Draft Law on Cybersecurity Coordination and Governance

Written By

Joaquin Muñoz

Partner
Spain

I am a partner and head in Bird & Bird's Commercial and Privacy & Data Protection department in the Madrid office.

On 14 January 2025, the Council of Ministers approved the Draft Law on Cybersecurity Coordination and Governance, which aims to transpose the NIS2 Directive, in effect since January 2023, into Spanish law.

Scope of application

This draft law applies to both public and private entities with tax residence in Spain or operating in the country from other EU member states.

High-criticality sectors include energy; transport; banking; financial market infrastructures; health; drinking water; wastewater; digital infrastructures; ICT service management (business-to-business); public administration; space and the nuclear industry. The private security sector is also included among the lower-criticality sectors, alongside postal and courier services; waste management; manufacture, production and distribution of food; manufacturing; digital providers; and research.

Financial entities covered by the Digital Operational Resilience Act (DORA) regarding cybersecurity risk management and notification obligations are excluded.

National Cybersecurity Center

The Draft Law creates the National Cybersecurity Center, which will coordinate cybersecurity-related activities in Spain and act as the point of contact with the European Union. The National Cybersecurity Center will prepare a list of essential and important entities by April 17, 2025, at the latest. However, through regulatory provisions, mechanisms may be established to allow entities to register autonomously.

In addition, the National Cybersecurity Center will be responsible for developing the National Cybersecurity Strategy, which will set the strategic objectives and the necessary measures to maintain a high level of cybersecurity.

Furthermore, various ministries are assigned the role of supervisory authority over specific sectors, namely the Ministry of Defense, the Ministry of Digital Transformation, and the Ministry of the Interior, each responsible for specific types of entities.

Obligations for entities

Entities in scope must adopt technical, operational, and organisational measures to manage cybersecurity risks, including, among others, security policies, incident management, and cybersecurity hygiene measures. Essential entities must demonstrate compliance through accredited certification, while important entities can opt for certification or conduct a self-assessment.

Also, compliance with the National Security Framework will validate the adoption of the necessary measures.

Moreover, the Draft Law requires the appointment of an information security point of contact, who will be responsible for developing cybersecurity strategies and for liaising with the supervisory authorities. In essential entities, this responsible individual must be accredited by the Ministry of the Interior.

Regarding incidents, entities must promptly notify the control authority of any significant incident that occurs in their operations or service delivery, in accordance with regulatory requirements, based on its severity and impact. They must also notify the affected service recipients of any significant incidents that could cause them significant harm, as soon as possible.

These notifications should preferably be made through the information security officer and via the National Cyberincident Notification and Monitoring Platform.

Sanctions regime

The Draft Law establishes a sanctions regime that holds the members of the governing bodies of entities jointly responsible for any infractions committed.

The infractions are classified as very serious, serious, or minor. Sanctions can range from 10,000 to 10 million euros, depending on the severity of the infraction.

Next steps

The Draft Law will be processed urgently, after gathering reports from various agencies and the opinion of the Council of State. Once approved, the final text will enter into force the day after its publication in the Official State Gazette (BOE), incorporating the NIS2 Directive into Spanish law.


This article was written by Joaquin Munoz and Marzena Ewa.
