An end to passivity in the face of cyberattacks in the offices of Spanish companies. The European Union has set an official expiry date on its patience with our country's delay in adopting the new digital security requirements. As was already warned on May 7, 2025, the EU ultimatum has expired and the European Commission in Brussels now has the power to bring Spain before the Court of Justice of the European Union (CJEU).
After other measures of a similar nature promoted by Europe, such as the DORA Regulation for the resilience of the financial sector, it is now the turn of the rest of the critical and essential sectors of the economy, which must focus their efforts on shielding their networks and systems in order to move towards a safer digital market in the face of growing cyberattacks.
The new European regulation that puts an end to lack of digital protection
The measure is part of Directive (EU) 2022/2555, known as NIS2, which regulates cybersecurity and incident reporting obligations across the EU member states.
The text requires member states to transpose these rules so that companies are obliged to adopt risk management protocols. The key date, which Spain missed, was October 17, 2024, when this regulation should have been fully in force.
Based on the reasoned opinion sent months ago, the warning was clear: “the Commission considers that, to date, the efforts of the national authorities have been insufficient.” Once the two-month period granted to correct the error has elapsed, the next step is legal action.
The possible emergency decree and the “cascade effect”
Although the penalty will be aimed directly at the State, the regulations contemplate a total transformation of the productive fabric. The Government is processing the Draft Law on the Coordination and Governance of Cybersecurity (approved in the first round in January 2025), but given the slowness of the parliamentary process and the threat of court action, approving the law through an emergency Royal Decree-Law has not been ruled out.
In this sense, the law will not only affect large corporations. Cybersecurity measures will require auditing security in the supply chain. That is to say, thousands of small and medium-sized enterprise (SME) suppliers will be swept up by the new rule and will have to raise their security standards if they want to continue providing services to regulated entities.

The regulation not only requires computer patches, but also introduces new and severe obligations for boards of directors. For example, the law will make administrators and managers personally responsible for approving and supervising cybersecurity measures. “Technical ignorance” will no longer be a valid excuse.
And in the event of a hack, companies will have to comply with suffocating deadlines: they will have to issue an early warning within a maximum of 24 hours, a formal notification detailing the impact within 72 hours and a final report within a month.
The EU will evaluate the impact through a new central command
The main objective of this regulation is to stop the enormous economic impact that cybercriminals are having on key European infrastructure.
In fact, to coordinate this colossal task, Spain will create the National Cybersecurity Center, an organization attached to the Presidency of the Government that will unify functions currently distributed between the Ministries of the Interior, Defense and Digital Transformation.
With this roadmap, Brussels seeks to completely transform the way we manage technological risks on a day-to-day basis, starting with a gesture as simple as forcing senior management to answer to the law if their digital defenses fail.
