How will the Cybersecurity Coordination and Governance Act affect businesses?
The draft Cybersecurity Coordination and Governance Act contemplates fines of up to 10 million euros for non-compliant companies
Thousands of Spanish companies have been wondering for months when the NIS2 directive would start to be applied in Spain. This European standard imposes comprehensive security measures on companies in critical sectors such as energy or healthcare to prevent cyberattacks and reduce the impact of security incidents.
Although it should have been transposed into Spanish domestic law by October 18, 2024, the Government had not set in motion the process to approve the relevant law until now.
A few days ago, the Council of Ministers approved the preliminary draft of the Cybersecurity Coordination and Governance Law. Now, this regulation will have to be submitted to public consultation. Afterwards, it will return to the Council of Ministers for final approval of the bill. Finally, it will be processed through the urgency procedure in the Congress of Deputies to ensure that it enters into force as soon as possible.
Therefore, several months remain before the Cybersecurity Coordination and Governance Law becomes mandatory. Still, given the challenge it poses, companies must start work now to adapt to its requirements.
Below, we break down the main measures of the Cybersecurity Coordination and Governance Act that affect companies. Accordingly, we will not dwell on other relevant aspects of the regulation, such as the creation of the National Cybersecurity Center or the approval of the National Cybersecurity Strategy.
1. Which companies must comply with the Cybersecurity Coordination and Governance Law?
The draft bill of the Cybersecurity Coordination and Governance Law establishes that companies are obliged to comply with this new regulation if they:
- Have their tax residence in Spain.
- Belong to a high criticality sector or to another critical sector.
- Have a workforce of 50 or more workers.
- Have an annual turnover of more than 10 million euros.
In other words, medium-sized and large companies operating in critical sectors must comply with the Cybersecurity Coordination and Governance Law. But which sectors are these?
1.1. Sectors of high criticality
The standard includes 12 high criticality sectors:
- Energy: electricity, district heating and cooling systems, crude oil, gas and hydrogen.
- Transportation: air, rail, maritime and inland waterway, road.
- Banking. However, some provisions of the law will not apply to them because they will continue to be governed by the DORA regulation.
- Financial market infrastructures.
- Health.
- Drinking water.
- Wastewater.
- Digital infrastructure.
- ICT service management (business-to-business).
- Public administrations, excluding the judiciary, parliaments and central banks.
- Space.
- Nuclear industry.
1.2. Other critical sectors
In addition to being applied in high-criticality sectors, the Cybersecurity Coordination and Governance Act will also have to be complied with by companies operating in other sectors considered critical:
- Postal and courier services.
- Waste management.
- Chemical mixtures and substances.
- Food and beverages.
- Manufacturing of medical devices, computer and electronic products, electrical equipment, machinery and equipment n.e.c., motor vehicles, trailers and other transport equipment.
- Digital service providers.
- Research.
- Private security.
1.3. Special cases
Beyond this general rule, the Cybersecurity Coordination and Governance Act also brings smaller companies within its scope in the following special cases:
- Providers of public electronic communications networks, trust service providers and providers of domain name system services and domain name registries.
- Entities that are the sole providers in our country of essential services for critical social or economic activities.
- Organizations whose services, if disrupted, could have repercussions for national security, public order, public health, the economy or the provision of services, as well as organizations whose disruption could give rise to relevant systemic risks.
- Critical entities according to critical infrastructure protection standards.
- Universities and research centers, only in relation to research projects linked to high criticality sectors or critical sectors.
- Companies in which public administrations hold 25% or more of their capital or which are controlled by public bodies.
- Any organization identified by the supervisory authority as essential or important.
The regulation also provides that companies with their tax domicile in another EU Member State that offer their services in Spain or have a permanent establishment in Spain fall within its scope if they are:
- Providers of public electronic communications networks or electronic communications services.
- Providers of digital services and technological infrastructure whose main establishment is in Spain.
2. Do all companies have to assume the same obligations?
No, the Cybersecurity Coordination and Governance Law distinguishes between essential entities and important entities.
The following are considered essential entities:
- Companies that belong to the high criticality sectors listed above and that are considered large companies: 250 or more employees and an annual turnover of more than 50 million euros or an annual balance sheet total of 43 million euros or more.
- Trust service providers, top-level domain name registries and DNS service providers, regardless of their size.
- Providers of public electronic communications networks or electronic communications services that are medium-sized companies: from 50 to fewer than 250 employees and an annual turnover of more than €10 million but below €50 million.
- Entities that had been declared operators of essential services before January 16, 2023, under Royal Decree-Law 12/2018.
- Companies designated as essential entities by the supervisory authorities.
All other companies obliged to comply with the Cybersecurity Coordination and Governance Law will be considered important entities.
The National Cybersecurity Center shall draw up a list of the essential and important entities operating in Spain, review it regularly and update it at least every two years.
Classification as an essential entity is decisive: it determines the risk management measures to be complied with, the supervisory and enforcement powers the authorities may exercise and the exposure to the highest fines.
