
Spain’s NIS2 Reporting Split: Which CSIRT Receives Your Incident Notification — INCIBE-CERT, CCN-CERT, or ESPDEF-CERT

Spain is one of the few EU member states with three legally distinct national Computer Security Incident Response Teams under its NIS2 framework, and sending an incident notification to the wrong one costs time you do not have inside a 24-hour early-warning window. Whether your notification belongs with INCIBE-CERT, CCN-CERT or ESPDEF-CERT depends on your entity’s legal status rather than its sector, and most guidance available in English glosses over this split.

Spain missed the EU’s NIS2 transposition deadline of 17 October 2024. The European Commission opened infringement proceedings in November 2024 and on 7 May 2025 issued a reasoned opinion for failure to transpose [1]. The Council of Ministers approved the Anteproyecto de Ley de Coordinación y Gobernanza de la Ciberseguridad at first reading on 14 January 2025; it has not yet completed the legislative process [2]. Until the law is published in the Boletín Oficial del Estado (BOE) and enters into force, Spain operates under its pre-transposition framework, chiefly Real Decreto-ley 12/2018, which transposed the 2016 NIS Directive. A directive binds the member state, not private companies directly: the requirements of Directive (EU) 2022/2555 do not become enforceable obligations on Spanish private entities until transposed, although they fix the baseline the domestic law will impose, and existing NIS1 obligations continue to apply in the meantime.

This guide explains Spain’s new Centro Nacional de Ciberseguridad (CNCS) umbrella architecture, the three-CSIRT incident notification routing decision, registration obligations, and the penalty regime as defined in the draft law and the directive itself.

Spain’s NIS2 Governance Architecture: The CNCS Umbrella

The draft law creates a Centro Nacional de Ciberseguridad (CNCS) directly attached to the Presidency of the Government — not housed under any single ministry, but at the top of the executive chain [2]. This positioning reflects NIS2’s cross-sector mandate: the CNCS sits above sectoral regulators precisely because no ministry-bound body can exercise coordination authority across energy, health, transport, and digital infrastructure simultaneously.


Under Article 8 of Directive (EU) 2022/2555, each member state must designate a single point of contact responsible for cross-border cooperation with other member states, ENISA, and the European Commission [3]. The CNCS fulfils this role in Spain, taking over from the National Security Department, which held the SPOC function under the pre-transposition framework [1].

The CNCS does not replace all existing bodies. Sectoral competent authorities retain oversight of their domains. The current governance map looks like this:

  • CNCS (new). Role under the draft law: umbrella national competent authority, single point of contact (Article 8), cross-sector coordination and cybersecurity crisis management. Predecessor function: National Security Department (SPOC under the NIS1 transposition).
  • CNPIC. Role: supervision of private-sector essential entities that are also critical infrastructure operators in designated sectors. Predecessor function: competent authority for critical operators under the NIS1 transposition.
  • CCN / CCN-CERT. Role: NIS2 supervision of public-sector entities; national CSIRT for public administrations. Predecessor function: the same, public-sector cybersecurity oversight.
  • Secretary of State for Digital Progress. Role: supervisory authority for private-sector digital service providers (cloud, DNS, CDN, MSPs). Predecessor function: oversight of digital service providers under the NIS1 transposition.
  • Sectoral authorities. Role: the energy regulator, financial supervisor, health regulator and similar bodies retain domain-level oversight. Predecessor function: various sector-specific bodies.

Spain has extended NIS2’s sectoral scope beyond the directive’s Annexes I and II. The draft law explicitly adds the nuclear industry and private security as regulated sectors — two inclusions with no counterpart in the directive itself, reflecting Spain’s national security framework under Law 36/2015 [2].

Financial entities are carved out explicitly. Spain’s draft law establishes that DORA (Regulation (EU) 2022/2554) takes precedence over NIS2 for financial sector entities, which fall under DORA’s stricter supervisory regime rather than NIS2 sanctions [4].

