The Government may impose fines of between half a million and one million euros on operators of essential services and digital service providers that commit very serious cybersecurity infringements.
For the first time, penalties are provided for violating the cybersecurity rules that apply to critical operators (energy, water, transport, health, banking, etc.) and to digital service providers (search engines, e-commerce, cloud computing, etc.). However, it is the member states that are responsible for defining the infringements and setting the amount of the sanctions.
Although most companies already report the cyber-attacks they suffer, some conceal them for fear of damaging their reputation or having to compensate affected customers. The law will not only sanction this behavior but will also protect employees or subcontractors who report such incidents.
The Administration may request information from operators of essential services on the effective application of their security policies, audit them, or require them to submit to an audit. For digital service providers, on the other hand, it "will only inspect compliance with the obligations derived from this law when there is a suspicion of a breach, at the reasoned request of other bodies, or following a complaint."
In application of the European directive, the law creates a "single point of contact" for communicating incidents with other EU countries, which will be the National Security Council, and keeps the current CERTs (Cyber Emergency Response Teams), which will be renamed CIRTs: the National Cryptological Center (CCN), for public administration; the National Institute of Cybersecurity (INCIBE), for private companies; and the Joint Cyber Defense Command, for the Army.
Via: El País