    NIS2 in Spain

    A guide to NIS2 implementation and compliance in Spain.

    Spain is strengthening its national cybersecurity regime to align with the enhanced obligations introduced under the NIS2 Directive. The updated framework expands sector coverage, reinforces executive accountability, and enhances supervisory and enforcement mechanisms. This guide provides a structured overview of NIS2 compliance requirements in Spain for SMEs operating in covered sectors.

    1. Quick SME Applicability Snapshot in Spain

    Does NIS2 apply to SMEs in Spain?

    Yes — depending on sector and size.

    • Automatic applicability to medium-sized entities (≥50 employees and ≥€10 million turnover or balance sheet total) operating in covered sectors.
    • Small or micro entities are included only if formally designated or operating in high-criticality sectors.
    • Applies to entities established in Spain and, in certain cases, foreign digital providers serving the Spanish market.

    SMEs should assess qualification under Spain's national cybersecurity framework based on sector classification and statutory thresholds.

    2. Overview of NIS2 Implementation in Spain

    Spain has not yet enacted its NIS2 transposition. The Anteproyecto de Ley de Coordinación y Gobernanza de la Ciberseguridad was approved by the Council of Ministers on 14 January 2025 but, as of April 2026, remains pending parliamentary debate in the Cortes Generales. Spain missed the 17 October 2024 transposition deadline and received an EC reasoned opinion on 7 May 2025. The prior NIS1 framework (Royal Decree-Law 12/2018) continues to apply.

    Once enacted, the new law will create the Centro Nacional de Ciberseguridad (CNC) as lead authority, EU single point of contact, and crisis coordinator. Three reference CSIRTs are designated — CCN-CERT (public sector), INCIBE-CERT (private entities), and ESPDEF-CERT (Armed Forces). Reporting will be channelled through the Plataforma Nacional de Notificación y Seguimiento de Ciberincidentes.

    Spain's draft expands scope beyond the Directive minimum (universities, research centres, large municipalities, private security companies, defence-impact entities, and foreign companies with permanent establishment in Spain), introduces a tiered national fine structure (€10k–€2M, with higher Directive-style caps for the most serious cases), and requires each entity to designate a Responsable de Seguridad de la Información.

    3. Scope of Application in Spain

    Under the NIS1 framework still in force, Spain's scope reflects the Directive's minimum sector categories. The draft Ley de Coordinación y Gobernanza proposes a structural expansion (universities, research centres, large municipalities, private security companies, defence-impact entities, and foreign companies with a permanent establishment in Spain), but that expansion is not yet enacted.

    4. Size Thresholds and SME Applicability in Spain

    The baseline thresholds apply:

    • ≥50 employees, and
    • ≥€10 million annual turnover or balance sheet total.

    Entities meeting both criteria within covered sectors are automatically within scope.

    Small and micro enterprises may be designated if considered critical to national security, economic stability, or essential service continuity.

    Spanish authorities retain formal designation powers where systemic risk justifies inclusion.

    5. Entity Classification Framework in Spain

    Entities are categorized as:

    • Essential Entities — Subject to proactive supervision, including inspections and structured compliance monitoring.
    • Important Entities — Primarily subject to reactive supervision triggered by significant incidents or compliance concerns.

    Classification is determined by sector and size. Authorities may reclassify entities where operational impact or risk exposure warrants enhanced oversight.

    Spain follows the Directive's two-tier supervisory structure.

    6. Cybersecurity Risk Management Requirements in Spain

    Spain's national regime aligns with the Directive baseline for cybersecurity risk management. In-scope entities must implement proportionate technical and organizational measures addressing:

    • Risk analysis and system protection
    • Incident detection and response
    • Business continuity and crisis management
    • Supply chain risk controls
    • Secure acquisition and development of ICT systems
    • Access control and identity management
    • Encryption and cryptographic safeguards
    • Vulnerability management procedures
    • Staff cybersecurity training

    Measures must reflect state-of-the-art standards and organizational risk exposure. Alignment with ISO/IEC 27001 and Spanish cybersecurity guidance is encouraged.

    7. Management Liability and Governance in Spain

    Management bodies must formally approve cybersecurity risk management measures and oversee implementation.

