05-18-2018

Cybersecurity in essential services: NIS Directive still to be transposed

Submitted by GarriguesAdmin2 on Mon, 09/04/2018 - 15:02

José Ramón Morales (partner in the Corporate Law and Commercial Contracts area and the Technology & Outsourcing industry).

May 9, 2018 marks the end of the period granted to Member States to complete the transposition into domestic law of Directive (EU) 2016/1148 of the European Parliament and of the Council, of 6 July 2016, concerning measures for a high common level of security of network and information systems across the Union (the “NIS Directive”).

The context and the NIS Directive

The magnitude, frequency and impact of cyber-incidents are increasing and, in this environment, concern for their possible consequences on services essential to the EU has been given special legislative attention at European level through various instruments, primarily the NIS Directive. This Directive lays down, for all Member States, a framework of similar requirements concerning the security of network and information systems and creates an opportunity for consolidation of a European cybersecurity industry. It also aims to make progress in the fight against cybercrime, reducing the risk it entails for public security and for national security.

The three pillars of the directive are: the creation of capabilities in all Member States in connection with cybersecurity strategy; transnational cooperation; and the supervision, at a national level, of essential industries.

Under the NIS Directive, the first two pillars take the shape of obligations for each Member State to implement a national strategy on the security of network and information systems, to designate computer security incident response teams (CSIRT) and to facilitate strategic cooperation with the CSIRTs of other Member States.

The NIS Directive defines mechanisms to ensure that those regarded as operators of essential services and digital service providers are subject to certain obligations, which refer to: (1) the implementation of security measures appropriate to the security risks faced by the network and information systems they use, so as to ensure the ongoing provision of essential services; and (2) the notification of security incidents capable of having a significant impact on their services, in some cases adding the possibility of informing the general public, where this is justified by objectives related to prevention or reaction, or is otherwise in the public interest. The directive aims to encourage operators to implement a risk management culture that entails an assessment of risk and the application of the appropriate security measures.

The supervisory mechanism and the measures imposed in the NIS Directive vary according to the activity’s degree of risk. The Directive distinguishes between activities in essential industries (energy, transport, drinking water supply, health sector, banking and financial market infrastructures), on which an ex ante supervisory procedure and stricter measures are imposed, and those of digital service providers (internet exchange points, DNS service providers, top-level domain name registries), which are subject to less rigorous requirements and ex post supervision.

The NIS Directive requires Member States to identify operators of essential services, and gives them until November 9, 2018 to indicate these operators. In contrast, Member States are not obliged to identify digital service providers, given that the NIS Directive should apply to all digital service providers included within its scope, ensuring that they are subject to a more harmonized approach at Union level with respect to security and reporting requirements.

Under the NIS Directive, Member States must also lay down rules on penalties applicable to infringements.

Actions taken and outlook for transposition in Spain

In November 2017, the Spanish Administration published a preliminary bill on the security of network and information systems, for the purposes of transposing the NIS Directive in Spain, and a public consultation period was opened until January 8, 2018.

In December 2018, the Spanish government approved a new National Security Strategy (NSS) highlighting cyber-threats and threats to critical infrastructures as two of the “Threats and Challenges to National Security”. The new NSS sets specific objectives and lines of action in matters of cybersecurity.

On March 19, 2018, the National Cybersecurity Council assessed and analyzed the status of the preliminary bill on the security of network and information systems intended to transpose the NIS Directive. It also studied the advisability of preparing a new National Cybersecurity Strategy.

The Spanish Government has yet to approve the Draft Law on the Security of Network and Information Systems that is to transpose the NIS Directive into the Spanish legal system or to initiate the parliamentary process for its approval. Even though the term for its enactment ends on May 8, 2018, given the current status of the processing deadlines, it already appears that this deadline will be difficult to meet. The future law transposing the NIS Directive, together with the definitive entry into force of the new European General Data Protection Regulation on May 25, 2018, will be a major turning point in the culture of risk management related to the security of information in the Spanish business arena.

Services:

Cybersecurity

©2023 J&A Garrigues, S.L.P. All rights reserved