Cybersecurity Law Code
There is a European Directive, Directive 2016/1148, regarding the measures aimed at guaranteeing a high common level of security in the networks and information systems of the Union. This Directive has a couple of articles related to the security of networks and information systems for essential service operators and digital service providers.
Article 14 states that «Member States shall ensure that operators of essential services shall take appropriate and proportionate technical and organizational measures to manage the risks to the security of the networks and information systems» used in their operations. Given the situation, these measures will guarantee a level of security of the networks and information systems that is adequate in relation to the risk posed.
The competent authority or the CSIRT (acronym for Computer Security Incident Response Teams) must also be notified without undue delay of incidents that will have significant effects on the continuity of the essential services provided, so that institutional or national measures can be taken in this regard, where appropriate.
In addition, in June 2019 the EU Cybersecurity Regulation entered into force, and introduced:
- A certification system for the whole EU,
- A new and strengthened mandate for the EU Agency for Cybersecurity.
The EU has established a single EU-wide certification framework that builds trust. It increases the growth of the cybersecurity market and facilitates trade across the EU.
In Spain we have a Cybersecurity Law Code, published in the Official State Gazette, which ensures the aforementioned cybersecurity.
At a technical and organizational level it is necessary to take into account the new European Data Protection Regulation, Regulation (EU) 2016/679, as well as the existence of other types of international protocols or standards, especially those related to the international transfer of data, such as the Privacy Shield.
These are just some of the rules that protect cyberspace. But there are many more detailed ones that regulate even more specific aspects.
Therefore, cybersecurity covers many subjects related to criminal and civil law, and the protection of honor or privacy, among others, that are also applied in the real and physical world, with the resulting impact due to the fact of occurring in the digital world.
Also, on 15 September 2022 the European Commission published a proposal for a Cyber Resilience Act (the ‘Regulation’), which aims to:
- improve transparency so that users can take cybersecurity into account when selecting and using a product with digital elements.
The Regulation will affect a wide range of parties in the technology supply chain. Here you will need to consider how the additional cybersecurity requirements will affect your manufacturing and distribution processes. Although most of the obligations will take effect 24 months after entry into force, manufacturers will only have 12 months to comply with the Act’s reporting obligations.