3. What are the cybersecurity risk management measures to be implemented by companies?
The preliminary draft of the Cybersecurity Coordination and Governance Law indicates that the National Cybersecurity Center (NCC) must establish the “technical, operational and organizational measures” to be complied with by essential and important entities. These measures must ensure an adequate level of security for:
- The networks and information systems of the companies.
- The physical environment of the organizations.
Although it is the NCC that must detail the measures precisely, at least the following will be required:
- Elaboration of security policies for networks and systems, as well as a risk analysis.
- Management of security incidents.
- Management of backups, disaster recovery and crisis management to ensure business continuity.
- Strengthening supply chain security.
- Security in the acquisition, development and maintenance of networks and systems, including vulnerability management and disclosure.
- Evaluation of risk management measures.
- Use of cryptography and encryption.
- Implementation of access control and asset management policies.
- Use of multi-factor or continuous authentication solutions and of secure emergency communications systems.
These measures must be applied to the assets and systems that companies use to provide their services and must be recorded in a statement of applicability of systems, to be submitted to the supervisory authority of the sector in which the company operates within six months of the company being classified as an essential or important entity.
4. How should companies demonstrate compliance with security risk management measures?
The Cybersecurity Coordination and Governance Act provides for two different paths depending on whether companies are essential or important entities:
- Essential entities will be required to obtain a compliance certification attesting to compliance with the measures.
- Important entities will be able to choose between obtaining certification or performing a self-assessment of their security posture.
The National Cybersecurity Center will establish the certification process.
5. What are the functions of the information security officer?
One of the key features of the Cybersecurity Coordination and Governance Act is that it obliges companies to appoint an information security officer. This person can be an individual or a collegiate body and must:
- Develop the company’s security strategy and policies, including cybersecurity risk management measures.
- Oversee and implement the organization’s security policies.
- Evaluate compliance with current security regulations.
- Ensure the implementation of good cybersecurity practices.
- Manage cybersecurity incidents.
- Notify the supervisory authority of security incidents affecting the provision of the company’s services and of any vulnerabilities detected.
- Receive and monitor the implementation of instructions and guidelines from the control authority.
- Provide information to the control authority and the reference CSIRTs.
- Prepare and sign the statement of applicability of systems.
- Verify that suppliers comply with the security criteria set by the company.
What requirements must the information security officer meet? He or she must have specific training and demonstrate the technical capacity to perform the role.
In addition, in the case of essential entities, the information security officer shall:
- Be accredited by the Ministry of Security.
- Have professionals with specialized knowledge and experience in cybersecurity.
- Have the necessary resources to perform their functions.
- Hold a position of sufficient seniority within the company to take part in decision-making and maintain effective communication with the board of directors.
- Be independent of network and information systems managers.
6. Are companies obliged to resolve security incidents?
The Cybersecurity Coordination and Governance Act states that organizations are required to:
- Manage and resolve incidents affecting their networks and systems.
- Ensure that their suppliers manage incidents affecting their systems and networks.
This obligation must be fulfilled whether it was the company that detected the incident or whether the alert comes from the control authority or the CSIRT.
To respond effectively to security incidents, companies can request the assistance of the CSIRT and implement the measures it establishes to resolve the incident, mitigate its impact and restore normal operations.
Likewise, when resolving incidents, organizations must implement their security management policies, as well as the specific obligations imposed by the control authorities.
7. What are the security incident notification obligations?
In terms of incident notification, the Cybersecurity Coordination and Governance Act states that organizations must, through their information security officer:
- Notify the supervisory authority, via the CSIRT, of any significant incident that has affected their operations or the provision of their services, whether the incident affected their own networks and systems or those of their suppliers.
- Inform the recipients of their services of incidents that may cause them harm and of significant cyber threats. These communications should include measures or solutions the recipients can implement to mitigate the risks.
- Provide all the information needed to determine whether an incident is the result of a criminal act. The Cybersecurity Coordination Office will analyze this information and, if a crime is detected, report it to the Public Prosecutor’s Office.
7.1. What information should companies provide to their reference CSIRT?
- Within 24 hours of becoming aware of the incident, an early warning indicating:
  - Whether the incident is suspected to have a malicious origin, i.e., whether it is a cyberattack.
  - Whether it may have cross-border repercussions.
- Within 72 hours of becoming aware of the incident, an incident notification that completes the above information and provides an initial assessment of the incident, including its severity, its impact and the indicators of compromise detected.
- An interim report, whenever requested by the CSIRT or the supervisory authority.
- Within one month of submitting the incident notification, a final report containing:
  - A detailed description of the incident.
  - The type of threat or root cause that led to the incident.
  - The mitigation measures put in place.
  - The cross-border impact, if any.
  - The indicators of compromise (IoCs) and the tactics, techniques and procedures (TTPs) employed by the malicious actors behind the incident.
If the incident is still ongoing when the final report falls due, a progress report must be submitted instead, and the final report must follow within one month of the incident being closed.
