This post is also available in: Español
On September 8, 2018 Royal Decree Law 12/2018 of September 7, 2018 on the security of networks and information systems was published, belatedly transposing—the deadline for transposing the directive was May 9, 2018—Directive (EU) 2016/1148 of the European Parliament and of the Council of July 6, 2016, concerning measures for a high common level of security of network and information systems across the Union, also known as the “Security Directive” or “NIS Directive.”
The NIS Directive is intended to (i) ensure a high level of security for networks and information systems in all the Member States by establishing minimum common requirements, without prejudice to specific regulations applicable to certain sectors of the economy and national steps to safeguard their essential security interests; (ii) maintain public order and national security; and (iii) enable criminal infringements to be detected, investigated, and tried.
As we have already mentioned on this blog, some of the main measures in the NIS Directive are:
- the obligation to identify and report the operators of essential services and digital service providers of the Member States to the European Commission (EC);
- reporting to the EC and to the competent national authority incidents having a “significant disruptive effect,” i.e., cybersecurity incidents that could significantly affect the continuity of the essential services provided;
- developing and reporting to the EC a national strategy on the security of networks and information systems;
- establishing a governance framework in coordination with EU structures by designating one or more competent authorities, a national single point of contact, and one or more computer security incident response teams (CSIRTs); and
- establishing a network for the exchange of information by Member States for national and international cooperation and setting up a cooperation group at EU level.
This royal decree law (i) expands its scope of application to other sectors not expressly envisaged in the directive, (ii) is aimed at entities providing essential services that depend on networks and information systems and at the providers of certain digital services, and (iii) regulates the security of the networks and information systems used to provide essential services and digital services.
Its features include: (i) identifying the essential services and the operators that provide them every two years; (ii) the a priori obligation to implement appropriate and proportionate technical and organizational measures to preventively manage the risks posed to networks and systems; (iii) a system (a posteriori) for notifying significant incidents that occur in networks and information systems for providing essential and digital services; and (iv) setting up a strategic security framework and designating competent authorities for coordination among authorities and bodies for European cooperation.
The system for notifying incidents to the competent authority operates through the CSIRTs mentioned above and covers both networks and internal services as well as external providers. It also protects the notifying entity and the staff reporting incidents, and allows incidents to be reported even where notification is not mandatory (because the incident did not produce an actual adverse effect). This system includes the obligation, already envisaged in the General Data Protection Regulation, to notify the data protection supervisory authority of security breaches that might involve personal data, and establishes a common platform for reporting incidents in line with both regulations and for standardizing procedures.
In response to the NIS Directive’s requirement to lay down national penalties, the royal decree law imposes sanctions ranging from a warning to fines of up to €1 million, depending on such factors as degree of culpability, continuity or persistence, the number of users affected, repeat offenses, volume of billing, and steps taken to uncover or mitigate the effects.
The approval of this royal decree law is expected to foster the development of the internal market, enhance network and information system security, increase user and service provider confidence, and encourage the provision of Europe-wide services by standardizing minimum security requirements.