Cybersecurity regulation in Spain (2026)
Spain already has a comprehensive, horizontal cybersecurity legal framework in force: RDL 12/2018 (transposing the 2016 NIS Directive) with RD 43/2021, the public-sector National Security Scheme (RD 311/2022), and a partial NIS2 transposition via RDL 7/2025. The full NIS2 transposition — the draft Ley de Coordinación y Gobernanza de la Ciberseguridad approved by the Council of Ministers on 14 January 2025 — remains pending parliamentary approval as of 2026, and the European Commission issued a reasoned opinion against Spain in May 2025 for missing the 17 October 2024 deadline. Mandatory incident-reporting and breach-notification duties already apply under the in-force instruments.
Key points
RDL 12/2018 transposes EU Directive 2016/1148 (NIS) and, with implementing RD 43/2021, regulates the security of networks and information systems of essential-service operators and digital-service providers across sectors, sets the strategic/institutional framework, and grants inspection powers.
RD 311/2022 regulates the Esquema Nacional de Seguridad, mandating security measures and incident-handling capabilities for the public sector and its technology suppliers, with CCN-CERT as central technical coordinator.
Real Decreto-ley 7/2025 partially transposes NIS2; its obligations are enforceable from entry into force while the full transposition law is finalised.
The Anteproyecto de Ley de Coordinación y Gobernanza de la Ciberseguridad, approved by the Council of Ministers on 14 January 2025 (creating a National Cybersecurity Centre and management-accountability rules), remains in the parliamentary process and is not yet published in the BOE.
Essential-service operators and digital-service providers must notify incidents with significant disruptive effects; under the ENS, public-sector entities report to CCN-CERT and private collaborating entities report incident responses to INCIBE-CERT.
Spain missed the 17 October 2024 NIS2 deadline; the European Commission sent a reasoned opinion on 7 May 2025 (alongside 18 other Member States), a step toward referral to the Court of Justice of the EU with possible financial penalties.
Timeline - major decisions & events
After opening infringement proceedings in November 2024, the Commission escalated by issuing a reasoned opinion citing Spain's failure to fully transpose NIS2 (Directive (EU) 2022/2555) by the October 2024 deadline. Spain now risks referral to the Court of Justice of the EU and daily penalty fines.
Source: European Commission – Digital Strategy
The National Security Council agreed on 24 April 2025 to begin work on a new National Cybersecurity Strategy, superseding the 2023 edition; the decision was published in the BOE on 23 May 2025 as Orden PJC/522/2025. This signals a continued cycle of strategic renewal as the threat landscape evolves.
Source: BOE – Boletín Oficial del Estado
Spain's cabinet approved the draft Law on Cybersecurity Coordination and Governance to transpose NIS2, creating a National Cybersecurity Center under the Presidency as the single competent authority, designating CCN-CERT (public sector), INCIBE-CERT (private sector), and the Joint Cyber Space Command as reference CSIRTs, and imposing proportionate security and incident-reporting obligations on essential and important entities.
Source: La Moncloa – Spanish Government
The National Security Council approved Spain's Second National Cybersecurity Strategy, updating the 2019 edition to address AI-powered threats, hybrid warfare, and supply-chain attacks. At the same time, a new Cybersecurity Management and Cooperation Unit was established under the DSN to coordinate cross-sectoral and public-private cyber policy.
Source: Departamento de Seguridad Nacional (DSN)
The RansomHouse group attacked Hospital Clínic de Barcelona, forcing the cancellation of 150 surgeries and ~3,000 outpatient appointments and taking laboratory, pharmacy, and emergency systems offline for weeks. The attackers demanded €4.5 million; the Spanish government refused to pay. The incident intensified debate over mandatory cybersecurity standards in healthcare ahead of NIS2 transposition.
Source: INCIBE-CERT
Royal Decree 311/2022 replaced the 2010 ENS, tightening mandatory security requirements for all public-sector information systems and for private suppliers providing services to the state. It introduced tailored compliance profiles for local authorities, universities, and cloud environments, and required entities to achieve full conformity within 24 months.
Source: BOE – Boletín Oficial del Estado
Royal Decree 43/2021 developed the 2018 NIS transposition law (RDL 12/2018) in detail: it specified procedures for designating operators of essential services, mandated the appointment of a CISO within each operator, and set precise incident-notification thresholds and timelines for reporting to CSIRTs. It remained the primary operative NIS compliance instrument until NIS2 transposition.
Source: BOE – Boletín Oficial del Estado
Approved by the National Security Council and published via Order PCI/487/2019, the 2019 National Cybersecurity Strategy superseded the 2013 edition by addressing ransomware, hybrid threats, and critical-infrastructure vulnerabilities. It set objectives for full ENS implementation, critical-infrastructure protection, cybersecurity culture, and support for the domestic cybersecurity industry.
Source: BOE – Boletín Oficial del Estado
RDL 12/2018 implemented Directive (EU) 2016/1148 (NIS), imposing binding security measures, risk-assessment obligations, and mandatory incident notification to CCN-CERT (public-sector entities) or INCIBE-CERT (private-sector operators) on operators of essential services and digital service providers. It established a supervisory and sanction framework and was the foundation of Spain's modern cybersecurity legal order.
Source: BOE – Boletín Oficial del Estado
Created by agreement of the National Security Council on 5 December 2013 and formally constituted on 24 February 2014, the Consejo Nacional de Ciberseguridad became Spain's apex inter-ministerial cybersecurity body, coordinating policy across public administrations, intelligence agencies, and the private sector, and advising the President on national cyber-risk.
Source: Departamento de Seguridad Nacional (DSN)
Law 8/2011 and implementing Royal Decree 704/2011 created CNPIC (National Centre for Critical Infrastructure Protection) and required designated operators across 12 strategic sectors (energy, water, transport, ICT, finance, health, etc.) to appoint security officers, prepare specific protection plans, and report cyber-incidents — the first legally binding cybersecurity obligations for critical-sector operators in Spain.
Source: BOE – Boletín Oficial del Estado
The original (2010) National Security Scheme mandated minimum information-security measures for all Spanish public administrations and e-government services delivered to citizens. It introduced a risk-based security categorisation system (low / medium / high), mandatory audits, and a controls catalogue — establishing the foundational cybersecurity framework for the public sector that remains operative today in updated form.
Source: BOE – Boletín Oficial del Estado
Last verified 5/25/2026 · Orientation, not legal advice - verify against the primary sources cited above.