16 December 24 | Lisboa
TOL NEWS 71, NIS 2

A new Cybersecurity Legal Framework has been submitted for public consultation

A new Cybersecurity Legal Framework has been submitted for public consultation, which transposes the Directive on Network and Information Security 2 (NIS 2), aimed at guaranteeing a high common level of cybersecurity throughout the European Union.

The draft legislation extends the number of entities covered by the cybersecurity regulatory framework, as well as the supervisory powers of the National Cybersecurity Centre, and sets the degree of compliance with cybersecurity measures according to the size of the entities and the importance of their activity.

The new rules will apply to both the private and public sectors, imposing new standards and obligations on various “essential and important” sectors, including stricter management of cybersecurity risks and the need for coordination between public and private entities.

In this context, the heads of the administrative, management and governing bodies of organisations which are considered “essential and important” will be responsible for approving and implementing risk management measures, as well as promoting training on them.

It is also envisaged that managers will have to answer directly for offences committed in situations where they fail to check compliance with the rules or act negligently. 

Furthermore, security is reinforced regarding service providers and suppliers, particularly concerning the duty of diligence when choosing a third party, who must be assessed and monitored to ensure they offer the same guarantees the entity has implemented in its organisation.

In the event of non-compliance, there are fines of up to 250,000 euros for individuals and up to 10 million euros or the equivalent of 2 per cent of annual worldwide turnover (whichever is higher) for legal persons.

Additionally, accompanying sanctions may be applied, namely a ban on taking part in public contracts or suspension of the provision of services until the situation is regularised.

The law also deepens three fundamental instruments for public cybersecurity policies: 

  • The National Cyberspace Security Strategy, defining the national strategic priorities and objectives in terms of cybersecurity;
  • The National Response Plan for Large-Scale Cybersecurity Crises and Incidents, regulating and improving the management of this type of incident;
  • The National Cybersecurity Reference Framework, which will bring together and publicise norms, standards and good practices in cybersecurity management.

The new Cybersecurity Legal Framework entered into public consultation on 22nd November, and the deadline has been extended to 31st December.
