Spain is currently in the process of drafting the NIS2 Directive implementation regulation in Spain. A first draft bill of the implementation has been made available in January 2025 and the following steps for the final approval of the law are expected to be completed in a short period of time. In this first draft bill, which may be subject to changes, the regulation foresees among other provisions that the individuals members of the management bodies of the essential and important entities shall be jointly and severally liable for the infringements committed by these entities (i.e. with respect to a fine), as well as the requirement for subject entities to appoint a person (or body) “responsible for the information security” (in Spanish “responsable de seguridad de la información”). 

Currently, a draft bill for an Organic Law for the protection of minors in digital environments ("Draft Bill") within the context of its plan to safeguard the health, welfare and safety of children and adolescents in Spain is being negotiated. The Draft Bill would introduce new rules, but most importantly would amend other regulations currently in force, including the Organic Law 3/2018, on data protection and digital rights by increasing the age to provide consent for the processing of personal data from 14 to 16 years old.

Royal Decree-Law 9/2024, of December 23 adopting urgent measures in economic, tax, transport, and social security matters, and extending certain measures to address situations of social vulnerability, entered into force on 25 December 2024. This decree establishes the sanctioning procedure of the DSA in Spain and, among other things, the collaboration between the National Commission on Markets and Competition and the Spanish Data Protection Agency regarding Articles 26.3 and 28.2 of the DSA with respect to certain uses of profiling.