On 8 September 2018 Spain enacted Royal Decree 12/2018 (security of networks and information systems) its domestic legislation implementing the EU Network and Information Security Directive (EU) 2016/1148 (NIS Directive).  

This comes after the Spanish authorities were urged to implement the NIS Directive following expiry of the implementation deadline in May 2018. The Royal Decree applies to operators of essential services using information systems or networks for the development of their activity, as well as to providers of certain digital services. These entities are required to carry out risk assessments and implement measures aimed to protect networks and systems against cybersecurity incidents and notify competent authorities of certain incidents among other obligations.  

This follows the UK's implementation of the NIS Directive via its 2018 NIS Regulations which we reported on last month here.