The Government approves the Royal Decree-Law for the transposition of the NIS Directive on cybersecurity

06/09/2018
Ministry of Economy and Enterprise
  • The standard identifies the sectors in which it is necessary to guarantee the protection of networks and information systems, and establishes requirements for notification of cybersecurity incidents
  • The transposition of the Directive aims to increase user confidence and boost the national development of digital services

    The Government has today approved in the Council of Ministers the Royal Decree-Law for the transposition of the European Cybersecurity Directive, known as the NIS Directive. In particular, it transposes into Spanish law Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 on measures to ensure a high common level of security of networks and information systems in the European Union.

    From the day of its publication in the Official State Gazette (BOE), the Government will have a maximum period of 30 working days for its validation in the Congress of Deputies.

    The Government has worked since its inauguration to achieve this milestone as soon as possible and to meet the deadlines imposed by the Directive in order, among other aspects, to designate the operators of essential services to which the law is addressed.

    The Royal Decree-Law will apply to entities that provide essential services for the community and depend on networks and information systems for the development of their activity. Its scope extends to sectors that are not expressly included in the Directive, to give this Royal Decree-Law a global approach, although its specific legislation is preserved. In addition, in the case of network operation activities and the provision of electronic communications services and associated resources, as well as electronic trust services, expressly excluded from this Directive, the Royal Decree-Law will apply only with regard to critical operators. The new regulations will also apply to the providers of certain digital services.

    The Royal Decree-Law identifies the sectors in which it is necessary to guarantee the protection of networks and information systems, and establishes procedures to identify the essential services offered in these sectors, as well as the main operators that provide such services, thus complying with the maximum deadline established for this by the Directive, of November 9, 2018.

    Transparency

    Among other issues, the Royal Decree-Law requires operators of essential services and digital service providers to notify significant incidents that they suffer in the networks and information services they use for the provision of essential and digital services. The rule protects the reporting entity and the personnel who report incidents that occur; it protects confidential information from disclosure to the public or to authorities other than the one notified, and it allows incidents to be notified even when their communication is not obligatory.

    With the approval of this Royal Decree-Law the Government aims to promote the development of the internal market through the improvement of the level of security in the networks and information systems that support the provision of essential services and digital services, increasing the confidence of users and service providers in the use of information technologies.

    The provision of services with trans-European scope will also be facilitated by establishing similar requirements for their providers in all Member States in terms of network and information system security, reducing the fragmentation of these requirements and boosting the European cybersecurity industry.

    Finally, it seeks to improve effectiveness in the fight against crimes involving networks and information systems by reducing their effects on public security and, eventually, national security.