Between €180,000 and €2 million. This will be the cost of the Cybersecurity Law for companies
Almost 6,000 Spanish companies will have to adapt their strategies to optimize their capacity to manage incidents and assume the cost of the Cybersecurity Law
Three months behind the deadline for transposing the NIS2 directive, the Government has approved the draft bill for the Law on Cybersecurity Coordination and Governance. This law aims to increase the resilience of companies operating in sectors that are critical for the economy and society, such as energy, water, transport and healthcare.
What will be the cost of the Cybersecurity Law for the almost 6,000 Spanish companies that are expected to comply with it? What measures in terms of vulnerability management and security incidents does the law impose on companies? Do all companies have to assume the same obligations?
Below, we analyze the cost of the Cybersecurity Law for companies and the impact of the measure on Spanish businesses, given their current level of cybersecurity maturity.
1. How many Spanish companies will have to comply with the Cybersecurity Law?
Before the draft Cybersecurity Law was approved by the Council of Ministers, the ministries involved in drafting it carried out the corresponding regulatory impact analysis.
This document estimates that the following will have to adapt to this law:
- 1,819 essential entities.
- 3,941 important entities.
How is this figure arrived at? The information gathered by the National Institute of Statistics (INE) on the characteristics of companies in our country makes it possible to estimate which companies meet the requirements established by law. Thus, according to the draft bill, companies that are obliged to comply are those that:
- Have their tax residence in Spain.
- Carry out their activities in:
- Highly critical sectors: energy, transport, banking, financial market infrastructures, healthcare, drinking water, wastewater, digital infrastructure, business-to-business ICT service management, public administration, space and the nuclear industry.
- Other critical sectors: postal and courier services, waste management, chemicals, food, manufacturing (medical devices, IT and electronics, motor vehicles), digital service providers, research and private security.
- Employ 50 or more workers, or
- Have an annual turnover of more than 10 million euros.
Beyond these requirements, the authorities may include companies that do not meet them within the scope of the Cybersecurity Law. For example, companies that are the sole providers in Spain of key services from a social or economic point of view.
Thus, the Government estimates that almost 6,000 organizations will have to comply with the regulations and assume the cost of the Cybersecurity Law.
2. Which companies are essential and which are only important?
As noted above, the analysis of the impact of the Cybersecurity Law differentiates between essential and important entities. How is it determined which category each company falls into?
The draft bill establishes that companies that will be considered essential entities are those that:
- Carry out their activities in highly critical sectors.
- Employ 250 or more workers, or
- Have an annual turnover of more than 50 million euros or an annual balance sheet total of more than 43 million euros.
The following will also be considered essential entities:
- Regardless of size, trust service providers, top-level domain name registries and DNS service providers.
- Providers of public electronic communications networks or publicly available electronic communications services that employ 50 or more workers or have an annual turnover of more than 10 million euros.
- All organizations that had already been declared essential service operators according to the criteria of the NIS1 directive.
- Companies that are classified as essential entities by the authorities.
What happens to companies that do not fall under these categories? They will be considered important entities.
Why does it matter whether a company is essential or important? The cost of the Cybersecurity Law is considerably higher for essential entities than for important entities, because they are subject to stricter obligations and supervision.
3. Have companies in our country already adapted to the requirements of the new law?
The report that includes the analysis of the impact of the Cybersecurity Act differentiates between three groups when evaluating the level of implementation of the measures of the law:
- It is estimated that important entities have only implemented 27% of the measures they must comply with.
- With regard to essential entities:
- Those that already had to comply with the requirements of NIS1 have an implementation level of 95%.
- While the rest of the essential entities have an implementation level of 48%.
These figures show that Spanish businesses must allocate resources and place cybersecurity at the center of their strategies, not only to comply with the regulation but, above all, to improve their ability to prevent incidents and respond to them successfully.
Likewise, the low level of implementation of the measures imposed by the law that transposes NIS2 implies that:
- The cost of the Cybersecurity Act will be greater for the least prepared organizations.
- Companies should start as soon as possible, contracting comprehensive cybersecurity services that allow them to adapt to the law and increase their resilience to cyberattacks.
4. What is the cost of the Cybersecurity Act for important and essential companies?
The analysis carried out by the Government also offers estimates of the cost of the Cybersecurity Law for companies. Thus, it is expected that:
- Important entities that must adapt their cybersecurity structures from scratch will have to invest almost 180,000 euros on average.
- For companies considered important that present an average level of implementation of NIS2 measures (27%), the cost of the Cybersecurity Law will be 131,000 euros.
