Get Started free
Partner map

NIS2 in Spain

May 29, 2025

Impact of the NIS2 Directive in Spain

NIS2 affects cyber‑resilience across the EU. This blog summarises the EU NIS2 Directive for Spain and how Lupasafe is supporting clients in market. Spain is finalising its transposition through the “Law on Cybersecurity Coordination and Governance”, approved in draft by the Council of Ministers, with full entry into force expected before the end of 2025. The guidelines are administered by government and the CCN Certification 

Sectors and entities in scope 

  • Energy
  • Transport
  • Healthcare
  • Financial services
  • Digital infrastructure
  • ICT service management
  • Public administration
  • Drinking & waste water
  • Space, food & critical raw materials

Key obligations

  • Governance and risk management: appoint a dedicated cybersecurity officer; perform periodic risk assessments; implement security policies.
  • Technical and operational measures: incident detection & response, business continuity, disaster recovery, vulnerability management.
  • Supply‑chain security: assess and manage cyber‑risks originating from suppliers and third parties; embed security clauses in contracts.
  • Incident notification: early warning within 24 h, intermediate report within 72 h, and final report within one month to INCIBE‑CERT.

Timeline and penalties 2025

• Draft Cybersecurity Coordination & Governance Law approved.• Government communication confirming schedule and sanctions.
•  Spanish NIS2 law enters into force. Penalties: Up to €10 million or 2 % of global turnover for essential entities; up to €7 million or 1.4 % for important entities.

Implications for MSPs and clients

  • Need to evidence compliance for customers operating in regulated sectors.
  • Opportunity to expand managed security & compliance services. 
  • Competitive differentiation versus providers without NIS2 reporting capabilities.

Local Spanish compliance support

Lupasafe has both Operations and Product offices in Barcelona. A local support team supports the multi‑tenant SaaS platform purpose‑built for MSPs. Its architecture automates risk detection and streamlines reporting aligned with Spanish NIS2 and National Security Framework (ENS) requirements.

Core platform capabilities assessing NIS2 data

  • Automated risk assessments (continuous scanning of endpoints, networks and cloud).
  • AI‑driven security awareness and phishing simulations to strengthen human defence.
  • Real‑time monitoring and alerting with customisable incident workflows.
  • Supply‑chain risk dashboard to assess and track third‑party security posture.
  • One‑click compliance reports aligned with NIS2, ENS and ISO 27001.

Alignment with NIS2 Spain

  • Risk management – H2, H5, H7 modules map to automated vulnerability analysis.
  • Security culture – H3 & H4 modules fulfil organisational awareness requirements.
  • Governance & reporting – H10 multi‑tenant dashboard and report templates support board oversight.
  • 2025 roadmap – Structured incident workflows (24 h/72 h/1 month) and CCN‑STIC 892 profile.

Support for MSPs and clients in Spain

  • Local language (Spanish and Catalan)
  • Recurring revenue through compliance‑as‑a‑service offerings.
  • Reduced audit cycles and automate customer reporting.
  • Dedicated technical & commercial assistance in Spanish and Catalan.
Andres Espinosa Lupasafe

Andres Espinosa, Head of Spain, Lupasafe    

  • Carrer de Calvet, 5, 1r 2a, Sarrià-Sant Gervasi, 08021 Barcelona, Spain

Cyber and Legal Support for NIS2 Compliance

Lupasafe has a deep local partnership with Moeenia, a Catalan Cyber‑Security and Legal boutique. Moeenia is as a digital “wall” for organisations with expert knowledge of the Spanish legal framework and multi‑disciplinary team make it the perfect ally for distributors and MSPs.

NIS2 service portfolio

  • Free applicability diagnosis and readiness plan.
  • Risk & vulnerability assessment and design of technical & organisational controls.
  • Integrated incident management and legal notification support.
  • Protection of trade secrets and continuous legal advisory.
  • Certification pathways for ENS and ISO 27001.

Collaboration model with distributors

  • Complementary to Lupasafe, offering an end‑to‑end compliance package.
  • Steering committee advising customer management boards.
  • On‑site training & support across Spain.

Benefits from Barcelona

  • Direct interface with regulators (INCIBE‑CERT, CCN‑CERT)
  • Local language and cultural awareness.
  • Rapid reaction times for incidents and audits.

Contact us to find out how we can help your clients with NIS2

Company