The NIS Directive has not been implemented in Spain yet.
The public consultation on the transposition of the NIS Directive into Spanish law ended on 21 December 2016. During the 21-day consultation period, interested parties were able to send their comments about the transposition to the Spanish Ministry of Energy, Tourism and Digital Agenda (available here). As far as we are aware, the Spanish Government has not yet carried out the next legislative steps. On 8 January 2018, a public hearing period ended.
The Spanish Government is working on the transposition of the NIS Directive, which is expected in May 2018.
There is no implementation Act yet.
There is a draft law which was made available to the public in early December 2017. Our input is based on this draft; therefore, this information may change.
Pursuant to Article 2 of the draft, this law will apply to:
Pursuant to Article 18 of the draft law, essential operators and digital service providers must notify the competent authority of any incidents that may have significant effects on their services.
Notifications may also refer to events or incidents that may affect the networks and information systems used to provide the services, but that have not yet had a real adverse effect.
Notifications will also refer to incidents that affect the network and information systems used in the provision of the services, whether relating to the operator's own networks or services or to those of external suppliers (this applies even where they are providers of digital services and therefore subject to this law).
The operators must notify such incidents to the competent authority without undue delay. In addition, operators should make intermediate notifications to provide up-to-date information on incidents and a final notification after the incident has been resolved.
Article 36 of the draft law includes information relating to breaches of the draft law.
Infringements are categorised as very serious, serious or minor infringements.
A very serious breach would be, for example, the repeated breach of the obligation to report incidents. A serious infraction would be, for example, a breach of the obligation to report incidents with significant impact on services. A minor breach would be, for example, a breach of the obligation to report incidents without significant impact on services.
The draft includes the following penalties which apply in case of an infringement (Article 37): (i) fines of EUR 500,001 to EUR 1,000,000 for very serious infringements; (ii) fines of EUR 100,001 to EUR 500,000 for serious infringements; and (iii) warnings or fines of up to EUR 100,000 for minor infringements.
The sanctioning body will determine the sanctions based on criteria established in the draft law, such as the degree of culpability, number of users affected or the volume of billing of the offender.
Pursuant to Article 9 of the draft law, the competent authorities in the field of the security of network and information systems are the following:
Pursuant to Article 2 of the draft, the law will apply to:
Essential services established in Spain. It is understood that an essential services operator is established in Spain when it is resident in or has its registered office in the Spanish territory, provided that this coincides with the place where it carries out its administrative management and the management of its business activities.
This law will also apply to essential services that operators resident or domiciled in another state offer through a permanent establishment located in Spain.
Last reviewed 28.02.2018