Spain’s NIS2 Cybersecurity Overhaul: Prepare for the New Cybersecurity Framework
Published on 27th March 2025
Spain has introduced a draft cybersecurity law to implement the EU NIS2 Directive

The law will broaden the range of “essential” and “important” entities subject to cyber regulations and impose stricter risk management, governance, and incident reporting obligations. Companies in critical sectors should assess their status and prepare now for the upcoming compliance requirements. We offer a few preliminary recommendations to stay ahead.
Who Is Covered? Assess Essential vs. Important Status
Spain’s draft Cybersecurity Coordination and Governance Law, which seeks to transpose the EU NIS2 Directive, broadens the regulatory scope compared with its predecessor. Companies operating in critical sectors such as energy, transport, healthcare, finance, and digital infrastructure must assess whether they are deemed “essential” or “important” institutions for the purposes of the law. Generally, medium-sized and larger organizations in key sectors (those with 50+ employees that also meet specific financial thresholds) are likely to be included. However, certain entities, such as qualified trust service providers, DNS operators, and top-level domain registries, would be regulated irrespective of size. Moreover, even companies headquartered abroad but with a permanent establishment in Spain may fall under this regime if their cybersecurity management is centered in Spain.
It is advisable for companies to map their operations against the draft bill’s criteria as soon as possible. A detailed self-assessment should help companies determine their status in advance and ensure they are prepared for regulatory scrutiny.
Enhancing Cybersecurity Operations and Organization
Once a company’s regulatory status is determined, the focus should shift to reinforcing its cybersecurity framework. The draft bill requires a robust risk management program covering technical, operational, and organizational measures. This includes:
- Incident detection and response: Establish real-time monitoring with a Security Operations Center (SOC) or external CSIRT partnerships.
- Data protection and continuity planning: Implement measures such as encryption, multi-factor authentication, and rigorous backup strategies.
- Supply chain security: Assess and secure vendor networks, ensuring that third-party risks are managed effectively.
Many organizations are aligning their practices with recognized standards like ISO/IEC 27001 or Spain’s National Security Framework (ENS). By performing a gap analysis and updating controls now, companies would not only reduce risks but also streamline the future compliance processes.
It is advisable for companies to conduct an internal audit of their cybersecurity measures and invest in training programs to keep their staff and leadership updated on evolving threats and trends.
Registration Obligations and Deadlines
A key component of the draft bill is the mandatory registration of all in-scope entities. The National Cybersecurity Centre will compile a registry, and companies must submit detailed information to it, such as company details, contact points, technical data (e.g., IP ranges), and cross-border operational data, within three months of being designated as an “essential” or “important” institution by the Spanish National Cybersecurity Centre.
For multinational groups, whether group-wide or individual registration applies is still under discussion, but early preparation is crucial. The draft sets transitional deadlines, with digital service providers and infrastructure operators expected to complete their registration by early 2025 (which, given the current status of the draft, would likely be delayed).
It is advisable for companies to begin collating the necessary documentation and designate an internal team to oversee the registration process as soon as the law is enacted.
Governance: Security Officers, Board Duties, and Training
Enhanced governance under the upcoming law requires that cybersecurity becomes a boardroom priority. Senior management and board members must ensure robust security risk management practices are in place. Every regulated entity must designate a dedicated information security officer (or CISO) to serve as the primary contact with regulators and coordinate internal cybersecurity measures. For “essential” or “important” institutions, this role requires accreditation from the Spanish Ministry of Internal Affairs. Additionally, the law mandates ongoing training for both the security officer and board members to ensure they are well-versed in emerging cyber threats and regulatory requirements.
It is advisable for companies to establish a regular training schedule and update their governance framework so that cybersecurity oversight is integrated into all strategic decisions. Companies should empower their appointed security officer with clear authority and resources to lead these initiatives.
Working with Regulators: Reporting Incidents and Cross-Border Compliance
The new regulatory framework intensifies interaction with supervisory authorities. Regulated entities must report significant cybersecurity incidents through a multi-stage notification process:
- Early Warning: Notify regulators within 24 hours of incident detection with a preliminary alert.
- Detailed Report: Follow up within 72 hours with a comprehensive incident report including technical details.
- Final Report: Submit a final, in-depth report within one month after resolving the incident.
In addition, the draft bill outlines protocols for informing customers when their services are affected and mandates cross-border cooperation for incidents impacting multiple EU member states.
It is advisable for companies to develop and test their incident response plan to ensure they can meet these strict timelines. It is equally advisable to maintain comprehensive logs during incidents to facilitate accurate and timely reporting, and establish clear communication channels with the designated national CSIRT and other supervisory authorities.
Enforcement: Sanctions and Liability Risks
Non-compliance with the upcoming law would carry significant financial and reputational risks. The enforcement framework features a tiered system of fines:
- Minor infringements: Fines up to EUR 100,000.
- Serious violations: Fines may reach up to EUR 500,000.
- Very serious breaches: Fines can escalate to EUR 2 million, or even higher amounts for “essential” or “important” institutions, potentially reaching up to EUR 10 million or 2% of global turnover.
Beyond fines, regulators may impose public reprimands and corrective orders, including mandatory audits and, in extreme cases, business restrictions until compliance is achieved. Senior management may also face personal accountability under this regime.
It is advisable for companies to develop a documented compliance program, perform regular internal audits, and ensure all cybersecurity efforts are well documented. This preparation would not only help mitigate fines but would also serve as evidence of due diligence during potential investigations.
Osborne Clarke Comment
By taking these proactive measures, companies would not only mitigate the risks of substantial fines and reputational damage but would also strengthen their overall cybersecurity posture. In today’s digital landscape, robust cybersecurity is both a regulatory necessity and a competitive advantage. Thus, we see sizeable advantages in planning ahead to turn these regulatory challenges into opportunities for enhanced resilience and business continuity.