Source: European Parliament
The Network and Information Security (NIS) 2 Directive[1] sets out measures for a high common level of cybersecurity across the Union, including by defining cybersecurity risk-management measures to be taken by essential and important entities in Europe’s critical sectors, such as public administration.
As the deadline for transposition of the directive passed on 17 October 2024, the Commission has opened infringement procedures[2] against 23 Member States, including Spain, that have failed to notify transposition measures. The Commission called on all Member States to swiftly and fully transpose the directive into their national legislation.
The protection of personal data in the EU is ensured by the General Data Protection Regulation (GDPR)[3], which also applies to national authorities.
When acting in their capacity as controllers or processors in the sense of the GDPR, national authorities must put in place technical and organisational measures to ensure a level of security appropriate to the risk posed to the personal data being processed.
Consequently, the ability to prevent, detect and address a data breach (including more complex breaches such as cyberattacks) in a timely manner should be seen as an essential element of these measures.
If a data breach occurs, the GDPR[4] provides for measures to address its impact, including an obligation on national authorities acting as controllers to notify the breach to the competent national data protection supervisory authority and, where the breach is likely to result in a high risk to their rights, to the data subjects[5].
Spain and the Spanish data protection authority[6] have the primary responsibility to monitor and enforce the application of the GDPR by Spanish national authorities.
- [1] Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive).
- [2] https://ec.europa.eu/commission/presscorner/detail/en/inf_24_5988
- [3] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119, 4.5.2016, p. 1-88.
- [4] Articles 33 and 34.
- [5] The European Data Protection Board (EDPB) has published Guidelines 9/2022 on the data breach notifications, https://www.edpb.europa.eu/system/files/2023-04/edpb_guidelines_202209_personal_data_breach_notification_v2.0_en.pdf
- [6] Agencia Española de Protección de Datos (AEPD).