Cybersecurity Law Code
There is a European Directive, Directive 2016/1148, regarding the measures aimed at guaranteeing a high common level of security in the networks and information systems of the Union. This Directive has a couple of articles related to the security of networks and information systems for essential service operators and digital service providers.
Thus, Article 14 establishes that “Member States shall ensure that operators of essential services take adequate and proportionate technical and organizational measures to manage the risks that arise for the security of networks and information systems used in their operations. Given the situation, these measures will guarantee a level of security of the networks and information systems that is adequate in relation to the risk posed.”
In other words, the Member States will ensure that measures proportionate and appropriate to the risk posed are complied with, and also that measures are adopted in order to prevent, reduce or minimize incidents that affect security.
Likewise, the competent authority or the CSIRT (acronym for Computer Security Incident Response Team) must be notified without undue delay of incidents that have a significant effect on the continuity of the essential services provided, so that institutional or national measures can be taken in this regard, where appropriate.
In addition, in June 2019 the EU Cybersecurity Regulation entered into force, and introduced:
- A certification system for the whole EU,
- A new and strengthened mandate for the EU Agency for Cybersecurity.
Thanks to it, the EU has put in place a single EU-wide certification framework that will build trust, increase the growth of the cybersecurity market, and facilitate trade across the EU.
In Spain we have a Cybersecurity Law Code, published in the Official State Gazette, which cites the main rules to be taken into account in relation to the protection of cyberspace and ensuring the aforementioned cybersecurity.
Regarding cybersecurity at a technical and organizational level, it is also necessary to take into account the new European Data Protection Regulation – Regulation (EU) 2016/679; as well as the existence of other types of international protocols or rules, especially those related to the international transfer of data, such as the Privacy Shield.
These are just some of the rules that aim to protect cyberspace, but there are many more detailed ones that regulate even more specific aspects.
Cybersecurity therefore covers many subjects related to criminal and civil law, and the protection of honor or privacy, among others, that also apply in the real, physical world. What has to be taken into account is the online dimension in which these illicit or illegal actions take place, and the resulting impact of their occurring in the digital world.
Also, on 15 September 2022 the European Commission published a proposal for a Cyber Resilience Act (the ‘Regulation’), which aims to:
- ensure that cyber security is considered during the development of hardware and software products and is continuously improved throughout that product’s life cycle; and
- improve transparency so that users can take cybersecurity into account when selecting and using a product with digital elements.
The Regulation will impact a broad range of parties in the technology supply chain, who should consider how the additional cybersecurity requirements will affect their manufacturing and distribution processes. Whilst the majority of the obligations will come into effect 24 months after entry into force, manufacturers will have only twelve months to comply with the Act’s reporting obligations.