Important changes in company cybersecurity: Royal Decree 43/2021


News on cybersecurity, data protection and software solutions.

Important changes in company cybersecurity: Royal Decree 43/2021

19 Jul, 21

On January 27, the Royal Decree 43/2021 by which the Royal Decree-Law 12/2018, of September 7, on security of networks and information systems is developed. The approval of this regulation implies a milestone for business cybersecurity because it establishes important changes for a large number of affected companies: Essential Services sy Digital Service Providers .

With this RD we want to end the insufficient cybersecurity policies that we still find in many companies, and it is motivated by the exponential growth of cyber attacks during the last year, taking advantage of the pandemic situation, and the rise of teleworking and electronic commerce. These changes should take place within a few very short time frames and they have a high impact on corporate cybersecurity governance.

In other words, this regulation wants to promote initiatives so that essential services companies achieve an adequate level of cybersecurity .

These are the main obligations derived from Royal Decree 43/2021:

The obligated companies will designate a person, entity or collegiate body as Responsible for Information Security or CISO (Chief Information Security Officer). This figure will act as a point of contact with the competent authority and will supervise that the company complies with the cybersecurity requirements required by the regulations.

In a future post we will talk about their functions in detail, but it is important to know that companies have 3 months to appoint your Security Manager before the corresponding Ministry (according to activity sector) and provide it with the necessary means to carry out its functions. That is, the term ends in April 2021 .

After the appointment of the Security Manager, the company must make a document called Statement of Applicability of the security measures that the company will adopt (article 6 of RD 43/2021).

Broadly speaking, this document will analyze the cybersecurity measures that the company currently has and the deficiencies detected and how they are intended to be solved will be reflected , including a monitoring plan to verify that the minimum requirements are met.

These are the sections that the Statement of Applicability :

  • Risk analysis and management.
  • Risk management of third parties or suppliers.
  • Catalog of security, organizational, technological and physical measures.
  • Personnel management and professionalism.
  • Acquisition of security products or services.
  • Incident detection and management.
  • Plans for the recovery and assurance of the continuity of operations.
  • Continuous improvement
  • Systems interconnection.
  • Record of user activity.

The Statement of Applicability must be submitted and signed by the Security Manager within a period of 6 months, that is, in July 2021 . In addition, it will be reviewed at least every 3 years.



At Edorteam we accompany you in adapting your company to the regulations

You have at your disposal our team of lawyers and legal compliance specialists, as well as our consultants and technical specialists in cybersecurity. Count on us to help your Security Manager detect and solve digital security problems that your company may suffer, Contact us .

Edorteam, a valuable support for your CISO

We accompany your company in its adaptation to Royal Decree 43/2021 with the CISO Advisory Plan, contact us without obligation.

What companies are required to comply with RD 43/2021?

We understand how essential service operators defined in these two laws:

  • Law 17/2015, of July 9, on the National Civil Protection System . For the purposes of this law, essential services will be understood as: the services necessary for the maintenance of basic social functions, health, safety, social and economic well-being of citizens, or the effective functioning of State institutions and the Public administrations.
  • Law 8/2011, of April 28, which establishes measures for the protection of critical infrastructures . For the purposes of this Law, essential service shall be understood as the service necessary for the maintenance of basic social functions, health, security, social and economic well-being of citizens, or the effective functioning of State Institutions and the Public administrations.
Energy and nuclear industry

Some examples are:
Electric power marketers and distributors, gas marketers and distributors companies, municipal water supply companies, private drinking water supply companies, petrochemical companies …


Chemical industry , for example: suppliers and producers of substances, manufacture of basic chemical products, nitrogen compounds, fertilizers, plastics, synthetic rubber, manufacture of pharmaceutical products, pharmaceutical specialties; manufacture of pesticides and other agrochemical producers; manufacture of soaps, colognes, cosmetics …

Textile manufacturing industry (except clothing) such as: manufacture of fabrics (except clothing), textile products for technical and industrial use, manufacture of work clothing; manufacture of paints and varnishes; manufacture of containers, plastic packaging …


Some examples are:
Air, railway, maritime or river transport, road transport …


As for example, wastewater treatment.

Production, distribution and sale of food

Some examples are:
Large areas for the sale of food products (supermarket chains, hypermarkets, agri-food industries, cooperatives; small and medium-sized production companies, food distribution companies that have department stores) and horticulture companies (large nurseries) …

Companies manufacturing oils, animal and vegetable fats, dairy products, beverages

Healthcare and research industry

Some examples are:

Hospitals (both public and private).

Cosmetic surgery, dental, clinical analysis, rehabilitation, ophthalmology, assisted reproduction clinics (not applicable to small consultations with a single professional).

Supply companies of medical, surgical, orthopedic material

Geriatric, day centers.

Mutual societies for occupational accidents and work and diseases of Social Security professionals.

Research companies.

Financial and tax system

All banking and credit entities.

Other examples are: brokers, credit recovery companies, companies that offer lines of credit, portfolio management companies, financial advisory companies, foreign investment companies (registered in the Official Registry of ESI) …

Digital Service Providers


  • Online search engines.
  • Online markets (platforms for the sale of third-party products and / or services).
  • Cloud services.

Within this group, small or micro-enterprises (less than 50 workers or less than 10 million euros in annual turnover) are exempt.


If your business falls into one of these categories, the clock is ticking and there is a lot of work to do. In Edorteam you also have a legal department and IT department specialist in cybersecurity solutions. Our goal is to offer you an easy and effective adaptation to RD 43/2021.

Contact us now and let’s get to work.


Submit a Comment

Your email address will not be published.

Related posts

More and more legal obligations for your company

More and more legal obligations for your company

Keeping your company's regulatory compliance under control is becoming increasingly complex, as in recent years there have been constant changes in the legal framework, both at state and European level: Personal data protection Obligation of preventive cybersecurity...