Cybersecurity and RD 43/2021 – CISO Advisory Plan

IT security and RD 43/2021, how does it impact essential companies?

We help you reinforce and update your company in IT security matters with the CISO Advisor service. RD 43/2021 marked a turning point for essential service companies. We explain its cybersecurity obligations and how to address them.


What is Royal Decree 43/2021?

It is a Royal Decree approved on January 27, 2021, which develops Royal Decree-Law 12/2018, of September 7, on the security of networks and information systems.

This Royal Decree aims to put an end to the inadequate cybersecurity practices that many companies still exhibit today, such as obsolete operating systems, unlicensed software and a complete lack of access control and activity monitoring.

This, together with the exponential growth in cyberattacks over the last year, driven by the pandemic and the rise of teleworking, has led to the entry into force of this regulation and to the tight deadlines set for applying it.

The reasoning behind the new law is that essential service companies, in sectors such as energy, health, waste management or food, should reduce as far as possible the risk of suffering a cyber incident that paralyzes their activity.

What companies are required to comply with RD 43/2021?

In accordance with the provisions of article 2 of RD 43/2021, obligated organizations are divided into two large groups:

Essential Service Operators

Companies that belong to the sectors identified as Critical Infrastructure by Directive (EU) 2016/1148 of the European Parliament and of the Council, of July 6, 2016 (known as the NIS Directive).

The Critical Infrastructure sectors provide the services necessary to maintain basic social functions: the health, safety, and social and economic well-being of citizens, or the effective operation of State institutions and Public Administrations.

Law 8/2011, of April 28, which establishes measures for the protection of critical infrastructures, defines the following sectors of activity:

  • Administration
  • Water
  • Food
  • Energy
  • Space
  • Nuclear industry
  • Chemical industry
  • Research industry
  • Health
  • Financial and tax system
  • Information and Communication Technologies (ICT)
  • Transport

Digital Service Providers

Within this second group, small and micro-enterprises (fewer than 50 workers or less than 10 million euros in annual turnover) are exempt.

  • Online marketplaces: platforms for the sale of third-party products and/or services.
  • Online search engines
  • Cloud services

What are the obligations of RD 43/2021?

Appoint the Information Security Manager or CISO (Chief Information Security Officer)

This figure can be a person, an entity or a collegiate body, and must be appointed before the corresponding Ministry (depending on the company's sector) by April 27, 2021 at the latest. The CISO carries several responsibilities within the company and should therefore be a highly capable profile. Here we explain what your company's CISO should look like.

The CISO acts as the point of contact with the competent authority and supervises the company's compliance with the established cybersecurity requirements.

Prepare the Statement of Applicability

In accordance with article 6 of RD 43/2021, the CISO must prepare a document called the Declaration of Applicability of the company's security measures. Broadly speaking, it should:

  • Analyze the company's current cybersecurity status in order to identify gaps and risks.
  • Record the deficiencies detected and how they are to be resolved.
  • Establish a monitoring plan to verify that these deficiencies are eventually corrected.
  • Set out plans for the detection and management of cyber incidents, and for recovery and continuity of operations should one occur.

Sign and submit the Declaration of Applicability

The Declaration of Applicability must be signed by the CISO and approved by the company. Finally, it must be submitted to the competent authority no later than July 27, 2021.

In addition, the Declaration of Applicability must be reviewed at least every 3 years.

Do you need personalized advice?

Tell us about your company's current situation and what you need. We will call you and analyze your case to assess whether your company is at risk of regulatory non-compliance. Our services adapt to companies of all sizes.

Edorteam, a valuable support for your CISO

With our CISO Advisory Plan, we accompany your company in its adaptation to RD 43/2021. The role of the CISO demands a high level of capability and carries significant responsibilities. Trust Edorteam to guide and support your company's CISO:

Situation analysis

  • We analyze the current state of the company’s cybersecurity.
  • We identify possible risks and threats.
  • We advise the management to appoint the CISO of the company.

Definition of objectives

  • We work hand in hand with the CISO to develop a Cybersecurity Plan for the company.
  • We define the strategic cybersecurity objectives to be achieved and how to meet them.

Improvement actions

  • If you need software solutions to improve the company's cybersecurity, we take care of deploying them on all computer equipment.
  • We train your staff in their use, promoting good cybersecurity practices.

Support and follow-up

  • We advise your CISO in the presentation of the Declaration of Applicability.
  • We monitor the effectiveness of the measures applied.
  • We maintain direct contact to resolve technical or digital security incidents.

CISO Advisory Service for companies and RD 43/2021

At Edorteam you have both a legal department and an IT department specialized in cybersecurity solutions.

The service is comprehensive: we not only identify the improvements to be made, we also take care of their implementation in the company.

We speak your language

💡 Update your business’s IT security

At Edorteam, we understand that adapting to cybersecurity regulations such as RD 43/2021 can seem complex, full of technical requirements and complicated concepts. That’s why we strive to explain everything in a simple and direct way, ensuring that you understand every step we take to protect your company.

With over 30 years of experience protecting companies, we are specialists in cybersecurity and regulatory compliance. Our team advises you so that your company complies with regulations without complications.


IT security services for companies

  • Audit and risk analysis.
  • Implementation of security measures.
  • Cybersecurity training for employees.
  • Cyber incident management and notification.
  • Preparation for ISO 27001 and ENS certifications.

The keys of RD 43/2021 in e-book format

Everything about Royal Decree 43/2021 on the security of networks and information systems.

Download this e-book to find out which measures you should apply and whether your company is an obligated entity.

What are the functions of the CISO?

Visit our blog to learn more about the professional profile that can carry out the functions of the CISO.

Can it be someone outside the company? Is it a temporary role? Find out here.