[Last reviewed: January 2024]
☒ omnibus – all personal data
☒ sector-specific
E.g., telecoms, public healthcare sector, insurance
☒ constitutional
EU law:
Spanish law:
Yes.
Transposition of the NIS2 Directive into Spanish law is currently in progress.
The Whistleblower Directive (Directive (EU) 2019/1937) was transposed into Spanish law by Law 2/2023, of 20 February, on the protection of whistleblowers, which is fully in force.
European developments
New data- and cyber-related legislation was enacted in the European Union in 2022 and 2023 that will come into force, or be implemented in Member States, in the next few years.
The Digital Operational Resilience Act ("DORA"), which lays down uniform requirements concerning the security of network and information systems supporting the business processes of financial entities, entered into force in January 2023, and includes a two-year implementation window with the new rules taking effect on 17 January 2025.
The NIS2 Directive, which broadens the scope of application and extends the relevant obligations in comparison with the original NIS Directive, requires Member States to adopt and publish transposing measures by 17 October 2024 and to apply them from 18 October 2024.
In December 2023, Regulation (EU) 2023/2854 on harmonised rules on fair access to and use of data (the "Data Act") was published in the Official Journal of the EU. It will apply from 12 September 2025. The Data Act contains provisions on the access to, use, making available and sharing of data (both personal and non-personal) generated by the use of connected products and related services. Users can also ask data holders to make this data available to third parties.
A political agreement on the EU Artificial Intelligence Act (the "EU AI Act") was announced in December 2023. The EU AI Act provides for tiered, risk-based regulation of AI systems: it prohibits certain practices outright and imposes obligations on providers and deployers that vary with the risk category into which the AI system falls. The EU AI Act is expected to apply two years after its entry into force, with earlier or later application dates for some specific provisions. It awaits formal adoption by the European Parliament and the Council.
A political agreement was also reached on the Cyber Resilience Act, in November 2023. It will introduce new obligations on manufacturers of products with digital elements designed to ensure the cybersecurity of such products. Manufacturers will have to implement cybersecurity measures across the entire lifecycle of the product, from the design and development, to after the product is placed on the market. The Cyber Resilience Act awaits formal adoption by the European Parliament and the Council.
There is further data- and cyber-related legislation pending in the EU.
A proposal for an ePrivacy Regulation has been pending at a European level since 2017 to adapt rules for electronic communications to the GDPR and to strengthen privacy protection online. If enacted, it would introduce reforms to the EU law on areas such as direct marketing, cookies and similar technologies and electronic communications data. However, progress has been slow in comparison to other major EU digital files of the EU’s data strategy, such as the Digital Markets Act and the Digital Services Act.
In relation to EU-US data transfers, in July 2023 the European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework. On the basis of the new adequacy decision, personal data can flow from EU companies to US companies that have certified under the EU-U.S. Data Privacy Framework, as if the US company were based in the EU. The first review of the EU-U.S. Data Privacy Framework will take place in 2024, in order to verify that all relevant elements have been fully implemented in the US legal framework and are functioning effectively in practice. The adequacy decision is already being challenged before the EU courts.