Cybersecurity: the NIS Directive is transposed to the Spanish legal system to regulate the security of networks and information systems

Upon the expiration of the term provided to the Member States (which ended on 9 May 2018) in order to incorporate the Directive (EU) 2016/1148 (the "NIS Directive") into their legal system, the Council of Ministers approved Royal Decree-Law 12/2018, of 7 September, on the security of networks and information systems, which develops and adapts the NIS Directive to the needs and characteristics of the Spanish legal system regarding cybersecurity. This Royal Decree-Law (and its future legal development) completes another regulation already existing in our legal system, which addresses certain specific aspects of this matter (among others, Law 8/2011, of 28 April, for the protection of critical infrastructure or Law 36/2015, of 28 September, on National Security).

In the first section, the Royal Decree-Law defines the scope of the legislation, which includes, on the one hand, the provision of essential services which rely on networks and information systems included in those strategic sectors defined by Law 8/2011, mentioned in the previous paragraph. The sectors include, among others, the food, energy and the chemical and nuclear industries as well as digital services that are deemed as online marketplace, online search engines and cloud computing services.

That being said, the Royal Decree-Law regulates one of the most significant points of this regulation, which is the notification of incidents. Such notifications, which must be made through the Computer Security Incident Response Teams (the "CSIRT"), must be carried out whenever the incidents "have significant disruptive effects" on the essential services. For this reason, the Royal Decree-Law offers a series of parameters that help define this concept in order to determine whether a certain event could be included or not within said category. It also defines the term "essential services" as the necessary service for the maintenance of basic social functions, health, safety and social welfare of citizens, among others. Such notifications shall always be made anonymously and the personnel who report on this type of incident will not be subject to reprisals. In the event that the complainant is an entity, it cannot be subject to greater responsibility.

For this reason, the regulation establishes the use of a common platform to report incidents, in such a way that the operators do not need to carry out several reports based on the authority they must address, given that, in most cases, incidents in this scope occur globally, affecting more than one territory. Certainly, and as with the technical and organisational measures, mentioned further on, the system shares certain similarities with the notification to the competent authority in terms of personal data protection, as provided in the General Data Protection Regulations, in the event of a personal data breach.

The CSIRT must coordinate among themselves (the regulation appoints three CSIRTs for notification purposes, according to the classification of the legally bound reporting party), to respond to incidents, analyse risks, supervise incidents and disseminate alerts, providing solutions to mitigate its effects.

Another aspect to highlight in the Royal Decree-Law is that the essential services and digital service providers need to take, as a preventive measure, appropriate and proportionate technical and organisational measures to minimise risks in networks and prevent possible incidents. For these purposes, the regulation provides a series of indicative criteria with which these measures should be based on, until the Royal Decree-Law is fully developed and determines the concrete measures to be implemented.

Moreover, through the Royal Decree-Law, the National Cybersecurity Strategy is created, which develops the strategic and institutional framework of cybersecurity and appoints the competent authorities to coordinate between national authorities and European cooperation bodies. Thus, the National Security Council is given the power to serve, through the Department of National Security, as a liaison between the different Member States, as required from the NIS Directive, as well as with the CSIRT network and the cooperation group, which as previously mentioned, was created by the NIS Directive, having precisely the objective of exchanging information and good policy practices.

Another element to bear in mind from the regulation is the single point of contact, which will be channelled through the National Security Council and whose main objective is to serve as a liaison in order to guarantee cross-border cooperation between competent authorities on this matter. Likewise, it will be responsible for sending an annual report to the European Commission summarising the notifications received by the competent authority.

The penalty system is another matter developed by this Royal Decree-Law, which defines what type of infractions are categorised as very serious, serious or minor, and determines the amount that could be imposed as a penalty and that could reach, in the case of very serious infractions, up to 1,000,000 euros.

In conclusion, it is undeniable that this Royal Decree-Law represents a major step forward in terms of cybersecurity in our country. For example, in 2017, the National Cybersecurity Institute resolved more than 123,000 cybersecurity incidents at the request of citizens and entrepreneurs, an increase from 2016 of 6.77%. These figures highlight the growing attention and importance of networks and information systems, both in public and private organisations and at national and community levels, which has greatly multiplied the risk to which they are exposed in their daily activity, revealing the need for a common system and approach to these challenges.