    Under Spain's framework:

    • Boards are accountable for compliance oversight.
    • Senior management must ensure sufficient cybersecurity competence.
    • Administrative sanctions may address governance failures.
    • Temporary suspension of managerial functions may be available under Directive-aligned enforcement mechanisms.

    Spain's NIS2 management liability expectations elevate cybersecurity governance to an executive-level responsibility.

    8. Incident Reporting Obligations in Spain

    Definition of a Significant Incident

    An incident qualifies if it causes:

    • Severe operational disruption
    • Significant financial loss
    • Substantial societal impact
    • Cross-border effects

    Reporting Timeline

    Reporting Stage         Deadline    Authority
    Early Warning           24 hours    CCN-CERT (public) / INCIBE-CERT (private) / ESPDEF-CERT (Armed Forces), via the National Incident Notification Platform (proposed; not yet legally operative)
    Incident Notification   72 hours    CCN-CERT (public) / INCIBE-CERT (private) / ESPDEF-CERT (Armed Forces), via the National Incident Notification Platform (proposed; not yet legally operative)
    Final Report            1 month     CCN-CERT (public) / INCIBE-CERT (private) / ESPDEF-CERT (Armed Forces), via the National Incident Notification Platform (proposed; not yet legally operative)

    Spain follows the Directive 24h / 72h / 1 month structure. Under the draft Ley de Coordinación y Gobernanza, entities will report significant incidents to the relevant national CSIRT via the Plataforma Nacional de Notificación y Seguimiento de Ciberincidentes. These arrangements are not yet legally operative pending enactment.

    9. Supervisory Authorities and Enforcement Model in Spain

    Under the current NIS1 framework (still in force), sector-specific ministries serve as competent authorities. Under the proposed Ley (not yet enacted), the Centro Nacional de Ciberseguridad (CNC) will be lead authority, single EU point of contact, and crisis management authority, coordinating the three national CSIRTs (CCN-CERT, INCIBE-CERT, ESPDEF-CERT). A transitional regime keeps sector-specific authorities in place until the CNC is operational.

    Spain operates a multi-authority supervisory model. Sector ministries currently supervise under NIS1; the proposed law would centralize coordination under the CNC, with CCN-CERT, INCIBE-CERT, and ESPDEF-CERT providing incident response support. These arrangements are not yet legally operative.

    Supervisory powers include:

    • Requests for documentation and information
    • Security audits
    • On-site inspections
    • Binding compliance instructions
    • Participation in EU cybersecurity coordination mechanisms

    The enforcement structure aligns with Directive-level cooperation requirements. These powers are not yet legally operative pending enactment of the Ley de Coordinación y Gobernanza de la Ciberseguridad.

    10. NIS2 Fines and Sanctions in Spain

    Spain applies Directive-aligned administrative penalties.

    Essential Entities

    Up to €10 million or 2% of total global annual turnover (whichever is higher)

    Important Entities

    Up to €7 million or 1.4% of total global annual turnover (whichever is higher)

    NIS2 enforcement in Spain may also include:

    • Binding remediation orders
    • Public identification of non-compliant entities
    • Suspension of authorizations or certifications
    • Managerial suspension powers

    Criminal liability applies only where explicitly provided under Spanish legislation.

    11. NIS2 Supply Chain and Vendor Security in Spain

    Entities must manage third-party cybersecurity exposure through:

    • Vendor risk assessments
    • Contractual security flow-down provisions
    • Continuous ICT supplier monitoring
    • Concentration risk analysis
    • Incident propagation mitigation

    Spain's approach aligns with Directive baseline expectations regarding supplier risk management.

    12. Registration and Self-Identification Duties in Spain

    No NIS2 registration obligation currently exists in Spain: the Ley de Coordinación y Gobernanza is not yet enacted, and registration requirements will be established once the law is passed. Entities should begin voluntary self-assessment now to determine their likely essential/important classification.

    Once the law is enacted, entities within scope are expected to:

    • Provide corporate identification details
    • Disclose sector classification
    • Maintain updated reporting contacts

    There are no active NIS2 registration or compliance deadlines in Spain. Once enacted, the law will set registration deadlines and require designation of a Responsable de Seguridad de la Información per entity. Use INCIBE sector guidance and self-classification tools to prepare.

    Self-identification will be mandatory once the law is enacted. Voluntary scope assessment now (sector classification + size thresholds) is strongly advised.

