The economic losses caused by cyber-attacks amounted to 0.8% of world GDP, or some 74.15 trillion euros in 2018. This figure, included in Google's Current Outlook on Cyber Security in Spain, has continued to rise in 2019 and its growth forecast is even worse for 2020.

For this reason, it is logical that governments around the world are delving into different legislation that favors an increase in cyber security. Not surprisingly, an attack on a company providing essential services to a country can put the entire nation in serious trouble for lack of basic supplies.

In this sense, the document that the Spanish Government has in its hands is the draft of the royal decree that precisely develops the royal decree 12/2018, of security of networks and information systems for the operators of essential services and their suppliers.

To clarify the current situation, Vicente Moret, of counsel in the cybersecurity area of Andersen Tax & Legal, has prepared a guide to clear up the main doubts about the new obligations that companies will have to deal with once the final text is approved.

What is the status of the draft with the new government? Is it possible that further amendments will be made?

Same situation as two months ago. It is pending approval by the Council of Ministers and publication.

Will an Information Security Officer (ISO) be mandatory for all companies?

No. The ISM must be appointed by companies that have been designated as essential service operators, regardless of where their registered office is located. The key sectors are energy, health, ICT, nuclear industry, finance or transport, among others.

For digital service providers, this would include online markets, online search engines or cloud computing services.

What are their responsibilities?

They are many and varied. They include drawing up and proposing the organisation's network and system security policies including specific measures; developing procedures; carrying out periodic security audits; notifying incidents to the relevant authority; acting as a trainer of good practices; or interpreting and applying government guidelines. In addition, "it must do so while maintaining due independence from those responsible for information systems and holding a position in the organization that facilitates the development of these functions and real and effective communication with senior management, as established in the draft regulations," insists Andersen Tax & Legal's of counsel.

Are Spanish companies prepared for the new obligations?

Those with more capacity and volume and in certain sectors, such as finance or energy, probably are.

Are they complying with those already established in RD 12/2018?

Obliged companies have already begun to adapt to carry out due regulatory compliance, which also allows them to mitigate possible liabilities in the event of a serious incident.

What sanctions can companies face if they do not comply?

There is a comprehensive penalty regime, with essential service operators and digital service providers being liable. For very serious infringements, the fine will be 500,001 euros up to one million euros; serious infringements will be 100,001 euros up to 500,000 euros; and minor infringements will be punished with a warning or a fine of up to 100,000 euros.

You can see the article in Expansión.