The transposition deadline for the NIS2 Directive — Directive (EU) 2022/2555 — was 17 October 2024. Spain, like the majority of EU Member States, did not meet it. The Spanish Council of Ministers approved the draft Anteproyecto de Ley de Coordinación y Gobernanza de la Ciberseguridad — the legislative vehicle for transposition — on 14 January 2025, and the draft entered urgent parliamentary procedure. As of January 2026 the law has still not been published in the Boletín Oficial del Estado (BOE), meaning Spanish entities currently sit between a directly applicable obligation under EU law and the absence of national implementation. The legal gap has real consequences for both supervisors and entities, and the Commission's enforcement clock is running.
What is the Commission doing?
On 7 May 2025 the European Commission sent a reasoned opinion to 19 Member States — including Spain — that had failed to complete the transposition of NIS2 by the October 2024 deadline. Under Article 258 of the Treaty on the Functioning of the EU, a reasoned opinion is the formal second stage of infringement proceedings. The Commission gave the affected Member States two months to respond and to communicate the measures they had taken or were planning to take. The next escalation step is referral to the Court of Justice of the European Union, which can ultimately impose lump-sum and periodic penalty payments under Article 260 TFEU. Spain's response in July 2025 cited the urgent parliamentary procedure and an updated expected adoption timeline, but the BOE publication has not followed.
What is the draft law actually called?
The vehicle is the Anteproyecto de Ley de Coordinación y Gobernanza de la Ciberseguridad — translated as the Draft Law on Cybersecurity Coordination and Governance. It is distinct from Spain's existing Royal Decree-Law 12/2018, which transposed NIS1. The new draft creates a more centralised governance model around the Centro Criptológico Nacional (CCN), the Instituto Nacional de Ciberseguridad (INCIBE), and the Centro de Operaciones de Ciberseguridad de la Administración General del Estado (COCS-AGE), and assigns sectoral competence in defined areas. It transposes the Directive's tiered classification of essential and important entities and aligns penalty ceilings to NIS2 Article 34 — 10 million EUR or 2% of global turnover for essential entities, and 7 million EUR or 1.4% of global turnover for important entities.
What happens to Spanish entities in the meantime?
Three distinct effects apply during the transposition gap. First, NIS2 has direct effect in only limited respects. The Directive's substantive obligations on entities (Articles 20-25) are not directly applicable in the absence of national implementing measures, because they require Member State action to designate competent authorities, establish registration procedures, and define administrative sanctions. Spanish entities cannot be fined under NIS2 today through Spanish law. Second, however, entities operating across multiple Member States — for example a Spanish-headquartered SaaS vendor with operations in Germany, Italy, and Portugal — face the transposed regime in those jurisdictions and must comply locally there. Article 26 of NIS2 confers cross-border competence on the Member State of main establishment for essential entities, which currently means Spanish-headquartered firms operating cross-border face genuine jurisdictional ambiguity. Third, the existing NIS1 transposition (RD-Ley 12/2018) remains in force until expressly repealed, leaving a legacy regime that is narrower in scope and lighter in penalty structure than NIS2 envisages.
Who will be the competent authorities?
The draft assigns supervision based on entity classification:
# Draft competent authority map (Anteproyecto de Ley, January 2025 draft)
CCN-CERT (Centro Criptológico Nacional)
    -> Public administration entities
    -> Essential entities in critical sectors with national security nexus
INCIBE-CERT (Instituto Nacional de Ciberseguridad)
    -> Important entities in non-critical sectors
    -> SMEs and digital service providers
ESPDEF-CERT (Defence Ministry CERT)
    -> Defence industrial base entities
Banco de España, CNMV
    -> Financial sector (alongside DORA supervision)
Sectoral regulators
    -> Energy (CNMC), Health, Transport, Water
This split is broader than under NIS1, which concentrated most supervision in the Ministry of Interior and CCN. The fragmentation has been one of the topics raised in parliamentary debate, with industry associations arguing that a single-point coordination model would simplify compliance.
What should Spanish entities prepare regardless of timing?
The shape of the final law is unlikely to deviate materially from the Directive's text, and entities can prepare against four documented anchors. First, build the inventory of in-scope status: the size and sector test under NIS2 Article 2 determines obligation, regardless of national implementation timing. Second, complete a self-assessment against Article 21 of NIS2 (Article 24 of the draft Spanish law) covering the ten technical and organisational measures, with documented evidence. Third, exercise the 24-hour, 72-hour, and one-month incident reporting cadence with an internal table-top, even if there is no national reporting endpoint yet. Fourth, document supply chain risk assessments for direct suppliers and service providers, in proportion to the criticality of services received. The draft explicitly mirrors NIS2's supply chain language, and entities that have already implemented the obligation will face minimal incremental work once the BOE publication lands.
What about the cross-border effect?
For multinational Spanish-headquartered entities, the practical advice is to plan to the highest-bar transposition in any Member State where they operate. France's Resilience Bill, Germany's NIS2UmsuCG, and Italy's Decree 138/2024 all create live obligations in their territories, and a Spanish parent that fails the substantive cybersecurity measures of NIS2 in its operations abroad faces direct fines in those jurisdictions. The forum-shopping benefit of remaining headquartered in a Member State with delayed transposition is therefore limited — and risks reputational and procurement consequences when customers and partners ask for NIS2 evidence packs.
How Safeguard Helps
Safeguard generates the Article 21 evidence pack that essential and important entities will need on the day Spain's transposition lands: software inventory, SBOM-backed component visibility, supplier risk scoring, and incident workflow aligned to the 24/72-hour/one-month cadence. Even before the BOE publication, the platform enables Spanish entities operating cross-border to meet the highest-bar transposition wherever they have operations — German BSI Act, Italian Decree 138/2024, French Resilience Bill — through a single control framework. Policy gates enforce the ten technical and organisational measures inside CI/CD pipelines so that secure development, vulnerability management, cryptography, and access control are evidenced controls rather than policy statements. When CCN-CERT or INCIBE-CERT eventually open their reporting endpoints, Safeguard's incident integrations will route notifications in the structured format the supervisor expects.