Regulation
DORA in force: the financial sector under new digital operational resilience regulation
The DORA Regulation (Digital Operational Resilience Act) has been fully applicable since 17 January 2025. It affects financial entities, insurers and critical ICT providers. It requires ICT risk management, resilience testing and notification of major incidents within 4 hours.
DORA, Financial sector, Resilience
Sector
2nd GRC Forum Congress: 400 professionals debate European regulatory complexity
The Fundación Telefónica hosted the 2nd GRC Forum Congress, organised by the AEC. Around 400 governance, risk and compliance professionals debated the need to turn regulatory complexity (NIS2, DORA, AI Act, GDPR) into strategic advantage. The consensus: GRC is no longer a legal department task but a board-level responsibility.
GRC, GRC Forum, Governance
Sector
ISACA Madrid: Audit & GRC Congress 2026 consolidates the strategic GRC profile
The Madrid chapter of ISACA held its annual Audit & GRC Congress on 26 March. The event focused on the convergence of internal audit, risk management and regulatory compliance in the context of the new European regulatory framework. Next major event: CiberTodos Congress, October 2026.
ISACA, Audit, GRC, Madrid
Trend
ISO 27001 covers 80% of the path to ENS and NIS2: where to start
An information security management system based on ISO/IEC 27001 covers approximately 80% of the controls required by the ENS and NIS2. For SMEs without prior certification, implementing ISO 27001 as a first step is the lowest-cost, highest-regulatory-coverage strategy.
ISO 27001, ENS, NIS2, Strategy
Sector
C1b3rwall 2026: the largest cybersecurity congress in Spain, 2-4 June
The 6th C1b3rwall Congress takes place on 2, 3 and 4 June at the National Police Academy in Ávila, under the motto "Cybercrime 3.0". It is one of the reference events for cybersecurity professionals in Spain, with technical, operational and strategic sessions.
C1b3rwall, Congress, June 2026
Trend
GRC stops being a checkbox exercise and becomes operational resilience
The simultaneous entry into force of NIS2, DORA and the AI Act makes 2026 the year of regulatory convergence. Organisations that treated GRC as one-off compliance will need to move towards a continuous governance model. Independent consultants with a multi-framework vision and AI as a working tool have become a strategic resource for SMEs.
GRC, NIS2, DORA, AI Act, SMEs
Regulation
Spain under European infringement proceedings for failing to transpose NIS2
The European Commission sent a reasoned opinion to Spain and 18 other member states for failing to transpose the NIS2 Directive by the October 2024 deadline. The forthcoming Cybersecurity Coordination and Governance Act is still going through parliamentary procedure while public administrations adapt their procurement processes to the new requirements.
NIS2, Transposition, European Commission, Spain
Regulation
NIS2 draft law creates the National Cybersecurity Centre as new coordinating body
The draft Cybersecurity Coordination and Governance Act envisages the creation of the National Cybersecurity Centre (CNC), attached to the Office of the President of the Government. The body will lead national policy, set common criteria for sectoral authorities and act as the single point of contact with the EU and ENISA.
NIS2, CNC, Governance, Public administration
Regulation
ENS certification will be able to demonstrate NIS2 compliance: the specific equivalence profile is taking shape
The NIS2 transposition draft provides for a Specific Compliance Profile that will allow Spanish entities to accredit compliance with the directive through the National Security Framework (ENS) certification. A strategic opportunity for public bodies and companies that have already started their ENS adaptation process.
ENS, NIS2, Certification, Compliance
Sector
Cyber Security World Madrid: 4-5 November at IFEMA, a key industry event
Cyber Security World Madrid takes place on 4 and 5 November 2026 in halls 3-5 at IFEMA Madrid. It is consolidating its position as the leading corporate cybersecurity trade fair in Spain, with exhibitors, solution demonstrations and strategic sessions for corporate and institutional security professionals.
Events, Madrid, IFEMA, November 2026
Sector
27th International Industrial Cybersecurity Congress: 23-24 September in Seville
The Centro de Ciberseguridad Industrial is organising the 27th edition of its international congress on 23 and 24 September 2026 in Seville. The programme focuses on critical infrastructure protection, IT/OT risk management in hybrid industrial environments and emerging threats in the OT ecosystem, with success stories and expert panels.
