The government's other major security oversight: Brussels opened a case in November for failing to approve a new cybersecurity law that will cost companies 2.25 billion euros.

The possibility of a cyberattack that paralyzes critical infrastructure has suddenly returned to citizens' minds after Monday's blackout, and the government has been dragging its feet on preparing for it for some time. In November 2022, the European Commission approved NIS2, a directive that sought to increase cybersecurity standards throughout the European Union and at all levels of the economy. As of April 2025, the Cybersecurity Coordination and Governance Act, as the government has renamed it, is still a preliminary draft that has not even reached the Congress of Deputies and has only been before the Council of Ministers once, last January, where it was agreed to give it urgent treatment.
In fact, Spain and 22 other member states were disciplined last November by the European Commission for their delay in transposing this legislation, which seeks to tighten the minimum cybersecurity requirements that companies considered relevant to the digital society must apply.
The change is neither small nor cheap. The Spanish government estimates that 5,760 companies will have to invest to one degree or another to comply with the criteria established by the new legislation, resulting in a total bill of €2.25 billion. Of these, only 300 are considered essential under the current regime, which gives an idea of the paradigm shift that the new regulation represents. Sectors such as industry in its entirety, waste treatment, and courier services will now be subject to this regulation provided that companies have more than 250 employees or €50 million in turnover, and even those that exceed €10 million in some cases.
The public sector is not far behind, as the entire institutional public sector at the national and regional levels will fall under the umbrella of the Law, as will municipalities with more than 20,000 inhabitants.
NATIONAL CYBERSECURITY CENTER
One of the measures included in the new legislation is the creation of a National Cybersecurity Center. This center will act as a crisis management body and point of contact for companies in the event of a cyberattack. It will also be the entity that sets the necessary standards for both the rest of the public and private sectors. This entity will also have the power to create the list of essential entities that must comply with the requirements of this law.
However, although a single unit is being created, it does not have, for example, sanctioning powers, which will fall to the Ministries of the Interior and Digital Transformation. This has drawn criticism from some entities, such as the Esys Foundation (Security and Digital Society Company), which has called for this entity to effectively consolidate all functions into a single centralized authority. The creation of this entity will take up to 12 months after the text is approved, which will further delay the implementation of the new structure to detect cyberattacks.
Among other things, the legislation will require companies to report incidents and establish severe penalties of up to 2% of global turnover for those who have not been diligent in managing these cybersecurity policies. These obligations also apply to external providers, the source of some of the most high-profile data breaches in Spain in recent months.
Furthermore, one of the elements that has generated the most unrest among companies is that members of the governing bodies will be held jointly responsible for any violations committed by the company, a measure that will likely strengthen the involvement of the top management of large companies.
The regulations also create the position of an information security officer, who will act as the point of contact and technical coordination. Their responsibilities include developing cybersecurity strategies and policies, as well as ensuring compliance with regulations.
elmundo