Spain NIS2 Implementation 2026 — INCIBE-CERT, CCN-CERT & SaaS Compliance Guide
Post #3 in the sota.io EU NIS2 National Enforcement Series
Spain is the fourth largest economy in the EU and home to some of Europe's most critical digital infrastructure — the Madrid Internet Exchange (ESPANIX), Telefónica's global backbone, and a dense cluster of cloud data centres serving southern Europe and Latin America. When Spain implements NIS2, the ripple effects reach far beyond the Iberian Peninsula.
Spain's NIS2 transposition follows a dual-authority architecture that reflects the country's longstanding institutional split between civilian and governmental cybersecurity functions. INCIBE-CERT, the CSIRT of the Instituto Nacional de Ciberseguridad (INCIBE), is the reference CSIRT for private sector essential and important entities; CCN-CERT, the CSIRT of the Centro Criptológico Nacional (CCN), covers public administrations and classified environments. For SaaS vendors, this split creates layered compliance obligations that don't exist in most other EU member states.
Spain's NIS2 Transposition: Ley de Coordinación y Gobernanza de la Ciberseguridad
Spain implemented NIS2 through the Ley de Coordinación y Gobernanza de la Ciberseguridad (LCyGC), which entered into force in 2025, building on the earlier Real Decreto-ley 12/2018 (the original NIS transposition) and Royal Decree 43/2021.
The LCyGC expands the scope of mandatory cybersecurity obligations across sectors and strengthens incident reporting, supply chain security, and executive accountability. Key innovations of the Spanish approach:
| Feature | Spain (LCyGC) | NIS2 Baseline |
|---|---|---|
| Authority split | INCIBE-CERT (private) / CCN-CERT (public) | Single or multiple competent authorities |
| ENS integration | Public sector must meet ENS certification | Framework-neutral |
| CNPIC coordination | Critical infrastructure (CNPIC) + NIS2 overlap | NIS2 as primary framework |
| Management liability | Board-level approval mandatory | NIS2 Art.20 applies |
| Penalty ceiling | Up to €10M or 2% of worldwide annual turnover, whichever is higher (essential) / €7M or 1.4% (important) | €10M / 2% or €7M / 1.4%, whichever is higher (Art. 34) |
A note on ENS: The Esquema Nacional de Seguridad (ENS, Royal Decree 311/2022) predates NIS2 and is Spain's national framework for public sector ICT security. ENS conformity is mandatory for ICT systems used by Spanish public administrations and for private sector providers whose services or solutions support them (RD 311/2022 Art. 2). Systems are categorised at levels Básico, Medio, or Alto; Medio and Alto systems must hold a certificate of conformity issued after a formal audit, while Básico systems may rely on a self-assessed declaration of conformity. SaaS providers serving Spanish government entities must therefore achieve ENS certification at the matching level, independent of NIS2 obligations. ENS is to Spanish public sector procurement what BSI C5 is to German public procurement.
The Dual-Authority Model: INCIBE-CERT vs CCN-CERT
Spain's cybersecurity institutional landscape is unique in the EU. Understanding which authority governs your customers determines which regulatory channel you engage with.
INCIBE-CERT — Private Sector Authority
INCIBE (Instituto Nacional de Ciberseguridad) is Spain's national cybersecurity agency for the private sector and citizens. Headquartered in León and operating under the Ministerio para la Transformación Digital y de la Función Pública, INCIBE serves as:
- The competent authority for private sector essential and important entities in most NIS2 sectors
- The national CSIRT for citizens and private sector entities (INCIBE-CERT, formerly CERTSI, the CERT de Seguridad e Industria)
- The coordination body for critical information infrastructure protection in the private sector
- The point of contact for international CSIRT coordination (EU CSIRTs Network, FIRST)
INCIBE-CERT operates a 24/7 incident notification portal and manages the vulnerability disclosure programme for Spanish entities.
