
2 June, 2020

The Spanish legal framework for cybersecurity is relatively unique among EU Member States for the broad and thorough set of regulations that constitute it. Javier Arnaiz Vidella, Senior Associate in New Technologies, Cybersecurity, Risks and Data Protection at ECIJA, discusses this subject via Data Guidance with particular reference to the National Security Scheme (‘the ENS’) and who may be liable under it.

The continuous advance of technology leads to a scenario where users and companies have increased their access to media, software, applications, information assets and, in the end, new methods for processing information. This advance is not exclusive to private bodies: the public sector is also increasing its processing of citizen information.

The increase of public sector activity in this regard, and the accompanying digital transformation taking place, require the information processed to be properly protected. Cybersecurity has thus become a matter that is of fundamental importance for the Public Administration of Spain (‘the Public Administration’) and which, as a straightforward compliance or legal requirement, seems to have been solved. However, while new regulations are being developed both nationally and internationally, recent (and not so recent) cyberattacks (e.g. the WannaCry incident and the Meltdown and Spectre vulnerabilities) seem to demonstrate to governments that cybersecurity is a pressing issue that must be included in their planning and schedules.

Spain has developed internal regulations on cybersecurity requirements regarding the Public Administration, critical infrastructure, essential services, and other critical or sensitive assets. As one of the most (if not the most) important cybersecurity regulations, the ENS sets out specific security requirements for the Public Administration when offering electronic services to citizens.

European framework

Unlike other EU Member States, Spain has a relatively broad range of cybersecurity regulations related to government sectors, services, and operators, providing much more specific security measures than the comparatively dispersed European framework.