The latest standards on networks and information systems bring compliance to cybersecurity
News | Cybersecurity / Corporate Compliance
The approval of the NIS Directive, together with Royal Decree-Law 12/2018 on the security of networks and information systems, which seeks to curb the cyberattacks to which all companies are already exposed and establishes sanctions for those who do not adopt the necessary measures, is a first attempt to turn cybersecurity into an almost completely regulated sector of activity. With these rules "compliance on cybersecurity has been born" and, although we need to go further because the current risks are not confined to a single norm, this is a first step in which the EU has been involved and which can alleviate possible major problems.
This was the pronouncement made by the Legal Adviser to the Cortes and the National Security Commission, Vicente Moret, during the conference on New Legal Obligations and Sanctions in Cybersecurity Matters organized by Andersen Tax & Legal in Madrid. Isabel Martínez Moriel, Director of the Privacy, IT & Digital Business area of Andersen Tax & Legal, and José Miguel Soriano, Partner of the firm, also participated.
José Miguel Soriano stressed that the Government-approved Royal Decree-Law 12/2018 establishes a number of legal obligations for companies in strategic sectors such as electricity, water, energy, food, IT, health and transport, among others, that rely on the Internet and networked systems for the provision of their services, and that it will soon apply to all sectors.
At this point, the Legal Adviser to the Cortes, Vicente Moret, specified the scope of application of the standard, which includes, on the one hand, operators of essential services that are necessary for the maintenance of basic social functions, such as health, security, and social and economic welfare, and that need networks and information systems to deliver their services. On the other hand, he said, it applies to digital service providers and includes all agents, whose obligations are limited to communicating that they are engaged in this activity, unless the Administration decides that it should conduct a specific investigation regarding an incident.
As indicated, the Royal Decree connects the strategic sectors defined in the 2011 rule on critical infrastructure protection with the specific companies that fall within its scope of application through the services they provide, with micro and small enterprises being exempt.
Moret stressed that the standard, which is in its initial phase and will be developed further to adapt to new developments, contemplates an accreditation system that exempts from liability those companies that adapt to the standards set by the administration, so he insisted on the importance of a compliance system that demonstrates the willingness of companies to avoid risks.
Vicente Moret also analysed the sanctioning regime provided for in the Royal Decree, which is based on the principles of legality, typicity and proportionality. Thus, he specified that very serious infringements (such as not correcting the detected deficiencies, repeated non-compliance with the obligation to notify incidents, or not turning to the CSIRT (Computer Security Incident Response Team) of the National Cybersecurity Institute (INCIBE) when the incident has a disruptive effect) carry fines of between 500,000 and one million euros, serious ones carry fines of between 100,000 and 500,000 euros, while minor ones could mean a warning or a fine of up to 100,000 euros.
The Legal Adviser to the Cortes indicated that Spain has not had many resources to invest in cybersecurity but has been efficient, as it ranks 16th among the most cybersecure countries in the world. Thus, he insisted on the importance of continuing to work in this sector, which in our country creates 120,000 jobs a year, not only in the field of technology, and is a market that can generate up to 250,000 million euros of additional growth in the next 5 years.
For her part, the Director of the Privacy, IT & Digital Business area of Andersen Tax & Legal recalled that all companies are exposed to cyber-attacks, such as unauthorized access to, disclosure of, or destruction of documentation, among others. At this point, she said that for any information security incident it must be determined whether it affects personal data, since in that case there are additional obligations for the company.
In her opinion, all companies should take certain preventive measures because most of them, including small ones, engage in electronic commerce or offer an activity or service through the network, and therefore it is important that they professionalize their security services.
In this regard, Isabel Martínez Moriel said that the way to minimize the impact of an incident is to adopt preventive measures: training, since sometimes a problem is caused not by an external attack but by internal misuse; the recording of incidents so that they can be evaluated and analysed and action can be taken for the future; and the assumption of proactive responsibility.
Thus, she urged companies to establish an incident response plan, which formalizes the process as a protocol with, at a minimum, a structured notification and the procedure to be followed, and to implement complementary activities such as a preliminary risk analysis, training programs and a test plan for review, in order to verify whether the measures adopted work against the small threats that have been detected.