Current status of implementation

The NIS Directive has not yet been implemented in Spain.

The public consultation on the transposition of the NIS Directive into Spanish law ended on 21 December 2016. During the 21-day consultation period, interested parties were able to send their comments on the transposition to the Spanish Ministry of Energy, Tourism and Digital Agenda. A public hearing period on the draft law subsequently ended on 8 January 2018. As far as we are aware, the Spanish Government has not yet taken the next legislative steps.

The Spanish Government is working on the transposition of the NIS Directive, which is expected in May 2018.

Implementation Act

There is no implementation Act yet.

There is a draft law, which was made available to the public in early December 2017. Our input is based on this draft; the information below may therefore change.

Determination of operators of essential services (Art. 5 NIS)

Pursuant to Article 2 of the draft, the law will apply to:

  1. Essential services dependent on networks and information systems in the following sectors: Transport, Food, Financial and Tax System, Administration, Space, Nuclear industry, Chemical industry, Research facilities, Water, Energy, Health, and Information and Communication Technologies (TIC, the Spanish acronym); and
  2. Digital services that are online marketplaces, online search engines and/or cloud computing services.

Reporting obligations

Pursuant to Article 18 of the draft law, operators of essential services and digital service providers must notify the competent authority of any incident that may have a significant effect on their services.

Notifications may also refer to events or incidents that may affect the networks and information systems used to provide the services, but that have not yet had a real adverse effect.

Notifications must also cover incidents affecting the networks and information systems used to provide the services, whether those networks and systems are the operator's own or belong to external suppliers (this applies even where the supplier is itself a digital service provider and therefore subject to this law).

Operators must notify such incidents to the competent authority without undue delay. In addition, operators must make intermediate notifications to provide up-to-date information while an incident is ongoing, and a final notification once the incident has been resolved.

Sanctions regime

Article 36 of the draft law sets out the infringements of the draft law.

Infringements are categorised as very serious, serious or minor infringements.

A very serious infringement would be, for example, the repeated breach of the obligation to report incidents. A serious infringement would be, for example, a failure to report an incident with a significant impact on services. A minor infringement would be, for example, a failure to report an incident without a significant impact on services.

The draft provides for the following penalties in case of an infringement (Article 37): (i) fines of EUR 500,001 to EUR 1,000,000 for very serious infringements; (ii) fines of EUR 100,001 to EUR 500,000 for serious infringements; and (iii) warnings or fines of up to EUR 100,000 for minor infringements.

The sanctioning body will determine the sanction on the basis of criteria established in the draft law, such as the degree of culpability, the number of users affected or the offender's turnover.

Competent authorities

Pursuant to Article 9 of the draft law, the competent authorities for the security of network and information systems are the following:

  1. For operators of essential services:
    • Where they are also critical operators designated under Law 8/2011, of 28 April, the Secretary of State of the Ministry of the Interior, acting through the National Centre for Protection of Infrastructures and Cybersecurity (CNPIC).
    • Where they are not critical operators, the sectoral authority competent for the subject matter, as determined by implementing regulation.
  2. For digital service providers: the Secretary of State for the Information Society and the Digital Agenda, of the Ministry of Energy, Tourism and Digital Agenda.

Jurisdictional applications

Pursuant to Article 2 of the draft, the law will apply to:

  1. Operators of essential services established in Spain. An operator of essential services is deemed to be established in Spain when it is resident in, or has its registered office in, Spanish territory, provided that this coincides with the place where it actually carries out the administration and management of its business activities.

    The law will also apply to essential services that operators resident or domiciled in another State provide through a permanent establishment located in Spain.

  2. Digital service providers that have their registered office in Spain, as well as those which, without being established in the European Union, designate their representative in the Union for the purposes of compliance with Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016.

Remarks (if any)

The Spanish legislator will have to coordinate the new obligations with existing legislation, in particular (i) Law 8/2011, of 28 April, which establishes measures for the protection of critical infrastructures; (ii) Law 36/2015, of 28 September, on National Security; and (iii) Royal Decree 3/2010, of 8 January, which regulates the National Security Scheme (Esquema Nacional de Seguridad), the special regulation on the security of information systems in the public sector.

Last reviewed 28.02.2018