2018-09-08

Royal Decree-Law 12/2018 of 7 September on the security of network and information systems

The Spanish State issued Royal Decree-Law 12/2018 to transpose EU Directive 2016/1148, establishing a comprehensive legal framework for the security of network and information systems. The decree mandates essential service operators and digital service providers to implement risk management measures and notify significant security incidents to competent authorities. It defines the institutional structure for cybersecurity, including the roles of CSIRTs and the National Security Council, while ensuring coordination with existing national and European regulations.


Spain

Comision Nacional del Mercado de Valores


OFFICIAL STATE GAZETTE No. 218, Saturday, 8 September 2018, Sec. I, Page 87675

I. GENERAL PROVISIONS

THE HEAD OF STATE

12257 Royal Decree-Law 12/2018, of 7 September, on the security of network and information systems.

I

The evolution of information and communication technologies, especially with the development of the Internet, has made networks and information systems play a crucial role in our society today, with their reliability and security being essential for the normal development of economic and social activities. Therefore, incidents that, by affecting networks and information systems, alter these activities represent a serious threat: whether they are fortuitous or come from deliberate actions, they can generate financial losses, undermine public confidence and, ultimately, cause serious damage to the economy and society, with the possibility, in the worst case, of affecting national security itself.

The cross-cutting and interconnected nature of information and communication technologies, which also characterizes their threats and risks, limits the effectiveness of the measures used to counteract them when these are taken in isolation. This cross-cutting nature also means that there is a risk of losing effectiveness if information security requirements are defined independently for each of the affected sectoral areas. Therefore, it is appropriate to establish mechanisms that, from an integral perspective, improve protection against threats affecting networks and information systems, facilitating the coordination of actions carried out in this matter both at the national level and with neighbouring countries, in particular within the European Union.
II

With this purpose, this royal decree-law is issued, transposing into the Spanish legal order Directive (EU) 2016/1148 of the European Parliament and of the Council, of 6 July 2016, on measures for ensuring a high common level of network and information system security in the Union. The royal decree-law also builds on the existing rules, incident response instruments and state coordination bodies in this matter, which, together with the reasons stated in section I, justifies its content going beyond that of the Directive itself.

The royal decree-law will apply to entities that provide essential services for the community and depend on networks and information systems for the development of their activity. Its scope of application extends to sectors not expressly included in the Directive, to give this royal decree-law a global approach, although their specific legislation is preserved. Additionally, in the case of network operation activities and the provision of electronic communications services and associated resources, as well as trust services, all expressly excluded from said Directive, the royal decree-law will apply only with respect to critical operators.

The royal decree-law will also apply to providers of certain digital services. Directive (EU) 2016/1148 of the European Parliament and of the Council, of 6 July 2016, subjects them to a maximum harmonization regime, equivalent to a regulation, since their regulation at the national level is considered ineffective due to their intrinsically transnational nature. The function of national authorities is therefore limited to supervising its application by providers established in their country and coordinating with the corresponding authorities of other European Union countries.
Following the aforementioned Directive, the royal decree-law identifies the sectors in which it is necessary to guarantee the protection of networks and information systems, and establishes procedures to identify the essential services offered in those sectors, as well as the main operators providing them, who are, ultimately, the addressees of this royal decree-law.

Essential service operators and digital service providers must adopt adequate measures to manage the risks posed to the security of the networks and information systems they use, even if their management is outsourced. The security obligations they assume must be proportionate to the level of risk they face and based on a prior assessment of that risk. The regulations implementing this royal decree-law may specify the security obligations applicable to essential service operators, including, where appropriate, inspections to be carried out or participation in crisis management activities and exercises.

The royal decree-law also requires essential service operators and digital service providers to notify incidents they suffer in the networks and information systems they use for the provision of essential and digital services, and which have significant disruptive effects on them, while also providing for the notification of events or incidents that may affect essential services but have not yet had a real adverse effect on them, and outlines the notification procedures. Incident notification is part of the risk management culture that the Directive and the royal decree-law promote. Therefore, the royal decree-law protects the notifying entity and the personnel reporting on incidents that have occurred; it reserves confidential information from disclosure to the public or to authorities other than the one notified, and allows for the notification of incidents even when their communication is not mandatory.
The royal decree-law emphasizes the need to take into account European and international standards, as well as recommendations emanating from the Cooperation Group and the CSIRT (Computer Security Incident Response Team) network established in the Community framework by the Directive, with a view to applying the best practices learned in these forums and contributing to the boost of the internal market and the participation of our companies in it.

In order to increase its effectiveness and, at the same time, reduce the administrative and economic burdens that these obligations impose on the affected entities, this royal decree-law seeks to guarantee its coherence with the obligations derived from the application of other regulations on information security, both horizontal and sectoral, and coordination in their application with the authorities responsible in each case.

