Garrigues Digital_

Legal innovation in Industry 4.0




New developments in cybersecurity: Spain publishes its National Cybersecurity Strategy and the EU publishes a key regulation

Alejandro Padín, partner at Corporate Law and Commercial Contracts area.

The need to ensure cybersecurity is giving rise to the approval of measures to promote the prevention of cybercrime in Spain and to establish a coherent and uniform technical security framework throughout the European Union.

New developments in Spain

Order PCI/487/2019, containing the 2019 National Cybersecurity Strategy approved by the National Security Council, was published in the Official State Gazette on April 26, 2019.

The strategy marks a highly significant milestone in the area of cybersecurity and follows on from the previous strategy published in 2013. The National Cybersecurity Strategy is structured into six objectives, seven lines of action and 65 specific actions, based around four guiding principles: unity of action, anticipation, efficiency and resilience.

One of the major points of the new strategy, beyond technical issues, is the focus on promoting a culture of cybersecurity, with this being one of the fundamental new developments. It alludes to the need to share information and raise awareness of cybersecurity as effectively as possible among all parties involved. The very dynamics of this culture will help reduce the risks associated with cybersecurity.

The National Cybersecurity Strategy also stresses the need to increase the capabilities of both the authorities and businesses in this area, by reinforcing the training of professionals with technical skills and know-how in order to improve the level of preparedness to respond to potential threats.

Given the environment in which these types of threats are carried out, cyberspace, cybersecurity may be one of the areas requiring the most cooperation between the public and private sectors, in terms of managing capabilities, sharing information and implementing joint and coordinated actions.

You can access the document by clicking on the following links:

New developments in the European Union

Just a few days after the publication of the National Cybersecurity Strategy in the Official State Gazette, the EU regulation on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification, known as the Cybersecurity Act, which is mandatory and directly applicable in all Member States, was published in the Official Journal of the European Union on June 7, 2019.

The aim of the Cybersecurity Act, which entered into force on June 28, 2019, is to ensure the proper functioning of the internal market while aiming to achieve a high level of cybersecurity, cyber resilience and trust within the European Union.

To this end it regulates two fundamental aspects: the new tasks conferred on ENISA and a legal framework for the establishment of European cybersecurity certification schemes.

ENISA is the entity tasked with achieving a high common level of cybersecurity across the European Union. It will act as a central reference point for coordination, management of expertise and advice on cybersecurity for EU institutions, bodies and agencies as well as for private entities as needed to achieve its goals.

The Cybersecurity Act also establishes a European cybersecurity certification framework, aimed at achieving a European cybersecurity certification scheme for ICT products, ICT services and ICT processes. This certification scheme will allow ICT products and services to be evaluated according to three levels of security (basic, substantial and high) and will enable a coherent and uniform technical security framework to be established throughout the European Union.

You can access the document by clicking on the following link: