Spain, first EU country to develop National Cyber-security Incident Notification and Management Guide

2019.1.23


The Spanish National Cyber-security Incident Notification and Management Guidelines are a technical document that creates a benchmark in terms of notifying and managing cyber-security incidents within Spanish territory. It provides information security managers with guidelines on reporting cyber-security incidents at public authorities, critical infrastructures and strategic operators under their control, as well as all other entities governed by Spanish Royal Decree-Law 12/2018 on network and information system security.

The Guide, which consists of eight chapters and four annexes, establishes a detailed notification model based on a series of impact criteria contained in the document and classifies incidents into five levels of danger: critical, very high, high, average and low. One of the main advances made through this system is its "one-stop point of contact" for the notification of these incidents, which seeks to increase efficiency in the processing of information and to streamline results.

The most innovative aspect of the Guide is the presentation of a single incident classification system, which was based on an exercise in technical specification, public-private collaboration and coordination between multiple stakeholders. The document lists 38 types of potential incidents in 10 different categories. These are accompanied by a series of descriptions and practical examples aimed at steering communication and supporting the analysis, containment and eradication of the cyber-security incident.

On top of this common framework, the Guide provides for other special cases arising from legal rules that may require increased effort from organisations within their scope of application. This is the case for operators designated as "critical" under Spanish Law 8/2011 (PIC), to which a series of additional specifications apply, including compulsory communications, the minimum information to be relayed and a reporting deadline.

The Guide integrates all the common aspects technically required by the national CSIRTs as well as specific requirements of the National Critical Infrastructure Protection System.

Furthermore, it is the essential cornerstone underpinning the national implementation through transposition of the NIS Directive (Royal Decree-Law 12/2018) on the obligation for essential service operators to report cyber-security incidents.

Significant coordination effort

The guidelines were approved on 9 January by the National Cyber-security Council, which is chaired by the State Secretary-Director of the National Intelligence Council, Félix Sanz Roldán, and made up of representatives from various ministerial departments, including the Ministry of Home Affairs. This body is provided for under Spanish Law 36/2015, of 28 September, and supports the National Security Council on cyber-security issues within the framework of the National Security System.

Drawing up a document of this nature requires significant coordination, given the complex relationships surrounding a cyber-security incident, its origins and its consequences. As a result, its development is considered a demonstration of national advances in cyber-security and highlights the unifying role played by the Ministry of Home Affairs as the department that coordinated these efforts.

Preparation of a comprehensive document on the reporting and management of cyber-security incidents began in 2017 within the framework of the Cyber-security Coordination Council set up by the National Cyber-security and Infrastructure Protection Centre (Spanish acronym: CNPIC), managed by the State Secretariat of Security, in partnership with the essential service operators forming part of the National Critical Infrastructure Protection System, which currently consists of more than 170 companies and bodies.

Given the importance of progressing with this work, in 2018 the National Cyber-security Council commissioned the National Cyber-security Institute (Spanish acronym: INCIBE) to prepare a document under the coordination of the CNPIC and with assistance from the National Cryptology Centre (Spanish acronym: CCN), the National Cyber-security Institute (INCIBE) and the Joint Cyber-defence Command. All these centres are national-level reference incident response bodies and were asked to produce a comprehensive document capable of addressing the various existing circumstances, building on the content initially developed for the protection of critical infrastructures.

The Guide was prepared by a working group made up of the public authorities mentioned above, supported by information security experts and managers from Spain's main essential service operators. Its relevance stems from the need to adapt to the requirements of the recently approved Spanish Royal Decree-Law 12/2018, on network and information system security, which transposes the so-called NIS Directive (Directive 2016/1148 of the European Parliament and of the Council, concerning measures for a high common level of security of network and information systems across the Union) into Spanish law.

Unofficial translation