The Cyber-Resilience Act, as discussed in our article “CYBER RESILIENCE ACT. PROCEDURES REQUIRED FOR DIGITAL PRODUCTS IN THE EU” came into force on the 10th of December 2024.
Alongside the Cyber-Resilience Act, an important piece of cybersecurity legislation in the EU is the Network and Information Systems Directive (NIS Directive). The NIS Directive was a pioneering piece of EU legislation which, in the context of increasing security incidents, was introduced to safeguard the cross-border nature of the internet. It was adopted on the 6th of July 2016 and entered into force on the 8th of August 2016, with the aim of ensuring digital security between Member States.
In order to enhance Member States’ cybersecurity capabilities through broader, clearer and stronger oversight tools, the NIS Directive was repealed, giving way to Directive (EU) 2022/2555 (the NIS2 Directive), which entered into force on 16 January 2023. The national legislation of each Member State must adapt to the NIS2 Directive by the 17th of October 2024 (article 41 of the NIS2 Directive).
In this article we will analyse the main amendments to the NIS2 Directive and the status of transposition in Spain.
I.- Amendments introduced by the NIS2 Directive
1) Scope of application of sectors
The scope of application of the NIS Directive was limited to operators in the energy, transport, banking, financial market infrastructures, health and water sectors, and to digital service providers.
With the NIS2 Directive, the following sectors will now also be covered:
- HIGH-RISK SECTORS (ANNEX I of the NIS2 Directive)
Energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, ICT service management (business-to-business), public administration, space.
- OTHER CRITICAL SECTORS (ANNEX II of the NIS2 Directive)
Postal and courier services, waste management, manufacture, production and distribution of chemicals, production, processing and distribution of food, manufacturing of certain products (defined in Annex II), digital service providers, research.
Entities within the scope of NIS2 may be identified or designated as essential or important depending on factors such as their size, sector or the critical nature of their activities.
2) Sanctions.
Under the NIS Directive, sanctions for non-compliance were to be set by each Member State.
Under the NIS2 Directive, essential entities will be sanctioned with administrative fines of a maximum of at least EUR 10 million, or a maximum of at least 2% of the total worldwide annual turnover, whichever is higher. Furthermore, important entities may be sanctioned with administrative fines of a maximum of at least EUR 7 million or a maximum of at least 1.4% of the total worldwide annual turnover, whichever is higher.
3) Obligations.
Two main aspects of the obligations introduced by the NIS2 Directive are worth highlighting:
(a) Incident reporting.
Although the NIS Directive did not set a deadline for incident reporting, Article 23.4 (a) of the NIS2 Directive requires an early warning within 24 hours of becoming aware of a significant incident. Paragraph (b) of the same article requires a notification which shall include an initial assessment of the significant incident, including its severity and impact, as well as indicators of compromise, etc.
And paragraph (d) of the same article requires a final report on the details of the incident, which shall include the type of threat, or root cause, the applied and ongoing mitigating measures implemented, and the cross-border impact of the incident, no later than one month after the submission of the notification under paragraph (b).
(b) Cybersecurity risk management.
Article 21.2 of the NIS2 Directive requires that essential entities adopt cybersecurity risk management measures, including the following elements:
a) Policies on risk analysis and information system security;
b) Incident handling;
c) Business continuity, such as backup management and disaster recovery, and crisis management;
d) Supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;
e) Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;
f) Policies and procedures to assess the effectiveness of cybersecurity risk-management measures;
g) Basic cyber hygiene practices and cybersecurity training;
h) Policies and procedures regarding the use of cryptography and, where appropriate, encryption;
i) Human resources security, access control policies and asset management;
j) The use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.
II.- Status of application in Spain
As mentioned above, Member States were supposed to have transposed the NIS2 Directive into national law by the 17th of October 2024, but at that point Spain had not yet completed the process.
On the 14th of January 2025, the Council of Ministers approved the preliminary draft Law on the Coordination and Governance of Cybersecurity.
The approved draft bill specifies that the public or private entities affected by this regulation are those with tax residence in Spain or those that, having their residence in another EU Member State, offer their services or carry out their activity in Spain.
The draft bill establishes the figure of the information security officer as the person or body designated by the entities to be responsible for the functions of point of contact and technical coordination. In the essential entities (the most relevant depending on their size), the information security officer must obtain the status of accredited personnel.
As regards the governance regime, the draft bill introduces the National Cybersecurity Strategy and creates the National Cybersecurity Centre, a single contact body with the European Union attached to the General Secretariat of the Presidency of the Government, which will be responsible for the direction, promotion and coordination in this area, will ensure cross-sector and cross-border cooperation with other competent authorities and will be the cybersecurity crisis management authority.
In addition, the draft bill identifies a series of cybersecurity incident response teams whose tasks include monitoring and analysing cyberthreats, vulnerabilities and incidents detected at national level, as well as providing assistance, if requested, to affected entities and responding to cybersecurity incidents.
The draft bill will now pass to the Spanish Parliament for consideration. Operators subject to the NIS2 Directive and this law should follow the legislative situation in Spain and make the necessary preparations.
Satoshi Minami
Vilá Abogados
22nd January 2025