This draft Royal Decree affects the provision of essential services and certain digital services in various areas, including the space industry, government, the chemical and nuclear industries, research facilities and the food industry.
It is intended to improve the security of information networks and systems used in the performance of essential services offered in the main sectors of economic and social activity, which are increasingly subject to incidents that are sometimes so serious that they have a significant impact on performance of the services and result in considerable harm to the affected users.
ROYAL DECREE XX/20XX IMPLEMENTING ROYAL DECREE-LAW 12/2018 OF 7 SEPTEMBER 2018 ON THE SECURITY OF INFORMATION NETWORKS AND SYSTEMS
Royal Decree-Law 12/2018 of 7 September 2018 on the security of information networks and systems transposes Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union, and in its third final provision, grants the government the power to implement the provisions of said Royal Decree-Law into the law.
In accordance with the above, this Royal Decree completes the designation of competent authorities for the security of information networks and systems, as per Royal Decree-Law 12/2018 of 7 September 2018, by specifying those corresponding to essential service operators that are not considered critical operators and that do not fall under Law 40/2015 of 1 October 2015 on the Public Sector Legal Framework, with attention to the strategic sectors indicated in Law 8/2011 of 28 April 2011 laying down measures for the protection of critical
Moreover, this Royal Decree implements the cases for cooperation and coordination between the reference CSIRTs, which occur over the National Cyber-incident Notification and Monitoring Platform. In particular, it implements the provisions of the Royal Decree-Law in situations affecting operators with an impact on national defence, as well as the actions indicated for particularly serious cases that require a higher level of coordination than that required in ordinary situations, as well as the action required when the activities of the reference CSIRT may affect a critical operator in some way.