CCN-CERT — Public Administration Authority
CCN-CERT (Centro Criptológico Nacional CERT) operates under the Centro Nacional de Inteligencia (CNI, Spain's intelligence service), itself reporting to the Ministerio de Defensa. CCN-CERT is responsible for:
- The competent authority and CSIRT for Spanish public administrations at all levels (central, regional, local)
- NIS2 compliance oversight for public sector entities
- Defining the ENS conformity scheme (CCN-STIC guides, the CPSTIC catalogue of qualified products) against which accredited bodies audit and certify public sector ICT systems
- Incident response for government networks and classified systems
- The CCN-CERT early warning network (SAT-INET, SAT-ICS, SAT-SARA)
This institutional split is significant for SaaS vendors: a cloud platform serving a private hospital group reports through INCIBE-CERT, while the same platform serving a regional public health service or a regional government IT system falls under CCN-CERT, because public hospitals are part of the public administration. Dual customer types require understanding both regulatory channels.
CNPIC — Critical Infrastructure Coordination
A third actor — CNPIC (Centro Nacional de Protección de Infraestructuras y Ciberseguridad), under the Ministerio del Interior — oversees critical infrastructure protection under Ley 8/2011. CNPIC designates critical infrastructure operators and coordinates with INCIBE-CERT and CCN-CERT on incidents affecting essential services. Where NIS2 scope and Ley 8/2011 overlap (energy, transport, water, finance), CNPIC involvement is mandatory.
Who Must Comply: Sectors and Thresholds
The LCyGC applies the NIS2 sector structure directly. Spanish entities in Annex I and II sectors that meet size thresholds are subject to mandatory registration and security obligations.
Essential Entities (Entidades Esenciales)
Large organisations in Annex I sectors:
| Sector | Examples | Authority |
|---|---|---|
| Energy | Endesa, Repsol, REE grid operators, gas DSOs | INCIBE-CERT |
| Transport | AENA airports, Renfe rail, Puertos del Estado | INCIBE-CERT |
| Banking | Santander, BBVA, CaixaBank, cajas rurales | Banco de España co-supervision; DORA (Regulation (EU) 2022/2554) applies as lex specialis for ICT risk management and incident reporting |
| Financial market infrastructure | BME, SIBE, CCPs | CNMV co-supervision; DORA applies as lex specialis |
| Health | Hospital networks, pharmaceutical manufacturers | INCIBE-CERT |
| Drinking water | Canal de Isabel II, municipal water operators | INCIBE-CERT |
| Digital infrastructure | IXPs (ESPANIX), DNS/TLD operators, cloud data centres | INCIBE-CERT |
| Public administration (central) | Ministerios, AEAT, state agencies (Agencias Estatales) | CCN-CERT |
| Public administration (regional) | Comunidades Autónomas, Diputaciones | CCN-CERT |
| Space | GMV, Indra (satellite operations) | INCIBE-CERT |
Important Entities (Entidades Importantes)
Medium organisations in Annex I sectors, and medium and large organisations in Annex II sectors, including postal and courier services, waste management, chemical manufacturing, food production, medical device manufacturers, digital providers (online marketplaces, search engines, social networking platforms), and research organisations. Note that cloud computing, data centre and CDN providers (Annex I, digital infrastructure) and managed service providers and MSSPs (Annex I, ICT service management) are Annex I entities: large ones are essential, medium ones important.
Cloud, CDN, data centre and managed service providers fall under the jurisdiction of the EU Member State where they have their main establishment (NIS2 Art. 26); a provider not established in the EU must designate a representative in a Member State where it offers services and is subject to that state's jurisdiction. A US SaaS vendor providing cloud services to a Spanish bank is therefore not automatically a Spanish in-scope entity, but it is reached indirectly and in practice unavoidably: the bank's supply chain security obligation (NIS2 Art. 21(2)(d), transposed by the LCyGC) requires it to assess the vendor and to impose contractual security requirements on it.
Size Thresholds
| Size (Recommendation 2003/361/EC) | Employees | Turnover | Balance sheet | NIS2 category |
|---|---|---|---|---|
| Large | 250+ (or turnover > €50M and balance sheet > €43M) | > €50M | > €43M | Essential if Annex I; important if Annex II |
| Medium | 50–249 | ≤ €50M | ≤ €43M | Important (Annex I and II) |
| Small/Micro | < 50 | ≤ €10M | ≤ €10M | Out of scope unless Art. 2(2) applies |
Small and micro organisations are out of scope unless NIS2 Art. 2(2) brings them in regardless of size. That applies, among others, to providers of public electronic communications networks or services, trust service providers, TLD name registries and DNS service providers, sole providers in Spain of a service essential to critical societal or economic activities, and central government public administration entities; the competent authority can also designate an entity on this basis (e.g., the sole provider of a critical infrastructure service).
