Cybersecurity and RD 43/2021 – CISO Advisory Plan

Cybersecurity, essential in 2021

We accompany your company in its adaptation to Royal Decree 43/2021 with the CISO Advisory Plan

We explain what the obligations of RD 43/2021 , a before and after for cybersecurity of many companies, and how to face them with the greatest comfort and security for your business activity.

Cybersecurity and RD 43/2021 – CISO Advisory Plan

Obligations of RD 43/2021

We explain the changes introduced with this Royal Decree and the companies it affects.

What we offer you at Edorteam

An accompaniment service to your CISO for the correct development of its functions.

What is Royal Decree 43/2021?

It is a Royal Decree approved on January 27, 2021, by which Royal Decree-Law 12/2018, of September 7, on security of networks and information systems is developed.

This Royal Decree wants to end the insufficient cybersecurity policies that many companies still present today, such as obsolete operating systems, unlicensed software and an absolute lack of access control and activity monitoring.

This, added to the exponential growth of cyberattacks that have been taking place during the last year, motivated by the pandemic situation and the rise of teleworking, have led to the entry into force of this regulation and the adjusted time limits to apply it.

It is considered that essential services companies such as energy, health, waste management or food, should reduce to the maximum their risks of suffering a cyber incident that paralyzes their work activity, hence the new law.

What companies are required to comply with RD 43/2021?

In accordance with the provisions of article 2 of RD 43/2021, obligated organizations are divided into two large groups:

Essential Service Operators

Companies that belong to sectors known as Critical Infrastructure by Directive (EU) 2016/1148 of the European Parliament and of the Council, of July 6, 2016 (known as the NIS Directive).

The Critical Infrastructure sectors provide the services necessary for the maintenance of the basic social functions : health, safety, social and economic well-being of citizens, or effective operation of State institutions and Public Administrations.

In Law 8/2011, of April 28, which establishes measures for the protection of critical infrastructures, these sectors of activity are established:










Outer space


Nuclear Industry


Chemical industry


Research Industry




Financial and Tax System


Information and Communication Technologies (ICT)



Digital Service Providers

Within this second group, small or micro-enterprises (less than 50 workers or less than 10 million euros in annual turnover) are exempt.


Online markets

Platforms for the sale of products and / or services of third parties.

Online search engines


Cloud services

What are the obligations of RD 43/2021?

Appoint the Information Security Manager or CISO (Chief Information Security Officer)

This figure can be a person, entity or collegiate body, and will be appointed before the corresponding Ministry (according to the sector of the company) at most the April 27, 2021 . The professional figure of the CISO has several responsibilities within the company and therefore should be a profile with high capacities, Here we explain how the CISO of your company should be .

Royal Decree 43/2021 obligations in cybersecurity

A CISO acts as a point of contact with the competent authority and supervises that the company complies with the established cybersecurity requirements.

Prepare the Statement of Applicability

In accordance with the provisions of article 6 of RD 43/2021, the CISO must prepare a document called Declaration of Applicability of the security measures of the company. Broadly speaking, it should include:

  • Analysis of Actual state cybersecurity of the company in order to identify gaps and risks.
  • Reflect the deficiencies detected and how they are intended to be solved.
  • Develop a monitoring plan to check that these deficiencies are eventually corrected.
  • Set up plans for the detection, management, recovery and assurance of the continuity of operations in the event of a cyber-incident.

Sign and submit the Declaration of Applicability

The Statement of Applicability must be signed by the CISO and approved by the company. Finally, it will be presented to the competent authority no later than the July 27, 2021 .

In addition, the Statement of Applicability will be reviewable at least every 3 years .

Do you need further assistance?

Tell us about technological needs for your business. Tell us about your company's technological needs you may have to interview. We'll study your case to offer expert IT services for your business.

Edorteam, a valuable support for your CISO

With our CISO Advisory Plan, we accompany your company in its adaptation to RD 43/2021. The figure of the CISO requires high capacities and carries important responsibilities. Trust Edorteam to guide and accompany to your company’s CISO:


Situation analysis

  • We analyze the current state of the company’s cybersecurity.
  • We identify possible risks and threats.
  • We advise the management to appoint the CISO of the company.

Definition of objectives

  • We work hand in hand with the CISO in the development of a Cybersecurity Plan for the company.
  • We define the strategic objectives to be achieved in terms of cybersecurity and how to solve them.

Improvement actions

  • If you need software solutions to improve the cybersecurity of the company, we take care of their implementation on all computer equipment.
  • We train your professionals in its use, promoting good practices in cybersecurity.

Support and follow-up

  • We advise your CISO in the presentation of the Declaration of Applicability.
  • We monitor the effectiveness of the measures applied.
  • We will maintain direct contact to resolve technical or digital security incidents.
CISO Advisory Service for companies and RD 43/2021

At Edorteam you have both a legal department and an IT department specialized in cybersecurity solutions.

The service is comprehensive: we not only identify the improvements to be made, we also take care of their implementation in the company.

The keys of RD 43/2021 in e-book format

All about Royal Decree 43/2021 on security of networks and information systems.

Download our e-book and find out what measures you should apply and if you are an affected company.

What are the functions of the CISO?

Visit our blog to learn more about what kind of professional profile can perform the functions of the CISO.

Can it be someone outside the company? Is it a temporary figure? Discover it here.