{"id":6860,"date":"2025-02-18T09:30:00","date_gmt":"2025-02-18T08:30:00","guid":{"rendered":"https:\/\/lawwwing.com\/?p=6860"},"modified":"2025-03-11T13:55:37","modified_gmt":"2025-03-11T12:55:37","slug":"spain-advances-in-cybersecurity-the-nis2-directive-draft-approved","status":"publish","type":"post","link":"https:\/\/lawwwing.com\/en\/spain-advances-in-cybersecurity-the-nis2-directive-draft-approved\/","title":{"rendered":"Spain Advances in Cybersecurity: The NIS2 Directive draft Approved"},"content":{"rendered":"\n<div style=\"height:32px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p><strong>On January 14, 2025<\/strong>, Spain\u2019s Council of Ministers approved the Draft Law on Cybersecurity Coordination and Governance, aimed at transposing Directive (EU) 2022\/2555\u2014better known as <a href=\"https:\/\/lawwwing.com\/retraso-en-la-trasposicion-de-la-directiva-nis-2-en-espana\/\" data-type=\"link\" data-id=\"https:\/\/lawwwing.com\/retraso-en-la-trasposicion-de-la-directiva-nis-2-en-espana\/\" target=\"_blank\" rel=\"noreferrer noopener\">NIS2<\/a>\u2014into Spanish law. The transposition had been delayed on the government's agenda since October 17, 2024.<\/p>\n\n\n\n<p>This directive, in<strong> force since January 16, 2023<\/strong>, seeks to<strong> strengthen the cybersecurity framework<\/strong> across the European Union, replacing the previous NIS Directive (EU) 2016\/1148.<\/p>\n\n\n\n<div style=\"height:40px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\">What\u2019s new in the directive?<\/h2>\n\n\n\n<p>One of the main changes introduced by NIS2 is the <strong>expansion of its scope<\/strong>. The regulation no longer applies only to large companies but also extends to <strong>small and medium-sized enterprises<\/strong> (SMEs) operating in critical sectors.<\/p>\n\n\n\n<p>The high-criticality sectors include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Energy and nuclear industry<\/li>\n\n\n\n<li>Transport<\/li>\n\n\n\n<li>Banking<\/li>\n\n\n\n<li>Financial markets<\/li>\n\n\n\n<li>Healthcare<\/li>\n\n\n\n<li>Water supply<\/li>\n\n\n\n<li>Digital infrastructure<\/li>\n\n\n\n<li>Technology services<\/li>\n\n\n\n<li>Public administration<\/li>\n\n\n\n<li>Postal and courier services<\/li>\n\n\n\n<li>Waste management<\/li>\n\n\n\n<li>Chemical industry<\/li>\n\n\n\n<li>Manufacturing<\/li>\n\n\n\n<li>Food distribution<\/li>\n\n\n\n<li><strong>Digital service providers<\/strong><\/li>\n\n\n\n<li>Scientific research<\/li>\n\n\n\n<li>Private security<\/li>\n<\/ul>\n\n\n\n<div style=\"height:40px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\">More cybersecurity obligations<\/h2>\n\n\n\n<p>Yes, you read that right. The NIS2 Directive significantly expands cybersecurity obligations for<strong> digital services<\/strong>, covering cloud service providers, distributed computing platforms, data centers, content delivery networks (CDNs), digital trust services, and domain name registrars.<\/p>\n\n\n\n<p>Additionally, <strong>B2B technology companies<\/strong>\u2014such as enterprise software developers, IT infrastructure providers, and managed security service providers (MSSPs)\u2014fall under the directive\u2019s scope. Online marketplaces, search engines, and social networks are also included, as they play a key role in the EU\u2019s digital infrastructure.<\/p>\n\n\n\n<p>These entities must comply with <strong>strict security, risk management, and incident reporting<\/strong> <strong>requirements <\/strong>to ensure greater resilience against cyber threats.<\/p>\n\n\n\n<p>Organizations subject to NIS2 are classified into two categories: <strong>essential<\/strong> and <strong>important<\/strong>, based on their criticality and potential impact on national and EU security. They must conduct individualized risk assessments and implement measures to <strong>protect their networks and information systems.<\/strong><\/p>\n\n\n\n<p>Also, companies will face new reporting obligations\u2014to authorities and, where applicable, to users\u2014when incidents occur. The National Cybersecurity Center will be established as the national authority responsible for directing, promoting, and coordinating all cybersecurity-related activities.