Home / Blog / INCIBE and the Official State Gazette to release the first Spanish Code of Cybersecurity Law

INCIBE and the Official State Gazette to release the first Spanish Code of Cybersecurity Law

Posted on 08/18/2016, by Francisco Pérez Bes (INCIBE)
INCIBE and the Official State Gazette to release the first Spanish Code of Cybersecurity Law

Back in 2013, when the National Security and Cybersecurity strategies were released, we knew that meeting the Government's plan to develop a national cybersecurity policy for both the public and for business would be a challenge.

Notwithstanding the debate on the extent of how the technical aspects of cybersecurity would evolve, one of the recurrent discussions regarded the regulatory framework as well as the need to adjust it to technological evolution. This included the empowerment of legal actors, which is also one of the aspects specifically included in the 4th action line of the above mentioned National Cybersecurity Strategy.

However, it is true that significant legislative amendments have occurred over the past few months; in some cases, this has been done to update current legislation, adapting it to the new scenario imposed by cybersecurity and its needs, in others, to regulate certain issues for the first time. The latest amendment to the Spanish Criminal Code, which now includes cybercrime for the first time, is only one example. Another is the amendment to Law 34/2002 on Information Society Services and Electronic Commerce (LSSI, as per the Spanish acronym), for inclusion of a new additional regulation which for the first time regulates the competencies of the CERT within the framework of cybersecurity incident management. Another is the recent release of the so-called Cybersecurity Directive or NIS Directive, which regulates the obligations of the companies and the duties of the CERT to tackle the threat posed by cyber-attacks in a clear, coordinated manner. Mention can also be made of the new EU Regulation on Data Protection, listing obligations of those who process data which may trigger leakage of information in companies.

However, within the framework of this new scenario where new legal actors need to be trained in technical and regulatory aspects regarding cybersecurity, we found it necessary to have a compilation of all current legislation available, as this would help us to primarily know which regulations currently exist in this area. Taking that basis as a starting point we would be able, on the one hand, to assist the legislator in identifying eventual needs for updating or amending current laws and, on the other hand, to develop an integral, accurate and effective training programme addressing those professionals who wish to understand and get a more in-depth approach to this issue. And we are not only talking about lawyers, but also judges, public prosecutors, Civil Guards as well as any other cybersecurity professionals; they must all know which are the limits set by the law and which regulatory tools are available for fighting all kinds of cybercrime and cyberterrorism.

As a result of that point of view and commitment, all relevant Spanish legislation (even if references to European regulations have been also included where necessary) related to information security and cybersecurity in general have been included in a single document, to provide the whole sector with an easy, integral access to those regulations which may affect their activities and interests. Therefore, references —whether total or partial— to laws regulating the protection of critical infrastructure, data protection, telecommunication systems, crime law and cybercrime, etc., can be found therein.

The collection of electronic codes of the Official State Gazette is the appropriate place for distribution thereof; thanks to a cooperation partnership entered into by both entities, the Cybersecurity Law Code is now available to everyone, free of charge, and through a simple, universal access, through the section "electronic codes" of its website www.boe.es.

Direct access from here.

We hope that this initiative helps publicise cybersecurity among citizens, professionals and public and private entities, the aim being to increase knowledge of the issue across all areas (awareness, education, management...) and better train professionals who one way or another have to deal with cybersecurity within their organisations, as is usual nowadays.