12 March 2026 Update - The transposition of NIS 2 in Spain
Spain is one of the EU Member States that has not yet completed the formal transposition of Directive (EU) 2022/2555 (NIS 2).
Although the government has prepared draft legislation and advanced the legislative process, the implementing law has not yet been enacted. Spain remains in a pre transposition stage, and the existing cybersecurity legal framework continues to apply until the new law is adopted.
Prior to NIS 2, Spain implemented the original NIS Directive (Directive 2016/1148) mainly through Royal Decree Law 12/2018 on the security of networks and information systems and its implementing regulations. This framework established cybersecurity obligations for operators of essential services and digital service providers and defined incident-reporting requirements and supervisory mechanisms.
The national institutional architecture includes the National Cryptologic Centre (CCN), the National Cybersecurity Institute (INCIBE), and sector-specific authorities. These institutions cooperate in coordinating incident response and cybersecurity supervision across Spain’s critical sectors.
Although the 2018 legislation created a functioning cybersecurity regime, it was designed for the narrower scope of the first NIS Directive and therefore requires significant reform to accommodate the expanded regulatory architecture introduced by NIS 2.
Under Article 41 of the NIS 2 Directive, Member States were required to adopt national implementing measures by 17 October 2024. Spain did not meet this deadline.
In November 2024, the European Commission opened infringement procedures against Spain and other Member States for failing to fully transpose the directive.
This action reflects the Commission’s position that the national implementing legislation had not yet been adopted or formally notified.
To implement the directive, the Spanish government has prepared a Draft Law on Cybersecurity Coordination and Governance (Ley de Coordinación y Gobernanza de la Ciberseguridad). The draft law was approved by the Council of Ministers on 14 January 2025 and is intended to transpose Directive (EU) 2022/2555 into Spanish law.
The proposed legislation is a substantial reform of Spain’s cybersecurity regulatory architecture. Among other things, it establishes a National Cybersecurity Center, which will coordinate cybersecurity policy and act as the national point of contact with EU institutions.
The draft legislation significantly expands the scope of cybersecurity regulation in Spain. The NIS 2 framework applies to organisations operating in sectors considered critical to the economy and society, including energy, transport, healthcare, digital infrastructure, and public administration.
Entities falling within the scope of the law will be classified as essential entities or important entities, and will be required to implement cybersecurity risk management measures, incident reporting procedures, and governance mechanisms consistent with the directive’s requirements.
The proposed legislation also strengthens supervisory powers and introduces administrative penalties for non-compliance.
The Spanish government has granted the draft law urgent legislative status in order to accelerate its adoption and comply with EU obligations. Nevertheless, the law has not yet completed the parliamentary process. As of early 2026, the bill is expected to be formally submitted to the Spanish Parliament for consideration, and further amendments may still be introduced during the legislative debate. Because the law has not yet been enacted or published in the Boletín Oficial del Estado (BOE), it does not yet constitute binding national legislation.
EU - Transposition, Member States