NIS2 in Spain: a technical translation of 2026 obligations

Key takeaways

  • NIS2 (Directive (EU) 2022/2555) has been enforceable since 17 October 2024 even though Spain’s transposition is still in parliament; the Commission issued a reasoned opinion in May 2025 over the delay.
  • Ten technical minimum measures (Art. 21) set the baseline: risk analysis, incident management, continuity, supply chain, cryptography, MFA, training.
  • Notification window: 24h early warning → 72h initial report → 1 month final report to the national authority (CCN-CERT / INCIBE-CERT).
  • Supply chain is the most painful shift: you must evaluate and monitor critical ICT providers, not only secure your own systems.
  • ENS (the Spanish National Security Framework) and NIS2 integrate in practice: if you already comply with ENS HIGH, much of NIS2 is covered by construction.

State of the transposition: draft bill and the Commission’s reasoned opinion

Timeline:

  • 27 Dec 2022: Directive (EU) 2022/2555 (NIS2) published.
  • 17 Oct 2024: transposition deadline for member states; Spain misses it.
  • 14 Jan 2025: Council of Ministers approves the draft Cybersecurity Coordination and Governance Act.
  • May 2025: European Commission issues a reasoned opinion against Spain over the delay.
  • 2026: parliamentary processing still ongoing at end of H1.

The fact that the BOE has not yet published the national law does NOT mean the obligations are unenforceable: the directive has vertical direct effect for public administrations, and the failure to transpose exposes the State to sanctions, not companies. But once the law is published, adaptation timelines are short (typically six months).

Who’s in scope: essential vs important entities

NIS2 broadens the scope of NIS1 and splits covered entities into two categories:

  • Essential (Annex I): energy, transport, banking, financial market infrastructure, health, drinking and waste water, digital infrastructure (IXP, DNS, TLD, cloud, datacenter, CDN), managed ICT services (MSP/MSSP), public administration, space.
  • Important (Annex II): postal/courier, waste management, manufacturing, food, chemicals, digital services (online marketplaces, search engines, social media), research.

Default size threshold: medium-sized enterprises (≥50 employees or >€10M turnover) and large enterprises. Exceptions exist: critical ICT providers are always in scope, and micro-enterprises are always out unless they pose a specific risk.

Quick test: if the main activity appears in Annex I/II AND the entity exceeds the size thresholds → you’re in scope. If unsure, ask INCIBE.

The ten technical minimum measures (Art. 21)

  1. Risk analysis and risk assessment of information systems.
  2. Incident management (detect, respond, recover capability).
  3. Business continuity and crisis management.
  4. Supply chain security — including relationships with direct providers and suppliers.
  5. Security in acquisition, development, and maintenance.
  6. Policies and procedures to assess the effectiveness of the measures.
  7. Basic cyber hygiene + cybersecurity training.
  8. Policies on cryptography and, where appropriate, encryption.
  9. Human resources security, access control, asset management.
  10. Multi-factor authentication (MFA) or continuous authentication, secure communications (voice, video, text).

Not a menu: all ten are mandatory. Proportionality applies to the “how” (system maturity), not the “what”.

Incident notification: 24h / 72h / 1 month

Mandatory cadence for a significant incident:

  • ≤ 24h from detection: early warning: whether a malicious cause is suspected, whether there is cross-border impact, and an initial severity assessment.
  • ≤ 72h from detection: initial report — description, severity, impact, IOCs if available.
  • ≤ 1 month from detection: final report — detailed description, root cause, applied measures, recommendations.
  • On request: intermediate reports when the authority asks.

In Spain, the receiving authority is CCN-CERT for the public sector and INCIBE-CERT for the private sector. AESIA may request information if the incident involves AI systems under the AI Act.

Supply chain: the most painful change

NIS2 introduces an explicit obligation to evaluate suppliers. In practice:

  • Inventory of critical ICT providers — those that, if they fail, affect your operating capacity.
  • Minimum contractual clauses on security, notification, incident cooperation.
  • Right to audit or equivalent (SIG questionnaires, ISO 27001/SOC 2, sustained evidence).
  • SBOM monitoring of relevant commercial software.
  • Exit plan or substitution for concentrated-risk providers.

The cultural shift: it is no longer enough to secure your own systems. The company is responsible for the security posture of its entire supply chain.

Connection with ENS and Royal Decree 311/2022

Spain has had its National Security Framework (ENS) since 2010, updated by RD 311/2022. The intersection with NIS2:

  • ENS HIGH category covers most of NIS2 Art. 21 measures.
  • ENS targets the public sector and its contractors; NIS2 extends the obligations to the private sector.
  • An entity already at ENS HIGH with mature supply-chain management has little extra work for NIS2.
  • Starting from zero, the shortcut is to reach ENS MEDIUM and extend it with a provider inventory.

How to prepare before BOE publication

Already-actionable steps:

  1. Determine if you’re in scope: check Annex I/II + thresholds.
  2. Inventory critical systems and ICT providers.
  3. Implement the 10 Art. 21 measures or raise maturity where partial.
  4. Define the internal notification chain: detection → triage → regulatory notification.
  5. Provider clauses: review existing and new contracts.
  6. Training + tabletop exercises annually with realistic scenarios.
  7. Log retention and traceability: minimum 1 year, 2 years recommended.

For the AI complement, see EU AI Act 2026: technical checklist for Spanish CTOs. For supply-chain context, see supply-chain attacks 2023 and the cybersecurity baseline in cybersecurity protection against digital threats.

Official sources: INCIBE FAQ NIS2[1], CCN-CERT[2], Directive (EU) 2022/2555 on EUR-Lex[3].

  1. INCIBE FAQ NIS2
  2. CCN-CERT
  3. Directive (EU) 2022/2555 on EUR-Lex

Written by

CEO - Jacar Systems

Passionate about technology, cloud infrastructure and artificial intelligence. Writes about DevOps, AI, platforms and software from Madrid.