CRA for Spanish Manufacturers: INCIBE-CERT, CCN and ENAC

Country brief for Spanish manufacturers under the CRA: likely INCIBE-CERT reporting, the CCN/ENAC notified-body split, Spanish-language duties, and funding.

CRA Evidence Team Published January 1, 2026 Updated May 31, 2026
[Figure: CRA country brief for Spanish manufacturers showing the national institutional chain: CSIRT for vulnerability reports, notified body for conformity certs, market-surveillance authority for enforcement.]

Spanish manufacturers face the same CRA obligations as every other EU manufacturer. This page is a country brief for Spain: how vulnerability and incident reports route through INCIBE-CERT, how conformity-assessment bodies get designated under the Spanish split (CCN notifies, ENAC accredits), what the Spanish-language obligations actually require, and what is still available from national funding programmes as the Recovery and Resilience window closes. For the full manufacturer obligation set, see the manufacturer cluster guide.

Summary

  • The CRA is an EU Regulation with direct effect. There are no Spanish-specific exemptions for product manufacturers.
  • INCIBE-CERT is the receiving Spanish CSIRT for CRA vulnerability and incident reports when your main establishment is in Spain.
  • CCN (Centro Criptológico Nacional) notifies Spanish conformity-assessment bodies to the European Commission. ENAC accredits them as the technical step before that notification.
  • The draft Spanish Real Decreto designates Secretaría de Estado de Telecomunicaciones e Infraestructuras Digitales (SETID), within Ministerio para la Transformación Digital y de la Función Pública (MTDFP), as the Spanish CRA market-surveillance authority. The formal national framework applies from 11 June 2026. Verify the final BOE designation before any formal filing.
  • Spanish (Castilian) is required for user-facing product information shipped on the Spanish market. Co-official autonomous-community languages (Catalan, Galician, Basque) are not CRA-mandated.
  • CDTI has live 2026 innovation lines that can fund R&D adjacent to CRA work. Kit Digital convocatorias closed in October 2025. Plan de Recuperación projects must be executed by 31 August 2026 and are not a planning vehicle for the 11 December 2027 deadline.

When this guide applies to you

You are the target reader if, as a manufacturer, your "main establishment in the Union" is in Spain. That means the place where decisions related to the cybersecurity of your products with digital elements are predominantly taken. A Spanish-registered sales subsidiary with engineering offshore is not the main establishment. If your engineering team, your SDLC governance, and the people approving security-update releases sit in Spain, this guide is for you.

If your main establishment is elsewhere in the EU and you only ship into Spain, your CRA reports route through the CSIRT of your main-establishment Member State, not INCIBE-CERT. The Spanish-language obligation for user-facing information still applies for any product placed on the Spanish market.

INCIBE-CERT: the Spanish CSIRT route

CRA notifications route through the CSIRT designated as coordinator of the Member State where the manufacturer has its main establishment in the Union. For a manufacturer whose main establishment is in Spain, that CSIRT is INCIBE-CERT.

INCIBE-CERT publishes Spanish-language vulnerability advisories and operates the consumer-product incident response stream. CCN-CERT covers public-sector and classified systems and is not the CRA route for commercial manufacturers placing products on the open market.

The technical channel for the 24h / 72h / 14d reporting cadence is the ENISA single reporting platform, which goes operational on 11 September 2026. A Spanish manufacturer files via that platform with INCIBE-CERT as the receiving coordinator. The CSIRT designation is the routing. The platform is the transport.

Notified bodies: CCN designates, ENAC accredits

Important Class I products need a notified body (Module B+C or Module H) only where harmonised standards, common specifications, or a certification scheme do not fully cover them. Important Class II products use a notified body (Module B+C or Module H) or an available and applicable certification scheme. Critical products (Annex IV) follow Article 32(4): the Article 8(1) certification route where the Commission has triggered it, otherwise the same Article 32(3) routes.

The Spanish institutional split is:

  • CCN (Centro Criptológico Nacional) acts as the notifying authority that formally designates Spanish notified bodies to the European Commission under the CRA.
  • ENAC (Entidad Nacional de Acreditación) is the Spanish national accreditation body and assesses the technical competence of a candidate before CCN notifies it.

The CRA framework for notified bodies applies from 11 June 2026, after which designated bodies can begin issuing CRA conformity-assessment certificates. Until then, the Spanish chain is being stood up.

A Spanish manufacturer can use any EU-notified body, not only Spanish-designated ones. Choosing a Spanish-designated one is a procurement preference (Spanish-language assessment, in-country audit logistics) and not a CRA requirement.

Market surveillance: SETID within MTDFP

The draft Spanish Real Decreto designates Secretaría de Estado de Telecomunicaciones e Infraestructuras Digitales (SETID), within Ministerio para la Transformación Digital y de la Función Pública (MTDFP), as the market-surveillance authority for CRA products in Spain. Treat this as provisional until the final BOE text is published.

