Infringement Procedure Open

NIS2 in Spain

Everything you need to know about the NIS2 directive in Espana: transposition law, competent authority, fines, deadlines, and how Reglyze helps SMEs become compliant.

Key facts at a glance

Transposition Law

Anteproyecto de Ley de Coordinacion y Gobernanza de la Ciberseguridad (draft)

Adopted / in force: TBD

Competent Authority

Instituto Nacional de Ciberseguridad (INCIBE)

https://www.incibe.es

Fines — Essential

Up to EUR 10 million or 2% of global annual turnover

Fines — Important

Up to EUR 7 million or 1.4% of global annual turnover

Key deadlines

2024-10-17

EU transposition deadline — missed by Spain.

TBD

Infringement procedure open. Transposition law still in draft (Anteproyecto de Ley).

What Spain businesses need to know

Spain has the slowest NIS2 transposition among major EU economies and faces a formal infringement procedure.
INCIBE will be the primary competent authority and operates INCIBE-CERT for incident handling.
Despite the delay, INCIBE has published an extensive FAQ and preparatory guidance.
Spanish organizations are still subject to the EU directive's principles — courts may apply direct effect.
The draft law aligns closely with the directive minimum, with some additions for critical infrastructure.

Ready to become NIS2 compliant in Spain?

Reglyze is the AI-powered NIS2 compliance platform built for European SMEs. Start free — scoping, gap assessment, and policy generation tailored to INCIBE requirements.

NIS2 in other EU countries