Security Requirements: ENS Baseline + NIS2 Measures
Spain's NIS2 security requirements apply the NIS2 Art.21 baseline but with an important overlay for public sector customers: ENS certification is additionally required.
NIS2 Baseline (All In-Scope Entities)
| Measure (NIS2 Art. 21(2)) | Spanish implementation |
|---|---|
| Risk management (a) | Documented risk analysis; for ENS systems, the categorisation and risk analysis required by RD 311/2022 (commonly done with the MAGERIT methodology and CCN's PILAR tool) |
| Incident handling (b) | Notification to INCIBE-CERT or CCN-CERT: early warning within 24 h, incident notification within 72 h, final report within one month |
| Business continuity (c) | Backup management, disaster recovery and crisis management; aligned with ENS continuity controls for public sector |
| Supply chain security (d) | ICT supplier assessments mandatory; CNPIC coordination for critical infrastructure operators |
| Access control and MFA (i), (j) | MFA for privileged and remote access; ENS identity and authentication controls for public sector |
| Cryptography (h) | Policies on cryptography and, where appropriate, encryption; algorithms and key lengths per CCN-STIC 807 for ENS systems |
| Vulnerability management (e) | Security in acquisition, development and maintenance, including vulnerability handling and disclosure; CCN-CERT advisory integration for government entities |
| Security awareness (g) | Cyber hygiene and training; INCIBE provides free resources for SMEs |
ENS Certification Requirements (Public Sector Only)
The Esquema Nacional de Seguridad operates at three levels:
| ENS Level | Applicable systems | Requirements |
|---|---|---|
| Básico | Low-impact public systems | Baseline controls; self-assessment at least every two years with a declaration of conformity |
| Medio | Medium-impact government systems | Formal audit at least every two years by an ENAC-accredited certification body; certificate of conformity; incident reporting to CCN-CERT |
| Alto | High-impact systems (sensitive data, critical services) | Audit at least every two years by an accredited certification body; reinforced controls; CCN-qualified products (CPSTIC catalogue) required for certain controls |
For SaaS vendors: If you provide cloud services to Spanish public administrations, you must achieve ENS certification at the level matching your customers' system classification. ENS Medio or Alto certifications are typically required for health records systems, tax administration platforms, and regional government ERP systems.
ENS certification is conducted by certification bodies accredited by ENAC (Spain's national accreditation body) under the conformity scheme defined by CCN, and requires a full audit against the ENS control catalogue (Annex II of RD 311/2022) at the level matching the system's categorisation. Timeline: 6–18 months depending on scope and current security maturity.
Incident Reporting: INCIBE-CERT and CCN-CERT Timelines
Spain follows the NIS2 three-stage notification model:
| Stage | Deadline | Recipient | Content |
|---|---|---|---|
| Alerta temprana (Early warning) | 24 hours from becoming aware | INCIBE-CERT or CCN-CERT | Whether the incident is suspected to be caused by unlawful or malicious acts, and whether it could have cross-border impact |
| Notificación del incidente | 72 hours from becoming aware | INCIBE-CERT or CCN-CERT | Updates the early warning; initial assessment of severity and impact; indicators of compromise where available |
| Actualización periódica | On request of the authority | Same authority | Status updates |
| Informe final | 1 month after the incident notification | Same authority | Detailed description, severity and impact, type of threat or root cause, mitigation applied, cross-border impact where applicable |
If the incident is still ongoing when the final report falls due, a progress report is submitted at that point and the final report one month after the incident has been handled (NIS2 Art. 23(4)(e)).
Private sector entities — including SaaS providers serving Spanish essential entities — report to INCIBE-CERT via the INCIBE incident notification portal (incibe.es/en-IN/incibe-cert/incidents). Public sector entities report to CCN-CERT via the LUCIA incident management platform (ens.ccn-cert.cni.es).
A significant incident is not defined by geography: under NIS2 Art. 23(3) it is one that has caused or is capable of causing severe operational disruption or financial loss for the entity, or that has affected or is capable of affecting other persons by causing considerable material or non-material damage. Where a significant incident has cross-border impact, it is the receiving CSIRT or competent authority, not the reporting entity, that informs the other affected Member States and ENISA (Art. 23(6)); INCIBE-CERT does this through its EU CSIRTs Network channel.
