The new Royal Decree-Law 12/2018 on the security of networks and information systems was published in the Spanish Government's Official Gazette on 8th September 2018 and entered into force on the following day. The royal decree-law is intended to establish mechanisms which, from a comprehensive perspective, improve protection against threats to networks and information systems by facilitating the coordination of measures taken in this area at both national and EU level. It transposes Directive (EU) 2016/1148 of the European Parliament and of the Council of 6th July 2016 (the NIS Directive) into Spanish law.
The royal decree-law applies to entities which provide essential services to the community and which depend on networks and information systems to carry out those activities. Its scope also extends to sectors which are not directly covered by the Directive, in order to give the royal decree-law a global focus, although sector-specific legislation is preserved.
Likewise, the royal decree-law applies to certain digital service providers, such as online marketplaces, online search engines and cloud computing services.
In accordance with the Directive, the royal decree-law identifies the sectors in which the protection of networks and information systems must be guaranteed and establishes procedures for identifying the essential services offered in those sectors, as well as the main operators offering those services, which are ultimately the entities to which the royal decree-law is addressed.
Operators of essential services and digital service providers must adopt adequate and proportionate technical and organisational measures to manage the risks to the security of the networks and information systems they use, even where the management of those systems is outsourced.
Operators of essential services shall designate, and communicate to the competent authorities, the person, unit or collegiate body responsible for information security, which will act as the point of contact and technical coordination with those authorities.
Digital service providers shall determine the security measures to be applied, taking into account, as a minimum, the state of the art and the following aspects:
a) The security of systems and facilities;
b) Incident handling;
c) Business continuity management;
d) Monitoring, auditing and testing;
e) Compliance with international standards.
The royal decree-law also requires operators of essential services and digital service providers to notify incidents occurring in the networks and information systems they use to provide essential services or digital services, where those incidents have a significant disruptive impact on the service. It also provides for the notification of events or incidents which may affect essential services.
For notification purposes, the significance of an incident shall be determined taking into account at least the following factors:
a) The number of users affected by the disruption of the essential service;
b) The duration of the incident;
c) The extent of the geographic area affected by the incident;
d) The degree of disruption to the functioning of the service;
e) The extent of the impact on crucial economic and social activities;
f) The importance of the systems or information affected by the incident for the provision of the essential service;
g) Reputational damage.
Failure to comply with the notification obligation constitutes an infringement punishable by fines of up to EUR 1,000,000.
Mika Tsuyuki
Vilá Abogados
5th of October, 2018