In progress
NIS2
NIS2 in Spain
Spain is transposing NIS2 through a draft national Cybersecurity Governance Act. CCN-CERT and INCIBE share coordination duties.
Transposition law: Proyecto de Ley de Ciberseguridad Nacional (draft)
In force: Pending
Competent authority: CCN-CERT / INCIBE
Max fine (Essential): €10 million or 2% of global annual turnover
Max fine (Important): €7 million or 1.4% of global annual turnover
Full enforcement: June 2026
Key Deadlines
Enforcement target: 1 June 2026
Competent Authority
CCN-CERT / INCIBE
CCN-CERT oversees public sectors; INCIBE coordinates private entities
https://www.ccn-cert.cni.es
Spain distributes duties: CCN-CERT manages national security systems (ENS), while INCIBE handles commercial incident response and security support.
Registration Process
Registration portals will launch on INCIBE and CCN-CERT websites post-enactment.
Key Requirements
1. Register with the competent authority for your sector
2. Implement risk remediation metrics based on Esquema Nacional de Seguridad (ENS)
3. 24-hour warning message for major network anomalies
National Additions
Spain maps NIS2 requirements closely to its existing Esquema Nacional de Seguridad (ENS) certification levels.
FAQ: NIS2 in Spain
What is the role of ENS in Spain?
The Esquema Nacional de Seguridad (ENS) is Spain's established security framework, providing direct templates for NIS2 compliance.