COMMITMENT TO PUBLIC CYBERSECURITY: THE NATIONAL SECURITY FRAMEWORK
- The origins of public cybersecurity: the ENS of 2010
In 2010, as an unprecedented milestone in our legal system, the Spanish Official State Bulletin published the Royal Decree 3/2010, of 8 January, which regulated the National Security Framework in the field of Electronic Administration (‘Esquema Nacional de Seguridad’, hereinafter ENS), whose purpose was to determine the security policy in the use of electronic media, formulating the basic principles and minimum requirements that should guarantee the security of the information processed and the services provided by the entities of the Public Administrations.
That first ENS, whose scope of application, as mentioned above, included all Public Administration entities, sought to establish confidence that information systems provide their services properly and safeguard information without interruptions or uncontrolled modifications, and without the information reaching unauthorised persons. To that end it established measures to guarantee the security of systems, data, communications and electronic services, so as to facilitate citizens and the Public Administrations themselves in exercising their rights and fulfilling their obligations through electronic means.
Since 2010 there have been notable changes in Spain and the European Union, including the progressive digital transformation of our society and the reality that information systems are increasingly exposed to the materialisation of threats, with a notable increase in cyber-attacks in volume, frequency and sophistication, carried out by agents and actors with greater technical and operational capabilities. These threats occur in a context of high dependence on information and communication technologies in our society and a high interconnection of information systems. All this significantly affects an increasing number of public and private entities, their supply chains and citizens, and therefore national cybersecurity, compromising the normal social and economic development of the country and the exercise of citizens’ rights and freedoms, as recognised in the latest National Cybersecurity Strategy of 2019.
Moreover, as previously noted, since 2010 both the European and Spanish regulatory frameworks have been modified in the areas of national security, administrative procedure, the legal regime of the public sector, personal data protection and the security of network and information systems, and the strategic framework for cybersecurity has evolved.
- Cybersecurity in the National Security System
Law 36/2015, of 28 September, on National Security, considers cybersecurity to be an area of special interest for National Security, as stated in article 10, requiring specific attention as it is essential for preserving the rights and freedoms and well-being of citizens and for guaranteeing the provision of essential services and resources. In accordance with the provisions of its article 4.3, the Royal Decree 1008/2017, of 1 December, approving the National Security Strategy of 2017 and, subsequently, the Royal Decree 1150/2021, of 28 December, approving the National Security Strategy of 2021, were enacted, both of which identify cyberspace as a common global space. The Strategy of 2021 describes cyberspace as a connected space characterised by its functional openness, lack of physical borders and easy accessibility, adding that in global common spaces it is difficult to attribute any irregular or criminal action, given their extension, weak regulation and the absence of sovereignty.
- Cybersecurity in the Public Sector Framework
Law 40/2015, of 1 October, on the Legal Regime of the Public Sector, extended the scope of application of that first ENS of 2010 to the entire public sector. Its article 3, which regulates the general principles, establishes the need for Public Administrations to establish relations between themselves and with their bodies, public bodies and related or dependent entities through electronic means which guarantee the interoperability and security of the systems and solutions adopted by each of them and the protection of personal data, and which facilitate the provision of services to interested parties preferably by such means; its Article 156 points to the ENS as a fundamental instrument for the achievement of these objectives.
Likewise, Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations, among the rights of individuals in their relations with public administrations provided for in Article 13, includes the right to the protection of personal data and, in particular, the right to the security of the data contained in the files, systems and applications of public administrations.
As a development of the aforementioned administrative legislation, the Royal Decree 203/2021, of 30 March, approving the Regulation on action and operation of the public sector by electronic means, specifies in different provisions the obligation to comply with the security measures set out in the ENS, such as those referring to the electronic exchange of data in closed communication environments, the agreed password systems and other systems for identification of the persons concerned, the single electronic file or internet portals, among others.
Coinciding in time with the approval of the three aforementioned laws, the Royal Decree 951/2015, of 23 October, amending Royal Decree 3/2010, of 8 January, regulating the National Security Framework in the field of e-Government, updated the ENS in light of the experience and knowledge in its implementation, the current cybersecurity landscape, and the evolution of the legal framework, to adapt it to the provisions of Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (known as the “eIDAS Regulation”).
