Spain (ES)

Current status:
The spanish National Cyber Security Strategy has been adopted in 2013.

The spanish strategy is divided into six specific objectives:

OB 1    for the Public Authorities, to ensure that the Information and Telecommunications Systems used by them have the appropriate level of security and resilience
OB 2    for companies and critical infrastructures, to foster the security and resilience of the networks and information systems used by the business sector in general and by operators of critical infrastructures in particular
OB 3    in the judicial and police field operations, to enhance prevention, detection, response, investigation and coordination capabilities vis-à-vis terrorist activities and crime in cyberspace
OB 4    in the field of sensitisation, to raise the awareness of citizens, professionals, companies and Spanish Public Authorities about the risks derived from cyberspace
OB 5    in capacity building, to gain and maintain the knowledge, skills, experience and technological capabilities Spain needs to underpin all the cyber security objectives
OB 6    with respect to inter-national collaboration, to contribute to improving cyber security, supporting the development of a coordinated cyber security policy in the  European Union and in international organisations, and to collabo-rate in the capacity building of States that so require through the development cooperation policy.

National Cyber Security Strategy

Year of adoption The national Cyber Security Strategy was adopted in 2013.
Updates and revisions In October 2014, the National Cyber Security Council adopted the National Cyber Security Plan, after identifying the challenges faced by Spain, by defining the action guidelines for the next two years to achieve optimal implementation of the objectives outlined in the ENCS.
Legal conditions

All relevant Spanish legislation (even if references to European regulations have been also included where necessary) related to information security and cybersecurity in general have been included in a single document by ICNIBE and the Official State Gazette. The document is available here.

Implementation and monitoring

Under the direction of the Prime Minister, the Spanish national cyber security strategy is implemented by three bodies:

  • the National Security Council as the Government Delegated Commission for National Security
  • the Specialised Cyber Security Committee, which will support the National Security Council by assisting the direction and coordination of the National Security Policy in cyber security matters and by fostering coordination, cooperation and collaboration among Public Authorities and between them and the private sector
  • the Specialised Situation Committee which, with the support of the Situation Centre of the National Security Department, will manage cyber security crisis situations which, on account of their cross-cutting nature or extent, exceed the response capabilities of the usual mechanisms.

Operational capacities

 

Risk assessment plan There is no legislation or policy in place in Spain that requires the establishment of a written risk assessment plan.
Progress measures

Royal Decree 3/2010, which regulates e-government within the National Security Framework, requires information security system to be audited at least once every two years, and contains the provision for additional auditing in times of emergency.

 

Current status: NIS Directive and national CERTs/CSIRTs

Computer security incident response teams

CERTSI is the national accredited CSIRT

CSIRT-CV is the security centre of the Valencian community

CESICAT-CERT is the computer emergency response team of Catalonia

CCN-CERT is the national alert and reporting system for Public administration, company and organization of strategic interest (those essential for Spanish security and economy)

AndaluciaCERT is the computer emergency response team for Public administration and governments in Andalucia

CSUC-CSIRT is one of the computer emergency responce team for the Academia and Research sector

EsCERT  is the second computer emergency response team for the Academia and Research sector

RedIRIS is the third computer emergency response team for the Academia and Research sector

Best practices:

In January 2016, ICC Spain in collaboration with the Spain Chamber of Commerce hosted a seminar in Madrid to present a Spanish version of the ICC Cyber security guide for business.The Spanish version of the guide launched at the seminar in Madrid today is the result of the collaboration between ICC Spain, ICC Mexico and ICC Chile with the support of Telefonica.

In February 2016, Huawei Spain and INCIBE signed a Memorandum of Understanding (MoU), which included a commitment from both organizations to promote best practices and information exchanges concerning cyber security protection.

Spain has also established the Centre for Industrial Cybersecurity (CCI) which promotes security best practices in the industrial sector.

Monitoring system

The National Centre for Critical Infrastructure Protection (CNPIC) monitors the national critical infrastructure protection system, which includes owners, operators and users of Spanish critical infrastructure. As a result, CNPIC facilitates cooperation between the public and private sectors through initiatives like sectoral working groups.

Report an incident

The national accredited CSIRT is in charge o coordinating response measures across Spanish networks:

The Incident Response service is aimed at:

  • Citizens and businesses: through the OSI (www.osi.es and telephone 901 111 121) and the e-mail incidencias@certsi.es
  • Staff from academic and research network (Red IRIS): through the e-mail Mailbox of RedIris iris@certsi.es
  • Strategic and Critical Infrastructure Operators: through the e-mail inbox PIC CERTSI pic@certsi.es
Languages Spanish/English
Date of last WISER analysis September 2016

 

Contact us for more info