NIS2 Southern Europe 2026: Spain INCIBE, Italy ACN & Portugal CNCS SaaS Compliance Guide
Post #4 in the sota.io EU NIS2 SaaS Compliance Series
Southern Europe presents a distinct NIS2 compliance landscape for SaaS developers: three significant EU economies — Spain, Italy, and Portugal — each transposed the directive with different institutional arrangements, registration timelines, and enforcement calendars. Italy moved fastest with D.lgs. 138/2024 (September 2024); Portugal followed with Lei n.º 89/2024 (October 2024); Spain is still finalising its transposition law but has activated interim INCIBE-CERT notification channels. If your SaaS product serves customers in any of these three markets, this guide maps every compliance requirement from initial scoping through incident reporting.
Part 1: Italy — D.lgs. 138/2024 and the ACN Framework
1.1 Legislative Background
Italy completed NIS2 transposition on 4 September 2024 with Decreto Legislativo n. 138/2024 — one of the earliest in the EU. The decree implements Directive 2022/2555/EU and restructures cybersecurity obligations around the Agenzia per la Cybersicurezza Nazionale (ACN), established in 2021. ACN replaces CNAIPIC (Polizia Postale) and absorbs the former CERT-PA and CERT Nazionale functions.
Key dates:
- D.lgs. 138/2024 publication: GU Serie Generale n. 214 of 12 September 2024
- In force: 16 October 2024
- Registration window opens: Q1 2025 (ACN platform live)
- First enforcement cycle: Q3 2026
1.2 ACN Competent Authorities by Sector
Italy also follows a split-authority model — ACN is the primary authority but sector regulators supervise specific domains:
| Sector | Lead Authority |
|---|---|
| Digital Infrastructure (DNS, TLD, cloud, CDN, data centers) | ACN |
| Telecommunications | AGCOM (Autorità per le Garanzie nelle Comunicazioni) |
| Energy | ARERA (Autorità di Regolazione per Energia Reti e Ambiente) |
| Banking & Financial Markets | Banca d'Italia + CONSOB |
| Healthcare | Ministero della Salute |
| Transport | MIT (Ministero delle Infrastrutture e dei Trasporti) |
| Drinking Water | ARERA |
| Public Administration | ACN (coordinating role) |
For SaaS developers: Cloud providers, data center operators, managed service providers, and digital marketplace operators fall directly under ACN supervision. This covers the vast majority of B2B SaaS companies operating in Italy.
1.3 Registration: ACN Portal
Italian NIS2-regulated entities register via https://www.acn.gov.it/portale/web/guest/nis — ACN's dedicated NIS2 registration platform.
Registration fields required:
- Legal entity name and Italian fiscal code (Codice Fiscale Societario)
- NIS2 sector classification (Allegato I or II)
- Service description and geographic scope
- Annual turnover and employee count (for size classification)
- Designated NIS2 contact (Italian SPOC — Punto di Contatto Unico)
- Technical contact (CSIRT reporting point)
Timeline: ACN issued the first registration round notice in Q1 2025, with a 6-month window. Entities that missed the first window face administrative penalty exposure from Q3 2026. Late registration does not retroactively eliminate the registration obligation.
1.4 Incident Reporting: SIEVERT Platform
Italy's incident notification channel is the SIEVERT system (Sistema di Informazione per Esperti in sicurezza e RilevamenTo di vulnerabilità), operated by ACN's CSIRT Italia.
CSIRT Italia portal: https://www.csirt.gov.it
Notification timeline (D.lgs. 138/2024, Art. 25):
- Early Warning (Pre-notifica): within 24 hours of detecting a significant incident
- Initial Notification: within 72 hours — full incident details, initial impact assessment
- Intermediate Update (Aggiornamento): upon request from ACN CSIRT
- Final Report: within 30 days — root cause analysis, full impact scope, mitigation measures
Significant incident triggers (Art. 23, D.lgs. 138/2024):
- Interruption of service exceeding thresholds (varies by sector; ACN publishes sector-specific guidelines)
- Data breach affecting system integrity or user safety
- Incidents affecting critical infrastructure connectivity
- Incidents with cross-border impact into other EU Member States
Cross-border obligation: If an incident affects users in multiple EU Member States, ACN coordinates with other national CSIRTs. Your 72h notification to ACN CSIRT suffices as the primary reporting act; ACN handles EU-level forwarding.
1.5 Security Requirements
D.lgs. 138/2024 Art. 24 maps to NIS2 Art. 21 — the 10-point security measure minimum:
| Measure | Italian Requirement (Art. 24) |
|---|---|
| Risk analysis | Analisi e gestione del rischio — annual cycle mandatory |
| Incident response | Piano di risposta agli incidenti documented |
| Business continuity | BCM + Disaster Recovery plans |
| Supply chain security | Contratti con fornitori strategici — security clauses required |
| Secure development | DevSecOps practices for in-scope digital services |
| Vulnerability management | Responsible Disclosure Policy + patch SLAs |
| Cryptography & key management | Crittografia e gestione delle chiavi |
| HR security | Background checks + security awareness training |
| Access control & MFA | MFA obbligatoria per accessi privilegiati |
| Encryption in transit | HTTPS/TLS 1.2+ minimum for all service APIs |
1.6 Penalties
D.lgs. 138/2024 Art. 38:
| Entity Type | Maximum Penalty |
|---|---|
| Essential entities (soggetti essenziali) | €10,000,000 or 2% of global annual turnover — whichever is higher |
| Important entities (soggetti importanti) | €7,000,000 or 1.4% of global annual turnover — whichever is higher |
| Management liability | Individual fines up to €125,000 for repeated non-compliance |
Italy added a specific provision: ACN may issue public disclosure orders for non-compliant entities (Art. 39) — reputational risk beyond financial penalties.
Part 2: Spain — NIS2 Transposition and INCIBE/CCN Framework
2.1 Legislative Background
Spain's NIS2 transposition is still in progress as of May 2026. The primary existing framework is:
- Real Decreto-ley 12/2018 (original NIS1 transposition, modified by RDL 43/2021)
- Esquema Nacional de Seguridad (ENS) — applies to public administration entities (RD 311/2022)
- Draft NIS2 law (Anteproyecto): Published for public consultation Q4 2024; final parliamentary approval expected H2 2026
Despite the pending law, Spain's cybersecurity authorities — INCIBE-CERT and CCN-CERT — have activated interim NIS2-aligned notification channels and published formal guidance for entities expecting coverage.
Practical implication for SaaS developers: Even without enacted NIS2 law, you should register with INCIBE-CERT now. Spain will likely apply NIS2 obligations retroactively to any entity that was in scope during the transposition period.
2.2 Dual Authority Structure
Spain uniquely maintains a dual national authority model:
| Authority | Scope |
|---|---|
| INCIBE-CERT (Instituto Nacional de Ciberseguridad) | Private sector entities — all commercial SaaS, cloud providers, digital services |
| CCN-CERT (Centro Criptológico Nacional) | Public administration, critical national infrastructure, defense-related |
| CNPIC (Centro Nacional de Protección de Infraestructuras Críticas) | Critical infrastructure operators (energy, finance, transport, water) |
For commercial SaaS: Your primary authority is INCIBE-CERT. Unless your SaaS product operates in a sector classified as "critical infrastructure" (energia eléctrica, sector financiero, agua, transporte), you register with INCIBE.
Registration portal: https://www.incibe.es/empresas/nis2 (activated Q1 2025, voluntary pre-registration for NIS2 entities).
2.3 Incident Reporting: INCIBE-CERT Channel
Spain uses two parallel incident reporting channels under RDL 12/2018:
For INCIBE scope (private sector):
- Portal: https://www.incibe-cert.es/notificacion-incidentes
- Timeline: 24h early warning → 72h formal notification (aligned with NIS2 Art. 23)
- Contact: incidentesindustriales@incibe-cert.es (industrial/OT) or ciberseguridad@incibe-cert.es (IT/digital services)
For CCN-CERT scope (public administration):
- Portal: https://www.ccn-cert.cni.es/es/herramientas/lucía.html (LUCÍA platform)
- Timeline: 24h → 72h (same)
Classification scale: Spain uses a 5-level severity scale (INCIBE-CERT taxonomy) — Level 1 (low) to Level 5 (crítico). NIS2 "significant incident" maps to Level 3+.
2.4 ENS (Esquema Nacional de Seguridad) for Public Sector SaaS
If you sell to Spanish public administration entities (Ayuntamientos, Comunidades Autónomas, Ministerios), your SaaS product may need ENS certification:
- ENS Basic (Básico): for low-impact systems
- ENS Medium (Medio): for medium-impact systems — required for most cloud services to public sector
- ENS High (Alto): for high-impact systems — required for critical public services
ENS certification is issued by CCN-accredited auditors. It is separate from NIS2 compliance but often required as a procurement prerequisite.
2.5 Penalties (Draft NIS2 Law)
Based on the draft transposition law (Anteproyecto de Ley de Ciberseguridad, Q4 2024):
| Entity Type | Maximum Fine |
|---|---|
| Essential entities | €10,000,000 or 2% global annual turnover |
| Important entities | €7,000,000 or 1.4% global annual turnover |
| "Very serious" violations | Additional sectoral sanctions via CNPIC |
Spain's Agencia Española de Protección de Datos (AEPD) coordinates with INCIBE where NIS2 incidents also involve personal data (GDPR dual-notification).
Part 3: Portugal — Lei n.º 89/2024 and CNCS
3.1 Legislative Background
Portugal completed NIS2 transposition with Lei n.º 89/2024, published in the Diário da República on 25 October 2024. The law entered force on 24 November 2024, making Portugal one of the on-time implementers within the EU.
Lei 89/2024 revokes the previous NIS1 transposition (Lei n.º 46/2018) and restructures cybersecurity obligations around:
- CNCS (Centro Nacional de Cibersegurança) as the primary competent authority and national CSIRT
- Sector-specific authorities for supervised domains
- CERT.PT as the operational national CSIRT under CNCS
Key legislative milestones:
- Lei 89/2024 published: 25 October 2024
- In force: 24 November 2024
- Registration deadline: 90 days after formal guidance publication (Q1 2025)
- First enforcement actions: Q4 2026
3.2 CNCS — Portugal's NIS2 Authority
Centro Nacional de Cibersegurança (CNCS)
- Website: https://www.cncs.gov.pt
- NIS2 contact: nis2@cncs.gov.pt
- CERT.PT reporting: https://www.cert.pt/reportar
Sector co-supervision in Portugal follows NIS2 Art. 8:
| Sector | Co-Supervisor |
|---|---|
| Telecommunications | ANACOM (Autoridade Nacional de Comunicações) |
| Banking & Financial Infrastructure | Banco de Portugal + CMVM |
| Energy | ERSE (Entidade Reguladora dos Serviços Energéticos) |
| Transport | ANAC (Autoridade Nacional de Aviação Civil), IMT (Instituto da Mobilidade e dos Transportes) |
| Healthcare | SNS (Serviço Nacional de Saúde) / Ministry of Health |
| Water | ERSAR (Entidade Reguladora dos Serviços de Águas e Resíduos) |
| Digital Infrastructure & Services | CNCS (primary authority) |
SaaS implication: Cloud computing services, online marketplaces, search engines, and managed service providers are directly supervised by CNCS. Registration is mandatory if your entity meets the size thresholds and serves the Portuguese market.
3.3 Registration: CNCS Portal
Registration pathway under Lei 89/2024:
- Self-assessment: Use CNCS's classification questionnaire at cncs.gov.pt/nis2 to determine entity type (essencial/importante)
- Portal registration: Submit via CNCS NIS2 portal with Portuguese fiscal identification number (NIF) and LEI code for international entities
- SPOC designation: Appoint a Portuguese-speaking security point of contact (Ponto de Contacto Único)
- Contact verification: Confirm the contact details can be reached 24/7 for incident coordination
International SaaS companies operating in Portugal without a Portuguese legal entity may register via their EU lead authority (if established in another EU state) — but must designate a Portuguese legal representative.
3.4 Incident Reporting: ReportCIBER
Portugal's incident notification platform is ReportCIBER, operated by CERT.PT:
Portal: https://www.cert.pt/reportar
Timeline aligned with NIS2 Art. 23:
- Alerta precoce (Early Warning): within 24 hours of detecting a significant incident
- Notificação do incidente: within 72 hours — full incident details
- Relatório intercalar: upon request from CNCS
- Relatório final: within 30 days — complete incident report
Significant incident definition (Art. 20, Lei 89/2024):
- Service unavailability affecting >5% of Portuguese users for >30 minutes
- Data integrity compromise or unauthorized access
- Incident originating from malicious actors with cross-border implications
- Incidents affecting critical national infrastructure interconnection
3.5 Penalties (Lei 89/2024)
Art. 37–41 of Lei 89/2024:
| Entity Type | Maximum Penalty |
|---|---|
| Entidades essenciais | €10,000,000 or 2% of global annual turnover |
| Entidades importantes | €7,000,000 or 1.4% of global annual turnover |
| Management liability | Personal fines up to €100,000 for board-level negligence |
| Publication sanction | Public disclosure of violation on CNCS website |
Portugal also established a graduated response system: first-time violations trigger remediation orders before fines; repeated violations attract maximum penalties.
Part 4: Cross-Country Comparison — Spain vs Italy vs Portugal
| Parameter | Spain | Italy | Portugal |
|---|---|---|---|
| Transposition law | Pending (draft Q4 2024) | D.lgs. 138/2024 ✅ | Lei 89/2024 ✅ |
| In force | Interim RDL 12/2018 | 16 October 2024 | 24 November 2024 |
| Primary authority | INCIBE-CERT (private) | ACN | CNCS |
| Registration portal | incibe.es/empresas/nis2 | acn.gov.it/portale/nis | cncs.gov.pt/nis2 |
| Incident platform | INCIBE-CERT portal / CCN LUCÍA | CSIRT.gov.it / SIEVERT | cert.pt/reportar |
| Early warning | 24h | 24h | 24h |
| Full notification | 72h | 72h | 72h |
| Essential entity max fine | €10M / 2% | €10M / 2% | €10M / 2% |
| Important entity max fine | €7M / 1.4% | €7M / 1.4% | €7M / 1.4% |
| Public admin requirement | ENS certification separate | ACN coordination | CNCS coordination |
| GDPR coordination | AEPD + INCIBE dual-report | Garante + ACN | CNPD + CNCS |
Part 5: GDPR Dual-Notification Requirements
All three countries require parallel GDPR notification when a NIS2 incident involves personal data. The NIS2 72h report to the national CSIRT does NOT substitute for GDPR 72h notification to the data protection authority:
| Country | Data Protection Authority | GDPR Portal |
|---|---|---|
| Spain | AEPD (Agencia Española de Protección de Datos) | aepd.es/es/areas/notificaciones-de-brechas |
| Italy | Garante Privacy (Garante per la Protezione dei Dati Personali) | gpdp.it/web/guest/notifica-violazione |
| Portugal | CNPD (Comissão Nacional de Proteção de Dados) | cnpd.pt/cidadaos/direitos/notificacao-de-violacoes |
Action required: If your incident platform triggers a NIS2 report, your incident response runbook must simultaneously route a GDPR breach notification. Many teams build a single incident classification step that auto-generates both notifications.
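Part 5 recommends one classification step that routes both the NIS2 CSIRT report and the GDPR breach notification. The Python below is an added example, not code from sota.io or from any authority named here: it applies the triggers this guide lists (INCIBE Level 3+ for Spain; >5% of users for >30 minutes, integrity compromise or cross-border impact for Portugal; integrity compromise or cross-border impact for Italy) and the 24h/72h/30-day and GDPR 72h deadlines to a constructed incident. Italy's sector-specific outage thresholds are not given numerically on the page, so they are taken as an assumed boolean flag.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Deadlines as stated in the guide: 24h early warning, 72h full notification and 30-day
# final report to the national CSIRT, plus a separate 72h GDPR notification to the DPA.
# Intermediate updates are only on request, so they are not scheduled here.
CSIRT_STEPS = [("early warning", timedelta(hours=24)),
               ("full notification", timedelta(hours=72)),
               ("final report", timedelta(days=30))]
GDPR_DEADLINE = timedelta(hours=72)
# CSIRT channel and data protection authority per country, from Parts 1-3 and 5.
AUTHORITIES = {"ES": ("INCIBE-CERT", "AEPD"),
               "IT": ("ACN / CSIRT Italia (SIEVERT)", "Garante Privacy"),
               "PT": ("CNCS / CERT.PT (ReportCIBER)", "CNPD")}

@dataclass
class Incident:
    detected_at: datetime
    countries: tuple                 # affected Member States among ES, IT, PT
    incibe_level: int = 1            # INCIBE-CERT 5-level severity (Spain)
    pt_user_share: float = 0.0       # share of Portuguese users affected (Lei 89/2024 Art. 20)
    outage_minutes: int = 0
    integrity_compromised: bool = False
    cross_border: bool = False
    sector_threshold_exceeded: bool = False  # Italy: ACN sector outage threshold (assumed flag)
    personal_data_involved: bool = False

def is_significant(inc: Incident, country: str) -> bool:
    """Apply each country's 'significant incident' trigger as the guide describes it."""
    if country == "ES":
        return inc.incibe_level >= 3
    if country == "PT":
        return ((inc.pt_user_share > 0.05 and inc.outage_minutes > 30)
                or inc.integrity_compromised or inc.cross_border)
    if country == "IT":
        return inc.sector_threshold_exceeded or inc.integrity_compromised or inc.cross_border
    raise ValueError(f"unsupported country: {country}")

def notification_plan(inc: Incident) -> list:
    """Return (country, authority, step, deadline) rows for every report that is due."""
    plan = []
    for country in inc.countries:
        csirt, dpa = AUTHORITIES[country]
        if is_significant(inc, country):
            plan.extend((country, csirt, step, inc.detected_at + delta)
                        for step, delta in CSIRT_STEPS)
        if inc.personal_data_involved:  # GDPR track is due regardless of NIS2 significance
            plan.append((country, dpa, "GDPR breach notification",
                         inc.detected_at + GDPR_DEADLINE))
    return sorted(plan, key=lambda row: row[3])  # stable sort: earliest deadline first

def sample_incident() -> Incident:
    """Constructed sample, not a real event: 45-minute outage hitting 8% of Portuguese
    users, rated Level 2 on the INCIBE scale in Spain, with customer personal data exposed."""
    return Incident(datetime(2026, 5, 4, 9, 0, tzinfo=timezone.utc), ("ES", "PT"),
                    incibe_level=2, pt_user_share=0.08, outage_minutes=45,
                    personal_data_involved=True)

if __name__ == "__main__":
    for country, authority, step, deadline in notification_plan(sample_incident()):
        print(f"{country} {authority}: {step} by {deadline.isoformat()}")
```

For the sample, Spain gets only the AEPD GDPR row (Level 2 is below the Level 3 trigger) while Portugal gets all three CERT.PT steps plus the CNPD row, which is exactly the split a single classification step has to produce.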
Part 6: Multi-Jurisdiction Registration Strategy
Operating across Spain + Italy + Portugal requires managing three separate registrations. Key strategy points:
6.1 EU Single Registration Principle
Under NIS2 Art. 26, digital service providers (cloud, CDN, online marketplace) may register with the competent authority of the EU Member State where they have their main establishment — typically where their EU headquarters or primary data processing operations sit.
- Primary registration in your main establishment country
- Notification to other Member State authorities where you provide services
If your EU entity is in Ireland or Germany, your primary registration is with IDA/NCSC-IE or BSI — with notification to INCIBE, ACN, and CNCS as service-providing countries.
If you are a non-EU SaaS company serving EU customers, you must designate an EU representative in a Member State and register there.
6.2 Multi-Country SPOC Structure
Recommended SPOC structure for Southern Europe:
EU Main Establishment SPOC (primary reporting)
├── Spain SPOC (INCIBE-CERT notification)
├── Italy SPOC (ACN / CSIRT Italia coordination)
└── Portugal SPOC (CNCS / CERT.PT liaison)
Each national SPOC should:
- Speak the local language (Spanish/Italian/Portuguese) for authority communications
- Have 24/7 incident escalation access
- Be documented in your incident response plan
Part 7: 30-Point Southern Europe NIS2 Compliance Checklist
Spain (10 points)
- 1. Determine if your entity falls under INCIBE-CERT (private) or CCN-CERT (public/critical infra) scope
- 2. Pre-register at incibe.es/empresas/nis2 (even before final law enactment)
- 3. Map NIS2 sector applicability under Real Decreto-ley 12/2018 interim framework
- 4. Designate INCIBE-CERT notification contact (incidentesindustriales@incibe-cert.es or ciberseguridad@incibe-cert.es)
- 5. If selling to public sector: assess ENS certification requirement (Básico/Medio/Alto)
- 6. Configure SIEM alert rules for Level 3+ INCIBE taxonomy events (significant incident trigger)
- 7. Establish AEPD parallel notification track in your incident runbook
- 8. Train Spanish SPOC on CCN's LUCÍA platform (if any public-sector customers)
- 9. Monitor Anteproyecto de Ley de Ciberseguridad for final law enactment (H2 2026)
- 10. Document supply chain security clauses in contracts with Spanish sub-processors
Italy (10 points)
- 11. Classify as soggetto essenziale or soggetto importante under D.lgs. 138/2024
- 12. Register on ACN NIS2 portal: acn.gov.it/portale/web/guest/nis
- 13. Designate Italian SPOC with 24/7 availability and Italian language capability
- 14. Configure SIEVERT notification workflow — 24h pre-notifica → 72h notifica → 30-day report
- 15. Implement all 10 security measures from D.lgs. 138/2024 Art. 24 (documented)
- 16. Add Garante Privacy parallel notification track for data breach incidents
- 17. Review supply chain contracts — strategic supplier security clauses mandatory
- 18. Establish Italian-language incident report templates (ACN accepts English but Italian preferred)
- 19. Note public disclosure risk — ACN can publish non-compliance orders (Art. 39)
- 20. Verify management liability exposure — directors face €125,000 personal fines for repeated violations
Portugal (10 points)
- 21. Self-classify using CNCS questionnaire at cncs.gov.pt/nis2
- 22. Register on CNCS portal with Portuguese NIF or designate EU representative
- 23. Designate Portuguese-speaking SPOC (nis2@cncs.gov.pt as primary contact)
- 24. Configure ReportCIBER notifications: cert.pt/reportar — 24h alerta → 72h notificação
- 25. Verify ANACOM coordination for telecom-adjacent services
- 26. Establish CNPD parallel GDPR track in incident runbook (cnpd.pt)
- 27. Implement Lei 89/2024 Art. 20 thresholds — >5% users / >30 minutes = reportable event
- 28. Test graduated response — CNCS issues remediation orders before fines on first violations
- 29. Add Portuguese legal representative contact if no PT legal entity
- 30. Document ERSE/ANACOM/BdP co-supervision contacts for relevant sectors
Next in the Series
This is Post #4 of 5 in the sota.io EU NIS2 SaaS Compliance Series:
- Post #1 — NIS2 Germany BSIG 3.0: Complete Developer Guide
- Post #2 — NIS2 DACH: Austria NISG vs Germany BSIG Comparison
- Post #3 — NIS2 Western Europe: France ANSSI + Netherlands NCSC
- Post #4 — You are here — NIS2 Southern Europe: Spain + Italy + Portugal
- Post #5 — NIS2 21-Country Finale: Complete EU SaaS Stack
Got a NIS2 compliance question for your Southern European operations? The sota.io platform helps EU-regulated teams manage compliance workflows across multiple Member State authorities — one platform for your Spain + Italy + Portugal registrations.