How Does the NIS2 Regulation Affect Spain?


On January 14, the Spanish government announced the approval of the preliminary draft of the new Spanish cybersecurity law, named the “Cybersecurity Coordination and Governance Law”.

This law is the transposition of the Network and Information Security 2 Directive (NIS2), approved by the EU in 2022, and its stated aim is “reinforcing the protection of networks and information systems, which are subject to serious cyber threats and risks that require adapted, coordinated and innovative responses”. The intention is to position this new law as the most important cybersecurity regulation in Spain.

The following are the most important points contained in the preliminary draft of the law.

Creation of the National Center for Cybersecurity

In order to constitute a single competent national authority for cybersecurity, it is proposed to create the National Cybersecurity Center, which will carry out functions of direction, coordination and supervision, as well as the promotion of the activities provided for by the law.

It will also act as the single point of contact for cross-border and cross-sector cooperation, as the national authority for cybersecurity crisis management and as the national cybersecurity incident response team, coordinating the network of national reference CSIRTs (Cybersecurity Incident Response Teams): CCN-CERT, INCIBE-CERT and ESPDEF-CERT.

Entity classification

The new law classifies entities into two types based on their level of criticality in relation to national security, the market and other key aspects of cybersecurity:

Essential Entities

These are organizations whose service interruption or failure could have a significant impact on public safety, public order, public health, or cause critical systemic risks. Given their relevance, they are subject to a series of measures:

  • Risk management measures: Implement individualized risk assessments and take measures to ensure the security of their systems.
  • Incident Notification: Report any significant incidents through the National Cyber Incident Notification and Tracking Platform.
  • Designation of information security officers: Each entity should have a point of contact in charge of coordinating with the competent authorities.

Essential entities are classified as those that meet the established size and criticality criteria:

  1. Large companies (≥250 employees and annual turnover > €50 million or annual balance sheet total > €43 million).
  2. Providers of public electronic communications networks or electronic communications services if they are medium-sized companies (50-249 employees and annual turnover or annual balance sheet total between €10 and €50 million).
  3. Qualified trust service providers and top-level domain name registries, as well as DNS service providers, regardless of size.
  4. Entities of the General State Administration and Administrations of Autonomous Communities.
  5. Entities identified by the control authorities as essential due to the critical impact of their services.
  6. Critical entities according to applicable regulations.
  7. Entities that before January 16, 2023 were already identified as operators of essential services according to Royal Decree-Law 12/2018.

Important Entities

They are considered less critical than the essential ones, but equally relevant to ensure an adequate level of cybersecurity in specific sectors:

  1. Any entity of the sectors listed in Annexes I and II of the law that does not meet the requirements to be an essential entity.
  2. Municipalities with more than 20,000 inhabitants and their institutional public sector entities.
  3. Entities identified by the control authorities as important, based on the criticality of the service provided.

Creation of a catalog of measures necessary for cybersecurity risk management

The draft bill specifies a list of security requirements that entities must implement to ensure the security of their systems and networks:

  • Incident Response and Crisis Management: Implement clear and effective procedures for detecting, responding to and recovering from cybersecurity incidents. These procedures should include periodic drills and cybersecurity audits.
  • Vulnerability Management and Disclosure: Establish protocols to identify, manage and report vulnerabilities in systems, and share the information obtained with other relevant entities and authorities.
  • Cybersecurity Testing: Conduct regular tests, such as penetration exercises, to identify potential weaknesses in systems.
  • Effective Use of Encryption: Adopt advanced encryption solutions to protect sensitive data in transit and at rest.
  • Supply Chain Protection: Assess and ensure the security of suppliers and external partners, especially in critical sectors such as digital infrastructure, energy and healthcare.
  • National Platform for Notification and Monitoring of Cyber Incidents: It will be created for the purpose of facilitating the exchange of technical information and coordination among stakeholders. All regulated entities are required to use this platform to report significant incidents.

With regard to cybersecurity risk management measures and notification obligations, the following are contemplated:

  • Each entity shall designate an information security officer responsible for coordinating and supervising the implementation of the above measures, who shall also act as a liaison between the organization and the national authorities.
  • Entities must notify any significant incident that affects the continuity of their services or information security. These notifications must be made within the deadlines established by law, prioritizing speed in order to contain possible impacts.

Control authorities (such as the National Cybersecurity Department and CSIRTs) will oversee the correct implementation of these measures.

Penalty regime

The sanctioning regime proposed for this law classifies infractions as very serious, serious and minor, with their respective sanctions.

  • Very serious infractions: Failure to implement critical cybersecurity risk management measures; failure to report a significant incident affecting the continuity of essential services; gross negligence resulting in significant risks to national security or the economy; failure to comply with authorities’ requirements in relation to incidents or audits…
  • Serious infractions: Partial non-compliance with cybersecurity risk management measures; incomplete, erroneous or late notifications; resistance to cooperate with the competent authorities during investigations…
  • Minor infractions: minor deficiencies in the implementation of technical or organizational measures; delays in the designation of the Information Security Officer or its communication to the authorities…

The applicable sanctions range from administrative fines to corrective measures or non-economic sanctions.

  • Administrative fines:
    • Very serious infractions: Up to €10,000,000 or 2% of annual worldwide turnover (whichever is greater) for essential entities and up to €7,000,000 or 1.4% of annual worldwide turnover (whichever is greater) for important entities. *
    • Serious infractions: will be sanctioned with fines from €100,001 to €500,000. *
    • Minor infractions: will be sanctioned with fines from €10,000 to €100,000.

* Very serious and serious infringements may be accompanied by an accessory sanction of a public warning in the “Official State Gazette”.

  • Non-financial penalties: From temporary suspension of the provision of services to exclusion from aid programs or public contracts.
  • Corrective actions: Continuous monitoring by authorities, mandatory security audits or imposition of action plans to address specific deficiencies.

Violations committed by Public Sector entities will not be subject to administrative fines or non-financial sanctions, but they may be warned with corrective measures.

In addition, it should be noted that no personal financial penalties are established.

Conclusions

The Cybersecurity Coordination and Governance Law, derived from the standards established in the European NIS2 Directive, represents an evolution with respect to the NIS1 Directive, which, although it marked a milestone in the regulation of cybersecurity, left areas for improvement that are now addressed with an approach better adapted to the constantly changing digital environment. In economic and practical terms, it is estimated that this law will cost the Spanish business fabric approximately €2,250 million, directly affecting almost 4,000 important entities and 1,819 essential entities.

Furthermore, with the creation of the National Cybersecurity Center as a single authority, the aim is to strengthen coordination and supervision, improving the response to cyberthreats both at national level and in the field of international cooperation. In short, this law marks a crucial step forward in the governance of cybersecurity, strengthening the protection of strategic infrastructures and fostering a culture of digital security in a context of growing technological interdependence.

Cybersecurity and compliance with InprOTech

With the introduction of this new draft bill, it is crucial to be prepared for the changes that will directly impact the protection of systems and data. At InprOTech, we offer industrial cybersecurity consulting services to help your company comply with the new Cybersecurity Coordination and Governance Law and NIS2 regulations. If you are interested, you can contact us by clicking here.

In addition, our team of experts at Inprosec offers NIS2 audit services for companies in any sector. Click here and we will help you ensure compliance and protection of your critical assets.