OT, Critical infrastructure, Congress, September 2026
Sector
ENISE celebrates its 20th edition: two decades as a cybersecurity reference in León
The International Information Security Meeting (ENISE), organised by INCIBE, celebrates its 20th edition this year at the Palacio de Exposiciones in León. The event brings together companies, experts, entrepreneurs and investors to share the latest trends and opportunities in the cybersecurity sector at national and European level.
ENISE, INCIBE, León, 20th edition
Trend
Gartner identifies six trends that will redefine cybersecurity in 2026
Gartner has published the six trends that will shape cybersecurity in 2026: identity as the new perimeter (centralised IAM and anti-phishing MFA), AI in SOCs for autonomous detection, convergence of European regulations, continuous exposure management, supply chain security and cybersecurity as a board-level topic.
Gartner, IAM, SOC, Strategy
Trend
Google Cloud Cybersecurity Forecast 2026: operational resilience and automation as central pillars
The Google Cloud 2026 report places operational resilience, incident response automation and risk management as strategic priorities. Cybersecurity is shifting from a technology cost to a corporate governance pillar that is decisive for business continuity and digital trust with customers and regulators.
Google Cloud, Resilience, Automation, Forecast
Trend
The CISO loses the technical role: the board takes ownership of cybersecurity as a business risk
The convergence of NIS2, DORA and the AI Act confirms 2026 as the year in which cybersecurity moves out of the IT department and into the boardroom. Organisations that treat regulatory compliance as a formality are being pushed to transition towards continuous risk governance models, with the CISO as a strategic business partner.
CISO, Governance, Board, GRC
Incidents
Ransomware paralyses the Port of Vigo: Spain's first major industrial incident of 2026
The Port of Vigo suffered a ransomware attack in March 2026 that disrupted logistics and administrative operations, forcing a switch to manual processes to maintain port activity. The incident, covered by Recorded Future, highlights the vulnerability of port infrastructure to increasingly sophisticated ransomware threats.
Ransomware, Critical infrastructure, Spain, OT
Incidents
Alert at Spain's Tax Agency: actor "HaciendaSec" claims access to data of 47 million citizens
The Spanish Ministry of Finance opened an investigation following statements by a malicious actor identified as "HaciendaSec" who claimed to have access to personal, banking and tax data of over 47 million citizens. Authorities activated verification protocols to determine the actual scope of the potential breach.
Data breach, Public administration, Spain, GDPR
Incidents
Confirmed cyberattack on the European Commission: data extracted from public cloud services
The European Commission confirmed on 24 March a cyberattack targeting its Europa web infrastructure, exploiting vulnerabilities in external cloud services. The incident resulted in limited data extraction from public systems and has triggered a review of the attack surface of European institutional digital infrastructures.
EU, European Commission, Cloud, Infrastructure
AI
CrowdStrike: AI-powered attacks grow 89% in 2026 and spread in 29 minutes
According to CrowdStrike's Global Threat Report, AI-powered attacks have increased 89% between 2025 and 2026. The average propagation time has fallen to 29 minutes, 65% less than in 2024. 75% of recent attacks have used AI tools to automate breaches, generating hyper-personalised phishing campaigns and detecting vulnerabilities in minutes.
CrowdStrike, Offensive AI, Phishing, Automation
AI
Google's chief analyst: "The era in which AI exploits vulnerabilities is already here"
Google's chief analyst warned on 11 May that AI is already being actively used to exploit vulnerabilities, not just to detect them. The warning comes as several ransomware families have incorporated AI modules to automatically identify weak points in corporate infrastructure and adapt the attack in real time without human intervention.
Google, Offensive AI, Zero-day, Ransomware
AI
AI moves from support to centre stage in SOCs: anomaly detection and response in under 30 seconds
In 2026, artificial intelligence is consolidating its role in Security Operations Centres (SOCs), moving from a support tool to the engine of detection and response. Current systems achieve over 96% accuracy in anomaly identification and initiate countermeasures in under 30 seconds, drastically reducing the exposure window to active incidents.
SOC, Defensive AI, Detection, Automation