Which Entities Are Covered: Essential vs Important in Spain

NIS2’s entity classification uses sector and size thresholds. Spain’s draft law follows the directive’s definitions without modification for the standard categories. Approximately 12,000 Spanish organisations are expected to fall within scope — compared to fewer than 1,000 under the 2016 NIS Directive [5].

  • Essential entity. Size: large enterprise under Recommendation 2003/361/EC, meaning 250 or more employees, or more than €50M annual turnover together with more than €43M balance-sheet total. Sectors: Annex I (energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, ICT service management, public administration, space). Supervision: proactive, with regular audits, on-site inspections including unannounced checks, and random checks.
  • Important entity. Size: medium-sized enterprise, meaning 50 to 249 employees, or turnover and balance-sheet total both above €10M, without exceeding the large-enterprise ceilings; large enterprises in Annex II sectors are also important entities. Sectors: Annex II (postal and courier, waste management, chemicals, food production, manufacturing, digital providers, research) and Annex I sectors below the essential threshold. Supervision: reactive (ex post), triggered by evidence or indications of non-compliance.
  • Spain additions. Size: as defined in the draft law. Sectors: nuclear industry, private security. Supervision: specialist sectoral oversight.

Certain entities are essential regardless of size under Article 3(1): qualified trust service providers, TLD name registries and DNS service providers; providers of public electronic communications networks or publicly available electronic communications services that are at least medium-sized; central government administration entities; entities identified as critical under the CER Directive (EU) 2022/2557; and entities Spain identifies as the sole provider of a service essential to critical societal or economic activities. The supervision asymmetry between essential and important entities is operationally significant: essential entities must be ready for proactive inspections from day one, while important entities face an ex post regime that activates only on evidence or indication of non-compliance. For a structured breakdown of how these categories differ in practice, see our essential vs important entity guide and the full NIS2 scope guide.

The Three-CSIRT Routing Decision

This is where Spain’s NIS2 implementation diverges most sharply from most other EU member states. Under Article 10 of Directive (EU) 2022/2555, member states must designate one or more CSIRTs that collectively cover all sectors in Annexes I and II [6]. Most member states designate one or two. Spain maintains three, each with a legally non-overlapping mandate [7] [8].

  • Private companies in any NIS2 sector (energy, transport, health, ICT, food, manufacturing and so on). CSIRT: INCIBE-CERT. Parent body: INCIBE, attached to the Ministry for Digital Transformation and Public Administration (formerly the Ministry of Economic Affairs and Digital Transformation). Contact: pic@incibe.es (critical infrastructure operators); incidencias@incibe.es (other entities). Confirm the current reporting addresses on incibe-cert.es before relying on them, as INCIBE-CERT publishes them there.
  • Public sector entities: central and regional government bodies, public administrations, publicly owned infrastructure operators. CSIRT: CCN-CERT. Parent body: National Cryptologic Centre (CCN), part of the CNI, Ministry of Defence. Contact: CCN-CERT’s published coordination channels, including its LUCIA incident platform for connected organisations.
  • Spanish Armed Forces, Ministry of Defence networks and systems, and entities specifically entrusted with defence-related networks. CSIRT: ESPDEF-CERT. Parent body: Joint Cyberspace Command (MCCE), Ministry of Defence. Contact: MCCE channels; ESPDEF-CERT participates in NATO and EU CERT cooperation networks.

The routing boundary is entity legal status, not sector. A private hospital routes to INCIBE-CERT. A publicly-owned regional health authority routes to CCN-CERT. Both operate in the health sector under NIS2 — but the CSIRT they must notify is different. CCN-CERT’s mandate explicitly covers the “national coordination of the technical response of computer security incident response teams of the public sector in Spain” [7]. INCIBE-CERT’s mandate covers “citizens and private law entities” [8]. These mandates do not overlap.

ESPDEF-CERT’s scope is narrower still. It covers “the networks and information and telecommunications systems of the Spanish Armed Forces, as well as those other networks and systems specifically entrusted to it that may affect National Defence” [9]. Defence supply chain companies that are not themselves part of the armed forces should seek legal guidance on routing, as this boundary is not yet defined in published domestic regulation.

