In recent times, the European Union has been reinforcing the regulatory framework on cybersecurity to deal with the growing threat posed by cyberattacks. To this end, it is providing the Member States with a common framework especially focused on cybersecurity aimed at guaranteeing the cyber-resilience of the processes that support different essential services for society.
The NIS Directive or Directive (EU) 2016/1148 was the first cybersecurity law of the European Union and provided a common framework to improve the resilience of the Union’s networks and information systems against cybersecurity risks. It has proven to be a useful Directive, but over the years it has also shown its limitations in the face of increasing cyber threats and the growing reliance on digital solutions.
That is why, at the end of last year, the European Commission presented the new EU cybersecurity strategy based on three main pillars:
- Resilience, technological sovereignty and leadership;
- Operational ability to prevent, deter and respond;
- Cooperation to promote a global, secure and open cyberspace.
This strategy includes, among other objectives, the updating of the NIS Directive (2016/1148 of July 6, 2016) by the so-called NIS2 Directive, the draft of which is already available, and whose approval is expected in the coming months. The Member States will have to transpose it into their national legislation, foreseeably, 18 months after its publication.
This revision of the directive will provide controllers with greater oversight and monitoring tools, places special emphasis on the need to increase cybersecurity in the supply chain, reinforces the importance of top management in organizations to support and be accountable for compliance with cybersecurity measures, and improves the ability to exchange information among the various stakeholders.
It also expands the scope of the current directive by adding new sectors based on their importance to the economy and society. And another important novelty is the new sanctions framework it includes, since it indicates that the non-application of security measures can have negative consequences for the cyber-resilience of entities, and therefore a minimum list of administrative sanctions for non-compliance with reporting and cybersecurity risk management obligations must be established that is common in all Member States.
Along the same lines as the update of the NIS directive, there are two other initiatives within the new EU strategy: the Regulation Commission’s proposal for the Digital Operational Resilience Act, (DORA), as well as the proposal for a Directive on Critical Infrastructure Resilience (CIR).
As regards DORA, it is the framework established by the European Commission to provide a common approach to cyber resilience in the financial sector. DORA applies to credit institutions, crypto-asset service providers, data supply providers, security and reinsurance companies, employment pension funds, etc. In addition, essential third-party providers of ICT services must also be very aware of this regulation, since they will also be subject to its regulation and supervision within the EU framework.
This Regulation provides the tools to regulate the following aspects:
- Security Governance
- Risk Management
- Incident Reporting
- Resilience Testing
- Third-party risks
- Information Exchange
Finally, it should be noted that in Spain the transposition of the NIS Directive was carried out by Royal Decree-Law 12/2018, and precisely has just seen the light, with its publication in the Official State Gazette, the Royal Decree for the development of such transposition.
This Royal Decree 43/2021, of January 26, which develops Royal Decree-Law 12/2018, of September 7, on the security of networks and information systems is applicable to essential services, digital services that are online marketplaces, online search engines and cloud computing services. We will have time to analyze in detail the impact that this royal decree will have on organizations, since there are many media that have echoed its publication, but we emphasize that, among other aspects, it covers the responsibility that security managers in organizations have and establishes the obligation to designate a Security Manager to be the point of contact and technical coordination with the competent authority for each sector.
In addition, this Royal decree establishes the obligation to establish measures for compliance with security obligations, both in the case of in-house networks and services, as well as the case of external providers. In this sense, Annex II of Royal Decree 3/2010, of January 8, which regulates the National Security Scheme in the field of Electronic Administration, should be taken as reference and the security strategy must be formalized in a statement of applicability, which will be signed by the Security Manager.
In summary, the Royal Decree establishes the obligation to define a cybersecurity strategy that establishes a regulatory framework, supported by the ENS, which also provides legal certainty to the cybersecurity structure of organizations and the technological solutions that are deployed, and regulates and establishes the role and responsibility of the CISO.
It is evident from all the aforementioned that the strategic importance of cybersecurity at the European level is a reality and regulation is a fact that we must adapt to.