S2 Grupo warns companies that failure to comply with the new European cybersecurity regulations may have unmanageable consequences

The new European regulation highlights the great importance of the cybersecurity strategy for the EU and, for the first time, establishes sanctions for non-compliance that can have a devastating economic impact on companies
10 Feb 2021

Valencia, February 10, 2021.- On the occasion of the reinforcement of the regulatory framework in the field of cybersecurity by the European Union, the Valencian company S2 Grupo has stressed that this issue should be one of the core pillars for companies and that adapting to the regulations is key because, otherwise, the consequences of a sanction may be unaffordable for businesses.

Faced with the growing threat posed by cyber-attacks, the European Union has had to update the NIS directive to provide member states with a common framework focused on cybersecurity, in order to ensure the cyber-resilience of the processes that support essential services for society.

S2 Grupo has stressed that the new EU cybersecurity strategy is based on three fundamental aspects: resilience, technological sovereignty and leadership; the operational capacity to prevent, deter and respond; and cooperation to promote a global, secure and open cyberspace.

"This strategy means that the Member States will have to transpose it into their national legislation, foreseeably 18 months after its publication. This revision of the directive will provide controllers with greater supervision and execution tools, places special emphasis on the need to increase the cybersecurity of the supply chain, reinforces the importance of the top management of organizations to support and be responsible in compliance with cybersecurity measures, and improves the ability to exchange information between the different actors", explained José Rosell, managing partner of S2 Grupo.

"In addition, the new directive broadens its scope by adding new sectors based on their importance to the economy and society. And another important novelty is the new framework of sanctions it includes, since it indicates that the non-application of security measures can have negative consequences for the cyber-resilience of entities and, therefore, a minimum list of administrative sanctions for non-compliance with the reporting and cybersecurity risk management obligations that is common in all the Member States must be established", continued Miguel A. Juan, managing partner of S2 Grupo.

"Faced with this situation, it is essential that companies become aware of the importance of having a team of experts in the application of cybersecurity and compliance with cybersecurity regulations because, otherwise, the consequences can be really harsh for the continuity of business", added José Rosell.

"Precisely, foreseeing that this would happen is what in 2020 led us to a strategic alliance between S2 Grupo and the international law firm Andersen, to be able to offer companies a real solution that allows them to comply with all legislation that has a strong technological component in terms of cybersecurity. This prevents this decisive issue from being addressed in an uncoordinated manner", explained Miguel A. Juan.

New cybersecurity initiatives in the European Union

S2 Grupo has highlighted that, in the same vein as the update of the NIS directive, there are two other initiatives within the new EU strategy, namely the Commission's proposal for the Regulation for the digital operational resilience of the financial sector (Digital Operational Resilience Act, DORA) and the proposal for a Directive on the resilience of critical infrastructures (CIR).

DORA is the framework established by the European Commission to provide a common approach to cyber resilience in the financial sector. It applies to credit institutions, crypto-asset service providers, data supply providers, insurance and reinsurance companies, occupational pension funds, etc. In addition, essential third-party providers of ICT services must also be very aware of this regulation, as they too will be subject to its rules and supervision within the EU framework.

This regulation addresses aspects such as security governance, risk management, incident notification, resilience testing, third-party risks and information exchange.

Along with this, S2 Grupo has emphasized that in Spain the transposition of the NIS Directive was carried out through Royal Decree-Law 12/2018, and that the Royal Decree implementing it has just been published in the Official State Gazette. This Royal Decree establishes the obligation to define a cybersecurity strategy that sets out a regulatory framework, supported by the National Security Scheme, which provides legal certainty for the cybersecurity structure of organizations and the technological solutions that are deployed. In addition, it regulates and establishes the role and responsibility of the CISO.

For all these reasons, S2 Grupo experts have emphasized that the great strategic importance of cybersecurity at the European level is now more than evident and, therefore, adaptation to the new regulatory framework has to become one of the backbones of companies.