The Spanish National Cyber Security Strategy was adopted in 2013.
The Spanish strategy is divided into six specific objectives:
OB 1 - for the Public Authorities, to ensure that the Information and Telecommunications Systems used by them have the appropriate level of security and resilience.
OB 2 - for companies and critical infrastructures, to foster the security and resilience of the networks and information systems used by the business sector in general and by operators of critical infrastructures in particular.
OB 3 - in the judicial and police field operations, to enhance prevention, detection, response, investigation and coordination capabilities vis-à-vis terrorist activities and crime in cyberspace.
OB 4 - in the field of sensitisation, to raise the awareness of citizens, professionals, companies and Spanish Public Authorities about the risks derived from cyberspace.
OB 5 - in capacity building, to gain and maintain the knowledge, skills, experience and technological capabilities Spain needs to underpin all its cyber security objectives.
OB 6 - with respect to international collaboration, to contribute to improving cyber security, supporting the development of a coordinated cyber security policy in the European Union and in international organisations, and to collaborate in the capacity building of States that so require through the development cooperation policy.
NATIONAL CYBERSECURITY STRATEGY - NIS Capacities
Year of adoption
2013. INCIBE, the Spanish National Cybersecurity Institute, has a mission to strengthen digital confidence, improve cyber security and resilience and contribute to the digital market so that the safe use of cyberspace is encouraged in Spain. Its activities are based on three fundamental pillars: service delivery, research, and coordination.
€24,3M has been invested in INCIBE and €161M in CNI (Centro Nacional de Inteligencia) to strengthen cyber security in Spain. (Sources: official budget for the former and several newspaper reports on the figure for the latter.)
|Updates and revisions||In October 2014, the National Cyber Security Council adopted the National Cyber Security Plan, after identifying the challenges facing Spain. The plan covers the action guidelines up to 2017 to achieve optimal implementation of the objectives outlined in the ENCS.|
|Implementation and monitoring||
Under the direction of the Prime Minister, the Spanish national cyber security strategy is implemented by three bodies:
The Spanish government's annual report on national security includes a chapter devoted to cyber security (chapter 3).
|Operational capacity building||
Spain has several national and regional computer emergency response teams (CERTs).
The National Centre for Critical Infrastructure Protection (CNPIC) acts as the national competent authority for network and information security in Spain (NIS).
CERTSI is the national accredited CSIRT for security and industry. This accredited CSIRT is in charge of coordinating response measures across Spanish networks (Spanish: https://www.certsi.es/; English: www.certsi.es/en).
CCN-CERT is the national alert and reporting system for public administrations, companies and organisations of strategic interest, such as those essential for Spanish security and the economy (Spanish: https://www.ccn-cert.cni.es/; English: www.ccn-cert.cni.es/en/).
CSUC-CSIRT is one of the computer emergency response teams for the University of Catalunya (Catalan: http://www.csuc.cat/; English: www.csuc.cat/en/communications/security/incident-response-team).
Participation in EMPACT projects in coordination with EUROPOL. Operative actions fostering collaboration with the private sector and awareness raising.
Participation in CyberEurope, the pan-European cyber exercise organised by ENISA.
Participation in CyberEx, international cybersecurity exercise in cooperation with the Organisation of American States.
Participation in the European Cyber Security Challenge, organised by the European Commission and ENISA, with INCIBE and 9 other members on the Organisation Committee. Spain ranked first in the competition.
All relevant Spanish legislation, including references to European regulations related to information security and cyber security, is contained in a single document put together by INCIBE and the Official State Gazette. The document is available here.
The classification of information and the handling of such information is covered by Law 9/1968; Law 11/2007 and Royal Decree 3/2010. Spain classifies information deemed a state secret according to a four-tier classification system. The classification levels are assigned according to the level of risk involved in disclosing the classified information.
There is no legislation or policy in place in Spain that requires a public report on cyber security capacity for the government.
However, the strategy states that enforced incident reporting is a line of action that the Spanish government will pursue.
Businesses and Public Private Partnerships
INCIBE provides dedicated services for businesses, such as:
INCIBE also provides a complete and detailed awareness fostering programme for a broad range of companies. It includes many materials developed for training purposes, as well as a detailed manual describing the steps needed to apply the plan to a particular company's case. Talks on different aspects of cybersecurity may also be scheduled to supplement the documentation.
Both AENOR and AEI Ciberseguridad provide a trust seal. The AENOR seal validates good practices for e-commerce companies, while the AEI Ciberseguridad seal is a certification framework to check that a company is compliant with security requirements. Any company holding this certificate has passed a test to prove that it has in place the necessary physical and logical measures to protect its assets against several threats that could be damaging. This certification scheme has an associated training programme.
The ISMS Forum is a company cluster established as a non-profit in 2007 to promote the development of information security in Spain and benefit the whole community involved in the sector. It is a specialised discussion forum for companies and public/private organisations to collaborate, share and get to know the latest innovations concerning information security. Upwards of 150 companies and 850 independent professionals are part of it. The Forum also provides training courses at affordable prices. Currently they offer two different courses: one on GDPR and another one on certified data protection.
|Overall assessment/best practices||
In January 2016, ICC Spain, in collaboration with the Spain Chamber of Commerce, hosted a seminar in Madrid to present a Spanish version of the ICC Cyber security guide for business. The Spanish version of the guide launched at the seminar in Madrid today is the result of the collaboration between ICC Spain, ICC Mexico and ICC Chile with the support of Telefonica.
In February 2016, Huawei Spain and INCIBE signed a Memorandum of Understanding (MoU), which included a commitment from both organizations to promote best practices and information exchanges concerning cyber security protection.
Spain has also established the Centre for Industrial Cybersecurity (CCI) which promotes security best practices in the industrial sector.
Compliance with the GDPR and NIS Directive: Report a cyber incident
Report a cyber incident to national CERT/CSIRT
|Guidance and Updates||
CERT.ES provides a wealth of information about the cyber threat landscape in both Spanish and English, spanning the latest updates (e.g. Hackers filter unreleased HBO content) and technical blog posts (e.g. PRP and HRS redundancy protocols). Its Early warning service is for users with advanced knowledge in computing, such as system administrators, who need practical information that makes it easier to prevent, protect against, and respond to a security incident as quickly as possible (most often in Spanish). It also provides alerts on vulnerabilities in the form of a database in Spanish to inform, warn and help professionals with the latest security vulnerabilities in technology systems. Other insights from CERT.ES include an impact map indicating the risk levels in Spain.
Some of the other regional CSIRTs/CERTs also provide updates, alerts and other information services.
|Date of last WISER analysis||July 2017|