    13. Interaction With GDPR and Other Laws in Spain

    The General Data Protection Regulation continues to apply concurrently.

    Overlap considerations include:

    • 72-hour personal data breach notification
    • Supervisory authority coordination

    14. Cross-Border Applicability

    Entities with their main establishment in Spain are supervised by Spanish authorities for cross-border services.

    Foreign digital providers offering services in Spain may be subject to national obligations depending on establishment structure.

    Representation requirements follow Directive standards for non-EU providers serving the Spanish market.

    15. Implementation Timeline in Spain

    • Directive adoption: 2022
    • National legislative amendments: Anteproyecto approved by Council of Ministers 14 Jan 2025; public hearing/consultation Jan–Feb 2025; pending parliamentary debate in the Cortes Generales as of Apr 2026
    • Entry into force: Not yet enacted; NIS1 RD-Law 12/2018 continues to apply
    • Commission notification: EC reasoned opinion 7 May 2025; CJEU referral remains possible
    • Compliance milestone: No NIS2 deadlines currently active; registration, classification, and risk-management obligations will be set following enactment

    Spain missed the EU NIS2 deadline and remains under EC infringement proceedings. The Ley de Coordinación y Gobernanza is pending parliamentary adoption; NIS1 continues to apply. Entities should use this period for voluntary scope assessments and compliance preparation.

    16. Key Takeaways for SMEs in Spain

    • Medium-sized entities in covered sectors will be in scope once the law is enacted; the draft expands scope beyond the Directive minimum (universities, research centres, large municipalities, private security companies) — begin voluntary scope assessment now.
    • Small entities may be designated if critical to national or economic stability.
    • Board-level governance oversight is mandatory.
    • Incident reporting will follow 24h / 72h / 1 month deadlines once enacted, submitted to the relevant CSIRT — CCN-CERT (public) / INCIBE-CERT (private) / ESPDEF-CERT (Armed Forces).
    • Financial penalties can reach €10 million or 2% of global turnover.
    • Vendor risk management is required.
    • The draft law is not yet enacted but enactment could occur at any time. Conduct voluntary scope assessment using INCIBE tools, align internal governance with the ENS (Esquema Nacional de Seguridad) framework, and prepare to appoint a Responsable de Seguridad de la Información upon enactment.

    FAQ: NIS2 Spain SME Guide

    Does NIS2 apply to small companies in Spain?

    Small companies are generally excluded unless designated or operating in highly critical sectors. Medium-sized entities meeting size thresholds are automatically covered.

    What are the NIS2 fines in Spain?

    Essential Entities face penalties up to €10 million or 2% of global annual turnover. Important Entities face up to €7 million or 1.4% of global annual turnover.

    When does NIS2 take effect in Spain?

    Spain's transposing legislation — the Ley de Coordinación y Gobernanza de la Ciberseguridad — was approved as a draft by the Council of Ministers on 14 January 2025 but has not yet been enacted as of April 2026. The bill remains pending parliamentary debate. Spain missed the 17 October 2024 transposition deadline and is subject to EC infringement proceedings (reasoned opinion issued May 2025). The existing NIS1 framework (Royal Decree-Law 12/2018) remains in force. Entities should begin voluntary scope assessments and compliance preparation now.

    Who enforces NIS2 in Spain?

    Under the NIS1 framework still in force, sector-specific ministries act as competent authorities. Once the Ley de Coordinación y Gobernanza is enacted, the Centro Nacional de Ciberseguridad (CNC) will be the lead supervisory authority, coordinating with sector regulators where applicable and with the three national CSIRTs: CCN-CERT (public sector), INCIBE-CERT (private entities), and ESPDEF-CERT (Armed Forces).

    Can directors be personally liable under NIS2 in Spain?

    Management bodies must approve and oversee cybersecurity measures. Administrative enforcement tools may include managerial suspension powers in serious cases.

    How does NIS2 differ from GDPR in Spain?

    NIS2 governs cybersecurity resilience and operational risk management, while GDPR regulates personal data protection. Both frameworks may apply following a cyber incident.

    What qualifies as a significant incident under NIS2 in Spain?

    An incident causing severe disruption, significant financial loss, societal impact, or cross-border consequences typically meets the reporting threshold.