{"id":102790,"date":"2026-06-17T12:25:20","date_gmt":"2026-06-17T10:25:20","guid":{"rendered":"https:\/\/eiposgrados.com\/?p=102790"},"modified":"2026-06-17T12:25:23","modified_gmt":"2026-06-17T10:25:23","slug":"legislation-and-cybersecurity","status":"publish","type":"post","link":"https:\/\/eiposgrados.com\/eng\/blog-ciberseguridad\/legislacion-y-ciberseguridad\/","title":{"rendered":"Legislation and cybersecurity: lawyers and engineers, a strategic partnership"},"content":{"rendered":"<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Much has been said and written about the role of regulations in information security. With this article, I intend to offer an opinion, open to debate and rebuttal.,<br>Regarding this aspect, I want to position myself on the fact that legislative and technical profiles only<br>They can work together to achieve the desired and pursued goal of enjoying a cybersecure and resilient society.<\/p>\n\n\n\n<p class=\"has-text-align-left wp-block-paragraph\"><br>Cybersecurity is no longer an area limited to purely technical issues<br>techniques to become an essential component of corporate governance and<br>of national security in the case of governments and public administrations.<br>In this context, legislation and regulatory compliance should not be interpreted<br>not as an administrative burden, but as a fundamental ally that drives the<br>organizations to raise their level of maturity in digital risk management.<\/p>\n\n\n\n<h2 class=\"wp-block-heading has-text-align-left\"><br><strong>The regulatory framework as a catalyst for cybersecurity<\/strong><\/h2>\n\n\n\n<p class=\"has-text-align-left wp-block-paragraph\"><br>Legislative developments in cybersecurity and data protection have<br>introduced minimum standards that require companies to integrate security into their management processes. The General Data Protection Regulation (GDPR,<br>Regulation (EU) 2016\/679 marked a milestone by establishing strict obligations on<br>The processing of personal information, with proactive accountability mechanisms and significant penalties for non-compliance. Its impact has gone beyond privacy: it has reinforced the need to incorporate robust security policies to guarantee the confidentiality, integrity, and availability of data\u2014in this case, personal data, but perfectly applicable to any other type of information.<\/p>\n\n\n\n<p class=\"has-text-align-left wp-block-paragraph\"><br>In parallel, Directive (EU) 2016\/1148, known as the NIS Directive, and its revision<br>through Directive (EU) 2022\/2555 (NIS2), they have extended the requirement for measures<br>security to a greater number of sectors, including essential services and<br>Digital service providers. The transposition of NIS2 into legal systems<br>national regulations, including those in Spain, force many SMEs and medium-sized enterprises to<br>They are part of critical supply chains and are now required to adopt cybersecurity measures that were not previously mandatory. This regulatory framework is contributing to the creation of a more homogeneous and resilient ecosystem in the face of transnational threats.<\/p>\n\n\n\n<p class=\"has-text-align-left wp-block-paragraph\">Likewise, sector-specific regulations such as Royal Decree-Law 12\/2018, on safety<br>of information networks and systems in Spain, or international standards<br>Standards such as ISO\/IEC 27001 reinforce the need for alignment between compliance<br>legal and good technical practices.<\/p>\n\n\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Beyond regulated sectors<\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">While the financial, energy, and healthcare sectors have historically been more heavily regulated due to their impact on society, reality shows that no organization is immune to cyber risks. Ransomware, industrial espionage, and digital fraud affect large corporations, SMEs, professional firms, and tech startups alike.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In this sense, the legal framework provides a common language to address the<br>security across the board. The obligation to comply with certain<br>Regulations are driving companies of all sizes to systematize their controls<br>internal, allocate resources and justify investments in security.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">It is worth noting that, in addition to general frameworks such as GDPR or NIS2, there are<br>Sector-specific regulations that reinforce the requirement for security measures<br>specific. In the financial field, Directive (EU) 2015\/2366 (PSD2) on<br>Payment services establish strict obligations regarding authentication<br>Enhanced customer accountability (SCA) and electronic transaction protection.