Cross-border incidents do not create a separate filing obligation for the entity. Article 10 obliges Spain to ensure its CSIRTs cooperate and exchange information across borders [6], and under Article 23(4)(a) the 24-hour early warning must state whether the incident could have cross-border impact. Once that flag is set, it is the Spanish CSIRT or competent authority, working through the single point of contact, that informs other affected member states and ENISA (Article 23(6)). The entity’s task is to get the notification to the right Spanish CSIRT on time with the cross-border flag correctly set; it does not notify foreign authorities directly unless it is separately in scope in those states. Informing recipients of the service, where Article 23(1) and (2) require it, is a distinct obligation that does run in parallel with the CSIRT notification.

The LUCIA platform (Unified List for Incident and Threat Coordination) is expected to serve as Spain’s national incident notification and monitoring system under the draft law [4]. Once operational, it should route notifications to the correct CSIRT based on entity registration data, reducing the manual routing decision. Until the platform is live and mandatory, entities should use direct CSIRT contact channels.

Incident Notification Timelines: Article 23 in Practice

Once you have identified the correct CSIRT, Article 23 of Directive (EU) 2022/2555 specifies a three-stage notification sequence [10]. Spain’s draft law follows this structure without modification.

  • Early warning, within 24 hours of becoming aware of the significant incident: whether the incident is suspected of being caused by unlawful or malicious acts, and whether it could have cross-border impact.
  • Incident notification, within 72 hours of awareness: an update to the early warning, an initial assessment of severity and impact, and indicators of compromise where available.
  • Final report, no later than one month after the 72-hour incident notification: a detailed description including severity and impact, the type of threat or root cause likely to have triggered it, mitigation measures applied and ongoing, and cross-border impact where applicable. If the incident is still ongoing at that point, a progress report is due instead, with the final report within one month of handling concluding.
  • Intermediate report, at any stage on request of the CSIRT or competent authority: relevant status updates.

Notification is required only for a significant incident as defined in Article 23(3): one that has caused or is capable of causing severe operational disruption of the services or financial loss for the entity, or that has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage [10]. Not every security event meets this threshold, and because the test covers potential as well as realised impact, the severity assessment has to be made early. The directive includes a significant protection: “the mere act of notification shall not subject the notifying entity to increased liability”, a provision designed to overcome the longstanding reluctance to report incidents for fear of regulatory consequence [10].

Spain’s draft law requires an appointed Responsable de la seguridad de la información (information security officer) as the formal contact with the authorities who carries the notification obligation [5]. This role differs from a standard CISO designation: the draft ties it to an accreditation framework under Ley 5/2014 de Seguridad Privada, creating a certification pathway specific to Spain that is not found in most other member state implementations.

For a full breakdown of incident classification thresholds, significant incident criteria, and cross-border notification triggers, see our Article 23 incident notification guide and the complementary incident reporting workflow.

Registration Requirements: Who Must Register and Where

For most entities, NIS2 scope is self-executing. Obligations attach the moment an entity meets the sector and size thresholds, whether or not an authority has identified it. Article 3(4) nonetheless requires member states to have in-scope entities submit basic identification details (name, address, contact details, sector and subsector, and the member states where they provide services) so that the national list of essential and important entities required by Article 3(3) can be compiled; the mechanism for this in Spain will be set by the final law.

A defined group of digital infrastructure and digital service providers is subject to the separate Article 27 registry: DNS service providers, top-level domain (TLD) name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, and providers of online marketplaces, online search engines and social networking platforms [3]. These entities submit their details (including the member states where they operate and their IP ranges) to the competent authority, which forwards them to the registry ENISA maintains; the directive set 17 January 2025 as the deadline for that submission.

Spain’s Secretary of State for Digital Progress supervises these digital service providers in the private sector during the pre-transposition period; the National Cryptologic Centre retains supervision over public-sector digital service providers [1]. Once the CNCS is operational, it will coordinate cross-sector oversight of these entities.