With regard to the ENS security measures in the processing of personal data, the Organic Law 3/2018, of 5 December, on the Protection of Personal Data and the guarantee of digital rights, ordered in its first additional provision that such security measures be implemented in the event of processing of personal data to prevent their loss, alteration or unauthorised access, adapting the criteria for determining the risk in the processing of data to the provisions of Article 32 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
On the other hand, its first additional provision also prescribes the implementation of the security measures of the ENS for both public and private sector entities that collaborate with them in the provision of public services that involve the processing of personal data. Finally, and in the same vein, the Organic Law 7/2021, of 26 May, on the protection of personal data processed for the purposes of prevention, detection, investigation and prosecution of criminal offences and the execution of criminal penalties, has established in its Article 37 the obligation to apply the ENS measures to the processing of personal data by the competent public authorities.
- National Cybersecurity Strategies
As established in the 2017 National Security Strategy, Spain needs to ensure a safe and responsible use of information and communication networks and systems by strengthening capacities to prevent, detect and respond to cyber-attacks by enhancing and adopting specific measures to contribute to the promotion of a safe and reliable cyberspace.
In this regard, on 12 April 2019, the National Security Council approved the National Cybersecurity Strategy of 2019, published by the Order PCI/487/2019, of 26 April, with the aim of setting the general guidelines in the field of cybersecurity in order to achieve the objectives set out in the National Security Strategy of 2017. One of the objectives of this National Cybersecurity Strategy of 2019 is to ensure the full implementation of the National Security Framework.
The figure below shows the most significant regulatory roadmap in the field of eGovernment, cybersecurity and related regulations in recent years.
- The National Security Framework of 2022
In today’s hyper-connected world, implementing security in cyberspace has become a strategic priority. However, the risk in cyberspace is too great for either the public sector or businesses to address alone, as both have a shared interest and responsibility to tackle the challenge together. As the role of technology in society increases, cybersecurity becomes an ever greater challenge.
At the same time as the scenario described above has been consolidating, the implementation of the ENS has been spreading, resulting in a greater accumulated experience of its implementation, as well as a better knowledge of the situation thanks to the successive editions of the National Report on the State of Security (‘Informe Nacional del Estado de la Seguridad’, INES), the body of CCN-STIC security guides and the services and tools provided by the information security incident response capacity, the CCN-CERT, of the National Cryptologic Centre (‘Centro Criptológico Nacional’, CCN).
In short, for all the above reasons it was necessary to update the ENS to meet three (3) main objectives:
- Aligning the ENS with the existing regulatory framework and strategic context to ensure security in e-government.
- Introducing the ability to adjust the requirements of the ENS, in order to guarantee its adaptability to the reality of certain groups or types of systems. Many entities or services are similar in terms of the risks to which their information systems and services are exposed, which makes it advisable to include in the ENS the concept of a “Specific Compliance Profile” which, approved and published by the National Cryptologic Centre, allows for a more effective and efficient adaptation of the ENS, rationalising the resources required without undermining the protection pursued and required.
- Facilitating a better response to cyber security trends, reducing vulnerabilities and promoting continuous vigilance by reviewing basic principles, minimum requirements and security measures.
The current ENS, implemented by the Royal Decree 311/2022, of 3 May, extends its scope of application to all public sector entities, to which are added the systems that process classified information, as set out in Chapter I thereof.
Furthermore, and as a particularly new element, the ENS requirements are also applicable to the information systems of private sector entities, when in accordance with the applicable regulations and by virtue of a contractual relationship they provide services to public sector entities for the exercise by the latter of their competences and administrative powers.
Indeed, considering that the digital transformation has led to an increase in the risks associated with the information systems that support public services and that the private sector is also immersed in the digital transformation of its business processes, both types of information systems are exposed to the same type of threats and risks. For this reason, private sector operators that provide services to public sector entities, due to the high degree of overlap between both of them, must guarantee the same level of security that is applied to systems and information in the public sector, in accordance with the special requirements established in the Organic Law 3/2018, of 5 December, on the Protection of Personal Data and guarantee of digital rights, as well as the Organic Law 7/2021, of 26 May, on the protection of personal data processed for the purposes of the prevention, detection, investigation and prosecution of criminal offences and the enforcement of criminal sanctions.
The figure below shows a summary of the set of measures included in the ENS:
The Royal Decree was approved in exercise of the powers provided for in Articles 149.1.18, 149.1.21 and 149.1.29 of the Spanish Constitution, which give the State exclusive competence over the bases of the legal system of public administrations, over telecommunications and over public security, respectively.
— Pablo López, Head of the Normative and Cybersecurity Services Area of the National Cryptologic Centre (CCN)
How to cite this post: López, P., ‘Commitment to Public Cybersecurity: the National Security Framework’, The Key of BAES, 28 February 2024, https://www.baeslegalcripto.eu/legalcripto/en/public-cybersecurity-the-national-security-framework/
This work is licensed under CC BY-NC-SA 4.0