
NIS2 in Spain: How the INCIBE-CERT vs CCN-CERT Split Determines Who Regulates Your Organisation

Spain’s approach to NIS2 oversight is unlike most EU member states. Rather than designating a single national cybersecurity authority, Spain operates a structurally divided model where your sector — private or public — determines not just who regulates you, but which cybersecurity incident response team receives your mandatory notifications, which compliance documentation is accepted as evidence, and which enforcement body can ultimately impose penalties.

That split, between INCIBE-CERT for private entities and CCN-CERT for public administrations, has real operational consequences. Reporting a significant incident through the wrong channel creates a gap in your audit trail. Structuring your compliance programme around the wrong framework means missing Spain-specific requirements that regulators already expect you to address.

This guide explains how Spain’s dual-authority model works in practice, where the country’s NIS2 transposition stands as of mid-2026, and what your organisation must do before Spain’s delayed national law enters force.

Spain designates three CSIRTs under its NIS2 framework: INCIBE-CERT for private entities, CCN-CERT for public administrations, and ESPDEF-CERT for incidents with defence-sector implications.

Does NIS2 Apply to Your Organisation in Spain?

Before identifying which Spanish authority governs you, confirm whether NIS2 applies at all. The directive uses a sector-plus-size filter: you must operate in a covered sector and meet minimum size thresholds, with several categories that bypass the size gate entirely.

| Category | Size threshold | Covered sectors |
|---|---|---|
| Essential entities | 250+ employees or €50M+ annual turnover | Energy, transport, banking, financial market infrastructure, healthcare, drinking water, wastewater, digital infrastructure, ICT service management (B2B), public administration, space |
| Important entities | 50+ employees or €10M+ annual turnover | Postal and courier services, waste management, manufacturing (medical devices, computers, machinery, motor vehicles), food, digital providers (online marketplaces, search engines, social networks), research |
| Auto-included (any size) | No threshold | DNS providers, TLD name registries, cloud computing providers, data centre services, content delivery networks, managed service providers, managed security service providers, trust service providers, public communications networks |

Spain’s draft law expands the EU baseline in two directions. Nuclear industry entities are classified as high-criticality and treated as essential entities regardless of size. Private security operators are added as important entities. Financial entities regulated under DORA are carved out — they face equivalent cybersecurity obligations under sector-specific regulation rather than NIS2.

Quick applicability test:

  • Private sector organisations: Apply the table above. If your sector is listed and you meet the size threshold — or you fall into an auto-included category — NIS2 applies to your Spanish legal entity.
  • Public sector organisations: Central, regional, and autonomous community administrations are in scope regardless of size. Municipalities may be included at Spain’s discretion under the draft law. Excluded regardless of size: judiciary, parliaments, central banks, and bodies operating in national security, public safety, defence, or law enforcement.
  • Multinationals: NIS2 applies to your Spanish-registered legal entity. Registrations and incident reports go to Spanish authorities, even if your parent company operates under another member state’s framework.

Spain’s Dual (Actually Triple) Authority Model

Most EU member states centralised NIS2 oversight in a single competent authority. Spain maintains a more fragmented institutional structure — and understanding it is the prerequisite for every compliance decision that follows.

Spain designates three separate CSIRTs (Computer Security Incident Response Teams), each with a distinct jurisdictional scope:

| CSIRT | Scope | Parent body |
|---|---|---|
| INCIBE-CERT | Private sector entities and citizens | Instituto Nacional de Ciberseguridad (INCIBE), Ministry of Economic Affairs and Digital Transformation |
| CCN-CERT | Public administrations and public entities | Centro Criptológico Nacional (CCN), National Intelligence Centre (CNI) |
| ESPDEF-CERT | Defence-sector incidents | Joint Cyberspace Command (MCCE), Ministry of Defence |

CSIRTs handle incident response and technical coordination. Regulatory enforcement sits with separate competent authorities: CNPIC (National Centre for the Protection of Critical Infrastructure) oversees private sector operators of essential services; the Secretariat of State for Digital Progress oversees digital service providers; the National Security Council (DSN) acts as Spain’s single point of contact with EU institutions under NIS2.

Spain’s draft law proposes creating a Centro Nacional de Ciberseguridad (CNC) attached to the Cabinet of the Presidency to coordinate across these bodies, but this entity has no legal force until the law is enacted.

For most organisations, the operational choice comes down to INCIBE-CERT or CCN-CERT. ESPDEF-CERT activates only when a cyber incident — affecting any entity, public or private — has potential implications for Ministry of Defence operations or Armed Forces operability. It is a specialist escalation mechanism, not a general-purpose reporting channel.

