This post is also available in: Español
Royal Decree 43/2021 (“RD 43/2021”) published on January 28, implements many aspects of Royal Decree-Law 12/2018 (“RD 12/2018”) on the security of network and information systems. RD 43/2021 is the main cybersecurity provision, keeping Spanish law in line with the EU harmonized framework under Directive 2016/1148 (the NIS Directive).
RD 43/2021 develops, for critical infrastructure operators and industries, the legal framework specifically laid down for cybersecurity matters. RD 43/2021 and RD 12/2018 lay down obligations for two major groups of companies based in Spain:
(i) Providers of essential services related to network and information systems in strategic sectors, as defined by Act 8/2011. According to Act 8/2011, strategic sectors include: public authorities; the space industry; the nuclear industry; the chemical industry; research facilities; the water sector; energy; health; information and communications technology; transport; the food sector; and the financial and tax system.
(ii) Digital service providers including online marketplaces, search engines and cloud computing services.
RD 43/2021 seeks to clarify the main requirements and procedures necessary to ensure (i) the best risk management for network and information systems in critical sectors; and (ii) proper coordination between the operators involved in these high-risk situations.
Below, we list a few of the organizational and performance obligations that apply to any operators subject to this framework:
- Defining technical and organizational measures to successfully manage cybersecurity risks: according to RD 43/2021, these measures must be listed in the statement of applicability of security measures, and they should include comprehensive security policies, risk management, preventive measures, response and recovery measures, lines of defense, periodic re-assessments and task segregation policies. RD 43/2021 provides that these policies and measures should address key security aspects, including (i) risk analysis and management (including third party risks); (ii) the listing of security, organizational, technological and physical measures; (iii) recovery and continuity management plans; and (iv) system interconnection, among others.
- Designating a security manager: a natural person, entity or collegial body that acts as the company’s security manager and as the point of contact cooperating with the competent authorities. Operators subject to RD 43/2021 must report their security manager’s identity to the competent authorities within 3 months from the entry into force of RD 43/2021. They must also notify any dismissals and new designations in that post within 1 month from the relevant dismissal or designation. Security managers should be the reference point for the operator regarding the security of network and information systems. Security managers’ duties include:
(i) preparing and submitting for approval the relevant security policies and the statement of applicability;
(ii) monitoring and implementing the technical and organizational measures defined in the security policies;
(iii) forwarding any notifications of incidents to the competent authorities; and
(iv) monitoring the application of competent authorities’ instructions and guidelines.
RD 43/2021 intends security managers to play a substantial role, and thus sets the following requirements regarding security managers:
(a) having staff with expertise and experience in the field of cybersecurity from an organizational, technical and legal standpoint;
(b) having the necessary resources for them to perform their duties;
(c) having a position in the operator’s organization allowing them to perform their duties; and
(d) ensuring that they remain independent from network and information system managers.
- Notification and management of security incidents: RD 43/2021 requires operators to notify the competent authorities of any incidents (i) that could have “significant disruptive effects” on the operator’s services or, considering their seriousness, (ii) potentially affecting the network and information systems used for the provision of essential services, even if the incident does not have a significant effect on the operator’s activities. This notification obligation is without prejudice to other legal requirements, e.g., the obligation to notify personal data breaches to the competent authority under article 33 of the General Data Protection Regulation. To make these notifications, RD 12/2018 and RD 43/2021 provide for the creation of a National Platform for the Notification and Follow-up of Cyberincidents, managed by the National Cryptographic Center together with the National Cybersecurity Institute and the Joint Cyberdefense Board. In case of a security incident, essential service operators must make the following notifications to the competent authority:
(a) The first notification should be made as soon as there is evidence of the circumstances provided in RD 43/2021.
(b) As many intermediate notifications as necessary to update or fully report the information provided in the first notification, as well as to report the incident status.
(c) A final notification after the incident has been resolved, (i) providing a comprehensive overview of the incident; (ii) assessing the likelihood of the incident occurring again; and (iii) stating any corrective measures applied or planned by the operator to prevent future incidents.
The Annex to RD 43/2021 provides the applicable criteria to successfully manage these notifications, rating the incidents’ seriousness and impact. These criteria are based on the National Cybersecurity Council’s Guidelines for the notification and management of cyberincidents, which follow the incident classification criteria of the European Union Agency for Cybersecurity (ENISA).
Author: Albert Agustinoy