Cybersecurity · Spain
Spain already has a comprehensive, horizontal cybersecurity legal framework in force: RDL 12/2018 (transposing the 2016 NIS Directive) with RD 43/2021, the public-sector National Security Scheme (RD 311/2022), and a partial NIS2 transposition via RDL 7/2025. The full NIS2 transposition — the draft Ley de Coordinación y Gobernanza de la Ciberseguridad approved by the Council of Ministers on 14 January 2025 — remains pending parliamentary approval as of 2026, and the European Commission issued a reasoned opinion against Spain in May 2025 for missing the 17 October 2024 deadline. Mandatory incident-reporting and breach-notification duties already apply under the in-force instruments.
RDL 12/2018 transposes EU Directive 2016/1148 (NIS) and, with implementing RD 43/2021, regulates the security of networks and information systems of essential-service operators and digital-service providers across sectors, sets the strategic/institutional framework, and grants inspection powers.
RD 311/2022 regulates the Esquema Nacional de Seguridad, mandating security measures and incident-handling capabilities for the public sector and its technology suppliers, with CCN-CERT as central technical coordinator.
Real Decreto-ley 7/2025 partially transposes NIS2; its obligations are enforceable from entry into force while the full transposition law is finalised.
The Anteproyecto de Ley de Coordinación y Gobernanza de la Ciberseguridad, approved by the Council of Ministers on 14 January 2025 (creating a National Cybersecurity Centre and management-accountability rules), remains in the parliamentary process and is not yet published in the BOE.
Essential-service operators and digital-service providers must notify incidents with significant disruptive effects; under the ENS, public-sector entities report to CCN-CERT and private collaborating entities report incident responses to INCIBE-CERT.
Spain missed the 17 October 2024 NIS2 deadline; the European Commission sent a reasoned opinion on 7 May 2025 (alongside 18 other Member States), a step toward referral to the Court of Justice of the EU with possible financial penalties.
Machine-assisted translation · verified 5/25/2026 · orientation, not legal advice.