8 obligations of the Cybersecurity Law for company executives

The obligations of the Cybersecurity Law for managers include the duty to train themselves and their employees

Supervise risk management, undergo continuous training, be jointly liable for infringements… We review the obligations of the Cybersecurity Law for company executives.

This year, the Cybersecurity Coordination and Governance Act is expected to be approved. This regulation transposes the NIS2 directive and will affect some 5,000 Spanish companies… and their executives.

Why? The current draft of the bill sets out various obligations under the Cybersecurity Law for the executives of companies that are considered essential or important entities under the law.

What criteria will be used to determine whether a company is an important entity?

  1. Operating in one of the 20 critical sectors of the Spanish economy and society.
  2. Having 50 or more employees.
  3. Having recorded a turnover of more than €10 million in the previous year.

In what cases will companies be classified as essential entities? When they:

  1. Carry out their activities in highly critical sectors: energy, transport, banking, health, drinking water or wastewater, etc.
  2. Have 250 or more employees.
  3. Have a turnover of more than 50 million euros per year or an annual balance sheet of 43 million euros.

What is the purpose of the obligations of the Cybersecurity Law for managers? To ensure that the management bodies of companies are directly involved in the cybersecurity management of the organizations they run and take responsibility for their companies’ non-compliance.

Below, we outline the main obligations of the Cybersecurity Law for executives in order to help them be aware of the responsibility they will have in managing security risks in the companies they run.

1. Implement and supervise the implementation of cybersecurity risk management measures

Article 14 of the law establishes that the management bodies of companies considered essential or important must:

  1. Apply measures for cybersecurity risk management:
    • Network and information system security policies.
    • Risk analysis.
    • Security incident management.
    • Backup management and disaster recovery.
    • Crisis management.
    • Supply chain security.
    • Vulnerability management.
    • Assessment of the effectiveness of the measures adopted.
    • Good cybersecurity practices and staff training.
    • Use of cryptography and encryption mechanisms.
    • Access control and asset management policies.
    • Implementation of multi-factor authentication solutions and secure emergency communication systems.
  2. Monitor the correct implementation of these measures.
  3. Assume responsibility for non-compliance with these measures.

In other words, among the obligations of the Cybersecurity Law for company executives, it should be highlighted that they must direct the implementation of security strategies and, in addition, that they will be held responsible when security measures are not implemented or are implemented poorly.

2. Receive adequate and ongoing training on cybersecurity

Training plays a key role in the obligations of the Cybersecurity Law for company executives. Thus, in its current version, the regulation stipulates that members of company management bodies must receive training that is:

  1. Adequate.
  2. Periodic.
  3. Designed to provide the knowledge and skills necessary to:
    • Detect security risks affecting their organizations.
    • Assess their companies’ risk management.
    • Understand the impact of security incidents on the services their companies provide.

In this way, the future law seeks to ensure that all executives have essential cybersecurity knowledge so that they can make decisions related to security strategies.

3. Organize training for the entire workforce

The obligations of the Cybersecurity Law for managers not only revolve around the training of members of management bodies but also include the duty to organize cybersecurity training for all professionals who are part of companies.

According to the future law, this training must be periodic and have content “similar” to the training for managers.

This measure aims to ensure that all employees in a company have a minimum level of knowledge about cybersecurity and are aware of the risks to which companies are exposed. This will help prevent bad practices and unsafe actions, such as downloading a document from an unverified email address.

4. Appoint an information security officer

One of the pillars of the Cybersecurity Law is the figure of the information security officer.

The decision-making bodies of companies must designate “a person, unit, or collegiate body as responsible for information security.”

Information security officers must be technically qualified and have solid training in cybersecurity.

In addition, in the case of essential entities, these individuals must be accredited by the Ministry of the Interior.

Similarly, the legal text stipulates that information security officers in essential entities must hold positions that enable them to:

  1. Perform their duties.
  2. Participate in all matters related to the security of the company.
  3. Maintain fluid and effective communication with the company’s board of directors.

Failure to comply with the obligations of the Cybersecurity Law for executives can result in consequences such as the temporary suspension of the CEO.

5. The wide range of functions of the information security officer

In practice, this means that information security officers will, in many cases, be managers, as is already the case with CIOs (Chief Information Officers), who are called upon to perform this role in companies.

What are the obligations of information security officers?

  1. Develop the cybersecurity strategy and submit it for approval, including the technical and organizational risk management measures required by law.
  2. Coordinate the implementation of security policies and perform regular security checks.
  3. Ensure that the company complies with regulations.
  4. Act as a trainer in best practices.
  5. Report security incidents and vulnerabilities detected to the supervisory authorities.
  6. Receive and monitor the implementation of instructions and guidelines from the supervisory authorities in order to optimize the security strategy and remedy any deficiencies detected.
  7. Prepare and send documentation to the supervisory authority and the CSIRT.
  8. Prepare the “systems or assets applicability document.”
  9. Ensure that suppliers comply with the company’s security criteria.

6. Ensure that deficiencies are remedied and the requirements of the supervisory authority are met

The future law will empower the supervisory authority to set a deadline for an essential entity to take the necessary measures to remedy deficiencies or comply with the requirements of the law.

Thus, among the obligations of the Cybersecurity Law for company executives is the duty to ensure that such measures are taken. Otherwise, the supervisory authority may:

  1. Temporarily suspend or request the suspension of a certification or authorization of the non-compliant company.
  2. Request that any person exercising management responsibilities at the level of chief executive officer be temporarily prohibited from performing their duties.

In other words, chief executive officers or legal representatives of companies considered essential entities must personally ensure that the measures required by the authorities are complied with if they do not wish to be temporarily removed from their positions.

7. Supervise compliance with the Cybersecurity Law

Similarly, the draft bill establishes that the following are responsible for supervising compliance with the law:

  • Natural persons acting as representatives of essential entities.
  • The competent decision-making bodies.

To that end, they must assume “responsibility for failure to comply with this duty.”

8. Be jointly and severally liable for infringements committed by their companies

Without straying from the subject of responsibility, we should point out that among the obligations of the Cybersecurity Law for company executives is the duty to be jointly and severally liable for infringements committed by companies.

Thus, the future regulation stipulates that responsibility for infringements lies with companies, but that the members of their management bodies will be “jointly and severally liable.”

This issue is of enormous importance, as the draft bill provides for fines ranging from €10,000 to €10 million or 2% of the global turnover of the non-compliant company.

In short, the obligations of the Cybersecurity Law for the executives of companies that must comply with this regulation aim to:

  1. Require management bodies and officers to place cybersecurity at the center of their strategies and ensure that companies have the appropriate cybersecurity services to address risks.
  2. Ensure an optimal level of training and awareness among the executives of companies operating in critical sectors, but also among their employees.
  3. Hold executives responsible for companies’ cybersecurity breaches, with a view to preventing such breaches from occurring.

More articles in this series about Cybersecurity Law

This article is part of a series of articles about Cybersecurity Law

  1. How will the Cybersecurity Coordination and Governance Act affect businesses?
  2. Between €180,000 and €2 million. This will be the cost of the Cybersecurity Law for companies
  3. 8 obligations of the Cybersecurity Law for company executives