INCIBE-CERT — Private Sector CSIRT

INCIBE-CERT is Spain’s reference CSIRT for private law entities and citizens. It sits within INCIBE (Instituto Nacional de Ciberseguridad de España), under the Ministry of Economic Affairs and Digital Transformation.

If your organisation is a private company — Spanish-owned or a subsidiary of a foreign multinational — INCIBE-CERT is your designated incident response team for NIS2 purposes.

What INCIBE-CERT does under NIS2:

  • Receives and processes mandatory incident notifications from private sector essential and important entities
  • Provides technical assistance during active incidents affecting private organisations
  • Coordinates cross-border incident response where Spanish private entities are involved
  • Issues cybersecurity advisories, threat intelligence, and technical guidance for the private sector

INCIBE-CERT operates 24 hours a day, seven days a week. Emergency contact: +34 647 300 717. The European Commission’s NIS2 implementation tracker for Spain formally designates INCIBE-CERT as the CSIRT for private sector entities, a role it carries forward and expands from the original NIS Directive framework.

Sector routing in practice: Private banks, healthcare providers, energy companies, logistics operators, cloud and managed service providers, digital marketplaces, and manufacturing companies all route incident notifications through INCIBE-CERT. The competent authorities — CNPIC for essential services operators, the Secretary of State for Digital Progress for digital service providers — retain formal enforcement authority, but your first notification contact under Article 23 of the directive is INCIBE-CERT.

CCN-CERT — Public Sector CSIRT and the ENS Compliance Pathway

CCN-CERT is the CSIRT for Spain’s public sector. It operates under the Centro Criptológico Nacional (CCN), which sits within the National Intelligence Centre (CNI). CCN-CERT’s mandate extends beyond incident response to include national cryptographic standards, classified information security guidance, and coordination of Spain’s public sector CSIRT network.

Scope of CCN-CERT’s NIS2 mandate:

  • Central government ministries and agencies
  • Regional (autonomous community) administrations
  • Autonomous public bodies and state agencies
  • Potentially local administrations — Spain’s draft law is expected to extend obligations to municipalities
  • Excluded: judiciary, legislative bodies, central banks, and entities involved in national security, public safety, defence, or law enforcement activities

The ENS Pathway — Spain’s NIS2 Head Start for Public Entities

The most significant Spain-specific element for public sector organisations is the relationship between NIS2 and Spain’s Esquema Nacional de Seguridad (ENS) — the National Security Framework established by Real Decreto 311/2022.

According to the CCN’s official NIS2 guidance, Real Decreto 311/2022 “includes all the requirements of the NIS2 Directive.” ENS is mandatory for Spain’s entire public sector and sets prescriptive security requirements across risk management, security categories (Basic, Medium, High), access controls, cryptographic standards, incident management, and supply chain security.

CCN subsequently published CCN-STIC 892 — the Perfil de Cumplimiento Específico (PCE) for NIS2. This control-level mapping:

  • Identifies which ENS security measures satisfy each NIS2 Article 21 obligation
  • Flags residual gaps between ENS certification and full NIS2 compliance
  • Specifies what supplemental documentation closes those gaps

A public entity already certified at ENS Medium or High has documented evidence covering the substantial majority of NIS2 Article 21 obligations. Running the CCN-STIC 892 profile gap analysis against your existing ENS baseline is the most efficient path to NIS2 readiness for Spanish public bodies.

One caution: ENS uses Spain-specific cryptographic algorithm standards and a categorical security tier approach that does not map perfectly to every NIS2 provision. The PCE-NIS2 profile exists precisely to resolve these mismatches at the control level. Treat existing ENS certification as strong corroborating evidence — not as automatic NIS2 compliance.

Transposition Status — What Applies to Your Organisation Now

Spain missed the EU’s transposition deadline of 17 October 2024. The European Commission launched infringement proceedings in November 2024. The Council of Ministers approved a preliminary draft law on 14 January 2025. On 7 May 2025, the Commission issued a formal reasoned opinion requiring Spain to notify full transposition within two months. As of mid-2026, the legislation remains in parliamentary processing and has not been published in Spain’s Official State Gazette.

| Date | Event |
|---|---|
| 16 January 2023 | NIS2 Directive enters into force at EU level |
| 17 October 2024 | Transposition deadline — Spain does not meet it |
| November 2024 | EC infringement proceedings launched against Spain and 22 other member states |
| 14 January 2025 | Council of Ministers approves draft law (Anteproyecto de Ley de Coordinación y Gobernanza de la Ciberseguridad) |
| 17 April 2025 | Entity classification list deadline for member states under Article 27 of the directive |
| 7 May 2025 | EC issues formal reasoned opinion — Spain required to respond within two months |
| Expected 2026 | Spanish national law anticipated to enter force |

The prior framework — Royal Decree Law 12/2018, which transposed the original NIS Directive — remains in force and continues to apply to operators of essential services and digital service providers until the new law supersedes it.

