Draft Cybersecurity Bill
Juan Luis García, Lead of Cybersecurity Business Development

A draft law to harmonise cybersecurity

The year 2016 marked a paradigm shift in the European Union in terms of information security. It also came at a complex time, with a significant increase in cyber-incidents. Aware of the need to harmonise the rules of the game in the field of cybersecurity, the EU published Directive 2016/1148 on the security of networks and information systems, which sought to homogenise this area across all member states of the European Union.

The so-called NIS Directive was a major step forward in important aspects such as collaboration between entities and transparency in dealing with cybersecurity incidents. It also sought to lay the foundations for the implementation of measures to deal with risks that were emerging in the face of the rise of cybercrime groups. Spain launched its implementation by transposing the NIS Directive with Royal Decree Law 12/2018 on the security of networks and information systems.

As important and innovative as the directive was, something was not quite right. Between the pandemic and the changes in the methods with which cybercrime groups impacted societies across the European Union, the need for an evolution became evident. The year 2022 saw two significant events in the regulatory field of information security. One was the evolution of the NIS Directive, through its revision and replacement by Directive 2022/2555, NIS 2. On the national scene, the new National Security Scheme was published, which, 12 years after the appearance of its predecessor, also required an evolution.

Both standards converged in the adoption of a new cybersecurity strategy built on fundamental pillars:

-The need to know ourselves through an "honest" risk assessment. For many years, risk analysis seemed to be a mere formality, carried out not out of conviction but because the rules required it and a dossier had to be filled in.

-Adopting a genuinely preventive mode, or better still a predictive one. We cannot expect to react only when we identify an incident. Nor should we apply measures by imitation, simply because the organisation next door is doing so. The organisation next door has its own problems and solutions, and they do not have to coincide with ours. We must apply security measures and operational processes in line with who we are, what we protect and what we offer.

-Transparency and humility with regard to cyber incidents. We are all susceptible to attack, and the various authorities want us to cooperate so that we fight together against ever-stronger adversaries. One of the elements most strongly sought is sharing in order to progress, allowing our experience to be of use to others. The same is true for vulnerability detection and remediation.

-We are what we are because of ourselves and our circumstances. In today's world, any entity has numerous collaborating companies that allow it to grow and, in some cases, are even a critical part of its daily operations. However, we have seen how attackers have slipped in through that sometimes weaker supply chain. This is why regulations, including NIS 2, focus on the need for control and assurance in the chain. The purpose is fundamental: make it difficult for an adversary to find a weak link.

The appearance of the NIS 2 Directive in 2022 required its transposition into national law, as established by EU rules. A seemingly generous deadline was given for this transposition: October 2024. But the new rule implied significant changes and complex agreements, which are not exactly easy to settle.

In mid-January of this year 2025 and after a long process of analysis and consultation, the Government announced, still as a preliminary draft, a Law for the Coordination and Governance of Cybersecurity, which transposes the European Union's NIS 2 Directive into our legislation.

Important changes are included in this preliminary draft, which are of course inspired by NIS 2. Firstly, the extension of its applicability to numerous sectors, many of which were not even envisaged in the previous Royal Decree-Law transposing the first NIS Directive. In addition, a division is made between essential and important entities, which have different requirements and therefore a different impact in terms of compliance with the standard. The size of the company and its membership of certain sectors will largely define its recognition as an essential or important entity. However, the rule also leaves room for the authorities to require that an entity, either because it is strategic or because of its specialisation, be classified as essential or important when a priori it would not be so by sector.

It also lays the groundwork for the very common need for a security officer or collegiate body, for which 10 specific core functions are defined. There are no longer any detours when it comes to knowing what functions a security officer, or the collegiate body that assumes those functions, should have. These include ensuring that external companies and suppliers comply with the information security criteria established by the entity. They also include being the point of contact and coordination with the control authorities and the national reference CSIRTs.

And this coordination with authorities and CSIRTs becomes a core element of the draft bill. We know all too well that relationships are among the most complex issues to deal with: for a law to be functional, they require proper structuring and allocation of responsibilities. The draft focuses on the creation of a new body to carry out the implementation of this standard and to manage the relationship with the different actors, including the European Union and its counterparts in other countries. This new body will be the National Cybersecurity Centre, although not all of its competences have yet been fully defined.

The Preliminary Draft also touches on the fundamental aspects mentioned above:

-Situation analysis from a risk assessment point of view.

-The implementation of measures in line with the risks identified, and the adoption of security operating procedures according to up-to-date standards. Although the regulation does not establish specific technical measures, Article 15 sets out the fundamental objectives to be pursued, as well as their application through nationally and internationally tested security frameworks, which will be determined by the National Security Centre. One example is the adoption of the new National Security Scheme 2022 as a key element of NIS 2 compliance.

-The need to react appropriately to an incident, or to something that may appear to be an incident. An interesting concept introduced in the NIS 2 Directive is the "near miss". In addition, very specific deadlines are set for reporting to the authorities. The first is a maximum of 24 hours to notify the existence of a significant incident by means of an early warning; these 24 hours are counted from the moment the entity becomes aware of the incident. The second deadline is a maximum of 72 hours for a full notification with details of the incident, its impact and, if any, potential indicators of compromise. As noted above, communication is central to this draft, and withholding information constitutes a direct breach.

-The supply chain is addressed as one of the key measures to be considered. We must therefore think of cybersecurity as a whole, in which we only win if we become stronger together and ensure that those who collaborate with us do so as well.

And of course, any law worth its salt establishes two fundamental concepts: liability and repercussions for non-compliance. With regard to liability, Article 35 of the draft bill establishes that the members of the management bodies of the entities shall be jointly and severally liable for any infringements committed by them. And as in many other aspects of the evolution of the law, the sanctioning regime has also changed. The previous NIS Directive set penalties of up to EUR 1 million for very serious offences. The new Directive, and therefore its transposition as well, raises the amount to the not inconsiderable figure of EUR 10 million or 2% of turnover, whichever is greater.

These figures indicate that this is very serious and that organisations need to prepare adequately. Firstly, they need to know whether the law applies directly to them, but also whether they are part of the supply chain of an affected entity. The lists of essential and important entities will be established in April this year. Secondly, they must adapt to what the draft bill proposes: carry out the necessary risk analyses, establish the mechanisms for communication, create the bodies or appoint the persons responsible for security if they do not exist, establish the necessary operational procedures, etc. As we can see, the deadlines to be met are very tight and there is no time to lose.

For our part at Izertis, we are already prepared. We are aware of the necessity and advantage of adapting to rules like this, because unfortunately we have had to help many entities affected sometimes by incidents and sometimes by near misses. We have collaborated with many organisations in the implementation of standards such as the National Security Scheme, the DORA Directive or ISO 27001, to name a few. But as this never stops, we are also ready for the adoption of others that are already underway, such as the CRA directive. And as part of our DNA, we are always improving for whatever the future holds.