The CLOUD Act Conflict: US SaaS in Spanish NIS2 Scope
Spain's NIS2 implementation creates the same structural CLOUD Act conflict documented in France, Germany, and the Netherlands — but with a Spanish-specific dimension: the dual-authority model means US SaaS vendors face two simultaneous enforcement channels rather than one.
The Core Conflict
A US SaaS provider serving a Spanish bank (INCIBE-CERT jurisdiction) and a Spanish regional government IT system (CCN-CERT jurisdiction) simultaneously:
- Must maintain incident logs and audit trails available for INCIBE-CERT inspection
- Must maintain separate ENS-compliant documentation available for CCN-CERT audit
- Remains subject to US CLOUD Act orders (18 U.S.C. § 2713) to produce data stored on European infrastructure
- Cannot legally comply with both a Spanish NIS2 incident disclosure obligation and a sealed US CLOUD Act order simultaneously
INCIBE-CERT's position on CLOUD Act conflicts mirrors ANSSI (France) and NCSC-NL (Netherlands): NIS2 obligations apply regardless of the vendor's jurisdiction. A US SaaS provider cannot cite foreign law to exempt itself from Spanish NIS2 security and incident notification requirements.
ENS Amplifies the Conflict
For vendors serving Spanish public sector customers, ENS certification requires documentation of data flows, encryption keys, and system boundaries — all subject to CCN-CERT audit. If a US CLOUD Act order compels the vendor to hand over encryption keys or data without notifying the Spanish customer, the vendor simultaneously violates:
- NIS2 Art.21 (cybersecurity risk-management measures, including supply chain security and cryptography policy)
- ENS control requirements (access control, encryption key management)
- GDPR Art.48 (a third-country court or authority order to disclose personal data is enforceable only under an international agreement such as an MLAT) and Art.46 (international transfers without appropriate safeguards)
- Spain's LCyGC supply chain security requirements
This is not a theoretical risk: Telefónica, Indra, and Spanish regional health authorities have all documented CLOUD Act exposure in their ICT supplier risk assessments following US government surveillance revelations.
Structural Mitigation: The Only Reliable Path
No contractual measure fully resolves this conflict. The Schrems II ruling (C-311/18) established that Standard Contractual Clauses do not neutralise CLOUD Act exposure. Spanish data protection authorities — AEPD (Agencia Española de Protección de Datos) — have aligned with EDPB guidance that supplementary measures alone are insufficient for high-risk transfers.
The only reliable structural mitigation is running the workload on infrastructure operated by a provider not subject to US jurisdiction, for example:
- OVHcloud (FR, SecNumCloud-qualified offerings; SecNumCloud is ANSSI's French qualification and the de facto public sector benchmark across the EU)
- Hetzner Cloud (DE, no US jurisdiction, GDPR-native)
- Scaleway (FR, SecNumCloud, EU AI zones in Paris)
- IONOS (DE, United Internet AG, ENS-compatible deployment)
- Wazuh (open-source SIEM with Spanish origins; self-hosted on one of the providers above it inherits that provider's jurisdiction instead of adding a US SaaS dependency, which is what the 0/25 CLOUD Act exposure score reflects)
Supply Chain Requirements Under LCyGC
Spain's NIS2 implementation places particular emphasis on supply chain security — reflecting the critical infrastructure concentration and the Indra/Telefónica ecosystem's role in Spanish public sector ICT.
Essential and important entities must:
- Assess ICT vendors for cybersecurity risk before procurement and periodically thereafter
- Document the security posture of digital service providers in the supply chain
- Include NIS2 security clauses in ICT vendor contracts
- Notify INCIBE-CERT or CCN-CERT if a supply chain incident affects their services
- Coordinate with CNPIC if the supply chain incident affects critical infrastructure
For SaaS vendors in the Spanish market, this means your customers — Spanish banks, hospitals, energy operators, regional governments — are required by law to assess your cybersecurity posture. Expect security questionnaires, third-party audits, and contractual clauses referencing LCyGC obligations. ENS certification significantly streamlines this process for public sector customers.
