The European Union’s Directive on measures for a high common level of cybersecurity across the Union (aka NIS2) is no longer a distant regulatory cloud on the Spanish horizon. Most of Europe has been racing toward (or past) the EU transposition deadline, and Spain is still working through its own national version — with a few local twists you’ll want on your radar.
I know what you’re thinking: another set of acronyms to track while trying to keep the lights on and the hackers out. But this one isn’t just a “tick-the-box” exercise; it’s a real shift in how leadership is expected to treat cyber risk.
In this article, I’ll break down where Spain stands with the NIS2 transposition and what your team should do to be ready.
TL;DR: The Essentials
Spain is working on an anteproyecto (draft bill) known as the Ley de Coordinación y Gobernanza de la Ciberseguridad, intended to transpose NIS2 into Spanish law.
- Status: Still a draft (anteproyecto), not yet published in the BOE (Boletín Oficial del Estado, Spain’s Official State Gazette). Once it is published, it enters into force the following day.
- Scope: Broad coverage of “essential” and “important” entities, with sector contact points listed in annexes (including nuclear industry and private security).
- Biggest change: Management accountability is explicit, including joint and several liability (responsabilidad solidaria) for infringements.
- Action: If you’re already aligned with the ENS (Esquema Nacional de Seguridad), you’re not starting from zero — the draft ties compliance evidence to ENS-based approaches (including a “Perfil de Cumplimiento Específico”).
Timelines and Legislative Milestones
If you feel like you missed a deadline, you’re not imagining it. The EU transposition deadline has passed, and the European Commission has already pushed Spain via infringement steps. (So yes: there’s pressure.)
What’s important operationally is this: as of January 2026, this is still not in the BOE, so it’s not “live” as Spanish law yet, but waiting for a last-minute scramble is still a bad plan.
Here’s a simple timeline view (with the obvious caveat: dates can shift in Parliament):
| Phase | Date / Status | Description |
|---|---|---|
| EU Transposition Deadline | 17 October 2024 | Deadline for Member States to transpose NIS2 into national law. |
| Spanish Draft Approval | 14 January 2025 | Council of Ministers approved the draft bill. |
| Infringement Steps | Late 2024 – 2025 | Commission escalation because transposition wasn’t done on time. |
| Parliamentary Processing | Ongoing | Still in the legislative pipeline (not yet BOE-published). |
| Entry into Force | Day after BOE publication | The draft law says it applies the day after it’s published in the BOE. |
One detail people miss
The draft text itself contains transitional timelines that assume much earlier dates (e.g., it references building the list of essential/important entities before 17 April 2025).
Given where we are now, those dates would almost certainly need updating in the final law — but they still show the intended direction: Spain wants a defined list, not endless ambiguity.
Structure and National Specificities
The Spain NIS2 implementation doesn’t just copy-paste the EU text; it adds some local flavor that you need to be aware of.
The CNC is real — but it won’t replace every sector authority overnight
The draft sets up a Centro Nacional de Ciberseguridad (CNC), and it’s explicitly attached to the Cabinet of the Presidency of the Government (“Gabinete de la Presidencia del Gobierno”).
That said, the system is not “one single regulator for everything.” The draft also keeps sectoral supervisory authorities (autoridades de control), including (among others) the Ministry of Interior for a sizeable group of entities, and it gets very specific for areas like private security.
It’s not “CISO accreditation”, it’s an accredited security-responsible role
A key Spanish twist is that entities must designate a “Responsable de la seguridad de la información” (responsible for information security) as a formal point of contact and technical coordinator.
And yes, there’s an “accreditation” angle — but the draft ties it to “personal acreditado” under Spain’s Ley 5/2014 de Seguridad Privada, with the details to be defined via regulation. It’s broader than “your CISO needs a badge,” and it’s written in a very Spanish-legal way.
Scope add-ons: nuclear + private security are explicitly called out
- Nuclear industry appears as “alta criticidad” (high criticality).
- Private security shows up as a defined sector with a specific point of contact (Interior / Secretaría de Estado de Seguridad).
Governance and Accountability
This is the part most teams miss: the “get out of jail free” card has been revoked for executives.
The draft is blunt: the entity is responsible, and management bodies can be jointly liable for the entity’s infringements.
Also, while the exact “how” will be refined, the draft clearly contemplates training obligations for management bodies (it even appears on the sanctionable obligations list).
Fines and Enforcement
The penalties are, frankly, eye-watering. The draft follows the familiar NIS2 pattern for the biggest tickets:
| Entity Type | Max Administrative Fine | % of Global Turnover |
|---|---|---|
| Essential | €10 million | 2% |
| Important | €7 million | 1.4% |
Those caps appear in the draft’s sanctions article.
And the “graduated scale” is very real:
- Leve (minor): €10,000 to €100,000
- Grave: €100,001 to €500,000
- Muy grave: €500,001 to €2,000,000 (with the higher NIS2-style caps available for certain very serious cases).
On enforcement powers: the draft includes provisional measures, and in practice, that can mean suspending a certification/authorization tied to the service, which is the regulatory equivalent of “your business model is about to have a very bad week.”
Short Checklist: How to Prepare
Here’s a simple checklist:
- Self-assess: Determine if you’re likely “Essential” or “Important” based on sector + size. (Then map your sector authority, not just “the CNC.”)
- Review governance: Don’t keep cyber risk “in the basement.” Management accountability is explicit, and training obligations are in scope.
- Audit your security lead: Make sure you can staff the Responsable de la seguridad de la información role properly, and track the coming “personal acreditado” details.
- Map your supply chain: Get your third parties under control (this is core NIS2 logic and shows up through risk-management expectations).
- Align with ENS: If you can anchor evidence to an ENS approach (including the “Perfil de Cumplimiento Específico”), you’ll be in a stronger position when supervision ramps up.
- Draft an incident plan: Make sure you can hit the 24h early warning, the 72h incident notification, and the one-month final report deadlines.
Using a platform like Copla can still reduce compliance anxiety (centralized evidence, easier audit readiness, less spreadsheet pain). Just make sure whatever you use supports the actual workflow the draft describes: governance evidence, role assignment, reporting timelines, and auditability.
Make NIS2 Compliance a Calm, Continuous Operating System, Not a Last-Minute Audit Project
Copla is built for teams that need NIS2 compliance without burning out staff or blowing the budget. It combines an automation-first GRC platform with experienced CISO oversight. That gives you four clear advantages:
- Cuts compliance workload by up to 80%
- Automates key NIS2 tasks across controls, evidence, and registers
- Guides execution step by step with clear ownership and built-in prompts
- Gives you CISO-level leadership without hiring a full internal team
On top of that, teams typically save €60K+ per year versus adding in-house capacity for the same workload, while staying continuously audit-ready, not “ready when the audit starts.”
The only compliance management platform you’ll need
Copla brings together capabilities such as asset and risk registries, evidence mapping, audit verification, regulatory reporting, vulnerability management, awareness training, and incident tracking — all in one place.
Your Next Steps in the Spanish Cyber-Shift
Spain’s NIS2 transposition is a major upgrade to the country’s cyber posture, but as of January 2026, it’s still not “law of the land” until it’s published in the BOE.
The smart move isn’t waiting; it’s using the extra time to get governance, the security-responsible role, ENS-aligned controls, and incident reporting muscle in place now, so when enforcement starts, you’re not trying to invent a program in 30 days.