According to the nis-2-directive.com transposition tracker, Spain’s draft law introduces a formal National Cybersecurity Center and expands sector coverage beyond the EU baseline — but these provisions have no legal force until parliamentary passage and publication in the Official State Gazette.

The compliance implication: The absence of national transposition does not suspend NIS2 obligations. The core provisions of the directive — Article 21 risk management measures and Article 23 incident reporting — are sufficiently clear and unconditional to produce direct legal effect in member states even without national implementing legislation. Align your programme with the EU directive now. INCIBE-CERT and CCN-CERT accept incident notifications under their current operational mandates.

Ten Mandatory Obligations Under Article 21

Article 21 of NIS2 mandates ten categories of security measures for all essential and important entities. These flow directly from the directive regardless of Spain’s transposition status. Spain’s draft law adopts them in Article 15, with two additional national obligations described below.

| # | Measure | What it requires in practice |
|---|---|---|
| 1 | Risk analysis and information system security policies | Documented risk register; defined review cycle; board-approved policy framework |
| 2 | Incident handling | Written incident response plan; defined escalation paths; designated roles for CSIRT notification |
| 3 | Business continuity, backup, and disaster recovery | Defined RTO and RPO; tested backup procedures; documented crisis management plan |
| 4 | Supply chain security | Cybersecurity assessment of Tier-1 suppliers; contractual flow-down requirements; vendor risk register |
| 5 | Security in system acquisition and development | Secure development lifecycle controls; security requirements in procurement specifications |
| 6 | Effectiveness assessment policies | Regular audits; penetration testing schedule; effectiveness metrics reported to board |
| 7 | Cybersecurity hygiene and training | Staff awareness programme; mandatory management-level training (Article 21(1)) |
| 8 | Cryptography and encryption | Approved algorithm standards; key management procedures; for public sector, align with ENS cryptographic requirements |
| 9 | Human resources security, access control, asset management | Role-based access control; joiners/movers/leavers process; maintained asset inventory |
| 10 | Multi-factor authentication | MFA for all access to sensitive systems; session management controls; privileged access management |

Spain-specific additions in the draft law:

Article 16 — Information Security Officer: Essential and important entities must designate a Responsable de la seguridad de la información — a CISO-equivalent — with documented authority and accreditation aligned with Spain’s professional security regulatory framework.

Article 35 — Management liability: Members of governing bodies bear joint and several personal liability for cybersecurity violations caused by failure to ensure compliance. The EU directive requires management accountability but does not mandate personal joint liability. This provision creates direct legal exposure for board members and C-suite executives — a material expansion beyond the NIS2 baseline.

Incident Reporting — Three-Stage Timeline

A “significant incident” must be reported in three successive stages. Under Article 23 of the directive, an incident is significant if it causes or is capable of causing severe operational disruption, financial loss, or damage to other entities.

| Stage | Deadline | Required content |
|---|---|---|
| Early warning | 24 hours from awareness | Whether the incident involves suspected criminal or malicious action; initial scope estimate |
| Incident notification | 72 hours from awareness | Updated severity assessment; impact assessment; initial indicators of compromise |
| Final report | 1 month from incident notification | Root cause analysis; full impact assessment; mitigation actions taken; lessons learned |

Where to send your notifications:

  • Private sector entities → INCIBE-CERT (24/7: +34 647 300 717)
  • Public sector entities → CCN-CERT
  • Incidents with potential Ministry of Defence implications → ESPDEF-CERT (specialist escalation, typically alongside CCN-CERT)

All three CSIRTs feed into Spain’s national central incident monitoring platform being built under the draft law. INCIBE-CERT and CCN-CERT both participate in the EU-level CSIRT Network for cross-border coordination under Article 15 of the directive.

Penalties and Management Liability

| Entity type | Maximum fine | Turnover cap |
|---|---|---|
| Essential entities | €10,000,000 | 2% of total global annual turnover (whichever is higher) |
| Important entities | €7,000,000 | 1.4% of total global annual turnover (whichever is higher) |

Spain’s draft law introduces a minimum fine of €10,000 for minor violations — a floor not specified in the EU directive — and scales penalties by gravity, duration, and prior compliance history. Beyond financial penalties, the enforcement toolkit includes: temporary suspension of service authorisations; prohibition on management personnel from exercising managerial functions at regulated entities; mandatory audits at the entity’s expense; and public disclosure of compliance failures.

