Everything you need to know about the NIS2 directive in Spain: transposition law, competent authority, fines, deadlines, and how Reglyze helps SMEs become compliant.
Spain has the slowest NIS2 transposition among major EU economies and faces a formal Commission infringement procedure. The transposition law, the Anteproyecto de Ley de Coordinación y Gobernanza de la Ciberseguridad, is still in draft, with no firm enforcement date. INCIBE will be the primary competent authority and operates INCIBE-CERT for incident handling. Despite the delay, INCIBE has published extensive preparatory guidance, and Spanish organisations remain subject to the directive's principles.
Anteproyecto de Ley de Coordinación y Gobernanza de la Ciberseguridad (draft)
Adopted / in force: TBD
Instituto Nacional de Ciberseguridad (INCIBE)
https://www.incibe.es
Up to EUR 10 million or 2% of global annual turnover
Up to EUR 7 million or 1.4% of global annual turnover
These ceilings come from the directive — see how NIS2 fines are calculated, recent enforcement cases and director personal liability.
NIS2 covers 18 sectors across Annex I (essential) and Annex II (important). These are the sectors where Spain's transposition and INCIBE supervision focus most.
Annex I operators — Spanish grid and energy companies, water utilities — are squarely in scope as essential entities and are the focus of INCIBE's preparatory guidance.
Spain's large telecom and digital-services base — operators, cloud and ICT providers — falls under digital infrastructure and ICT service management, often at the essential or important tier.
Spanish industrial and agri-food clusters fall under Annex II as important entities once above the size threshold, and increasingly face supply-chain compliance requests from larger customers.
2024-10-17
EU transposition deadline — missed by Spain.
TBD
Infringement procedure open. Transposition law still in draft (Anteproyecto de Ley).
Two worked examples of how NIS2 scoping plays out in Spain.
Energy is an Annex I high-criticality sector and the distributor is above the size threshold. It should prepare against the directive baseline now, even before the Spanish statute formally passes.
Digital providers are covered, and a company offering cloud services may be in scope regardless of size. It should align with the directive's risk-management and incident-reporting requirements ahead of the Spanish law.
Spain has the slowest NIS2 transposition among major EU economies and faces a formal infringement procedure.
INCIBE will be the primary competent authority and operates INCIBE-CERT for incident handling.
Despite the delay, INCIBE has published an extensive FAQ and preparatory guidance.
Spanish organizations are still subject to the EU directive's principles — courts may apply direct effect.
The draft law aligns closely with the directive minimum, with some additions for critical infrastructure.
INCIBE-CERT handles incident response, and INCIBE has published an extensive FAQ and preparatory guidance ahead of the statute. Because the transposition is late, Spanish courts may apply the directive's direct effect against the State, but formal enforcement against private entities awaits the Spanish law. The draft aligns closely with the directive minimum, with some additions for critical infrastructure. Preparing now — risk-management measures, incident processes and registration readiness — avoids a compliance scramble once the Anteproyecto de Ley is adopted.
Primary references for NIS2 in Spain — verify the latest text and deadlines directly with the authority.