For the wider NIS2 entity population, registration involves two concrete steps:

  1. Self-identification: Determine whether your entity meets sector and size thresholds. INCIBE provides a dedicated NIS2 self-assessment tool (eres-NIS2) for private-sector entities at incibe.es [8]. Public sector entities should consult CCN guidance directly.
  2. Designate the Responsable de la seguridad de la información: Appoint the formal security responsible and register this person’s details with the competent authority. Spain’s draft law makes this appointment mandatory and subject to sanctions if omitted [5].

See our entity registration guide for the full ENISA database process and documentation requirements for digital service providers operating cross-border.

Management Accountability: Spain’s Solidary Liability Provision

Spain’s draft law introduces responsabilidad solidaria (joint and several liability) for management bodies: executive leadership can be held jointly liable for cybersecurity infringements, so the obligation cannot be isolated in a technical department or delegated away from the board [5].

NIS2 Article 20(1) already requires management bodies to approve cybersecurity risk-management measures, oversee their implementation, and accept that they can be held liable for infringements. Spain’s draft law makes that liability explicit and joint at entity and management level simultaneously, so board members and C-suite executives face personal exposure to administrative sanctions if the entity fails to implement adequate measures or breaches its notification obligations.

Management training obligations are also independently sanctionable. Entities must ensure their management bodies receive cybersecurity training sufficient to identify and manage cyber risk — failure to demonstrate this training is a ground for enforcement action in its own right, separate from any substantive cybersecurity failure [5].

Entities already aligned with Spain’s Esquema Nacional de Seguridad (ENS) — the national security framework governing public administration IT systems — gain a practical compliance advantage. The draft law anchors compliance evidence to ENS-based approaches and a specific compliance profile (CCN-STIC 892 guide) [4]. ENS-certified entities can map existing controls to NIS2 Article 21 security measures more efficiently than organisations starting from scratch, reducing implementation timelines and consultant costs.

Penalties and Enforcement

Spain follows the directive’s penalty framework. The figures below are maximum ceilings, not fixed amounts: the ceiling is the higher of the fixed figure and the turnover percentage, and the actual fine must be effective, proportionate and dissuasive within that ceiling (Article 34(1)).

  • Essential entity: maximum fine of at least €10,000,000 or 2% of total worldwide annual turnover in the preceding financial year, whichever is higher (Article 34(4) of Directive (EU) 2022/2555).
  • Important entity: maximum fine of at least €7,000,000 or 1.4% of total worldwide annual turnover in the preceding financial year, whichever is higher (Article 34(5)).

Fines are triggered by breach of Article 21 (security risk management measures) or Article 23 (incident notification obligations) [12]. Spain’s draft law introduces a graduated fine structure within the €10,000–€2,000,000 range for less severe infringements, giving competent authorities calibration tools below the maximum ceiling [5].

Financial penalties operate alongside — not instead of — a graduated enforcement toolkit available under Article 32 of the directive [11]:

  • Binding instructions to remediate deficiencies, with specified implementation timelines
  • Regular and targeted security audits by independent bodies
  • On-site inspections and off-site monitoring, including unannounced checks by trained personnel
  • Temporary suspension of an entity’s certifications or authorisations (essential entities only, and only where earlier measures have not remedied the breach, Article 32(5))
  • Temporary prohibition on the CEO or legal representative of an essential entity from exercising managerial functions, under the same conditions
  • Public disclosure of non-compliance findings

The management suspension and executive ban provisions are not theoretical remedies in Spain’s framework. Combined with the solidary liability clause, they mean that inadequate cybersecurity governance carries personal career risk for executives — not just organisational financial risk.

Compliance Action Checklist for Spanish Entities

The draft law has not entered force, but preparation should begin now. Entities that delay until BOE publication face compressed timelines for implementing Article 21 measures, designating responsible personnel, and establishing incident response workflows.