Management liability (draft law Article 35): Governing body members face joint and several personal liability for violations caused by their failure to ensure compliance. Industry analysis of Spain’s cybersecurity preparedness found that only 34% of Spanish companies conduct regular cybersecurity training, while 73% consider themselves adequately protected — a perception gap that Article 21(1)’s mandatory management training requirement directly addresses, and that Article 35’s personal liability provision makes strategically costly to ignore. Organisations should brief boards explicitly on Article 35, document that briefing as evidence of due diligence, and establish board-level cybersecurity reporting as a standing governance item.

Seven Steps to Start Your Spain NIS2 Programme

  1. Confirm scope. Check your sector and size against the applicability table above. If uncertainty remains, the NIS2 scope analysis on this site covers every Annex I and II sector definition in detail.
  2. Identify your authority. Private sector: INCIBE-CERT. Public sector: CCN-CERT. Defence-adjacent entities: assess ESPDEF-CERT escalation obligations with legal counsel.
  3. Register with your CSIRT. Article 26 of the directive requires entities to provide competent authorities with current contact details — email addresses, IP address ranges, and phone numbers. Do this now; the entity classification list deadline was April 2025.
  4. Gap-assess against Article 21. Map your current controls against the ten mandatory measures in the table above. Public entities: begin with your ENS certification baseline and run the CCN-STIC 892 PCE-NIS2 gap analysis to identify residual obligations.
  5. Build your incident reporting chain. Pre-agree the internal escalation path that gets a notification to the correct CSIRT within 24 hours. Document the process, assign named owners, and test it with a tabletop exercise before you face a real incident.
  6. Designate your CISO. Spain’s draft law will require an accredited Information Security Officer. Appointing now demonstrates management commitment under Article 21 and pre-positions you for the legislative requirement when it enters force.
  7. Monitor legislative progress. The Spanish law is expected to finalise during 2026. When enacted, it will bring registration portal details, sector authority assignments, and finalised compliance timelines. The full NIS2 directive text is available on this site for reference during programme design.

Frequently Asked Questions

Spain has not formally transposed NIS2 yet. Must my organisation comply now?

Yes, in practical terms. The core provisions of NIS2 — Article 21 risk management measures and Article 23 incident reporting — are sufficiently precise to produce direct legal effect in member states even without national implementing legislation. INCIBE-CERT and CCN-CERT are already operational as designated CSIRTs. The Commission’s formal reasoned opinion of May 2025 confirms that EU institutions treat NIS2 obligations as live in Spain.

My company provides services to both public and private clients in Spain. Which authority applies to me?

Your classification depends on your legal entity type and operating sector — not your customer base. A private company supplying software to government agencies remains a private sector entity and reports to INCIBE-CERT. A public hospital reports to CCN-CERT even if it also serves private patients. Public-private partnerships with ambiguous classification should seek legal advice on their primary designation before Spain’s national law is enacted.

We hold ENS certification. Does that satisfy our NIS2 obligations?

For public sector entities: ENS provides strong documented evidence for most Article 21 obligations and substantially reduces your compliance gap. Use the CCN-STIC 892 profile to identify any residual requirements not covered by your existing certification. For private entities: ENS is voluntary and provides a useful security maturity baseline, but INCIBE-CERT’s supervisory framework operates independently of ENS certification status.

What is ESPDEF-CERT and does it apply to our organisation?

ESPDEF-CERT is the CSIRT of Spain’s Joint Cyberspace Command (MCCE), under the Ministry of Defence. It activates when a cyber incident — affecting any entity, public or private — has potential implications for Ministry of Defence operations or Armed Forces operability. For most organisations it is not a primary reporting channel. If you operate critical infrastructure or systems with direct defence-sector contracts or dependencies, have legal counsel assess whether ESPDEF-CERT escalation obligations apply to your specific situation.

Sources

This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.

  1. European Commission — NIS2 Directive Implementation in Spain: digital-strategy.ec.europa.eu/en/policies/nis2-directive-spain
  2. Centro Criptológico Nacional — NIS2 Directive: ccn.cni.es/en/regulations/nis2-directive
  3. NIS-2-Directive.com — Transposition in Spain: nis-2-directive.com/Transposition/Spain.html
  4. Delbion — NIS2 Spain Business Obligations, Deadlines and Penalties
  5. Copla — NIS2 Spain Transposition: Status, Requirements, and Roadmap
  6. iSec Auditors — NIS2 Directive Transposition in Spain and Draft Law
  7. Nucleovisual — NIS2 Implementation in Spain: nucleovisual.com/en/The-implementation-of-the-NIS2-directive-in-Spain:-challenges–delays–and-the-cybersecurity-challenge/
