Four keys to how the changes in the National Security Scheme will affect companies
- Measures have been introduced to facilitate a better response to cybersecurity trends, reduce vulnerabilities and promote continuous surveillance in organizations.
Valencia July 14, 2021.- In relation to the publication of the draft of the Royal Decree that will update the current National Security Scheme (ENS), the managing partners of the Valencian cybersecurity company S2 Grupo, Miguel A. Juan and José Rosell, have analyzed what impact these changes will have on Spanish companies.
Due to the rise in incidents in public and private sector organizations in recent months, a "Cybersecurity Shock Plan" has been approved by the Spanish Government.
This initiative was approved on May 25 by the Council of Ministers and consists mainly of a package of urgent actions in the field of cybersecurity. These include the urgent processing and approval of a Royal Decree to replace Royal Decree 3/2010, of January 8, which regulates the ENS in the field of Electronic Administration.
As a result of this urgency, last Tuesday, June 15, the draft of the Royal Decree regulating the ENS was published with the usual consultation deadlines shortened, because the previous decree has become obsolete and needs to be aligned with the 2019 National Cybersecurity Strategy.
1. What changes are they going to make and what is their main purpose?
S2 Grupo experts have highlighted that the update of the ENS addresses three major issues. First, to align it with the current legislative framework and the 2019 National Cybersecurity Strategy, in order to facilitate security in the Digital Administration. Second, to introduce the ability to adjust the ENS requirements to the reality of certain groups or types of systems. And finally, to facilitate a better response to cybersecurity trends, reduce vulnerabilities and promote continuous surveillance.
These three main lines introduce important changes and novelties, the following being particularly significant:
- The scope of the ENS is defined more clearly. This update brings in the systems that handle or process classified information, and reinforces the obligation of private sector entities, and their supply chain, to comply with the ENS when they provide services or solutions to public sector entities.
- An update of the basic principles, most notably the inclusion of the principle of "continuous surveillance": detecting anomalous activities so that they can be responded to in a timely manner, and permanently reviewing the security status of the systems to detect vulnerabilities and identify configuration defects.
- Making compliance with the ENS more effective and efficient, especially for smaller organizations and those with fewer resources. To this end, the concept of a "specific compliance profile" is introduced: a set of minimum requirements, published by the National Cryptologic Center, that the organizations of a given group may apply in order to comply with the ENS. These profiles will be defined for groups of entities whose information systems are exposed to similar risks (for example, local entities).
- An update of the security measures in Annex II, now structured as a general requirement plus possible reinforcements. Some changes raise the requirements of existing security measures, others simplify the implementation of requirements that were too demanding, and new measures have been added to protect organizations against new threats.
“The appearance of this Royal Decree, although it was motivated by the approval of the Cybersecurity Shock Plan, was very necessary. Its last update was in 2015 and since then the degree of evolution in the digital transformation of organizations in both the public and private sectors and the increase in cyber-attacks, added to the situation caused by the pandemic and the new risks introduced by the increase in teleworking, have meant that many of its guidelines are not sufficient to guarantee an adequate level of protection”, asserted José Rosell, managing partner of S2 Grupo.
“This update of the ENS aims to be more flexible, adapting in a more reasonable way to the context of all organizations, but without prejudice to the protection sought and required. In our opinion, these changes can be very beneficial for the national ecosystem, since they can encourage a greater degree of adoption of the ENS, which will mean a general improvement in the level of cybersecurity of the Spanish Public Administration and, of course, of a large number of companies in the private sector, either because they provide services directly to public bodies or because they belong to their supply chain”, declared Miguel A. Juan, managing partner of S2 Grupo.
2. How will the changes introduced in the June Royal Decree affect companies?
José Rosell has stated that the publication of this new Royal Decree updating the ENS will have an impact both on public bodies, for which it is mandatory legislation, and on private sector organizations that provide services to public sector entities, since they must guarantee the same level of security.
"This update will lead to an improvement in the cybersecurity level of organizations, since it introduces measures aimed at facilitating a better response to cybersecurity trends, reducing vulnerabilities and promoting continuous surveillance," continued Rosell. He also added that organizations within the scope of application that were already adapted to RD 3/2010 will have a period of two years from the date of publication to adapt to the new Royal Decree, while the rest will have to comply with it from its entry into force.
3. What recommendations do companies or organizations need to consider?
Miguel A. Juan explained that a transition period of two years is planned for adapting to the requirements of the new ENS. However, organizations are advised to start analyzing the implications and changes that this Royal Decree entails as soon as it comes into force. "The best way is to carry out Adaptation Plans whose main objectives are to evaluate the current degree of compliance, taking into account the updating of security measures and the definition of initiatives and projects aimed at overcoming those breaches detected and, at the same time, improving the level of maturity in the organization's security management”, emphasized the managing partner of S2 Grupo.
4. What still needs to be addressed in this matter?
S2 Grupo has emphasized that once the new Royal Decree, which is being processed urgently, is finally published, the organizations that must comply with it will begin their adaptation work. The changes introduced are based on solid criteria and take into account the opinion gathered from the organizations within its scope of application and from other interested parties (consultants, auditors, regulatory bodies, etc.) since the appearance of RD 3/2010 a little over ten years ago. However, some time will have to pass before it can be assessed whether the objectives pursued with this update of the ENS are truly met, and whether the national level of cybersecurity and the number of organizations certifying their compliance with the ENS increase significantly.