Network and Information Systems Security

Royal Decree 43/2021, of 26 January, develops Royal Decree-Law 12/2018, of 7 September, on the security of networks and information systems, which transposes into Spanish law Directive (EU) 2016/1148 of the European Parliament and of the Council, of 6 July 2016, on measures to ensure a high common level of security of networks and information systems in the Union. The aim is to regulate the security of the networks and information systems used for the provision of essential services and digital services, and to establish an incident notification system.

Royal Decree 43/2021, of 26 January, aims to develop Royal Decree-Law 12/2018, of 7 September, on the security of networks and information systems, regarding the strategic and institutional framework for the security of networks and information systems, the supervision of compliance with the security obligations of operators of essential services and digital service providers, and the management of security incidents.

Scope of application

This royal decree shall apply to the provision of:

  • The essential services dependent on the networks and information systems included in the strategic sectors defined in the annex of Law 8/2011, of 28 April, which establishes measures for the protection of critical infrastructures.
  • Digital services that are online markets, online search engines and cloud computing services.

They will be subject to this Royal Decree:

  • The operators of essential services established in Spain.
  • Digital service providers that have their registered office in Spain and that constitute their main establishment in the European Union, as well as those that, not being established in the European Union, designate in Spain their representative in the Union for compliance with Directive (EU) 2016/1148 of the European Parliament and of the Council, of 6 July 2016.

National Platform for Notification and Monitoring of Cyberincidents

The CCN-CERT in collaboration with INCIBE-CERT and ESPDEF-CERT of the Joint Cyberspace Command will make available to all actors involved the National Platform for Notification and Monitoring of Cyberincidents referred to in article 19.4 of Royal Decree-Law 12/2018, of 7 September. The platform will implement the incident notification and management procedure, which will be available during all hours of the day and all days of the year.

Documents

Royal Decree 43/2021, of 26 January, which develops Royal Decree-Law 12/2018, of 7 September, on the security of networks and information systems.

Royal Decree-Law 12/2018, of 7 September, network security and information systems.

Links

National Security Scheme