• The standard identifies the sectors in which it is necessary to guarantee the protection of networks and information systems, and establishes requirements for reporting cybersecurity incidents.
  • The transposition of the Directive seeks to increase user confidence and boost the national development of digital services

The Government has approved today in the Council of Ministers the Royal Decree-Law for the transposition of the European Directive on cybersecurity, known as the NIS Directive. Specifically, it transposes the Directive (EU) 2016/1148 of the European Parliament and of the Council, of July 6, 2016, concerning the measures aimed at guaranteeing a high common level of security of networks and information systems in the European Union.

From the day of its publication in the Official State Gazette (BOE), the Government will have a maximum period of 30 business days for its validation in the Congress of Deputies.

The Government has worked since its inauguration to achieve this milestone as soon as possible and meet the deadlines imposed by the Directive to, among other aspects, designate the essential service operators to whom the law is directed.

The Royal Decree-Law will be applied to entities that provide essential services for the community and depend on the networks and information systems for the development of its activity. Its scope extends to sectors that are not expressly included in the Directive, to give this Royal Decree-law a global approach, although its specific legislation is preserved. Additionally, in the case of network operation activities and the provision of electronic communications services and associated resources, as well as trusted electronic services, expressly excluded from said Directive, the Royal Decree-law will only be applied in Regarding critical operators. The new regulations will also apply to providers of certain digital services.

The Royal Decree-Law identifies the sectors in which it is necessary to guarantee the protection of networks and information systems, and establishes procedures to identify the essential services offered in these sectors, as well as the main operators that provide said services, thus fulfilling with the maximum period established for this by the Directive, of November 9, 2018.


Among other issues, the Royal Decree-Law requires essential service operators and digital service providers to notify the significant incidents they suffer in the information networks and services they use to provide essential and digital services. The standard protects the notifying entity and staff who report incidents that have occurred; confidential information of its disclosure is reserved to the public or to other authorities than the one notified and the notification of incidents is allowed when its communication is not required.

With the approval of this Royal Decree-Law, the Government seeks to boost the development of the internal market through the improvement of the level of security in the networks and information systems that support the provision of essential services and digital services, increasing the confidence of users and service providers in the use of information technologies.

The provision of services with a trans-European scope will also be facilitated by establishing similar requirements for all providers in the security of networks and information systems, reducing the fragmentation of these requirements and promoting the European cybersecurity industry.

Finally, it seeks to improve effectiveness in the fight against crimes that involve networks and information systems by reducing their effects on public security and, eventually, on national security.

Source of the new