
The Draft Law on Coordination and Governance of Cybersecurity is approved: NIS2 arrives in Spain.
JUAN ANTONIO CALLES
Last Tuesday, the Council of Ministers approved the draft Law on Coordination and Governance of Cybersecurity, a key regulation that transposes into Spanish law Directive (EU) 2022/2555 of the European Parliament and of the Council, known as NIS-2. This initiative, the result of a joint effort between the ministries of the Interior, Defense, and Digital Transformation and Public Function, aims to strengthen the protection of networks and information systems in critical sectors for the socioeconomic development of the country.
The approval of this regulation represents a significant advance in the national cybersecurity strategy, addressing the challenges posed by increasing cyber threats. The text of the draft bill establishes a legal framework that strengthens digital security, guarantees intersectoral and international cooperation, and lays the groundwork for the creation of the National Cybersecurity Center, which will act as a key body in incident management and coordination with other countries in the European Union.
Affected Entities and Sectors of Critical Interest
The draft specifies that cybersecurity regulations apply to public and private entities with tax residence in Spain, as well as to those that, although located in another Member State of the European Union, provide services or carry out activities in Spanish territory. This regulation is particularly relevant for sectors considered essential, such as energy, transport, banking, financial markets, healthcare, digital infrastructure, nuclear industry, and public administrations.
Sectors of lower criticality are also included, notably postal and messaging services, waste management, food production and distribution, digital service providers, and scientific research. These entities will be required to conduct risk assessments and implement measures that ensure the resilience of their networks and information systems, including the notification of significant incidents and the communication of relevant cyber threats to their users.
Information Security Officer Role
One of the most notable innovations of the draft bill is the creation of the position of information security officer, responsible for developing cybersecurity strategies and policies, overseeing their implementation, and ensuring compliance with current regulations. In essential entities, this officer must have specific accreditations, reflecting the importance of their role in the protection of digital assets.
The person in charge will also be the point of contact for technical coordination and incident management, ensuring quick and effective responses to any threat. This underscores the legislator's commitment to professionalization and specialization in cybersecurity.
Creation of the National Cybersecurity Center
The draft bill establishes the creation of the National Cybersecurity Center, which will be attached to the General Secretariat of the Presidency of the Government. This body will be responsible for coordinating cybersecurity actions at the national level, ensuring cooperation with other European authorities, and acting as the crisis management authority in the event of large-scale incidents.
The competencies of the National Cybersecurity Center include:
- Monitoring and analysis of cyber threats and vulnerabilities at a national scale.
- Provision of technical assistance to affected entities.
- Real-time monitoring of networks and information systems.
- Issuance of early warnings and dissemination of information about threats.
These actions aim to ensure comprehensive and effective protection, consolidating Spain as a benchmark in cybersecurity within the European context.
Control and Supervision Authorities
The draft also defines a governance framework with control authorities responsible for the supervision and execution of the established measures. These include:
- The Ministry of the Interior, through the Cybersecurity Coordination Office.
- The Ministry of Defense, through the National Cryptological Center of the National Intelligence Center.
- The Ministry for Digital Transformation and Public Function, through its Secretariats of State for Telecommunications and Digitalization.
These institutions will be responsible for verifying compliance with technical standards, inspecting systems and networks, and ensuring that cybersecurity measures are adequate and effective.
Urgent Processing
The Council of Ministers has decided to grant urgent status to the processing of this draft bill. This measure aims to expedite its final approval, given that the deadline for the transposition of the NIS-2 Directive into Spanish law expired on October 17, 2024.
The Ministry of the Interior will coordinate the necessary reports from other ministerial departments, as well as from the Council of State and the Spanish Agency for Data Protection, among other bodies. In addition, the approval of this draft bill will be communicated to the European Commission, reinforcing Spain's commitment to digital security.
Conclusion
The approval of the draft Law on Coordination and Governance of Cybersecurity represents a milestone in the protection of digital assets in Spain. The transposition of the NIS-2 Directive not only strengthens national security but also positions our country as a leader in cybersecurity in Europe, ensuring a safer and more resilient digital environment against growing global threats.
Official press release: https://www.interior.gob.es/opencms/ca/detalle/articulo/El-Consejo-de-Ministros-aprueba-el-anteproyecto-de-Ley-de-Coordinacion-y-Gobernanza-de-la-Ciberseguridad/