The current regulatory landscape for cybersecurity is constantly changing as it attempts to address growing risks and threats, as well as the technological challenges facing society. As a result, cyber regulation has advanced gradually in recent years at both the European and national levels.
What is the current regulatory landscape?
Looking back five years, we only had a Critical Infrastructure Protection Law that was fairly well established at the national level, a NIS Directive at the European level that was still pending transposition into the Spanish legal system, and a National Security Scheme whose direct application was primarily to public administrations, in addition to other sectoral standards or regulations with a specific focus. But little more.

However, today we find ourselves with a very different set of regulations, and they are expected to keep changing in the future. Among them, the following are particularly noteworthy:
- NIS Law and its Implementing Regulations: The NIS Directive was transposed into Spanish law, defining the need for an Information Security Officer and specifying the areas to be taken into account regarding security risk management and incident reporting.
- NIS 2 Directive: In parallel, at the European level, the previous Directive has been updated, broadening its scope in pursuit of European-wide harmonization and increasing the need for support from the governing bodies. Consequently, the NIS Law and its implementing regulations at the national level must be updated to comply with this new Directive.
- CER Directive: At the same time as the NIS 2 Directive was published, the European update of the Directive on which the Critical Infrastructure Protection Act [5] was based was also issued, so an update to that national standard is expected as well.
- DORA Regulation: This Regulation, published for the financial sector, has an even broader impact and acts as a specific regulation for the entire sector, seeking to unify the requirements that affect such a critical sector in pursuit of a high level of resilience for the whole financial ecosystem.
- Other regulations at the European level that aim to complete the protection of the European market, such as the Cyber Security Act, the Cyber Solidarity Act or the Cyber Resilience Act.
</gml_replace>
<gr_replace lines="11" cat="clarify" orig="- Updated National">
- Updated National Security Scheme: The need to bring the standard that details the technical security requirements public administrations must meet into line with current cybersecurity risks has given rise to a new regulation, which also places even greater emphasis on the need for entities that work with the Public Administration to comply with it.
- Updated National Security Scheme: The need to update a standard that details the technical security requirements that public administrations must meet to current cybersecurity risks has given rise to a new regulation, which also places even greater emphasis on the need for those entities that work with the Public Administration to also comply with it.
- Standards updates, such as ISO 27001, NIST, PCI-DSS or SWIFT CSP: Technological advancements, both in systems and in cyberthreats, mean that standards are constantly evolving to maintain a level of protection appropriate to the current situation.

Why this increase in regulatory pressure?
This regulatory shift addresses challenges that have emerged in recent years, such as the increased sophistication of cyberthreats, an increase in attacks aimed at halting organizations' operations (such as ransomware), the rise in remote working due to the COVID-19 pandemic, and even geopolitical tensions that have increased cyberattacks between nations.
These factors mean that a large part of these standards is directed at increasing resilience to cyberattacks, focusing primarily on four aspects:
- A new approach in which cybersecurity is fully intertwined and integrated with business continuity and crisis management. That is, the extension of cybersecurity as a discipline transcends the strictly preventive and protective sphere and therefore contributes to organizational resilience.
- Adequate security governance in the entities, with clear responsibilities in terms of security and full involvement of Senior Management.
- A set of security measures designed to address the main problems that entities face given their own nature, so that efforts can be focused on the areas of greatest risk.
- Appropriate mechanisms to manage and report incidents, so that supervisory authorities have the information they need to act and minimize the damage caused by incidents, both by collaborating with the affected entities and by trying to prevent their rapid spread.
What can we expect in the future?
Technological advancements, including, for example, Artificial Intelligence, Quantum Computing and other similar fields, will lead to the emergence of new risks, which is why many regulations remain open-ended on risk management, allowing the most appropriate security measures to be defined. However, even though regulations such as the NIS 2 Directive aim to correct weaknesses observed in previous versions, such as the lack of standardization, it will be necessary to continue developing them in order to establish a reference framework that guarantees an adequate level of protection for society in general and for entities in particular.
Glossary
[1] Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 on measures for a high common level of security of network and information systems within the Union. https://www.boe.es/doue/2016/194/L00001-00030.pdf
[2] Royal Decree 43/2021, of January 26, which develops Royal Decree-Law 12/2018, of September 7, on the security of networks and information systems. https://www.boe.es/diario_boe/txt.php?id=BOE-A-2021-1192
[3] Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972 and repealing Directive (EU) 2016/1148 (NIS 2 Directive). https://www.boe.es/buscar/doc.php?id=DOUE-L-2022-81963
[4] Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 on the resilience of critical entities and repealing Council Directive 2008/114/EC (BOE.es – DOUE-L-2022-81965). https://www.boe.es/buscar/doc.php?id=BOE-A-2011-8849
[5] Law 8/2011, of April 28, establishing measures for the protection of critical infrastructures. https://www.boe.es/buscar/pdf/2011/BOE-A-2011-7630-consolidado.pdf
[6] Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on the digital operational resilience of the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011. https://www.boe.es/buscar/doc.php?id=DOUE-L-2022-81962
[7] Cyber Security Act: https://digital-strategy.ec.europa.eu/en/policies/cybersecurity-act
[8] Cyber Solidarity Act: https://www.eu-cyber-solidarity-act.com/
[9] Cyber Resilience Act: https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act
[10] Royal Decree 311/2022, of May 3, regulating the National Security Scheme. https://www.boe.es/buscar/doc.php?id=BOE-A-2022-7191