	NIS2 Implementation in the EU
	Spain
	(Europe) Firm Uría Menéndez Contributors Leticia López-Lapuente Martin Montilla Castile Updated 03 Feb 2025
Status	Ongoing
Status of the NIS2 Implementation Act	The Spanish Ministry of Interior approved and published on 17 January 2025 the draft Law on Cybersecurity Coordination and Governance (link) which implements the NIS2 Directive. This is a draft not yet passed. As the deadline for transposing the NIS2 Directive expired on 17 October 2024, the Ministry of Interior decided to process this draft law through an urgent procedure. In any case, other ministries and public entities such as the Spanish Data Protection Authority or the Bank of Spain will issue their comments on the current version of the draft law, so the text may yet undergo changes.
If available, foreseeable significant deviations of the National Implementation Act from the NIS2 Directive	Although it is still a draft law that may undergo changes, the current wording made public contains some deviations from the NIS2 Directive. For example, in a non-exhaustive manner: The Spanish draft law provides specific guidance about the appointment of the information security officer. The Spanish draft law includes “traceability” as a security aspect that may be affected by security incidents. In this regard, the NIS2 Directive includes “confidentiality”, “availability”, “authenticity” and “integrity”, but not “traceability”.
Expected date of entry into force of the Implementation Act	Unclear. There is not a specific deadline foreseen for now, although the Ministry of Interior has decided to process it through an urgent procedure.

NIS2 Implementation in the EU

Back XLS

Status

Ongoing

Status of the NIS2 Implementation Act

The Spanish Ministry of Interior approved and published on 17 January 2025 the draft Law on Cybersecurity Coordination and Governance (link) which implements the NIS2 Directive. This is a draft not yet passed. As the deadline for transposing the NIS2 Directive expired on 17 October 2024, the Ministry of Interior decided to process this draft law through an urgent procedure. In any case, other ministries and public entities such as the Spanish Data Protection Authority or the Bank of Spain will issue their comments on the current version of the draft law, so the text may yet undergo changes.

If available, foreseeable significant deviations of the National Implementation Act from the NIS2 Directive

Although it is still a draft law that may undergo changes, the current wording made public contains some deviations from the NIS2 Directive. For example, in a non-exhaustive manner:

The Spanish draft law provides specific guidance about the appointment of the information security officer.
The Spanish draft law includes “traceability” as a security aspect that may be affected by security incidents. In this regard, the NIS2 Directive includes “confidentiality”, “availability”, “authenticity” and “integrity”, but not “traceability”.

Expected date of entry into force of the Implementation Act

Unclear. There is not a specific deadline foreseen for now, although the Ministry of Interior has decided to process it through an urgent procedure.

NIS2 Implementation in the EU

Spain

NIS2 Implementation in the EU

Spain

Members