Executive summary · TL;DR
Spain has built a layered cybersecurity regulatory landscape: GDPR for personal data, the ENS (Spanish National Security Framework) for the public sector and its suppliers, NIS2 for essential and important entities, DORA for the financial sector, and the EU AI Act. This guide maps which rule applies to whom and how to design a coordinated compliance strategy.
Sources: GDPR · BOE · Royal Decree 311/2022 · Directive (EU) 2022/2555 (NIS2) · Regulation (EU) 2022/2554 (DORA) · EU AI Act
The European cybersecurity regulatory landscape has reached a level of complexity that requires careful navigation. Spanish companies face a web of regulations that often overlap, complement each other and sometimes contradict each other. Understanding which ones apply to your organisation, what they require and how to address them strategically is essential to avoid sanctions and competitive disadvantages.
GDPR: the cornerstone of European regulation
The General Data Protection Regulation (GDPR), in force since May 2018, triggered the European regulatory wave. It establishes a unified framework for personal data protection in the EU, with fines of up to €20 million or 4% of global annual turnover, whichever is higher, for the most serious breaches.
Key elements include the principles of lawfulness, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability; data subject rights (access, rectification, erasure, objection, portability, restriction of processing, and not to be subject to solely automated decisions); the obligations of controllers and processors; the role of the Data Protection Officer (DPO); records of processing activities; data protection impact assessments (DPIA); notification of personal data breaches to the AEPD within 72 hours; and international data transfers.
Compliance with the GDPR is not optional, and it remains the regulation under which the most fines are issued in Spain. Related practical guide: GDPR for SMEs: compliance in 10 steps.
ENS: the security of the public administration
The Spanish National Security Framework (ENS), updated by Royal Decree 311/2022, is the regulation governing security in the public sector and in private companies that provide ICT services to the Spanish Public Administration. It defines three categories (BASIC, MEDIUM, HIGH) according to the impact a security incident would have, with 73 specific security measures organised in three frameworks (organisational, operational and protection). It is mandatory for the public administration and for ICT suppliers to the Administration.
NIS2: the new directive for essential and important entities
The NIS2 Directive (Directive (EU) 2022/2555), which replaces the previous NIS Directive, came into force in January 2023 and had to be transposed into Spanish law by October 2024. It expands the scope to include essential entities (energy, transport, banking, financial market infrastructures, healthcare, drinking water, wastewater, digital infrastructure, ICT service management, public administration, space) and important entities (postal and courier services, waste management, chemicals, food, manufacturing, digital providers, research). It introduces a staged approach to incident notification: an early warning within 24 hours, an incident notification within 72 hours, and a final report within one month. Fines reach up to €10 million or 2% of global turnover for essential entities, and up to €7 million or 1.4% for important entities. Related guide: NIS2 directive: cybersecurity for SMEs in Spain.
DORA: digital operational resilience for the financial sector
The DORA Regulation (Regulation (EU) 2022/2554), applicable from January 2025, establishes specific requirements for the financial sector. It covers ICT risk management, ICT-related incident reporting, digital operational resilience testing (including threat-led penetration testing), management of risk from ICT third-party providers, and information sharing between entities in the sector. Related guide: DORA: operational resilience in finance.
EU AI Act
The European Artificial Intelligence Act (Regulation (EU) 2024/1689) entered into force in 2024 with a phased implementation timeline through to 2027. It classifies AI systems by risk level (unacceptable, high, limited, minimal) and applies specific obligations to each category. For SMEs that incorporate AI in customer-facing services, this regulation is becoming a strategic concern.
How to coordinate compliance: priority matrix
Faced with this complexity, the practical strategy is to prioritise based on three criteria: legal applicability, business impact, and the cost of non-compliance. For a typical Spanish SME the order is usually: GDPR (always applicable), ENS (if you work with the public sector or plan to), NIS2 (if you are in an in-scope sector), DORA (only for the financial sector) and EU AI Act (if you deploy AI systems classified as high risk).
The good news is that the requirements overlap by 60-80%: information security policies, risk management, incident response, business continuity, supplier management and awareness training are common to all frameworks.
Coordinated compliance strategy
The most efficient approach is a unified information security management system (ISMS) that covers all applicable regulations. The framework recommended for SMEs is ISO/IEC 27001 as a baseline, with specific additions for each applicable regulation. A well-designed implementation can cover 70-80% of the requirements shared across all of these frameworks, leaving only the regulation-specific additions to address separately.
Authorship: Ángel Ortega Castro · independent consultant on strategy, quality and digitalisation for SMEs.
Frequently asked questions
- What regulations apply in Spain?
- GDPR for personal data, ENS for the public sector and its ICT suppliers, NIS2 for essential and important entities, DORA for the financial sector, and the EU AI Act for AI systems by risk category.
- What sanctions does non-compliance entail?
- GDPR fines of up to €20 million or 4% of global turnover; NIS2 fines of up to €10 million or 2% of global turnover for essential entities. ENS non-compliance prevents contracting with the Spanish Public Administration.
- Can my company comply with all of them at the same time?
- Yes. Requirements overlap by 60-80%, so a unified ISMS based on ISO/IEC 27001 plus specific additions is the most efficient approach.
- Which one should I prioritise?
- For a typical Spanish SME: GDPR (always), ENS (if you work with the public sector), NIS2 (if you are in an in-scope sector), DORA (only finance) and EU AI Act (if you deploy high-risk AI systems).
- How does this apply to my SME?
- It applies as long as you serve Spanish customers or process Spanish data; the framework is mandatory above thresholds we summarise in the table.
- What does it cost in 2026?
- Indicative ranges for SMEs with 10-50 employees: 2,500-12,000 EUR for documentation, plus auditor fees that vary by certification body (AENOR, BV, SGS, LRQA).
- Which Spanish regulation applies?
- The BOE references RD 311/2022 (ENS), Regulation (EU) 2016/679 (GDPR), the LOPDGDD, NIS2, DORA and the EU AI Act (Regulation (EU) 2024/1689), depending on scope.
- How long does the implementation take?
- On average 4-7 months for a single ISO standard. An integrated management system (ISO 9001 + 14001 + 27001) usually takes 8-12 months.
- Can I co-finance it with Kit Digital or Kit Consulting?
- Yes. Kit Consulting 2026 covers up to 24,000 EUR in advisory hours; Kit Digital covers tools (CRM, ERP, cybersecurity) up to 29,000 EUR.
Marketing to the brain is more predictable than marketing to opinion. — Ángel Ortega Castro