Much has been said and written about the role of regulations in information security. With this article, I intend to offer an opinion, open to debate and rebuttal.,
Regarding this aspect, I want to position myself on the fact that legislative and technical profiles only
They can work together to achieve the desired and pursued goal of enjoying a cybersecure and resilient society.
Cybersecurity is no longer an area limited to purely technical issues
techniques to become an essential component of corporate governance and
of national security in the case of governments and public administrations.
In this context, legislation and regulatory compliance should not be interpreted
not as an administrative burden, but as a fundamental ally that drives the
organizations to raise their level of maturity in digital risk management.
The regulatory framework as a catalyst for cybersecurity
Legislative developments in cybersecurity and data protection have
introduced minimum standards that require companies to integrate security into their management processes. The General Data Protection Regulation (GDPR,
Regulation (EU) 2016/679 marked a milestone by establishing strict obligations on
The processing of personal information, with proactive accountability mechanisms and significant penalties for non-compliance. Its impact has gone beyond privacy: it has reinforced the need to incorporate robust security policies to guarantee the confidentiality, integrity, and availability of data—in this case, personal data, but perfectly applicable to any other type of information.
In parallel, Directive (EU) 2016/1148, known as the NIS Directive, and its revision
through Directive (EU) 2022/2555 (NIS2), they have extended the requirement for measures
security to a greater number of sectors, including essential services and
Digital service providers. The transposition of NIS2 into legal systems
national regulations, including those in Spain, force many SMEs and medium-sized enterprises to
They are part of critical supply chains and are now required to adopt cybersecurity measures that were not previously mandatory. This regulatory framework is contributing to the creation of a more homogeneous and resilient ecosystem in the face of transnational threats.
Likewise, sector-specific regulations such as Royal Decree-Law 12/2018, on safety
of information networks and systems in Spain, or international standards
Standards such as ISO/IEC 27001 reinforce the need for alignment between compliance
legal and good technical practices.
Beyond regulated sectors
While the financial, energy, and healthcare sectors have historically been more heavily regulated due to their impact on society, reality shows that no organization is immune to cyber risks. Ransomware, industrial espionage, and digital fraud affect large corporations, SMEs, professional firms, and tech startups alike.
In this sense, the legal framework provides a common language to address the
security across the board. The obligation to comply with certain
Regulations are driving companies of all sizes to systematize their controls
internal, allocate resources and justify investments in security.
It is worth noting that, in addition to general frameworks such as GDPR or NIS2, there are
Sector-specific regulations that reinforce the requirement for security measures
specific. In the financial field, Directive (EU) 2015/2366 (PSD2) on
Payment services establish strict obligations regarding authentication
Enhanced customer accountability (SCA) and electronic transaction protection.
In a complementary manner, the new Regulation (EU) 2022/2554, known as
DORA (Digital Operational Resilience Act) introduces a homogeneous framework for the
risk management of information and communication technologies (ICT) in
Banks, insurers, investment firms, and financial service providers. Its objective is to ensure that the European financial sector can withstand, respond to, and recover from serious cybersecurity incidents, strengthening both business continuity and customer confidence.
In the insurance and investment sector, the Solvency II regulations (Directive
2009/138/EC) and the MiFID II Directive (2014/65/EU) also incorporate requirements for
technology risk management and business continuity.
In Spain, Law 41/2002 on patient autonomy and Regulation (EU)
Regulation 2017/745 on medical devices requires strengthening confidentiality and
clinical information security, while Royal Decree 43/2021, which
It develops Royal Decree-Law 12/2018 on network security and
information systems, introduces specific security obligations for
Essential service providers and digital providers. Also in the sector
energy, the regulations derived from Regulation (EU) 2019/941 on the
Risk preparedness in the electricity sector integrates requirements for
cybersecurity as part of operational resilience.
Thus, regulatory compliance does not only respond to generic requirements,
but also to specialized requirements that vary depending on the activity. This
It reinforces the idea that compliance becomes a differentiating factor.
in terms of reputation and competitiveness, capable of generating trust in
clients, investors and strategic partners.
Digital society and shared responsibility
Global interconnectedness makes cybersecurity a public good.
legislation that requires notification of security incidents (Article 33 of the GDPR)
or Article 23 of the NIS2 Directive) promote a culture of transparency and
This collaboration goes beyond the business sector. These obligations have allowed the relevant authorities to gather information to improve the coordinated response to cyber threats and have increased citizens' awareness of the risks they face.
Therefore, regulation is not limited to the protection of private interests, but rather
It establishes mechanisms for co-responsibility between administrations, the private sector and
Citizenship, strengthening collective resilience against global risks.

Conclusions: compliance as a strategic advantage, the alliance between
Engineers and lawyers and the role of the compliance area
In a scenario where the boundaries between the physical and the digital are blurring, the
Regulatory compliance in cybersecurity is emerging as an accelerator
strategic that promotes professionalization, legitimizes investments and strengthens the
confidence in the market.
However, a relevant debate arises regarding the internal governance of
Regulatory compliance in relation to cybersecurity: should the responsibility fall on
legal responsibility in compliance areas, traditionally responsible for
regulatory supervision, or should it be directly integrated into the areas of
cybersecurity?
From a corporate governance perspective, the area of compliance is
Compliance is fundamental as a guarantor of the correct interpretation of the law, alignment with the current regulatory framework, and accountability to external supervisory bodies. In this respect, compliance ensures that the organization not only adopts technical measures but can also demonstrate, through documentary evidence and audit processes, that these measures comply with applicable regulations. Thus, compliance acts as a bridge between companies and regulators.
On the other hand, from a more operational perspective, it is inefficient that the
Legal interpretation should remain isolated from technical implementation. The information security area needs to translate the obligations imposed by law—such as encryption, monitoring, incident management, business continuity, and breach notification—into concrete controls. For this process to be agile and effective, the cybersecurity area must assume an active role in compliance management, preventing it from becoming a mere administrative task disconnected from technological reality.
The solution, in practice, does not involve choosing one of the two positions in a certain way.
not by exclusivity, but by building collaborative models that integrate both perspectives. The compliance area must lead the alignment with the corporate strategy and regulatory requirements, while cybersecurity must operationalize these requirements, ensuring that the implemented technical measures not only comply with the standard, but also add value in terms of risk reduction.
In this context, multidisciplinary collaboration between
Engineers and lawyers. The former guarantee the technical feasibility and effectiveness of the
controls, while the latter interpret and translate the regulatory framework into
Obligations applicable to the organization. The future of corporate cybersecurity
Therefore, it involves hybrid structures where compliance and cybersecurity act in a coordinated manner, avoiding organizational silos and promoting a model of
Comprehensive governance that combines legal, strategic, and operational vision. It should not
It is rare to find legal profiles as part of the operational teams of the
information security areas.
Sergio Padilla Foubello
Director of the Cybersecurity Chair at EIP International Business School
Do you want to train in CybersecurityAt EIP we have the best training