The Cybersecurity Coordination and Governance Act establishes that these notification obligations should preferably be fulfilled through the National Platform for Notification and Monitoring of Cyber Incidents, to be managed by CCN-CERT.
8. How will compliance with the Cybersecurity Coordination and Governance Act be verified?
To ensure that companies meet all their obligations, the Cybersecurity Coordination and Governance Act empowers the supervisory authorities to carry out a wide range of actions that allow them to:
- Monitor organizations’ compliance with technical instructions, standards and guidelines on cybersecurity.
- Verify that the person responsible for information security in a company is fulfilling his or her duties.
- Carry out checks, inspections, audits, tests and other actions that serve to monitor compliance with security measures in companies.
- Demand that conducts in breach of the law be stopped, or that measures and recommendations be implemented to remedy deficiencies.
- Impose coercive measures to correct deficiencies and ensure compliance with cybersecurity requirements: suspending the company’s certification and asking the courts to temporarily prohibit the company’s CEO from holding managerial positions. These coercive measures may only be applied to essential entities, not to important entities.
- Approve penalties for breaches of regulations.
In this regard, the Cybersecurity Coordination and Governance Act imposes on companies the duty to:
- Collaborate with supervisory tasks.
- Facilitate inspections by the supervisory authority.
- Provide all information required of them, such as the results of security audits.
- Implement the orders and instructions of the supervisory authority.
- Correct any deficiencies observed as quickly as possible.
9. What obligations must company management bodies comply with?
The preliminary draft of the Cybersecurity Coordination and Governance Law establishes that the management bodies of companies:
- Are responsible for ensuring that the cybersecurity risk management measures are implemented, and for overseeing that they are properly implemented.
- Are liable in the event of non-compliance: the Act provides that “the members of the management bodies of the entities shall be jointly and severally liable for any breaches committed by them.”
- Must receive ongoing cybersecurity training so that they are able to:
  - Identify risks.
  - Evaluate risk management measures.
  - Understand the impact of those risks on the operation of the organization and the services it provides.
- Must organize regular training for all company staff.
In addition, the supervisory authorities can apply to the courts to prohibit the company’s CEO from holding managerial positions until the deficiencies detected are remedied and the requirements of the Cybersecurity Coordination and Governance Act are met.
10. How much are the fines for non-compliance with the Cybersecurity Coordination and Governance Law?
The penalty regime of the Cybersecurity Coordination and Governance Act provides for various levels of fines depending on the seriousness of the offense and the type of entity that committed it:
- Fines of up to €10 million or 2% of worldwide turnover for essential entities that:
  - Fail to implement security risk management measures, where that failure has led to a significant security incident.
  - Repeatedly fail to comply with the obligation to report significant incidents.
- Fines of up to €7 million or 1.4% of worldwide turnover for important entities that commit the infringements listed in the previous point.
- Fines of between €500,001 and €2 million for:
  - Failing to take the necessary measures to resolve an incident.
  - Failing to provide sufficient information to determine whether an incident is criminal in nature.
  - Failing to comply with specific obligations established by the National Cybersecurity Center “in situations of justified need.”
  - Repeatedly breaching the reporting and collaboration obligations towards CSIRTs and supervisory authorities.
- Fines of between €100,001 and €500,000 for serious infringements such as delaying the implementation of security risk management measures, seriously failing to comply with the instructions of the supervisory authority or giving the public false information about the security standards the company meets.
- Fines of between €10,000 and €100,000 for minor infringements such as reporting security incidents without all the information the reports must contain, or failing to inform individuals and companies of cyber threats that may affect them.
11. What cybersecurity services will help companies comply with the Cybersecurity Coordination and Governance Act?
Given the above, companies that will be subject to the Cybersecurity Coordination and Governance Act clearly need cybersecurity services that enable them to meet all the requirements and measures of the standard:
- Security audits. These are essential to detect vulnerabilities present in corporate systems and assets and to design sound security strategies.
- Vulnerability management. One of the duties of companies that must comply with the Cybersecurity Coordination and Governance Act is to manage vulnerabilities in an effective way to prevent incidents.
- Penetration testing services and Red Team exercises to test the implemented security measures and improve the resilience of organizations to cyber-attacks.
- Threat Hunting and incident response services to detect threats at early stages, determine the scope of the compromise, contain the security incident, expel the malicious actor and resolve the incident in the shortest possible time while safeguarding business continuity.
In short, although the Cybersecurity Coordination and Governance Act still has a long way to go before it is passed, and may change during its passage through Parliament, we already know the main cybersecurity obligations it will impose on companies in critical sectors and on their management bodies.
This future regulation highlights the central role that cybersecurity plays today and forces companies to place this area at the heart of their strategies. It highlights the importance of having comprehensive cybersecurity services that allow them to manage vulnerabilities and deal with security incidents successfully.
This article is part of a series of articles about the Cybersecurity Law:
- How will the Cybersecurity Coordination and Governance Act affect businesses?
- Between €180,000 and €2 million. This will be the cost of the Cybersecurity Law for companies