In recent days, attention has returned to cybersecurity in Spain after it was reported that the country has not yet fully transposed the European NIS2 directive. This legislative delay coincides with a complex geopolitical context, marked by international tensions and an increased risk of computer attacks against critical infrastructures.

Beyond the political debate, the situation poses a key question for companies and public bodies: Are Spanish organizations really prepared to face a security breach or a sophisticated cyberattack?

What is known about the delay of the cybersecurity law in Spain?

According to recently published information, the Spanish Government has yet to integrate into its legislation the NIS2 Directive, a European standard that should have been transposed before October 2024.

This directive seeks to reinforce IT security in companies and public administrations, establishing clear obligations to prevent and respond to security incidents.

However, the legislative process has been ongoing for more than a year. In fact:

  • In January 2025, the preliminary draft of the Cybersecurity Coordination and Governance Act was presented.
  • The regulations are still pending final approval.
  • This delay could even expose Spain to sanctions by the European Union.

Even more important is the practical impact: the lack of an updated framework creates legal uncertainty for companies and organizations required to comply with these standards.

Why this context increases the risk for critical infrastructure

The regulatory delay occurs at a particularly sensitive time from a geopolitical point of view.

The escalation of the conflict in the Middle East and other international scenarios has increased the risk of cybersabotage, digital espionage and coordinated cyberattack campaigns. In these settings, states and sponsored groups often direct their operations against:

  • Energy infrastructures
  • Transportation and logistics
  • Healthcare sector
  • Telecommunications
  • Financial systems

All of these sectors are considered critical infrastructures, whose functioning is essential for economic and social stability.

The NIS2 directive expressly broadens the set of organizations required to apply security measures, bringing in many medium-sized companies and key suppliers in the supply chain.

How do these types of attacks occur in the current context?

Attacks affecting countries or critical infrastructure rarely start with extremely complex techniques. In most cases, incidents are caused by known weaknesses.

The most common vectors are:

  1. Phishing aimed at key employees
  2. Compromised or reused credentials
  3. Unpatched vulnerabilities in services exposed to the Internet
  4. Misconfigured remote accesses
  5. Lack of continuous network monitoring

Once inside, attackers can stay weeks or months on systems before launching the final phase of the attack, which can include:

  • Information theft
  • System sabotage
  • Ransomware
  • Industrial espionage

Security breaches of this kind do not affect only governments or large corporations; many campaigns begin by compromising suppliers or medium-sized companies.

Key lessons for companies in this scenario

Although regulatory developments are important, the reality is that the responsibility to protect systems lies with every organization.

Companies operating in Spain should adopt, at a minimum, these five strategic measures:

1. Perform regular security audits
They allow vulnerabilities to be detected before attackers do so.

2. Continuously monitor the network
Early detection significantly reduces the impact of incidents.

3. Train employees
The human factor remains one of the main attack vectors.

4. Implement incident response plans
Knowing how to act in the face of an attack is key to reducing damage.

5. Align security with regulatory frameworks
Regulations such as NIS2, ISO 27001 or ENS help to structure business security.

Cybersecurity as a strategic priority

The current situation shows that cybersecurity in Spain can no longer be addressed solely from a technological or legal point of view.

Organizations must understand that:

  • Cyber attacks are part of business risk.
  • Regulation will continue to tighten in Europe.
  • Digital infrastructures are already a critical asset for any company.

Waiting for regulations to compel action is usually a strategy that comes too late. Companies that invest today in enterprise IT security not only reduce their risks, but also improve their resilience and competitiveness.

Apolo Cybersecurity: Anticipating Digital Threats

Incidents and debates such as the current one about cybersecurity in Spain reveal a clear reality: digital protection is already a strategic element for any organization.

At Apolo Cybersecurity, we help companies and institutions anticipate these threats through specialized services such as:

  • 24/7 SOC for continuous monitoring
  • CISO as a Service
  • Vulnerability analysis and security audits
  • Cybersecurity training for teams
  • Regulatory compliance support (NIS2, ENS, ISO 27001)

If you want to know your organization's real level of security and how to prepare for a possible computer attack or security breach, our team can help you with an initial evaluation and strategic recommendations adapted to your company.
