Key Data Privacy and Cybersecurity Laws
How are data privacy and cybersecurity laws/regulations implemented?

[Last reviewed: January 2024]

  • omnibus – all personal data
  • sector-specific (e.g., telecoms, public healthcare sector, insurance)
  • constitutional

What are the key data privacy laws and regulations?

[Last reviewed: January 2024]

  • EU General Data Protection Regulation
  • Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee of digital rights
  • Royal Decree 1720/2007, of 21 December, approving the Regulation implementing Organic Law 15/1999, of 13 December, on the protection of personal data
  • Law 11/2022, of 28 June, General Telecommunications Law
  • Organic Law 7/2021, of 26 May, on the protection of personal data processed for the purposes of prevention, detection, investigation and prosecution of criminal offenses and the execution of criminal sanctions

What are the key cybersecurity laws and regulations?

[Last reviewed: January 2024]

EU law:

  • Directive (EU) 2016/1148 of the European Parliament and of the Council concerning measures for a high common level of security of network and information systems ("NIS Directive")
  • Commission Implementing Regulation (EU) 2018/151 of 30 January 2018 laying down rules for application of Directive (EU) 2016/1148 of the European Parliament and of the Council as regards further specification of the elements to be taken into account by digital service providers for managing the risks posed to the security of network and information systems and of the parameters for determining whether an incident has a substantial impact
  • Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 ("Cybersecurity Act")
  • Directive (EU) 2022/2555 of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union ("NIS2 Directive")
  • Regulation (EU) 2022/2554 of the European Parliament and of the Council on digital operational resilience for the financial sector ("DORA", or Digital Operational Resilience Act)

Spanish law:

  • Law 8/2011, of 28 April, on measures for the protection of critical infrastructures
  • Royal Decree-Law 12/2018, of 7 September, on security of networks and information systems
  • Royal Decree 43/2021, of 26 January, developing Royal Decree-Law 12/2018, of 7 September, on security of networks and information systems
  • Law 11/2022, of 28 June, General Telecommunications Law
  • Spain is currently drafting the regulation that will implement the NIS2 Directive; no draft text has been made available yet, but a public consultation to gather stakeholders' views was held in autumn 2023.

Are new or material changes to those key data privacy and cybersecurity laws anticipated in the near future?

[Last reviewed: January 2024]

Yes.

The implementation in the Spanish legal framework of the NIS2 Directive is currently in process.

The Whistleblower Directive (Directive EU 2019/1937) was implemented in the Spanish legal framework through Law 2/2023, of 20 February, regulating the protection of whistleblowers and is fully in force at the moment.

European developments

New data- and cyber-related legislation was enacted in the European Union in 2022 and 2023 that will come into force, or be implemented in Member States, in the next few years.

The Digital Operational Resilience Act ("DORA"), which lays down uniform requirements concerning the security of network and information systems supporting the business processes of financial entities, entered into force in January 2023, and includes a two-year implementation window with the new rules taking effect on 17 January 2025.

The NIS2 Directive, which in particular broadens the scope of application and also extends the relevant obligations in comparison to NIS, requires Member States to apply implementing measures from 17 October 2024.

In December 2023, Regulation (EU) 2023/2854 on harmonized rules on fair access to and use of data ("Data Act") was published in the Official Journal of the EU. It shall apply from 12 September 2025. The Data Act contains provisions regarding the access, use, making available and sharing of data (both personal and non-personal data) generated by the use of connected products and related services. Users can also ask data holders to make this data available to third parties.

A political agreement on the EU Artificial Intelligence Act ("EU AI Act") was announced in December 2023. The EU AI Act provides for graduated regulation of AI products based on risk categories: it prohibits certain technologies and imposes obligations on technology producers and deployers based on the risk category into which the AI product falls. The EU AI Act should apply two years after its entry into force, with some exceptions for specific provisions. The EU AI Act awaits formal adoption by the European Parliament and the Council.

A political agreement was also reached on the Cyber Resilience Act, in November 2023. It will introduce new obligations on manufacturers of products with digital elements designed to ensure the cybersecurity of such products. Manufacturers will have to implement cybersecurity measures across the entire lifecycle of the product, from the design and development, to after the product is placed on the market. The Cyber Resilience Act awaits formal adoption by the European Parliament and the Council.

There is further data- and cyber-related legislation pending in the EU.

A proposal for an ePrivacy Regulation has been pending at a European level since 2017 to adapt rules for electronic communications to the GDPR and to strengthen privacy protection online. If enacted, it would introduce reforms to the EU law on areas such as direct marketing, cookies and similar technologies and electronic communications data. However, progress has been slow in comparison to other major EU digital files of the EU’s data strategy, such as the Digital Markets Act and the Digital Services Act.

In relation to EU-US data transfers, in July 2023 the European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework. On the basis of the new adequacy decision, personal data can flow from EU companies to US companies participating in the EU-U.S. Data Privacy Framework as if the US company were based in the EU. The first review of the EU-U.S. Data Privacy Framework will take place in 2024, in order to verify that all relevant elements have been fully implemented in the US legal framework and are functioning effectively in practice. The adequacy decision is already being challenged in the courts.