CRA Compliance in Spain

Spain's CRA enforcement involves coordination between INCIBE (for private sector manufacturers), CCN (for public sector supply chains), and the Secretaría de Estado de Digitalización e Inteligencia Artificial (SEDIA). Market surveillance for CE-marked products is coordinated with the Agencia Española de Consumo, Seguridad Alimentaria y Nutrición (AECOSAN) and sector-specific bodies. Spain has been building cybersecurity enforcement capacity through its National Cybersecurity Strategy, and CRA enforcement is expected to follow a graduated approach with strong emphasis on SME support given the structure of Spain's manufacturing sector.

Spanish private-sector manufacturers submit Article 14 notifications to INCIBE-CERT through its secure incident reporting portal. CCN-CERT handles notifications from manufacturers supplying public sector or critical infrastructure. INCIBE-CERT operates a 24/7 response capability for significant cybersecurity incidents. The Article 14 obligation requires an early warning within 24 hours of discovering active exploitation and a full notification within 72 hours. INCIBE-CERT participates in the EU CSIRTs network and coordinates with ENISA. Manufacturers unsure whether to report to INCIBE-CERT or CCN-CERT should default to INCIBE-CERT, which will route the report appropriately.

Spain's market surveillance for CRA products is coordinated between INCIBE, CCN, and AECOSAN, with customs authorities involved for imported products. The full CRA penalty regime applies: up to €15 million or 2.5% of global annual turnover for violations of essential cybersecurity requirements. Spain's enforcement tradition in consumer product safety has been active through AECOSAN, and CRA cybersecurity enforcement is expected to build on this infrastructure. Spanish manufacturers should be aware that the Esquema Nacional de Seguridad (ENS) imposes additional cybersecurity requirements for public sector procurement, creating de facto higher standards for manufacturers supplying public authorities.

INCIBE provides free cybersecurity services for Spanish businesses including the CiberEmpresa platform with practical implementation guides, and sector-specific resources for industrial manufacturers. The Oficina de Seguridad del Internauta (OSI) provides consumer and SME guidance. INCIBE hosts an annual cybersecurity congress (ENISE) that addresses CRA implementation for manufacturers. The Red de Centros de Competencias en Ciberseguridad coordinates regional cybersecurity support. Spain's national certification laboratory ENAC provides accreditation for conformity assessment bodies supporting CRA product evaluations. CCN publishes the Spanish Security Guides (Guías CCN-STIC) with detailed technical controls aligned to CRA Annex I.