NIS 2 status in Spain
What the directive requires, where the Spanish transposition stands, and how CCN and INCIBE fit in the meantime.
Overview
The NIS 2 directive is the EU layer. It binds every member state, including Spain, with one cybersecurity floor for essential and important entities. Spain has to put that floor into Spanish law and run a supervision regime under it.
Spain missed the 17 October 2024 transposition deadline set in Article 41 of NIS 2. The Council of Ministers approved an Anteproyecto de Ley de Coordinación y Gobernanza de la Ciberseguridad on 14 January 2025, but as of mid-2026 the bill is still in the legislative procedure and has not been published in the Boletín Oficial del Estado.
Until the bill becomes law, the previous Real Decreto-ley 12/2018 (the NIS 1 transposition) keeps applying, and supervision continues to be split across the National Cryptologic Centre (CCN) and the National Cybersecurity Institute (INCIBE), with sector authorities for finance and other regulated sectors. The European Commission sent a reasoned opinion on 7 May 2025 over the missing transposition.
EU directive
Directive (EU) 2022/2555 (NIS 2)
The EU-wide cybersecurity directive. Sets the obligations every member state must transpose, including the size and sector tests for essential and important entities. The authoritative Spanish version is published on EUR-Lex.
EU implementation
Commission Implementing Regulation (EU) 2024/2690
Technical and methodological measures for digital infrastructure providers. Directly applicable in Spain without national transposition.
Spanish transposition (in process)
Anteproyecto de Ley de Coordinación y Gobernanza de la Ciberseguridad
Approved by the Council of Ministers on 14 January 2025. The text creates a Centro Nacional de Ciberseguridad attached to the Presidencia del Gobierno as the proposed single national competent authority. The bill is still in the legislative procedure; until it is enacted, the prior Real Decreto-ley 12/2018 (NIS 1 transposition) continues to apply.
Ley de Coordinación y Gobernanza de la Ciberseguridad (draft)
The draft carries the NIS 2 obligations into Spanish law, defines essential and important entities, sets supervision powers, incident reporting duties and sanctions. Until the law is published in the BOE, the directive itself is the operative reference for entities operating in Spain alongside the existing Real Decreto-ley 12/2018.
Proposed Centro Nacional de Ciberseguridad
The draft proposes a Centro Nacional de Ciberseguridad attached to the Presidencia del Gobierno as the single national competent authority and EU contact point. In the interim, supervision is split: CCN for public sector and Esquema Nacional de Seguridad scope, INCIBE for private sector and citizens, with sector regulators competent in their own areas.
Article 41 deadline missed
Article 41 of NIS 2 set the transposition deadline at 17 October 2024. Spain has not met that deadline. The European Commission sent Spain a reasoned opinion on 7 May 2025, which is the second formal stage of an infringement procedure before referral to the Court of Justice of the EU.
Local law applies inside Spain
Operations on Spanish territory follow the Spanish transposition once it is enacted. A German Geschäftsführer running a Spanish subsidiary will read the eventual Ley de Coordinación y Gobernanza de la Ciberseguridad for that subsidiary, not the German BSIG. In the interim period, Real Decreto-ley 12/2018 plus the directive itself remain the reference.
Spain cannot go below the EU floor
The directive is a minimum harmonisation instrument. The fact that the Spanish transposition is delayed does not lower the floor. Essential and important entity duties, incident reporting deadlines and management body accountability remain anchored in the directive and in EU case law on direct effect of unimplemented directives.
INCIBE and INCIBE-CERT
The Instituto Nacional de Ciberseguridad, attached to the Ministry of Digital Transformation. INCIBE-CERT is the reference incident response centre for citizens and private-law entities. For incidents affecting critical private sector operators it is jointly operated with the Ministry of the Interior's cybersecurity coordination office.
