NIS2 Directive updates
January 28, 2025
The Draft Law in Spain Enters the Approval Phase
On January 14, the Council of Ministers of the Government of Spain approved the draft bill on the Coordination and Governance of Cybersecurity, aiming to transpose the EU NIS2 Directive into Spanish law. While some steps remain for its final approval in Parliament and publication in the Official State Gazette (BOE), organizations must start preparing. Below, we share the key updates you need to know.
1. Creation of the National Cybersecurity Center (CNC)
One of the most significant changes is the creation of the National Cybersecurity Center, which will act as the highest national authority in the field. This center will take charge of the direction and coordination of all cybersecurity-related activities in Spain, functioning as:
• The single point of contact with the EU, representing national authorities.
• The authority responsible for defining strategies and coordinating responses to incidents.
2. Classification of entities: Essential and important
The draft bill retains the distinction established in NIS2. Regarding the entities within its scope, there are no changes compared to the NIS2 directive, which specifies the types as follows:
• Essential Entities: Subject to proactive supervision with stricter compliance requirements (Annex 1).
• Important Entities: Subject to reactive supervision, applied when there is evidence of non-compliance (Annex 2).
If your organization belongs to one of these groups, SNGULAR can help you define your adaptation plan for NIS2.
3. New incident notification platform
Affected entities will need to appoint an Information Security Officer as the direct contact with authorities, responsible for notifying significant incidents through the new National Cyber Incident Notification and Monitoring Platform. This platform is expected to be based on the LUCIA tool (Unified List for Incident and Threat Coordination).
Regarding incident notifications, the draft bill sets out a detailed framework prioritizing cooperation with national CSIRTs, such as INCIBE-CERT and CCN-CERT.
4. Security certification
The draft bill mandates essential entities to conduct periodic evaluations and obtain security certifications. Voluntary certification of the Specific Compliance Profile of the ENS (published in the CCN-STIC 892 guide by the National Cryptologic Center) is recognized as evidence of compliance for essential entities.
5. Sanctions and enhanced oversight by control authorities
While the sanctioning regime remains unchanged from the NIS2 Directive, control authorities will have greater powers to ensure compliance, including stricter audits and closer monitoring of how affected entities meet their obligations.
6. International cooperation
National and international cooperation is strengthened, particularly with European networks like the CSIRT Network and EU-CyCLONe, to manage cross-border incidents and foster voluntary information sharing among entities to prevent or mitigate incidents.
7. Relationship between NIS2 and DORA: Principle of precedence
Notably, the draft bill establishes the principle of DORA’s precedence over NIS2, excluding financial entities within DORA’s scope from the sanctioning regime established by this law. Those entities nonetheless remain subject to DORA’s stricter sanctioning regime.
Prepare for NIS2
Don’t let these changes catch you off guard. At SNGULAR, we have over 10 years of experience in Risk Management and Compliance (GRC) consulting, working with companies across various sectors.
Our services include:
1. GAP Analysis:
We conduct a comprehensive evaluation of your company’s regulatory compliance. We design a personalized action plan addressing critical points to ensure full alignment with applicable regulations.
2. Adaptation services:
We don’t just evaluate; we also assist in implementing the necessary measures. We execute the GAP analysis and guide your company through the remediation process, ensuring end-to-end regulatory compliance.
Where to start?
We offer a free and no-obligation NIS2 Test, designed to help you understand your company’s compliance status.
This test includes a one-on-one call with one of our experts, where we will assess your situation regarding the NIS2 Directive and provide clear, actionable recommendations.
Would you like to speak with an expert or take our free NIS2 Test?
Access our NIS2 webinar
Additionally, you can deepen your understanding by watching our latest NIS2 webinar to learn all the details.