Two operators of essential services that were recently the subject of cyberattacks have issued the mandatory notification to the competent authority, under the new legislation that transposes the Network and Information Security Directive (known as the NIS Directive) into Spanish law. These notifications, the first in Spain under the new regulatory system, were made with the advice of Garrigues, which coordinated the legal side of the investigations and the compliance processes.
The NIS Directive (Directive (EU) 2016/1148 of the European Parliament and of the Council, of July 6, 2016, concerning measures for a high common level of security of network and information systems across the Union) regulates the obligations of operators of critical infrastructures and essential services in Europe in relation to security, for the purpose of protecting these services and infrastructures within the Union. This Directive establishes obligations to notify the authorities when an operator concerned is the subject of a cyberattack.
In Spain, the NIS Directive has been incorporated into national law by Royal Decree-law 12/2018, of September 7, on network and information system security. This Royal Decree-law establishes the competent authorities in relation to coordination of cyber incidents and specifies the notification obligations and other obligations imposed on a critical operator affected by one of these attacks.
During the notification processes, the first of their kind in Spain, Garrigues coordinated the handling of the cyber incidents with the CNPIC (National Center for Protection of Infrastructures and Cybersecurity), the CCN (National Cryptology Center), INCIBE (National Cybersecurity Institute) and the State law enforcement bodies (Police and Guardia Civil). The firm was also invited to take part in a plenary session of the National Cybersecurity Council for organizational purposes.
It is essential to have good advice on this subject: a single cyberattack can not only cause direct economic and reputational damage to a company, but can also expose it to penalties for infringement both of the NIS legislation and of the privacy legislation and the GDPR, which, in theory, could amount to 20 million euros or 4% of the annual global turnover of the group concerned.