New Spanish Regulation on Cybersecurity

18 September 2018

Alexander Benalal, Pablo Berenguer, María Berlanga

Subjects affected and main obligations involved

On September 8, 2018, Royal Decree-law 12/2018 on the security of networks and information systems, which transposes Directive (EU) 2016/1148 of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (commonly known as the "NIS Directive"), was published in the Spanish Official Gazette.

This decree-law imposes certain obligations on the operators of essential services and digital service providers defined in the new regulation. Amongst others, operators of essential services and digital service providers shall notify the competent authority of incidents that may have a significant disruptive effect on the services they provide, in accordance with the terms laid down in the decree-law. These operators and service providers shall also take appropriate technical and organisational measures to manage the risks posed to the security of the networks and information systems they use in their operations, as well as measures to prevent and minimise the impact of incidents that affect them. Implementing regulations under the decree-law will set out the specific measures for fulfilling these obligations.

In line with the obligations imposed by the European Union in the NIS Directive, the National Commission for the Protection of Critical Infrastructure, under the Secretary of State for Security of the Ministry of the Interior, will approve a first list of essential services and identify the operators that are subject to the decree-law by the following dates:

Before November 9, 2018: essential services and operators corresponding to the strategic sectors of energy, transport, health, financial system, water, and digital infrastructures.

Before November 9, 2019: essential services and operators corresponding to the rest of the strategic sectors included in the appendix of Law 8/2011, of April 28.

In addition to the operators that provide essential services, the decree-law applies to those digital service providers that have their registered office in Spain and/or have their main establishment in the European Union there, as well as those that designate their representative in the Union in Spain for the purposes of compliance with the NIS Directive. The decree-law establishes that, for the purposes of this regulation, digital services are those information society services (as defined in the Spanish Law on Information Society Services and Electronic Commerce) that are online marketplaces, online search engines and/or cloud computing services.

Operators of electronic communications networks and services and providers of electronic trust services that are not designated as critical operators under Spanish Law 8/2011, of April 28, as well as digital service providers that qualify as micro or small enterprises as defined in Commission Recommendation 2003/361/EC, are not subject to the Royal Decree-law.

Fines for infringement of the obligations imposed by this new cybersecurity regulation can amount to up to 1,000,000 euros for very serious infringements, and to a reprimand or fines of up to 100,000 euros for minor infringements.