<br>In a complementary manner, the new Regulation (EU) 2022\/2554, known as<br>DORA (Digital Operational Resilience Act) introduces a homogeneous framework for the<br>risk management of information and communication technologies (ICT) in<br>Banks, insurers, investment firms, and financial service providers. Its objective is to ensure that the European financial sector can withstand, respond to, and recover from serious cybersecurity incidents, strengthening both business continuity and customer confidence.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><br>In the insurance and investment sector, the Solvency II regulations (Directive<br>2009\/138\/EC) and the MiFID II Directive (2014\/65\/EU) also incorporate requirements for<br>technology risk management and business continuity.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><br>In Spain, Law 41\/2002 on patient autonomy and Regulation (EU)<br>Regulation 2017\/745 on medical devices requires strengthening confidentiality and<br>clinical information security, while Royal Decree 43\/2021, which<br>It develops Royal Decree-Law 12\/2018 on network security and<br>information systems, introduces specific security obligations for<br>Essential service providers and digital providers. Also in the sector<br>energy, the regulations derived from Regulation (EU) 2019\/941 on the<br>Risk preparedness in the electricity sector integrates requirements for<br>cybersecurity as part of operational resilience.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><br>Thus, regulatory compliance does not only respond to generic requirements,<br>but also to specialized requirements that vary depending on the activity. This<br>It reinforces the idea that compliance becomes a differentiating factor.<br>in terms of reputation and competitiveness, capable of generating trust in<br>clients, investors and strategic partners.<\/p>\n\n\n\n<h2 class=\"gb-headline gb-headline-ae409fcd gb-headline-text\"><strong>Digital society and shared responsibility<\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Global interconnectedness makes cybersecurity a public good.<br>legislation that requires notification of security incidents (Article 33 of the GDPR)<br>or Article 23 of the NIS2 Directive) promote a culture of transparency and<br>This collaboration goes beyond the business sector. These obligations have allowed the relevant authorities to gather information to improve the coordinated response to cyber threats and have increased citizens&#039; awareness of the risks they face.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><br>Therefore, regulation is not limited to the protection of private interests, but rather<br>It establishes mechanisms for co-responsibility between administrations, the private sector and<br>Citizenship, strengthening collective resilience against global risks.<\/p>\n\n\n\n<figure class=\"gb-block-image gb-block-image-5b4ec82b\"><a href=\"https:\/\/es.linkedin.com\/in\/sergio-padilla-foubelo-70b32336\" target=\"_blank\" rel=\"noopener\"><img fetchpriority=\"high\" decoding=\"async\" width=\"1091\" height=\"613\" class=\"gb-image gb-image-5b4ec82b\" src=\"https:\/\/eiposgrados.com\/wp-content\/uploads\/2026\/06\/captura-de-pantalla-2026-06-10-023022.png\" alt=\"cybersecurity\" title=\"Screenshot 2026-06-10 023022\" srcset=\"https:\/\/eiposgrados.com\/wp-content\/uploads\/2026\/06\/captura-de-pantalla-2026-06-10-023022.png 1091w, https:\/\/eiposgrados.com\/wp-content\/uploads\/2026\/06\/captura-de-pantalla-2026-06-10-023022-300x169.png 300w, https:\/\/eiposgrados.com\/wp-content\/uploads\/2026\/06\/captura-de-pantalla-2026-06-10-023022-1024x575.png 1024w, https:\/\/eiposgrados.com\/wp-content\/uploads\/2026\/06\/captura-de-pantalla-2026-06-10-023022-768x432.png 768w, https:\/\/eiposgrados.com\/wp-content\/uploads\/2026\/06\/captura-de-pantalla-2026-06-10-023022-294x165.png 294w, https:\/\/eiposgrados.com\/wp-content\/uploads\/2026\/06\/captura-de-pantalla-2026-06-10-023022-123x69.png 123w, https:\/\/eiposgrados.com\/wp-content\/uploads\/2026\/06\/captura-de-pantalla-2026-06-10-023022-18x10.png 18w, https:\/\/eiposgrados.com\/wp-content\/uploads\/2026\/06\/captura-de-pantalla-2026-06-10-023022-200x112.png 200w, https:\/\/eiposgrados.com\/wp-content\/uploads\/2026\/06\/captura-de-pantalla-2026-06-10-023022-500x281.png 500w, https:\/\/eiposgrados.com\/wp-content\/uploads\/2026\/06\/captura-de-pantalla-2026-06-10-023022-800x449.png 800w\" sizes=\"(max-width: 1091px) 100vw, 1091px\" \/><\/a><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><br><strong>Conclusions: compliance as a strategic advantage, the alliance between<br>Engineers and lawyers and the role of the compliance area<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><br>In a scenario where the boundaries between the physical and the digital are blurring, the<br>Regulatory compliance in cybersecurity is emerging as an accelerator<br>strategic that promotes professionalization, legitimizes investments and strengthens the<br>confidence in the market.