Managed Service Providers (MSPs) and Cloud Providers
The LCyGC applies NIS2 Annex I directly, and Annex I lists cloud computing service providers, data centre service providers and CDN providers (digital infrastructure) as well as managed service providers and managed security service providers (ICT service management, B2B). Large providers in these categories are therefore essential entities and medium ones important entities. This means:
- Spanish MSPs and cloud providers meeting the size thresholds are NIS2-scope entities and must comply directly with LCyGC obligations
- Foreign MSPs and cloud providers are under the jurisdiction of the EU Member State of their main establishment (or of their designated EU representative if not established in the EU, NIS2 Art. 26), and are reached by Spanish customers through the customers' supply chain assessment requirements
- Cloud providers (IaaS, PaaS, SaaS) used by Spanish essential entities must demonstrate NIS2-level security to those customers regardless of their own jurisdictional classification
Penalties and Enforcement
The LCyGC implements NIS2's penalty structure:
| Violation type | Essential entities | Important entities |
|---|---|---|
| Severe violations (e.g., failure to implement security measures, non-notification of significant incidents) | Up to €10M or 2% of worldwide annual turnover, whichever is higher | Up to €7M or 1.4% of worldwide annual turnover, whichever is higher |
| Serious violations (e.g., incomplete notifications, inadequate supply chain assessments) | Up to €4M or 0.8% | Up to €3M or 0.6% |
| Minor violations (e.g., administrative non-compliance) | Up to €100K | Up to €100K |
Management accountability: Under the LCyGC provisions mirroring NIS2 Art.20, the management body of essential and important entities must approve and oversee the cybersecurity risk-management measures, follow cybersecurity training, and can be held liable for infringements. For essential entities, NIS2 Art.32(5)(b) additionally allows the competent authority to temporarily prohibit any natural person at chief executive officer or legal representative level from exercising managerial functions. This is a significant shift from Spain's pre-NIS2 posture, where cybersecurity was typically treated as an IT department matter.
AEPD coordination: Where incidents involve personal data, INCIBE-CERT coordinates with the AEPD (Agencia Española de Protección de Datos) for joint enforcement. A ransomware attack on a Spanish hospital could trigger simultaneous NIS2 enforcement by INCIBE-CERT and GDPR enforcement by AEPD — compounding potential penalties.
EU-Native Alternatives for Spanish NIS2 Environments
SaaS vendors and their Spanish customers looking to eliminate CLOUD Act exposure and simplify NIS2 + ENS compliance have several EU-native infrastructure options.
| Provider | Jurisdiction | CLOUD Act Score | ENS Compatible | SecNumCloud | Use case |
|---|---|---|---|---|---|
| OVHcloud | FR (Roubaix) | 1/25 | Mapping required (SecNumCloud is not an ENS certificate) | ✅ Qualified | Spanish public sector (Alto/Medio ENS) |
| Hetzner Cloud | DE (Gunzenhausen) | 0/25 | Compatible | ❌ | Private sector NIS2, ENS Básico |
| Scaleway | FR (Paris) | 1/25 | Compatible | ✅ Qualified | Multi-cloud, EU AI Act compliance |
| IONOS | DE (Montabaur) | 1/25 | ENS-deployable | ❌ | Mid-market Spanish enterprises |
| Wazuh (SIEM) | ES (Madrid) | 0/25 | CCN-STIC validated | N/A | SIEM for ENS environments |
| OpenNebula | ES (Madrid) | 0/25 | ENS-compatible | N/A | Private cloud for public sector |
Wazuh is particularly notable: it is a Spanish-origin open-source security platform (born in Madrid as a fork of OSSEC) that is validated by CCN-CERT for ENS environments. Because it is self-hosted, its CLOUD Act exposure follows the infrastructure it runs on, not the project's origin: deployed on EU-jurisdiction hosting it adds no US SaaS dependency to the monitoring layer. It does not take that layer out of the ENS audit scope, though; the SIEM deployment itself must still meet the applicable ENS controls (logging, retention, access control), but self-hosting avoids bringing a third-party SaaS provider into that scope.
OpenNebula (also Madrid-based) provides open-source private cloud management used extensively in Spanish research networks (RedIRIS) and regional government clouds.
SaaS Vendor Compliance Roadmap for Spain
For a SaaS vendor currently serving or planning to serve Spanish essential or important entities:
Phase 1: Scope Assessment (Months 1–2)
- Map your Spanish customers: Identify which are essential entities (INCIBE-CERT scope) vs. public sector (CCN-CERT/ENS scope)
- Determine NIS2 classification: Are you a digital provider (cloud, CDN, MSP) under LCyGC? Size threshold analysis
- CLOUD Act exposure assessment: Document which data and metadata are accessible under US CLOUD Act orders
- ENS requirement identification: Which ENS level applies to your public sector customers' use case?