- Essential entities that start from scratch, having implemented none of the measures of the law, will have to invest up to 2.15 million euros.
- Meanwhile, for companies considered essential that present an average level of implementation (48%), the cost of the Cybersecurity Law will be around 1.19 million euros.
- Finally, essential companies that were already regulated previously and obliged to comply with NIS1 will have to invest 107,000 euros to adapt to NIS2.
In light of these figures, it seems clear that it is important for companies to get started as soon as possible by implementing the cybersecurity services and mechanisms that will enable them to comply with the law when it comes into force and thus better manage the adaptation from a financial point of view.
How much will the Cybersecurity Law cost Spanish businesses as a whole? The Government estimates that the roughly 6,000 entities obliged to comply with the law will spend a total of almost 2.25 billion euros.
5. What are the main measures that companies will have to implement in terms of cybersecurity?
So far, we have addressed the cost of the Cybersecurity Law, but we have not mentioned how the resources that companies will have to allocate will be spent.
5.1. From risk management to training
In a nutshell, let’s review the main measures established by the law:
- Security risk management:
- Design and implementation of effective security policies for the protection of corporate networks and information systems.
- Conducting risk analyses.
- Vulnerability management.
- Security incident management.
- Backup management, disaster recovery mechanisms and crisis management protocols, so that business operations are not disrupted by security incidents.
- Measures to increase supply chain protection.
- Evaluation of risk management mechanisms.
- Use of cryptography and encryption, as well as multi-factor authentication solutions to protect information.
- Establishment of access control and asset management policies.
- Incident resolution:
- Companies must have incident response services in place to mitigate the impact of incidents affecting their corporate systems and networks, resolve them and ensure a return to normalcy in the shortest possible time.
- Companies are also obliged to ensure that their suppliers are capable of resolving security incidents affecting them.
- Notification of significant security incidents to the authorities and to the people who may be affected by them, following strict deadlines and information requirements. NIS2 sets those deadlines as an early warning within 24 hours of becoming aware of the incident, a full notification within 72 hours and a final report within one month.
- Appointment of a person responsible for information security who will oversee the implementation of all measures and serve as a point of contact for the authorities should they need to obtain information.
- Continuous cybersecurity training programs for managers and all staff.
5.2. Certifications, self-assessments, fines and suspensions
To guarantee the implementation of all the measures included in the law, it is expected that:
- Essential entities will obtain a certificate of conformity issued after a rigorous analysis of their cybersecurity structures.
- Important entities will choose between that certification and a self-assessment of their organization's security posture.
- The supervisory authorities can carry out inspections, audits and tests; request information; demand compliance with the measures of the law; impose fines of up to 10 million euros in the most serious cases of non-compliance; or apply coercive measures such as suspending a company's certification or temporarily barring its CEO or legal representative from exercising management functions until the deficiencies detected are resolved.
These last actions that the supervisory authority can take show that the cost of the Cybersecurity Law for companies increases notably in the event that not all the security measures required by the law are implemented.
6. The cost of the Cybersecurity Law vs. the cost of serious security incidents
When talking about the cost of the Cybersecurity Law, it is essential to bear in mind that it is an investment that companies must make in one of the most important issues of our time: protecting their digital assets and, with them, their business models.
Despite the sharp growth in cyberattacks and security incidents over the last decade, there are still companies that do not place cybersecurity at the heart of their business strategies.
In this sense, the Cybersecurity Law can be a wake-up call for medium and large companies operating in sectors of enormous economic and social importance to implement a catalog of cybersecurity services that will enable them to protect themselves against threats and minimize the impact of cyberattacks.
6.1. Financial, legal and reputational repercussions of incidents
After all, we must not lose sight of the fact that the cost of the Cybersecurity Act is small compared with the economic impact that a serious security incident can have:
- Losses from disruption to the company's day-to-day operations or business continuity.
- Theft of intellectual and industrial property, and theft of critical information about customers or business strategy.
- Direct costs of resolving the incident.
- Heavy fines for non-compliance with regulations such as the Cybersecurity Act or the General Data Protection Regulation.
- Legal disputes with customers, employees or business partners who have been affected by security incidents in which companies acted negligently.
In other words, the cost of the Cybersecurity Act should be seen as an investment that will enable companies to acquire quality cybersecurity services that will allow them to improve the management of risks, vulnerabilities and incidents in order to increase their level of protection against cyber threats.
This article is part of a series of articles about Cybersecurity Law
- How will the Cybersecurity Coordination and Governance Act affect businesses?
- Between €180,000 and €2 million. This will be the cost of the Cybersecurity Law for companies