CCN and CCN-CERT
The Centro Criptológico Nacional, attached to the Centro Nacional de Inteligencia (CNI). CCN-CERT is the governmental CERT for the public sector, set up in 2006 under Law 11/2002, Real Decreto 421/2004 and Real Decreto 311/2022, which regulates the Esquema Nacional de Seguridad (ENS).
ENISA
The EU cybersecurity agency. Publishes guidance, manages the European vulnerability database and supports cross-border coordination. Not a supervisor for Spanish entities; CCN, INCIBE and sector authorities are, with the proposed Centro Nacional de Ciberseguridad to consolidate the role once the law is enacted.
Misconception: If Germany has BSIG, Spain has a similar law in force.
Germany itself has not yet enacted the NIS2UmsuCG and is in the same delayed position. Spain is more advanced on the draft side (the Anteproyecto cleared the Council of Ministers on 14 January 2025) but the BOE has not yet published an enacted text. Spanish subsidiaries cannot point to a finalised national law and have to read the directive directly plus the previous Real Decreto-ley 12/2018.
Misconception: There is no Spanish law in force, so nothing to do yet.
The directive itself took effect at the EU level on 18 October 2024, and EU case law gives unimplemented directives partial direct effect against the State. The 17 April 2025 deadline for Member States to be able to identify essential and important entities is binding on Spain regardless of the bill. Operators should be preparing scope checks, incident reporting processes and management body sign-off now, not waiting for the BOE.
Misconception: Our sector regulator will tell us what to do.
Some sectors have a clear regulator (finance with the Banco de España and DORA as lex specialis, energy with CNMC). Many do not have a single line of sight yet because the draft law has not finished defining the supervision architecture. The directive's obligations apply regardless of which national body ends up enforcing them.
Most Spanish mid-market operators we see treat NIS 2 as a problem they can postpone until the Boletín publishes the final law. That is an expensive bet. The directive's 17 October 2024 deadline has already passed, the Commission has already moved to the reasoned-opinion stage on 7 May 2025, and the substantive obligations (management body approval of risk measures, 24h early warning, 72h notification, supply chain clauses) do not change between the draft and any plausible final text.
The practical move is the same as everywhere else in the EU: confirm scope under the directive, prepare for registration once the Centro Nacional de Ciberseguridad portal is announced, set up the four continuous obligations (registration upkeep, incident reporting, supply chain risk management, management body oversight), and document the minimum. Existing CCN and INCIBE guidance plus Real Decreto-ley 12/2018 reporting channels remain usable while the new law is pending.
We build the NIS 2 obligation register on the EU layer, not on any single national transposition. The same checklist works for a Spanish subsidiary referring to the eventual Ley de Coordinación y Gobernanza de la Ciberseguridad, a German parent using BSIG, and a Dutch sister using the Cyberbeveiligingswet. Article references switch per locale; the substantive obligations do not.
For Spanish scope you start with the applicability check against the directive's Annexes I and II, then move to incident reporting cadence, supply chain clauses and management body sign-off. Where CCN, INCIBE or sector regulators publish guidance, we reference it; we do not duplicate it.
- Directive (EU) 2022/2555 (NIS 2), Article 41 transposition deadline. EUR-Lex.
- Commission Implementing Regulation (EU) 2024/2690.
- Anteproyecto de Ley de Coordinación y Gobernanza de la Ciberseguridad, approved by the Council of Ministers on 14 January 2025. Departamento de Seguridad Nacional (dsn.gob.es).
- European Commission, reasoned opinion to Spain for failure to notify full transposition of NIS 2, 7 May 2025.
- Real Decreto-ley 12/2018, NIS 1 transposition, Boletín Oficial del Estado.
- CCN-CERT — Centro Criptológico Nacional, founded 2006 under Ley 11/2002 and Real Decreto 421/2004; Real Decreto 311/2022 on the Esquema Nacional de Seguridad.
- INCIBE-CERT — Instituto Nacional de Ciberseguridad, Ministerio para la Transformación Digital.