Phase 2: Baseline Security (Months 2–6)
- Implement NIS2 Art.21 security measures (risk management, MFA, encryption, vulnerability management, BCPs)
- Establish incident detection and notification workflows for INCIBE-CERT (private) and CCN-CERT (public) channels
- Begin ENS control mapping if public sector customers require certification
- Initiate supply chain security questionnaire process for your own ICT vendors
Phase 3: ENS Certification (Months 6–18, public sector only)
- Engage CCN-approved ENS auditor for gap assessment
- Remediate ENS control gaps (identity management, encryption, audit logging, incident response)
- Complete ENS audit and obtain certification at required level (Básico/Medio/Alto)
- Integrate ENS certificate into Spanish public sector procurement responses
Phase 4: Ongoing Compliance (Continuous)
- ENS recertification audit every two years (the audit cycle RD 311/2022 sets for Medio and Alto systems), with continuous control monitoring in between
- INCIBE-CERT / CCN-CERT alert feed integration for sector-specific threat intelligence
- Regular supply chain security assessments of your ICT vendors
- Board-level cybersecurity governance review (NIS2 Art.20 / LCyGC management accountability)
Key Contacts and Resources
| Resource | URL | Purpose |
|---|---|---|
| INCIBE-CERT incident reporting | incibe.es/en-IN/incibe-cert/incidents | Private sector incident notifications |
| CCN-CERT LUCIA platform | ens.ccn-cert.cni.es | Public sector incident notifications, ENS audit |
| ENS certification portal | ens.ccn-cert.cni.es/es/esquema-nacional-de-seguridad | ENS certification process |
| CNPIC critical infrastructure | interior.gob.es/opencms/es/servicios-al-ciudadano/proteccion-civil-y-emergencias | Critical infrastructure designation |
| INCIBE SME resources | incibe.es/empresas | Free cybersecurity tools and templates |
| AEPD (data protection) | aepd.es | GDPR enforcement coordination |
What This Means for SaaS Vendors
Spain's NIS2 implementation creates a more complex compliance environment than most EU member states — primarily because of the dual-authority model and the ENS overlay for public sector customers. The practical implications:
- Two compliance channels: Private sector customers → INCIBE-CERT. Public sector customers → CCN-CERT + ENS. Serving both requires navigating both tracks simultaneously.
- ENS is not optional: If your SaaS product is used by Spanish public administrations at any level — Ministerios, Comunidades Autónomas, Ayuntamientos, public hospitals, schools — ENS certification is expected. Expect customers to make it a procurement requirement.
- Wazuh and local alternatives: Spanish public sector customers increasingly prefer CCN-CERT validated tools. Integrating Wazuh for logging/SIEM can accelerate ENS certification and demonstrate sovereignty alignment.
- CLOUD Act exposure is a real procurement obstacle: Major Spanish public sector buyers (AEAT, Seguridad Social, regional health authorities) have explicit CLOUD Act risk assessments in their ICT procurement frameworks. A US SaaS vendor without structural isolation from US jurisdiction faces a documented procurement barrier.
- Management accountability is personal: After LCyGC implementation, the management bodies (boards) of Spanish essential and important entities can be held personally liable for cybersecurity governance failures, and executives at chief executive or legal representative level of essential entities can be temporarily barred from managerial functions (NIS2 Art.32(5)(b)). Expect procurement teams to request evidence of your own board-level cybersecurity oversight — not just technical controls.
Spain's dual-authority model mirrors the complexity of the country's public administration structure. For SaaS vendors willing to invest in ENS certification and structural CLOUD Act isolation, the Spanish market — the EU's fourth largest economy — offers significant long-term opportunity. For those who don't, the compliance barriers will compound with each NIS2 enforcement cycle.
Next in the series: Italy NIS2 Implementation — ACN and Decreto Legislativo NIS2
See also:
- France NIS2 Implementation — ANSSI Enforcement & SECNUMCLOUD
- Netherlands NIS2 Implementation — NCSC-NL & Cyberbeveiligingswet
EU-Native Hosting
Ready to move to EU-sovereign infrastructure?
sota.io is a German-hosted PaaS — no CLOUD Act exposure, no US jurisdiction, full GDPR compliance by design. Deploy your first app in minutes.