The war in Iran catches Spain with its cybersecurity law outdated

The Government has been due to transpose the NIS2 Directive since October 2024. A Draft Bill is already on the table, but it is reportedly waiting for the new European Cybersecurity package and the Digital Omnibus on AI


Geopolitical tensions have made reinforcing countries' cybersecurity an urgent matter. The risk of foreign interference and the threat of hybrid conflicts force states to strengthen this flank, especially with an open war in Iran and with the United States in a full rhetorical standoff with the Government of Spain for not supporting its offensive. The question is: is Spain at the forefront when it comes to defending itself from potential cyberattacks and digital intrusions that could affect essential services, democratic processes or key economic sectors?

The President of the Government, Pedro Sánchez, is perfectly aware of this threat. Indeed, in the package he announced almost a year ago (in April 2025) to raise defense spending to 2% of GDP, he specified that 31% of the 10,471 million euros invested would be dedicated to developing, manufacturing and acquiring new telecommunications and cybersecurity capabilities.

The purpose was to create a kind of "digital shield" to guarantee the protection of rights in this area against hackers, while stimulating the cloud, 5G, Artificial Intelligence and quantum computing.

It is as vital to invest in strengthening the "digital shield" as it is to have up-to-date legislation

Just as fundamental as investing is keeping legislation updated and adapted to rapid technological change, giving institutions effective tools to prevent, detect and respond to these threats. This is a pending issue for Spain, since the war in Iran has caught it with a cybersecurity law that is obsolete with respect to the European framework.

Pending a transposition that does not arrive

Already in January 2024, the then Minister for Digital Transformation and Public Function, José Luis Escrivá (now governor of the Bank of Spain), promised before the corresponding committee of the Congress of Deputies a new cybersecurity law that would act as a regulatory umbrella and institutionalize the actions already carried out by Interior, Defense and the National Cryptologic Center. It never arrived. And not only did it not arrive: the Government is also far behind in regulating this matter.

It has been over a year since the Preliminary Draft Law on Cybersecurity Coordination and Governance passed its first reading in the Council of Ministers (specifically, on January 14, 2025). This is the initiative through which the Executive intends to transpose Directive (EU) 2022/2555, commonly known as the NIS2 Directive, which should already have been integrated into the Spanish legal system before October 2024.

The delay exposes Spain to a possible sanction by the Court of Justice of the European Union (CJEU), but the most damaging consequence is that it leaves the entities subject to the rule without a specific, defined legislative framework, generating legal uncertainty.

Critical entities

NIS2 would apply to all public and private entities that have their tax domicile in Spain (or in any other Member State) and carry out their activity in our country. It does not affect all companies, but it does affect a large majority of them, specifically those in sectors considered highly critical for the normal functioning of the country:

  • Energy (electricity, gas, oil, hydrogen).
  • Transport (air, rail, maritime, road).
  • Banking and financial markets.
  • Healthcare and pharmaceutical products.
  • Drinking water and wastewater.
  • Digital infrastructure and technology services (e.g., data centers or DNS services).
  • Public administration entities and the space sector.
  • Nuclear industry.

Likewise, it will demand compliance from other, less critical sectors, such as postal and courier services, waste management, the production, processing and distribution of food, digital service providers, scientific research and private security.

In general, NIS2 applies to entities that are medium or large enterprises, that is:

  • More than 50 employees.
  • More than 10 million in annual turnover (or balance sheet total).

It does not include micro and small businesses (fewer than 50 employees and lower turnover), except when their activity is critical or they are the sole providers of essential services.

It can also affect non-European entities that provide services within the EU, and it may include particular cases regardless of size (for example, top-level domain name service providers, public DNS providers or electronic communications providers).

What firewall does it have?

The NIS2 Directive, and consequently the Draft Cybersecurity Law, does not prescribe precise technical measures as a standard, but it does set out clear legal obligations for affected entities to strengthen their cybersecurity:

  • Risk management measures: Organizations must assess and mitigate security risks to their networks and systems; implement organizational and technical policies and controls for continuous protection; and keep documented risk and security management procedures.
  • Incident notification: Entities have between 24 and 72 hours to notify significant incidents to the competent authority.
  • Governance and accountability: The appointment of information security officers is required, and governing bodies are to assume responsibility for possible non-compliance and/or security breaches (a hot topic that we will delve into later).
  • Supervision and cooperation: Member States must supervise entities and establish national authorities to monitor compliance, as well as collaborate with other EU countries on joint risk management.

A justified delay?

The Government is aware of the importance of strengthening security against cyberattacks and hybrid attacks on essential services and democratic institutions, perpetrated by sophisticated criminal groups or even by other States. However, the Draft Bill passed its first reading in the Council of Ministers more than a year ago and no further progress has been recorded.

The delay may be due to the fact that Europe is preparing a new Cybersecurity package (the one unveiled on January 20), and both this initiative and the Digital Omnibus on AI (in public consultation until February 8) anticipate new modifications to NIS2, so Spain is waiting to transpose everything in a single piece of legislation, the Cybersecurity law.

In the Council of State

The legislative calendar in Europe will depend on the pace of interinstitutional negotiations, although Brussels hopes the regulation can be approved in the coming months. Will the Government of Spain wait before continuing with the processing of its Cybersecurity law?

For now, according to what Demócrata has learned, the Draft Cybersecurity Law approved by the Council of Ministers in January 2025 is currently before the Council of State.