Regarding horizontal regulations, the links established with Law 8/2011, of 28 April, establishing measures for the protection of critical infrastructures, and with Law 36/2015, of 28 September, on National Security, stand out, as well as those with Royal Decree 3/2010, of 8 January, regulating the National Security Scheme in the field of Electronic Administration, as the special regulation on the security of information systems in the public sector. Thus, the scope of application of this royal decree-law is brought closer to that of Law 8/2011, of 28 April, adding to the sectors foreseen by Directive (EU) 2016/1148 of the European Parliament and of the Council, of 6 July 2016, the additional strategic sectors contemplated in that law; it relies on that law to define the concept of "essential service", and attributes to its collegiate bodies the determination of the essential services and essential service operators subject to this royal decree-law.
Taking into account Law 36/2015, of 28 September, the National Security Council is attributed the function of acting as the point of contact with other European Union countries and a coordinating role in cybersecurity policy through the National Cybersecurity Strategy.

III

The National Cybersecurity Strategy, which Spain has had since 2013, sets the priorities, objectives and appropriate measures to achieve and maintain a high level of security of networks and information systems. This Strategy will continue to develop the institutional framework for cybersecurity that this royal decree-law outlines, composed of competent public authorities and reference CSIRTs, on the one hand, and public-private cooperation, on the other.

Competent authorities will exercise the supervisory functions derived from this royal decree-law and apply the sanctioning regime when appropriate. Likewise, they will promote the development of the obligations imposed by the royal decree-law, in consultation with the sector and with the authorities holding competencies by reason of the subject matter when specific sectors are concerned, to avoid duplicated, unnecessary or excessively burdensome obligations.

CSIRTs are the incident response teams that analyze risks and monitor incidents at the national level, disseminate alerts about them and provide solutions to mitigate their effects. The term CSIRT is commonly used in Europe instead of the protected term CERT (Computer Emergency Response Team), registered in the USA. The royal decree-law delimits the functional scope of operation of the reference CSIRTs provided for in it. These CSIRTs are the entry point for incident notifications, which will allow a rapid response to be organized, but the recipient of the notifications is the respective competent authority, which will take this information into account for the supervision of operators.
In any case, the operator is responsible for resolving incidents and restoring the affected networks and information systems to their ordinary functioning. The use of a common platform for incident notification is foreseen, so that operators do not have to make several notifications depending on the authority they must address. This platform may also be used for the notification of personal data breaches under Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC.

IV

This royal decree-law consists of seven titles, which contain, first, the definitions of the terms used throughout the text, the safeguarding of essential State functions, such as national security, and other general provisions. Next, in Title II, the form and criteria for identifying the essential services and the operators providing them to which the royal decree-law will apply are determined. The order in which they will be identified for the first time is established in the First Additional Provision of the royal decree-law. Title III sets out the strategic and institutional framework for network and information system security described above. A specific provision is dedicated to cooperation between public authorities, as a pillar for the adequate exercise of the different concurrent competencies on the matter. Title IV deals with the security obligations of operators, and foresees the preferential application of sectoral rules that impose obligations equivalent to those provided for in this royal decree-law, without prejudice to the coordination exercised by the National Security Council and the duty of cooperation with competent authorities by virtue of this royal decree-law.
Title V, the most extensive, regulates the notification of incidents and pays attention to incidents with cross-border impact and to information and coordination with other European Union States for their management. Title VI provides for the inspection and control powers of competent authorities and cooperation with authorities of other Member States, and Title VII typifies the offenses and sanctions under this royal decree-law. In this regard, the royal decree-law opts to promote the remediation of the offense rather than its punishment, which, where it must be imposed, will be effective, proportionate and dissuasive, in line with Directive (EU) 2016/1148 of the European Parliament and of the Council, of 6 July 2016. The royal decree-law closes with a final part that includes the additional and final provisions necessary to complete the regulation.

This provision has been submitted to the information procedure on technical regulations and rules relating to information society services, provided for in Directive (EU) 2015/1535 of the European Parliament and of the Council, of 9 September 2015, establishing a procedure for the provision of information in the field of technical regulations and of rules on information society services, as well as in Royal Decree 1337/1999, of 31 July, regulating the transmission of information on technical standards and regulations relating to information society services. Likewise, it conforms to the principles of good regulation established in Article 129 of Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations, according to which Public Administrations must act in the exercise of legislative initiative in accordance with the principles of necessity, effectiveness, proportionality, legal certainty, transparency and efficiency.
This royal decree-law is issued by virtue of the exclusive competencies attributed to the State in matters of the general telecommunications regime and public security by Article 149.1, rules 21 and 29, of the Constitution.

