Companies that manage essential services will be obliged to have an Information Security Officer

Vicente Moret analyses the new features of the new regulation, which, among others, introduces the management role of the Information Security Officer, during a webinar held by the ISACA Madrid Chapter and the Spanish Alliance for Security and Crisis (aesYc)

RD 43/2021 was published in the BOE of 28 January. It is the implementing regulation of RD 12/2018, the transposition decree that brought the 2016 NIS Directive into Spanish law.

To explain the importance of the new regulation, ISACA Madrid and aesYc held a webinar with 1,600 registrants, in collaboration with Derecho de la Red, ASCOM (Spanish Association of Compliance), the Atlantic Arc of Cybersecurity in the Digital Environment (ACED), CyberMadrid and ENATIC (Digital Advocacy), and with the institutional support of the National Cryptologic Centre (CCN) and the Prosecutor's Office of the Computer Criminology Chamber.

Creating a culture of cybersecurity

Vicente Moret, Legal Advisor to the Spanish Parliament and Of Counsel at Andersen, was in charge of dissecting the novelties introduced by the new regulation, "which in terms of cybersecurity is here to stay", and described the conference as the ideal forum "to create a culture of cybersecurity", something that is increasingly necessary.

This expert highlighted the central aspects of the new Royal Decree, which builds on the transposition of the NIS Directive carried out by RD 12/2018, meaning that both regulations must be interpreted together. For Moret, "the trend in the regulation of cybersecurity and cyberspace is consolidated. The RD covers the institutional framework, the regulation of cybersecurity by the Administration, the management of incidents, the governance of companies' cyber information, with its essential Chief Information Security Officer (CISO)" and affects operators of critical essential services, non-critical services and digital services, "with different models of obligation depending on which company you are".

Thus, he pointed out that the regulation reaches a group of affected parties among companies that manage water, energy, financial services, public administrations, food and health, which are not classed as critical but are nonetheless covered by the standard. Another category is operators involved in National Defence, which carry their own specific legal obligations.

He also indicated that the standard establishes the obligation to have a security policy and a third-party supplier management policy to control risk, to have recovery plans, to report incidents, and to produce a declaration of applicability (which sets out what the company commits to in relation to the administration).

CISO and powers of the administration

The RD also establishes the National Security Scheme as the starting point for compliance with the law, shows the convergence between data and cybersecurity regulation, and defines the status of the CISO, the person responsible for security, who becomes a kind of superman expected to have multiple capacities and added responsibilities.

"It can be a person or a group, but it must always be a natural person. A lot of organisational, technical and legal expertise is required. Thus, he or she is placed exceedingly high on the ladder within the company or organisation, independent of the systems area and with the capacity to carry out audits," explained Moret.

The administration also has a sanctioning framework, and the RD describes its powers over the affected organisations, such as requiring that an external audit be carried out.

For Moret, "now is the time to put cybersecurity in its rightful place, as every company is obliged to implement policies and automate risk management".

You can read the full article at Confilegal or watch the webinar here.