medium-sized ones EI) | Zero-trust architecture, 24/7 SOC, alignment with the High category of the Esquema Nacional de Seguridad (ENS, Real Decreto 311/2022) |
| Public sector | All large municipalities included | Reporting duties, mandatory CISOs, corrective compliance reviews |
For a more technical breakdown, the Spanish National Cybersecurity Institute provides detailed sector-specific guidance on its official INCIBE site.
What companies should be doing now
By mid-2026, most compliance obligations will be in full effect. Preparation now is not just prudent—it’s essential.
Organizations should:
- Self-assess scope: map your activities (NACE codes) to the sectors in NIS2 Annexes I and II, then apply the size test (employee headcount plus turnover and balance-sheet total under Recommendation 2003/361/EC) to decide whether you are an EE, an EI, or out of scope; check the size-agnostic categories as well.
- Prepare for registration: collect the entity data the registry requires (legal name, address, contact details, sector and subsector, and the member states in which you provide services) for the CNC's self-registration portal.
- Conduct a gap analysis: match internal controls against the ten minimum measures in NIS2 Article 21(2): risk-analysis and information-system security policies; incident handling; business continuity, backups and crisis management; supply-chain security; secure acquisition, development and maintenance, including vulnerability handling; procedures to assess the effectiveness of the measures; cyber hygiene and training; cryptography and encryption policies; HR security, access control and asset management; and multi-factor or continuous authentication with secured communications.
- Implement SOPs: build incident playbooks keyed to the Article 23 clock: an early warning within 24 hours of becoming aware of a significant incident, a full notification within 72 hours, intermediate reports on request, and a final report within one month.
- Educate leadership: brief your board, have it formally approve the risk-management measures (Article 20 requires this and mandates training for board members), and document the decisions.
A helpful resource is the Plataforma Nacional de Notificación y Seguimiento de Ciberincidentes, which will host incident submission portals and templates.
Are you prepared for the next incident?
Spain’s NIS2 directive isn’t just a legal exercise—it’s a real-world shift toward operational resilience, executive accountability, and cross-sector digital vigilance. With enforcement timelines approaching and oversight set to ramp up, organizations can’t afford to wait.
If you’re unsure where your organization stands, start with INCIBE’s classification tools, loop in your legal and cybersecurity leads, and align your governance strategy to the CNC’s upcoming protocols. Because in the age of digital infrastructure, cyber resilience isn’t optional—it’s structural.