INCIBE supports the technical side as a preferred laboratory, but the draft does not give INCIBE public decision-making powers for CRA market surveillance. The practical filing point for manufacturers remains: verify the final BOE designation before sending any formal submission.

Spanish-language requirements in practice

The CRA requires user-facing product information to be in a language easily understood by users and the local market-surveillance authority. For products placed on the Spanish market, that is Spanish (Castilian).

Must be in Spanish:

  • The user instructions and product information shipping with the product.
  • The manufacturer contact details (name, address, email or other digital contact) wherever they appear, including on the product itself, packaging, or accompanying document.
  • The end-of-support date disclosure shown at the point of purchase.

Can be multilingual:

  • The product label and CE marking.
  • Packaging text.
  • Online documentation, provided a Spanish version is reachable.

English is normally accepted for:

  • Internal technical documentation. Market-surveillance authorities can request a Spanish translation if they make a reasoned request, so plan for that contingency even if you do not translate proactively.

Catalan, Galician, and Basque are co-official in their respective autonomous communities. The CRA does not require translation into co-official languages. Specific regional procurement contracts or sector regulators (for example, certain public-sector tenders) may add their own language clauses, separately from the CRA.

Selling cross-border from Spain

Spanish manufacturers selling into Portugal, France, Italy, or any other EU Member State carry the same single-routing rule: your reports still go to INCIBE-CERT, because routing follows main establishment, not per-shipment destination. You do not file with the Portuguese, French, or Italian CSIRT.

The language obligation does fan out per market. A product shipped into the French market needs French user-facing content. A product shipped into the Portuguese market needs Portuguese content. The single Spanish-language pack does not cover those markets.

Each receiving Member State's market-surveillance authority can also request your technical documentation in a language easily understood by that authority. If your supply runs broadly across the EU, expect requests in at least one widely-used working language, and treat early translation of the most-requested technical-documentation sections as a practical hedge.

National funding programmes

The funding picture has shifted as the Recovery and Resilience window closes. Be precise about what is open before you plan a line item against any of these.

  • CDTI (Centro para el Desarrollo Tecnológico Industrial) has live 2026 lines: NEOTEC (early-stage tech startups), Línea Directa de Innovación (LIC), and Misiones Ciencia e Innovación (large collaborative R&D consortia). CRA-driven work fits where the angle is genuine R&D and innovation, not pure implementation or compliance. CDTI plans to mobilise over 1.8 billion euros across its 2026 lines.
  • Activa Ciberseguridad is a small voucher programme (around 2,140 euros per beneficiary) for industrial SMEs, run by SGIPYME with the autonomous communities and EOI. Useful for an initial cybersecurity diagnosis or a plan-de-ciberseguridad, not for the full CRA tooling investment.
  • Kit Digital is in a transition phase. All Kit Digital convocatorias closed in October 2025. Orden TDF/39/2026 (BOE, 28 January 2026) allows redistribution of remnant funds, but there is no open application window as of 25 May 2026. Check kitdigital.red.es/convocatorias before banking on it.
  • Plan de Recuperación, Transformación y Resiliencia (PRTR) is in its closing window. All Recovery and Resilience projects must be executed by 31 August 2026, with Spain's final payment requests to the Commission due 30 September 2026. PRTR is therefore not a viable planning vehicle for the 11 December 2027 CRA compliance deadline. The 162 million euro RETECH initiative through INCIBE is in its final disbursement phase.

For new compliance investment dated against the 11 December 2027 obligation deadline, the realistic public funding picture in Spain is CDTI innovation lines plus any sector-specific programmes via the autonomous communities. Recovery-and-Resilience-funded programmes are not part of that picture from 2027 onward.

Frequently Asked Questions

Which Spanish CSIRT receives my CRA vulnerability notifications?

INCIBE-CERT, when the manufacturer's main establishment is in Spain. The CRA defines main establishment as the place where decisions related to the cybersecurity of products with digital elements are predominantly taken. CCN-CERT does not serve as the CRA coordinator for commercial manufacturers. Reports are submitted through the ENISA single reporting platform from 11 September 2026, with INCIBE-CERT as the receiving coordinator.

Who designates Spanish notified bodies, ENAC or CCN?

CCN (Centro Criptológico Nacional) is the notifying authority that formally designates Spanish CRA notified bodies to the European Commission. ENAC accredits the candidate bodies as the technical step before that notification. Both are involved, with distinct roles. A Spanish manufacturer can still use any EU-notified body for CRA conformity assessment. The Spanish chain matters for procurement, not as a CRA requirement.

Does my ENS or LINCE certification cover CRA conformity assessment?

