Prospects for cybersecurity in Spain after the implementation of the NIS2 directive

Cyberthreats currently represent a significant danger to global security, aggravated by the growing sophistication of the techniques employed and an increasingly interconnected infrastructure. In response to this, at the end of 2022, the European Parliament approved the NIS2 Directive which, together with the DORA Regulation, aims to improve and ensure a common level of cybersecurity in the European Union, thus eliminating legislative differences between countries in the field of cybersecurity.

The recent legislation, which replaces the NIS Directive approved in 2016 -still in force until its incorporation next October in the legislative framework in Spain-, modernizes and extends the scope of application of cybersecurity regulations to new sectors and entities that provide essential services, improving resilience and the capacity to respond and recover from cyberattacks by public and private entities. Sectors subject to regulatory changes include healthcare, telecommunications, energy, digital infrastructure, banking and finance, among others.

Among the legal developments included in the regulation, Member States will be obliged to set up Computer Security Incident Response Teams (CSIRTs), as well as to designate a national competent authority, to which organizations will notify in the event of a significant cyber-attack. In addition, organizations will not only have to focus on their infrastructure but will also have to be aware of the cyber security of their service providers, as the value chain is increasingly being exploited by cyber attackers.

However, if there is one thing worth highlighting about the NIS2 directive, it is its wide-ranging implications for public administration, especially at the European level. Among these new requirements for a sector with a high degree of exposure to cyberattacks, the implementation of enhanced security measures to protect sensitive information stands out, which must be complemented with a periodic risk assessment to report on the state of cybersecurity to the authorities designated by each State. It also establishes the obligation to manage cybersecurity throughout the lifecycle of networks and information systems, considering the Internet of Things (IoT) as part of the scope, understood as the process of digitization of all types of common devices.

The entry into force of NIS2 represents a unique opportunity to boost the protection of thousands of organizations in the face of the growing panorama of cyberthreats, in which during the last six months of 2023 there was a 12% increase in ransomware attacks compared to the previous six months, as reflected in the latest edition of the Thread Landscape Report, prepared by S21sec. 

In short, cybersecurity is no longer an option for organizations, but rather an obligation subject to a legal framework that, in the event of non-compliance by the organization, can lead to the cessation of its activity.

Joseba Enjuto, Head of Strategic Advisory S21sec