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img decoding=\"async\" width=\"1024\" height=\"682\" src=\"https:\/\/lawwwing.com\/wp-content\/uploads\/2025\/02\/cyber-4610993_1280-1024x682.jpg\" alt=\"\" class=\"wp-image-6827\" style=\"object-fit:cover;width:800px;height:300px\" srcset=\"https:\/\/lawwwing.com\/wp-content\/uploads\/2025\/02\/cyber-4610993_1280-1024x682.jpg 1024w, https:\/\/lawwwing.com\/wp-content\/uploads\/2025\/02\/cyber-4610993_1280-300x200.jpg 300w, https:\/\/lawwwing.com\/wp-content\/uploads\/2025\/02\/cyber-4610993_1280-768x512.jpg 768w, https:\/\/lawwwing.com\/wp-content\/uploads\/2025\/02\/cyber-4610993_1280.jpg 1280w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<div style=\"height:40px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\">Stricter penalties<\/h2>\n\n\n\n<p>The NIS2 Directive introduces a tougher sanctions regime to ensure compliance. <strong>Essential entities<\/strong> could face fines of up to <strong>\u20ac10 million or 2% of their annual turnover<\/strong>, while <strong>important entities<\/strong> could be fined up to <strong>\u20ac7 million or 1.4% of their annual turnover.<\/strong><\/p>\n\n\n\n<div style=\"height:40px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\">Who will be affected?<\/h2>\n\n\n\n<p>Even if a company is not directly subject to NIS2, it could still be impacted if it <strong>supplies a business that is<\/strong>. In these cases, customers may require security certifications or assessments, as the entire supply chain must comply with cybersecurity requirements.<\/p>\n\n\n\n<p>That said, we\u2019re still waiting for the final publication and an official list of affected companies to fully understand the directive\u2019s scope\u2014a crucial aspect of this regulation.<\/p>\n\n\n\n<p>If you\u2019re unsure whether your website complies with digital regulations like privacy and cookies, <strong>Lawwwing<\/strong> can conduct a <a href=\"https:\/\/lawwwing.com\/escaner-de-cookies\/?_gl=1*99zf1f*_up*MQ..*_ga*ODM0ODkxODU4LjE3MzkxODkxMTI.*_ga_PVQTMLESR8*MTczOTE4OTExMi4xLjAuMTczOTE4OTExMi4wLjAuMA..\" data-type=\"link\" data-id=\"https:\/\/lawwwing.com\/escaner-de-cookies\/?_gl=1*99zf1f*_up*MQ..*_ga*ODM0ODkxODU4LjE3MzkxODkxMTI.*_ga_PVQTMLESR8*MTczOTE4OTExMi4xLjAuMTczOTE4OTExMi4wLjAuMA..\" target=\"_blank\" rel=\"noreferrer noopener\">legal audit<\/a> for you.<\/p>\n\n\n\n<div class=\"wp-block-buttons has-base-background-color has-background is-content-justification-center is-layout-flex wp-container-core-buttons-is-layout-1 wp-block-buttons-is-layout-flex\">\n<div class=\"wp-block-button is-style-fill\"><a class=\"wp-block-button__link has-background wp-element-button\" href=\"https:\/\/app.lawwwing.com\/en\/signup\/\" style=\"background-color:#5533ff\" target=\"_blank\" rel=\"noreferrer noopener\">Get it Free<\/a><\/div>\n<\/div>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>On January 14, 2025, Spain\u2019s Council of Ministers approved the Draft Law on Cybersecurity Coordination and Governance, aimed at transposing Directive (EU) 2022\/2555\u2014better known as NIS2\u2014into Spanish law. The transposition had been delayed on the government's agenda since October 17, 2024. This directive, in force since January 16, 2023, seeks to strengthen the cybersecurity framework [&hellip;]<\/p>\n","protected":false},"author":7,"featured_media":6894,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"content-type":"","inline_featured_image":false,"footnotes":""},"categories":[364,462,461,445,460,463,464],"tags":[360,465,447,403,378,466,429,426,467],"class_list":["post-6860","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-2025-3","category-cybersecurity","category-directive","category-european-union","category-nis2-2","category-pymes-2","category-tecnology","tag-2025-2","tag-cybersecurity","tag-european-union","tag-fines","tag-laws","tag-nis2-3","tag-security","tag-seguridad","tag-tecnology"],"acf":[],"_links":{"self":[{"href":"https:\/\/lawwwing.com\/en\/wp-json\/wp\/v2\/posts\/6860","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lawwwing.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lawwwing.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lawwwing.com\/en\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/lawwwing.com\/en\/wp-json\/wp\/v2\/comments?post=6860"}],"version-history":[{"count":6,"href":"https:\/\/lawwwing.com\/en\/wp-json\/wp\/v2\/posts\/6860\/revisions"}],"predecessor-version":[{"id":7201,"href":"https:\/\/lawwwing.com\/en\/wp-json\/wp\/v2\/posts\/6860\/revisions\/7201"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lawwwing.com\/en\/wp-json\/wp\/v2\/media\/6894"}],"wp:attachment":[{"href":"https:\/\/lawwwing.com\/en\/wp-json\/wp\/v2\/media?parent=6860"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lawwwing.com\/en\/wp-json\/wp\/v2\/categories?post=6860"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lawwwing.com\/en\/wp-json\/wp\/v2\/tags?post=6860"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}