
Key points of the new cybersecurity regulatory framework


With reference to Royal Decree 43/2021, of 26th January, implementing Royal Decree-Law 12/2018, of 7th September, on the security of information networks and systems

RD 43/2021 marks a turning point in the cybersecurity regulatory framework. It has a major impact on the cybersecurity governance of the companies within its scope of application. Its entry into force means that companies need to adapt to and prepare for the new compliance framework; otherwise liability may arise. In addition, this standard can be a powerful tool to boost initiatives aimed at achieving an adequate level of cybersecurity within obliged companies.

Obliged parties

Operators of designated critical essential services; Operators of essential services not designated as critical and operating in the sectors covered; Digital service providers other than small and medium-sized enterprises.

Most relevant content of the Standard

1.- Establishes the competent authorities in the field of cybersecurity.

2.- Provides for the cooperation and coordination of the reference CERTs.

3.- Establishes the measures companies need to take to fulfil their security obligations, as well as the corresponding documents.

4.- Establishes the framework for supervision by the competent authorities.

5.- Regulates the incident notification obligations.

6.- Establishes the functions of the information security officer (CISO) of the operators of essential services.

7.- Approves the National Instruction on Incident Notification and Management.

8.- Establishes a new category of operating companies with an impact on National Defence.

You can download the full PDF file here.

For more information, please contact:

Vicente Moret | Of Counsel of Andersen

vicente.moret@es.Andersen.com
