NIS2 Compliance for Manufacturing in Spain
A practical country and industry compliance guide — obligations, evidence, and next steps.
Direct answer
Manufacturing organisations in Spain must determine essential or important entity status, register with CCN-CERT / INCIBE-CERT, implement Article 21 security measures, and establish 24-hour incident reporting. As an important entity you face ex-post supervision and maximum fines of €7 million or 1.4% of global turnover.
What are the NIS2 obligations for Manufacturing in Spain?
- Map OT assets and identify internet-connected production systems
- Segment OT from corporate IT networks
- Assess top 10 suppliers for cybersecurity posture
- Document BCM/BCP for production disruption
| Country | Spain |
| Industry | Manufacturing |
| Regulation | Directive (EU) 2022/2555 |
| Supervision | Spain transposed NIS2 via RDL 14/2022 and the pending Ley NIS2 |
NIS2 applies to medium and large organisations in critical sectors and imposes cybersecurity risk-management measures, supply-chain security, incident reporting to national authorities, and senior-management liability. Essential entities face supervisory audits; important entities face ex-post supervision.
Most member states are ramping supervisory activity through 2025–2026. BSI in Germany, ANSSI in France and NCSC-NL have published enforcement roadmaps.
Manufacturing NIS2 checklist
Action checklist
Map your sector (Annex I or II) and size (medium ≥50 employees, €10M revenue; large ≥250 or €50M). Essential entities face stricter and proactive supervision.
Articles 2, 3, Annex I, Annex II
Submit the mandatory registration with your national NIS2 authority (BSI, ANSSI, NCSC-NL, CERT.PL, etc.). Include entity type, sector, point of contact and services.
Article 3(3)
Cover: risk analysis and information security policies, incident handling, BCM/BCP, supply-chain security, vulnerability management, access control, MFA, encryption, and secure development.
Article 21
Significant incidents require: early warning within 24 hours, full notification within 72 hours, and a final report within one month. Designate an incident response owner and test the workflow.
Article 23
Review direct suppliers and managed-service providers for cybersecurity posture. Document due-diligence decisions and security contractual requirements.
Articles 21(2)(d), 22
Management bodies are personally liable under NIS2 for approving cybersecurity measures and overseeing implementation. Document board-level sign-off and training.
Article 20
What is specific to Spain
Spain transposed NIS2 via RDL 14/2022 and the pending Ley NIS2. CCN-CERT supervises public entities; INCIBE-CERT supervises private essential and important entities. Spanish organisations must align with the Esquema Nacional de Seguridad (ENS) for public-sector overlap.
Priority actions for Manufacturing
- Map OT assets and identify internet-connected production systems
- Segment OT from corporate IT networks
- Assess top 10 suppliers for cybersecurity posture
- Document BCM/BCP for production disruption
Informational only. This page is not legal advice — consult qualified counsel for your specific situation.