PAe - Royal decree-law approved transposing the European cybersecurity directive

Royal decree-law approved transposing the European cybersecurity directive

14 September 2018

RDL 12/2018 designates CCN-CERT as the reference CSIRT for security incident response in the public sector and as the national coordinator of the technical response in cases of particular gravity that require a higher level of coordination.

On Saturday 8 September, the Official State Gazette (BOE) published Real Decreto-ley 12/2018, of 7 September, on the security of networks and information systems, after its approval by the Council of Ministers the previous Friday. It thereby transposes into Spanish law Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016, better known as the NIS Directive, which seeks to identify the sectors that must ensure the protection of their networks and information systems and to establish requirements for the notification of cyber incidents.

The purpose of the royal decree-law is to “regulate the security of networks and information systems used for the provision of essential services and digital services, and to establish a system for the notification of incidents”, while it also “establishes an institutional framework for coordination between the competent authorities and with the relevant cooperation bodies at EU level”.

All this, as the preamble notes, is “mindful of the cross-cutting and interconnected nature of information and communication technologies (ICT)” and of their threats and risks, which limit the effectiveness of countermeasures when they are taken in isolation.

Therefore, the text continues, “it is timely to establish mechanisms which, from a comprehensive perspective, improve protection against threats to networks and information systems, facilitating the coordination of actions undertaken in this area both nationally and with neighbouring countries, in particular within the European Union”.

CCN-CERT is the national coordinator

Article 11 of the royal decree-law designates three reference CSIRTs, which will coordinate with each other and with the other national and international teams in incident response and risk management. For the public sector, the reference CSIRT is CCN-CERT, of the National Cryptologic Centre. In addition, as the RDL notes, CCN-CERT exercises national coordination of the CSIRTs' technical response.

The other two are INCIBE-CERT, the CSIRT for the community not covered by CCN-CERT, that is, citizens and private-law entities (operated jointly by INCIBE and CNPIC for the management of incidents affecting critical operators), and ESPDEF-CERT, of the Joint Cyber Defence Command, which cooperates with the other two CSIRTs in situations that require it in support of operators of essential services and, necessarily, in those with an impact on national defence.

Competent authorities

The royal decree-law designates three competent authorities (article 9):

  • For operators of essential services:
    • If they are also designated as critical operators under Law 8/2011, of 28 April: the Secretariat of State for Security of the Ministry of the Interior, through the National Centre for the Protection of Infrastructure and Cybersecurity (CNPIC).
    • If they are not critical operators: “the corresponding sectoral authority, as determined by regulation”.
  • For providers of digital services: the Secretariat of State for Digital Advancement, of the Ministry of Economy and Business.
  • For operators of essential services and digital service providers that are not critical operators but fall within the scope of Law 40/2015, of 1 October, on the Legal Regime of the Public Sector: the Ministry of Defence, through the National Cryptologic Centre.

Obligation to notify incidents

The royal decree-law establishes the duty of operators of essential services and providers of digital services (article 19) to notify the competent authority, through the reference CSIRT, of incidents that may have significant disruptive effects on those services, and it includes the notification of events or incidents that have not yet had a real adverse impact (potential risks).

The text also notes that the competent authorities and the reference CSIRTs will use a common platform to facilitate and automate the notification of, communication about and information on incidents, in line with CCN-CERT's existing LUCIA solution. It also establishes that staff who report such incidents “may not suffer adverse consequences in their job or with the company, except in cases where bad faith in their action is proven”.

Operators of essential services and providers of digital services are obliged to resolve the security incidents that affect them and to seek expert assistance, including from the reference CSIRT, when they cannot resolve the incidents by themselves.

Original source of news.