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">However, a relevant debate arises regarding the internal governance of<br>Regulatory compliance in relation to cybersecurity: should the responsibility fall on<br>legal responsibility in compliance areas, traditionally responsible for<br>regulatory supervision, or should it be directly integrated into the areas of<br>cybersecurity?<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><br>From a corporate governance perspective, the area of compliance is<br>Compliance is fundamental as a guarantor of the correct interpretation of the law, alignment with the current regulatory framework, and accountability to external supervisory bodies. In this respect, compliance ensures that the organization not only adopts technical measures but can also demonstrate, through documentary evidence and audit processes, that these measures comply with applicable regulations. Thus, compliance acts as a bridge between companies and regulators.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><br>On the other hand, from a more operational perspective, it is inefficient that the<br>Legal interpretation should remain isolated from technical implementation. The information security area needs to translate the obligations imposed by law\u2014such as encryption, monitoring, incident management, business continuity, and breach notification\u2014into concrete controls. For this process to be agile and effective, the cybersecurity area must assume an active role in compliance management, preventing it from becoming a mere administrative task disconnected from technological reality.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><br>The solution, in practice, does not involve choosing one of the two positions in a certain way.<br>not by exclusivity, but by building collaborative models that integrate both perspectives. The compliance area must lead the alignment with the corporate strategy and regulatory requirements, while cybersecurity must operationalize these requirements, ensuring that the implemented technical measures not only comply with the standard, but also add value in terms of risk reduction.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><br>In this context, multidisciplinary collaboration between<br>Engineers and lawyers. The former guarantee the technical feasibility and effectiveness of the<br>controls, while the latter interpret and translate the regulatory framework into<br>Obligations applicable to the organization. The future of corporate cybersecurity<br>Therefore, it involves hybrid structures where compliance and cybersecurity act in a coordinated manner, avoiding organizational silos and promoting a model of<br>Comprehensive governance that combines legal, strategic, and operational vision. It should not<br>It is rare to find legal profiles as part of the operational teams of the<br>information security areas.<\/p>\n\n\n\n<p class=\"has-medium-font-size wp-block-paragraph\"><strong>Sergio Padilla Foubello<br><\/strong>Director of the Cybersecurity Chair at EIP International Business School<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Do you want to train in&nbsp;<a href=\"https:\/\/eiposgrados.com\/eng\/programs\/master-in-cybersecurity\/\">Cybersecurity<\/a>At EIP we have the best training<\/p>","protected":false},"excerpt":{"rendered":"<p>Much has been said and written about the role of regulations in information security. With this article, I intend to offer my opinion\u2026 <a title=\"Legislation and cybersecurity: lawyers and engineers, a strategic partnership\" class=\"read-more\" href=\"https:\/\/eiposgrados.com\/eng\/blog-ciberseguridad\/legislacion-y-ciberseguridad\/\" aria-label=\"Read more about Legislation and cybersecurity: lawyers and engineers, a strategic partnership\">Read more<\/a><\/p>","protected":false},"author":4519,"featured_media":102791,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[332],"tags":[],"class_list":["post-102790","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-ciberseguridad"],"acf":[],"_links":{"self":[{"href":"https:\/\/eiposgrados.com\/eng\/wp-json\/wp\/v2\/posts\/102790","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/eiposgrados.com\/eng\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/eiposgrados.com\/eng\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/eiposgrados.com\/eng\/wp-json\/wp\/v2\/users\/4519"}],"replies":[{"embeddable":true,"href":"https:\/\/eiposgrados.com\/eng\/wp-json\/wp\/v2\/comments?post=102790"}],"version-history":[{"count":0,"href":"https:\/\/eiposgrados.com\/eng\/wp-json\/wp\/v2\/posts\/102790\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/eiposgrados.com\/eng\/wp-json\/wp\/v2\/media\/102791"}],"wp:attachment":[{"href":"https:\/\/eiposgrados.com\/eng\/wp-json\/wp\/v2\/media?parent=102790"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/eiposgrados.com\/eng\/wp-json\/wp\/v2\/categories?post=102790"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/eiposgrados.com\/eng\/wp-json\/wp\/v2\/tags?post=102790"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}