No, neither substitutes for CRA conformity assessment, though both can produce evidence that supports it. The ENS (Esquema Nacional de Seguridad, Real Decreto 311/2022) is an organisational security framework for public-sector information systems and their suppliers, not a product certification. LINCE is the CCN's lightweight product evaluation that gates inclusion in the CPSTIC catalogue for Spanish public-sector procurement. LINCE has been harmonised at EU level through FITCEM EN 17640:2022, alongside the French CSPN and German BSZ methodologies, so its outputs can feed into your CRA technical documentation as supporting evidence. The CRA's own conformity-assessment routes (Module A self-assessment, Module B+C type examination, Module H full quality assurance) operate as a separate chain. If you hold ENS or LINCE certification, treat it as input to your CRA file, not as a substitute for the conformity assessment itself.

Which Spanish authority is the CRA market-surveillance authority?

The draft Spanish Real Decreto designates Secretaría de Estado de Telecomunicaciones e Infraestructuras Digitales (SETID), within Ministerio para la Transformación Digital y de la Función Pública (MTDFP), as the Spanish CRA market-surveillance authority. The CRA framework of national competent authorities applies from 11 June 2026, and Spain's official BOE designation may still be pending finalisation at the time you read this. Verify the final designation before any formal filing. The CRA reporting flow through INCIBE-CERT operates regardless of how market-surveillance roles are divided.

When will Spain publish its national CRA implementing law in the BOE?

The CRA is an EU Regulation with direct effect, so Spain does not need to transpose it into national law for the substantive obligations to apply on 11 December 2027. What Spain does need to publish before 11 June 2026 is an implementing instrument (typically a Real Decreto or Orden Ministerial) that formally designates the CRA market-surveillance authority, the notifying authority for conformity-assessment bodies, and the national single point of contact. The same or a follow-up instrument is expected to set the Spanish fines scale within the CRA's EU-level ceilings, define the enforcement procedure, and clarify coordination with existing Spanish cybersecurity legislation. As of 25 May 2026, this BOE publication has not yet appeared. Watch the BOE around the 11 June 2026 framework deadline for a designation Real Decreto, and treat any earlier industry attribution of authorities as provisional until that text lands.

Do I need to translate everything into Catalan, Galician, or Basque?

The CRA requires user information in a language easily understood in the Member State of supply. For Spain that is Spanish (Castilian). Co-official autonomous-community languages are not required by the CRA itself. Specific regional procurement contracts or sector regulators may add their own language clauses, separately from the CRA.

Can CDTI or Kit Digital pay for my CRA compliance tooling?

CDTI: where the work is genuine R&D and innovation (new detection methods, SBOM analysis tooling, vulnerability handling pipelines), yes. CDTI's 2026 plan mobilises over 1.8 billion euros across NEOTEC, LIC, Misiones, and other lines. Pure compliance work (audits, conformity-assessment fees, internal process build-out) is harder to fit, since CDTI is an innovation funder. Kit Digital: convocatorias closed October 2025, no open window as of 25 May 2026. Orden TDF/39/2026 allows remnant redistribution but does not reopen calls. Plan de Recuperación is in its closing window with project execution due 31 August 2026, so it cannot fund work scheduled against the 11 December 2027 deadline.

I ship from Spain into other EU Member States. Where do I report incidents?

Through INCIBE-CERT, regardless of which Member States you ship into. The CRA ties notification routing to main establishment, not to per-shipment destination. The language obligation does fan out per market: French-language product information for products shipped to France, Portuguese-language for products shipped to Portugal, and so on. Pre-stage at least the most-requested technical-documentation sections in a widely-used working language to absorb cross-border reasoned requests.

For Spanish manufacturers preparing for 11 December 2027

  1. Confirm your manufacturer obligations using the manufacturer cluster guide.
  2. Verify your main establishment is in Spain and document the rationale. The location of cybersecurity decision-making, not the registered office, is what matters.
  3. Map your CRA reporting flow to INCIBE-CERT as receiving CSIRT, with a tested submission to the ENISA single reporting platform once it goes live on 11 September 2026.
  4. If your conformity-assessment route needs a notified body, scope ENAC-accredited and CCN-notified bodies as the home option, plus at least one cross-border alternative for resilience.
  5. Translate user instructions and product information into Spanish. Add per-market translations for any other EU Member States you ship into.
  6. Scope CDTI lines (NEOTEC, LIC, Misiones) against any R&D-flavoured CRA work. Do not plan against Kit Digital or Plan de Recuperación for 2027 compliance investment, since both are in closing windows.
  7. Re-check the final BOE designation once published and update your SETID, CCN, ENAC, and INCIBE-CERT contact map before any formal filing.
  8. Read the supplier due diligence questionnaire for the manufacturer-side component-due-diligence framework.

This article is for informational purposes only and does not constitute legal advice. Consult qualified legal counsel for specific CRA compliance guidance.
