NIS2 Implementation in the EU
Spain (Europe)
Firm | Uría Menéndez |
Contributors | Leticia López-Lapuente, Martin Montilla Castile |
Updated | 03 Feb 2025 |
Status | Ongoing |
Status of the NIS2 Implementation Act | On 17 January 2025, the Spanish Ministry of Interior approved and published the draft Law on Cybersecurity Coordination and Governance, which implements the NIS2 Directive. The draft has not yet been passed. As the deadline for transposing the NIS2 Directive expired on 17 October 2024, the Ministry of Interior decided to process this draft law through an urgent procedure. In any case, other ministries and public entities, such as the Spanish Data Protection Authority or the Bank of Spain, will issue their comments on the current version of the draft law, so the text may yet undergo changes. |
If available, foreseeable significant deviations of the National Implementation Act from the NIS2 Directive | Although it is still a draft law that may undergo changes, the current published wording contains some deviations from the NIS2 Directive. Non-exhaustive examples:
- The Spanish draft law provides specific guidance about the appointment of the information security officer.
- The Spanish draft law includes “traceability” as a security aspect that may be affected by security incidents. In this regard, the NIS2 Directive includes “confidentiality”, “availability”, “authenticity” and “integrity”, but not “traceability”.
|
Expected date of entry into force of the Implementation Act | Unclear. No specific deadline is currently foreseen, although the Ministry of Interior has decided to process the draft through an urgent procedure. |