  1. Determine entity classification. Use INCIBE’s eres-NIS2 tool (private sector) or CCN guidance (public sector) to confirm essential or important status and identify applicable sectoral authority.
  2. Identify your CSIRT. Private entity → INCIBE-CERT. Public entity → CCN-CERT. Defence-connected → ESPDEF-CERT. Record this routing decision formally in your incident response plan.
  3. Appoint the Responsable de la seguridad de la información. Document the appointment and begin any accreditation steps required under Ley 5/2014 de Seguridad Privada.
  4. Establish and test a 24/72/1-month notification workflow. Map internal escalation paths to Article 23 timelines. Run a tabletop exercise before the law enters force to identify gaps.
  5. Conduct an ENS gap analysis. If ENS-certified, map existing controls to NIS2 Article 21 measures and identify which additional controls are required.
  6. Assess supply chain exposure. NIS2 Article 21(2)(d) requires supply chain security measures covering the security-related aspects of your relationships with direct suppliers and service providers, and Article 21(3) requires taking account of each supplier’s specific vulnerabilities and the overall quality of its products and security practices. Begin by inventorying critical vendor relationships and assessing each against those criteria.
  7. Document management training. Board members and C-suite must receive cybersecurity training. Evidence of this training is a specific enforcement point under Spain’s draft law.

Frequently Asked Questions

Is NIS2 already in force in Spain?
No. The directive’s transposition deadline was 17 October 2024. Spain’s draft law was approved by the Council of Ministers on 14 January 2025 but has not been published in the BOE. Infringement proceedings are active as of May 2025. Once the law enters into force, obligations apply to all in-scope entities from the dates it sets, which may include transitional periods.

What if my entity spans both public and private operations?
The CSIRT routing decision follows the entity’s legal status, not the nature of its service. A public-private partnership or mixed entity should seek legal advice on how the draft law characterises it, and should settle the routing question before an incident occurs rather than inside the 24-hour early-warning window; both CCN-CERT and INCIBE-CERT publish contact channels through which the question can be raised in advance.

Does Spain’s NIS2 apply to non-Spanish companies operating in Spain?
Only in defined cases. Under Article 26, an entity is supervised by the member state in which it is established, so a company established elsewhere in the EU that serves Spanish customers generally answers to its home-state authority, not Spain’s. Two exceptions matter: providers of public electronic communications networks or publicly available electronic communications services fall under the jurisdiction of each member state where they provide services, and a Spanish subsidiary is itself a Spanish-established entity assessed on its own sector and size thresholds. Non-EU entities in the digital categories covered by Article 27 must designate an EU representative, and the representative’s member state of establishment determines jurisdiction.

How does Spain’s framework compare with other EU member states?
Spain’s three-CSIRT model is among the most operationally complex in the EU. France has designated ANSSI as its single NCA covering both public and private sectors with a unified reporting structure. Germany operates BSI as a central authority but with federal state complexity. For France’s structure, see our France NIS2 guide.

This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.

Sources

  1. “NIS2 Directive Implementation in Spain” — European Commission, Digital Strategy. digital-strategy.ec.europa.eu
  2. “Anteproyecto de Ley de Coordinación y Gobernanza de la Ciberseguridad” — Department of National Security (DSN), Spain. dsn.gob.es
  3. “NIS2 Directive Article 8: Competent Authorities and Single Points of Contact” — nis-2-directive.com. nis-2-directive.com
  4. “NIS2 Draft Law Spain Enters the Approval Phase” — Sngular. sngular.com
  5. “NIS2 Spain Transposition: Status, Requirements, and Roadmap” — Copla. copla.com
  6. “NIS2 Directive Article 10: Computer Security Incident Response Teams” — nis-2-directive.com. nis-2-directive.com
  7. “NIS2 Directive” — Centro Criptológico Nacional (CCN), Spain. ccn.cni.es
  8. “Incident Response” — INCIBE-CERT, Spain. incibe.es
  9. “Joint Cyberspace Command (MCCE)” — Spanish Armed Forces (EMAD). emad.defensa.gob.es
  10. “NIS2 Directive Article 23: Incident Notification” — nis-2-directive.com. nis-2-directive.com
  11. “NIS2 Directive Article 32: Supervisory and Enforcement Measures” — nis-2-directive.com. nis-2-directive.com
  12. “NIS2 Directive Article 34: Administrative Fines” — nis-2-directive.com. nis-2-directive.com