Spain is implementing a draft cybersecurity law to align with the EU NIS2 Directive, extending regulation to more “essential” and “important” entities, particularly in critical sectors like energy and finance. Companies must assess their regulatory status and enhance their cybersecurity practices, covering incident detection, data protection, and supply chain security. Registration with the National Cybersecurity Centre is mandatory within three months of designation, with transitional deadlines for service providers. The law emphasizes board-level governance, requiring appointed security officers and regular training. Non-compliance could result in significant financial penalties and reputational harm. Proactive measures are advised for compliance and risk mitigation.
