On January 14, 2025, Spain’s Council of Ministers approved the Draft Law on Cybersecurity Coordination and Governance, aimed at transposing Directive (EU) 2022/2555—better known as NIS2—into Spanish law. The transposition had been delayed on the government's agenda since October 17, 2024.
This directive, in force since January 16, 2023, seeks to strengthen the cybersecurity framework across the European Union, replacing the previous NIS Directive (EU) 2016/1148.
One of the main changes introduced by NIS2 is the expansion of its scope. The directive no longer applies only to large companies but also extends to small and medium-sized enterprises (SMEs) operating in critical sectors.
The high-criticality sectors include:
Yes, you read that right. The NIS2 Directive significantly expands cybersecurity obligations for digital services, covering cloud service providers, distributed computing platforms, data centers, content delivery networks (CDNs), digital trust services, and domain name registrars.
Additionally, B2B technology companies—such as enterprise software developers, IT infrastructure providers, and managed security service providers (MSSPs)—fall under the directive’s scope. Online marketplaces, search engines, and social networks are also included, as they play a key role in the EU’s digital infrastructure.
These entities must comply with strict security, risk management, and incident reporting requirements to ensure greater resilience against cyber threats.
Organizations subject to NIS2 are classified into two categories: essential and important, based on their criticality and potential impact on national and EU security. They must conduct individualized risk assessments and implement measures to protect their networks and information systems.
Companies will also face new reporting obligations—to authorities and, where applicable, to users—when incidents occur. The National Cybersecurity Center will be established as the national authority responsible for directing, promoting, and coordinating all cybersecurity-related activities.
The NIS2 Directive introduces a tougher sanctions regime to ensure compliance. Essential entities could face fines of up to €10 million or 2% of their annual turnover, while important entities could be fined up to €7 million or 1.4% of their annual turnover.
Even if a company is not directly subject to NIS2, it could still be impacted if it supplies a business that is. In these cases, customers may require security certifications or assessments, as the entire supply chain must comply with cybersecurity requirements.
That said, we’re still waiting for the final publication and an official list of affected companies to fully understand the directive’s scope—a crucial aspect of this regulation.
If you’re unsure whether your website complies with digital regulations like privacy and cookies, Lawwwing can conduct a legal audit for you.