compliance · 10 min read
NIS2 deadline expires on 17 October and Spain hasn't transposed: what applies in the meantime
On 17 October 2024 the deadline to transpose Directive (EU) 2022/2555 expires. Spain reaches it without an approved law and without a draft bill cleared by the Council of Ministers. What is known about the national calendar, what obligations apply in the meantime via ENS and NIS1, and where the gaps are.
· Manuel López Pérez · compliance

17 October 2024. Deadline set by Article 41 of Directive (EU) 2022/2555 for Member States to adopt and publish the provisions needed to transpose NIS2 into national law. The next day, 18 October, the national rules were due to be applicable.
Spain reaches the deadline without an approved law and without a draft bill cleared by the Council of Ministers for parliamentary processing. The only item in the open file is the prior public consultation of 21 September 2023, run by the Ministry of the Interior. Between that consultation and October 2024 there is no Council of Ministers approval, no text sent to Parliament, no publication in the BOE (Spanish Official State Gazette).
This post is operational reading, not legal advice. For any binding decision, consult the official text in the OJEU/BOE and a specialised lawyer.
What NIS2 is in one sentence
Directive (EU) 2022/2555 replaces NIS1 of 2016 (Directive 2016/1148). It changes three structural things:
- Wider scope. NIS1 distinguished operators of essential services and digital service providers in listed sectors. NIS2 introduces essential entities and important entities and adds sectors: waste management, food production, chemicals, space, research, broader digital infrastructure, postal and courier services. Annexes I (essential) and II (important).
- Tougher obligations. Risk management as board-level responsibility, supply chain management, incident reporting on short deadlines (24h early warning, 72h incident notification, 1 month final report), active supervision by the competent authority.
- Administrative penalties. Up to €10M or 2 % of global turnover for essential entities; up to €7M or 1.4 % for important entities. Personal liability of management body members where they fail to act with due diligence (Article 20).
NIS2 entered into force on 16 January 2023. Article 41 gave Member States 21 months to transpose. The deadline expires on 17 October 2024.
State of transposition in Spain as of 17 October 2024
No law, no approved draft. The documented timeline:
- 21 September 2023: the Ministry of the Interior opens the prior public consultation on the draft NIS2 transposition law (file 05_2023, Interior PDF). It is the mandatory step before drafting the text. It has no binding effect.
- Between October 2023 and October 2024: no Council of Ministers approval of the draft bill. No submission to Parliament. No publication of a draft for post-consultation public hearing.
- 17 October 2024: deadline expires. Spain fails to comply.
The draft Law on Cybersecurity Coordination and Governance — the vehicle envisaged to transpose NIS2 plus the CER Directive (2022/2557) — will not be approved by the Council of Ministers until January 2025, with the deadline already missed and the infringement procedure opened.
What happens when a directive expires without transposition
Two consequences on separate planes.
EU plane: infringement procedure
The European Commission can open an infringement procedure against the defaulting Member State (Article 258 TFEU). Typical steps:
- Letter of formal notice to the Member State (Commission to Government).
- Reasoned opinion if the response is unsatisfactory.
- Action before the CJEU.
- Judgement and possible financial penalty if the judgement isn’t enforced (Article 260 TFEU: lump sum + daily coercive fine).
Spain isn’t the only defaulting Member State on NIS2: in November 2024 the Commission will open proceedings against 23 Member States that have not notified full transposition, including Belgium, France, Germany, Italy, the Netherlands, Poland and Spain, among others.
National plane: limited vertical direct effect
A directive not transposed on time may have vertical direct effect if it meets three conditions (Van Duyn, Becker, Marshall case law): the deadline has expired, the provision is sufficiently clear, precise and unconditional, and it is invoked against a public authority (not between private parties).
For NIS2, in practice, this means:
- An individual or entity can invoke clear provisions of NIS2 against an organ of the State. Useful in very narrow scenarios (e.g., challenging an action by the competent authority that contradicts the Directive).
- It does not create new obligations on regulated entities towards individuals or towards the Administration until there is a domestic rule transposing them.
- It does not enable sanctions on regulated entities: the fines under Article 34 NIS2 require national law to introduce them into the legal order. Today, Spain cannot sanction under the NIS2 regime because there is no national regime in force.
The operational consequence for a Spanish essential or important entity in October 2024: NIS2 obligations are not yet directly enforceable. The NIS1 regime remains in force.
Framework that applies in the meantime
Two rules coexist:
Royal Decree-Law 12/2018 — NIS1 transposition
RD-Law 12/2018, of 7 September, on security of networks and information systems, developed by RD 43/2021. It defines:
- Operators of essential services (OES) in NIS1 sectors: energy, transport, banking, financial market infrastructure, healthcare, water supply, digital infrastructure.
- Digital service providers (DSPs): cloud computing, search engines, marketplaces.
Obligations: security measures, incident notification to INCIBE-CERT (private sector) or CCN-CERT (public sector). The sanctioning regime sets out minor, serious and very serious offences with fines up to €1M.
It remains in force, it remains applicable. Until NIS2 is transposed, NIS1 is the framework the competent authorities (INCIBE — Spanish national cybersecurity institute; CCN-CERT — National Cryptologic Centre CERT; sectoral authorities) use for supervision and, if appropriate, sanction.
Royal Decree 311/2022 — National Security Framework (ENS)
RD 311/2022, of 3 May. This is the security framework for the Spanish public sector. It applies mandatorily to:
- Any public entity (central government, regional governments, local authorities, linked bodies).
- Private sector operators providing services to the public sector.
- Technology providers that handle public-sector information.
The ENS is organised into three levels (basic, medium, high) with 75 security measures. The CCN-CERT supervises compliance.
The CCN holds that RD 311/2022 covers “all the requirements of the NIS2 Directive” insofar as its scope is concerned (public sector + providers). In practice, a public entity complying with the ENS at the level appropriate for its services already covers most of NIS2. For a private entity in a NIS2 sector with no public-sector touchpoint, the ENS is voluntary and does not cover it.
ENS → NIS2 gap table
What the ENS does cover and what it doesn’t, against NIS2:
| NIS2 obligation | ENS (RD 311/2022) | Gap |
|---|---|---|
| Risk management policy (Art. 21.2.a) | op.pl.1 Risk analysis | Covered |
| Incident handling (Art. 21.2.b) | op.exp.7 Incident management | Covered as process; the ENS doesn’t fix 24h / 72h / 1 month deadlines |
| Business continuity and backup management (Art. 21.2.c) | op.cont.1 to op.cont.4 | Covered |
| Supply chain security (Art. 21.2.d) | op.ext.1 to op.ext.4 | Covered for outsourcing; NIS2 requires specific assessment of critical providers and supply chain vulnerabilities |
| Acquisition, development and maintenance (Art. 21.2.e) | mp.sw.*, mp.s.* | Covered |
| Policies and procedures to assess effectiveness (Art. 21.2.f) | op.pl.2 Security architecture, op.mon.* | Covered |
| Cyber hygiene training (Art. 21.2.g) | mp.per.3 Awareness, mp.per.4 Training | Covered |
| Cryptography and encryption (Art. 21.2.h) | mp.info.3, mp.com.* | Covered |
| HR security, access control, asset management (21.2.i) | org.*, op.acc.*, op.exp.* | Covered |
| MFA, secure comms, encrypted voice/video/text (21.2.j) | op.acc.5 Authentication mechanism, mp.com.2 Integrity protection | Partially covered; NIS2 requires MFA by default where appropriate and secure emergency communications |
| Management body liability (Art. 20) | Security policy approved by management | Major gap: NIS2 establishes personal liability for breach, mandatory board training |
| Notification to CSIRT/competent authority (Art. 23) | ENS incident notification | Gap: NIS2 sets rigid deadlines (24h early warning / 72h notification / 1 month final report) which the ENS doesn’t spell out this way |
| Register of significant incidents | Implicit in incident management | Gap: NIS2 requires set criteria for what counts as a “significant” incident (Art. 23.3) |
| Sanctioning regime with NIS2 amounts | LRJSP (Public Sector Legal Regime Act) sanctions / general administrative regime | Total gap: the €10M / 2 % turnover NIS2 fines do not exist until there is a transposing law |
| Registration in national register of entities | N/A | Gap: NIS2 (Art. 27) requires a register of essential/important entities maintained by the competent authority |
What an essential/important entity should do in the meantime
Don’t wait. Even though the NIS2 sanctioning regime is not in force, there is preparatory work that can’t be compressed into three months when the law comes out of the BOE. In priority order:
- Inventory and classification. Which Annex (I essential / II important) does your organisation fall under? Do you exceed the size thresholds that NIS2 sets as a supplementary criterion (Art. 2.1)? For the large ones it’s obvious; for medium-sized ones near the thresholds the exercise is non-trivial.
- ENS → NIS2 mapping if you have ENS obligations. If your organisation is already categorised at ENS medium or high level, identify the gaps in the table above and which require new work (board liability, rigid reporting deadlines, critical provider assessment).
- Incident notification procedure with NIS2 deadlines. Move the internal SLA to 24/72/30. The change is organisational (decision, internal communication, contact with CSIRT) rather than technical.
- Supply chain plan. Inventory of critical providers, contractual clauses on security, periodic assessment. NIS2 requires it and the ENS covers it only partially.
- Management body training. Article 20 NIS2 requires members of the management body to receive periodic cybersecurity training. If your board has never had a threat-modelling session, schedule one.
- Designate a security officer who can act as point of contact with the competent authority once it exists. The ENS already requires it for the public sector.
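The notification step above is mostly about making the 24/72/1-month clock explicit and tracking where each report stands. The following is an added example, not code from the original post, that derives the three Article 23 deadlines from the moment the entity became aware of a significant incident and classifies each reporting stage. It assumes timezone-aware UTC timestamps, follows Art. 23.4 NIS2 in starting the one-month final-report clock from the submission of the 72h notification, and reads “one month” as the same calendar day of the following month clamped to that month’s last day (an assumption; the Directive gives no finer rule). The incident timestamps are constructed.

```python
"""NIS2 Art. 23 reporting clock for a significant incident (added example).

Assumptions: timezone-aware UTC datetimes; "one month" = same day next month,
clamped to that month's last day. Sample timestamps are constructed.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

UTC = timezone.utc

# Art. 23.4 NIS2: early warning within 24h and incident notification within 72h
# of becoming aware; final report no later than one month after the 72h
# notification was submitted.
EARLY_WARNING = timedelta(hours=24)
INCIDENT_NOTIFICATION = timedelta(hours=72)


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    """Small helper so timestamps are always timezone-aware UTC."""
    return datetime(year, month, day, hour, minute, tzinfo=UTC)


def add_one_month(moment: datetime) -> datetime:
    """Same day next month, clamped to the last day of that month (assumption)."""
    year, month = (moment.year + 1, 1) if moment.month == 12 else (moment.year, moment.month + 1)
    day = min(moment.day, calendar.monthrange(year, month)[1])
    return moment.replace(year=year, month=month, day=day)


@dataclass(frozen=True)
class ReportingTimeline:
    aware_at: datetime
    early_warning_due: datetime
    notification_due: datetime
    # Only computable once the 72h notification has actually been submitted.
    final_report_due: Optional[datetime]


def nis2_deadlines(aware_at: datetime,
                   notification_submitted_at: Optional[datetime] = None) -> ReportingTimeline:
    """Derive the three NIS2 deadlines from the moment the entity became aware."""
    final_due = add_one_month(notification_submitted_at) if notification_submitted_at else None
    return ReportingTimeline(
        aware_at=aware_at,
        early_warning_due=aware_at + EARLY_WARNING,
        notification_due=aware_at + INCIDENT_NOTIFICATION,
        final_report_due=final_due,
    )


def stage_status(due: Optional[datetime], submitted_at: Optional[datetime], now: datetime) -> str:
    """Classify one reporting stage: on time / late / pending / overdue / not yet scheduled."""
    if due is None:
        return "not yet scheduled"
    if submitted_at is not None:
        return "on time" if submitted_at <= due else "late"
    return "pending" if now <= due else "overdue"


def assess(aware_at: datetime, submissions: dict, now: datetime) -> dict:
    """Status of each stage given what has been sent so far.

    submissions keys (any may be absent): 'early_warning', 'notification', 'final_report'.
    """
    tl = nis2_deadlines(aware_at, submissions.get("notification"))
    return {
        "early_warning": stage_status(tl.early_warning_due, submissions.get("early_warning"), now),
        "notification": stage_status(tl.notification_due, submissions.get("notification"), now),
        "final_report": stage_status(tl.final_report_due, submissions.get("final_report"), now),
    }


if __name__ == "__main__":
    # Constructed sample: the SOC confirms a significant incident on 31 Oct 2024 at 10:00 UTC.
    aware = utc(2024, 10, 31, 10)
    sent = {
        "early_warning": utc(2024, 11, 1, 9, 30),   # 23.5h after awareness: on time
        "notification": utc(2024, 11, 3, 12),       # 74h after awareness: late
    }
    now = utc(2024, 11, 20)
    tl = nis2_deadlines(aware, sent["notification"])
    print("final report due:", tl.final_report_due)  # one month after the 72h notification
    for stage, status in assess(aware, sent, now).items():
        print(f"{stage:14s} {status}")
```

The point of tracking the 72h submission timestamp separately is that the final-report deadline cannot be known in advance: it is fixed by when the entity actually sends the notification, so a late notification also pushes the final report out. The month clamping matters for notifications sent on the 29th to 31st of a month.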
The elephant in the room: AESIA, INCIBE, CCN, sectoral authorities
NIS2 (Art. 8) requires designating one or more national competent authorities and a single point of contact with the EU. Spain hasn’t yet published the definitive institutional architecture: the split envisaged in the draft bill known in January 2025 includes INCIBE (important entities), CCN (public sector + State essential entities), the Department of National Security, and sectoral authorities (banking: BdE — Bank of Spain; financial markets: CNMV — Spanish Securities Market Commission; energy: CNMC — National Commission for Markets and Competition; etc.).
Until the draft bill is approved and published, that split is preliminary. Any essential or important entity needs to track which competent authority it will fall under and start early contact when confirmed.
Realistic calendar of what’s coming
- Q4 2024: Commission opens infringement procedures against defaulting Member States. No immediate operational effect on regulated entities.
- January 2025: Council of Ministers will approve the draft Law on Cybersecurity Coordination and Governance. 30-day public hearing.
- 2025: parliamentary processing. No firm timeline from the Government; ordinary laws under urgent processing can be completed in 4-9 months.
- 2025-2026: BOE publication and entry into force. From that point the adaptation period set by the law begins (NIS2 doesn’t fix an adaptation period after transposition; it depends on what the national legislator decides).
- NIS2 sanctions fully applicable: probably from 2026, with no firm commitment.
In this interval, the pressure on essential and important entities isn’t regulatory, it’s structural. Large providers with clients in other Member States (Germany transposes via NIS2UmsuCG, France via the February 2024 draft law) are already subject in those jurisdictions. A multinational with presence across the EU will have to comply with effective NIS2 in countries that do transpose, before it applies in Spain.
Coordination with other regulations in the stack
NIS2 doesn’t live alone. The EU compliance stack applicable to a tech entity in 2024-2025:
- GDPR (Regulation (EU) 2016/679). Privacy. In force since 2018.
- NIS2 (Directive (EU) 2022/2555). Cybersecurity. Pending transposition.
- DORA (Regulation (EU) 2022/2554). Digital operational resilience for the financial sector. Applicable from 17 January 2025, requires no transposition (it’s a regulation).
- CER (Directive (EU) 2022/2557). Resilience of critical entities. Same transposition deadline as NIS2; same situation in Spain.
- AI Act (Regulation (EU) 2024/1689). Entry into force 1 August 2024, staggered applicability through 2027. Regulation, requires no transposition.
The overlaps require specific mapping per entity. A large financial entity may have simultaneous obligations under NIS2, DORA and the AI Act on the same system.
References
- Directive (EU) 2022/2555 — NIS2 text: https://eur-lex.europa.eu/eli/dir/2022/2555/oj
- Royal Decree-Law 12/2018 — NIS1 transposition: https://www.boe.es/buscar/act.php?id=BOE-A-2018-12257
- Royal Decree 43/2021 — NIS1 development: https://www.boe.es/buscar/act.php?id=BOE-A-2021-1192
- Royal Decree 311/2022 — National Security Framework: https://www.boe.es/buscar/act.php?id=BOE-A-2022-7191
- Prior public consultation on NIS2 draft bill (21 Sep 2023, Ministry of the Interior): https://www.interior.gob.es/opencms/pdf/servicios-al-ciudadano/participacion-ciudadana/Participacion-publica-en-proyectos-normativos/Consulta-publica-previa/05_2023_consulta_publica_Anteproyecto_Ley_transposicion_Directiva_nis_2.pdf
- INCIBE-CERT, NIS2 FAQ: https://www.incibe.es/incibe-cert/sectores-estrategicos/FAQNIS2
- National Cryptologic Centre, NIS2 Directive: https://www.ccn.cni.es/es/normativa/directiva-nis2
- European Commission, NIS2 transposition tracker: https://digital-strategy.ec.europa.eu/en/policies/nis-transposition
- Earlier analysis on this blog: EU AI Act: political agreement and calendar.