The royal decree-law constitutes a constitutionally lawful instrument, provided that the purpose justifying urgent legislation is, as our Constitutional Court has repeatedly required (Rulings 6/1983, of 4 February, F. 5; 11/2002, of 17 January, F. 4; 137/2003, of 3 July, F. 3; and 189/2005, of 7 July, F. 3), to address a concrete situation, within governmental objectives, which for reasons difficult to foresee requires immediate normative action in a shorter timeframe than that required by the ordinary route or by the urgent procedure for the parliamentary processing of laws. On the other hand, the use of the royal decree-law in this case is also justified by the doctrine of the Constitutional Court, which, in its Ruling 1/2012, of 13 January, has endorsed the concurrence of the enabling requirement of extraordinary and urgent need under Article 86.1 of the Constitution when there is a delay in the transposition of directives. In fact, the deadline for transposition of the aforementioned Directive (EU) 2016/1148 of the European Parliament and of the Council, of 6 July 2016, expired on 9 May 2018. The expiry of the transposition deadline for this Directive has led the European Commission to initiate formal infringement procedure No. 2018/168. Consequently, it is understood that, in the whole and in each of the measures adopted by means of this royal decree-law, the circumstances of extraordinary and urgent need required by Article 86 of the Constitution as enabling prerequisites for the approval of a royal decree-law concur, by their nature and purpose.
In virtue thereof, making use of the authorization contained in Article 86 of the Spanish Constitution, on the proposal of the Vice President of the Government and Minister of the Presidency, Relations with the Courts and Equality, of the Minister of the Interior and of the Minister of Economy and Enterprise, and after deliberation of the Council of Ministers at its meeting of 7 September 2018,

I HEREBY ORDER:

TITLE I

General Provisions

Article 1. Object.

  1. This royal decree-law aims to regulate the security of networks and information systems used for the provision of essential services and digital services, and to establish an incident notification system.
  2. Likewise, it establishes an institutional framework for the application of this royal decree-law and for coordination between competent authorities and with the relevant cooperation bodies in the Community framework.

Article 2. Scope of application.

  1. This royal decree-law will apply to the provision of:
    a) Essential services dependent on networks and information systems included in the strategic sectors defined in the annex of Law 8/2011, of 28 April, establishing measures for the protection of critical infrastructures.
    b) Digital services, considered as determined in Article 3 e), which are online marketplaces, online search engines and cloud computing services.
  2. The following will be subject to this royal decree-law:
    a) Essential service operators established in Spain. An essential service operator will be understood to be established in Spain when its residence or registered office is located in Spanish territory, provided that these coincide with the place where the administrative management and direction of its business or activities are effectively centralized. Likewise, this royal decree-law will apply to essential services that operators resident or domiciled in another State offer through a permanent establishment located in Spain.
    b) Digital service providers that have their registered office in Spain and constitute their main establishment in the European Union, as well as those that, not being established in the European Union, appoint in Spain their representative in the Union for compliance with Directive (EU) 2016/1148 of the European Parliament and of the Council, of 6 July 2016, on measures for ensuring a high common level of network and information system security in the Union.
  3. This royal decree-law will not apply to:
    a) Network and electronic communications service operators and trust service providers that are not designated as critical operators by virtue of Law 8/2011, of 28 April.
    b) Digital service providers that are micro-enterprises or small enterprises, according to the definitions contained in Commission Recommendation 2003/361/EC, of 6 May 2003, concerning the definition of micro, small and medium-sized enterprises.

Article 3. Definitions.

For the purposes of this royal decree-law, the following definitions shall apply:
    a) Networks and information systems: any of the following elements:
      1st. Electronic communications networks, as defined in number 31 of Annex II of Law 9/2014, of 9 May, General Telecommunications Law;
      2nd. Any device or group of interconnected or related devices, one or more of which perform, by means of a program, the automatic processing of digital data;
      3rd. Digital data stored, processed, retrieved or transmitted by means of the elements contemplated in numbers 1st and 2nd above, including those necessary for the operation, use, protection and maintenance of said elements.
    b) Security of networks and information systems: the ability of networks and information systems to resist, with a certain level of reliability, any action that compromises the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data, or of the corresponding services offered by such networks and information systems or accessible through them.
    c) Essential service: a service necessary for the maintenance of basic social functions, health, safety, social and economic well-being of citizens, or the effective functioning of State Institutions and Public Administrations, which depends for its provision on networks and information systems.
    d) Essential service operator: a public or private entity, identified considering the factors established in Article 6 of this royal decree-law, which provides said services in any of the strategic sectors defined in the annex of Law 8/2011, of 28 April.
    e) Digital service: an information society service in the sense of letter a) of the annex of Law 34/2002, of 11 July, on information society services and electronic commerce.
    f) Digital service provider: a legal person providing a digital service.
    g) Risk: any reasonably identifiable circumstance or fact that may have an adverse effect on the security of networks and information systems. It can be quantified as the probability that a threat materializes and produces an impact in terms of operability, the physical integrity of persons, or material or reputational damage.
    h) Incident: an unexpected or unwanted event with consequences detrimental to the security of networks and information systems.
    i) Incident management: the procedures followed to detect, analyze and limit an incident and respond to it.
    j) Representative: a natural or legal person established in the European Union who has been expressly designated to act on behalf of a digital service provider not established in the European Union, and whom a competent national authority or a CSIRT may address, in place of the digital service provider, regarding the obligations that the digital service provider has by virtue of this royal decree-law.
    k) Technical standard: a standard in the sense of Article 2.1 of Regulation (EU) No 1025/2012 of the European Parliament and of the Council, of 25 October 2012, on European standardization.
    l) Specification: a technical specification in the sense of Article 2.4 of Regulation (EU) No 1025/2012 of the European Parliament and of the Council, of 25 October 2012.
    m) Internet Exchange Point ("IXP"): a network facility that allows the interconnection of more than two autonomous systems.