{"id":6399,"date":"2021-03-10T09:49:53","date_gmt":"2021-03-10T08:49:53","guid":{"rendered":"https:\/\/edorteam.com\/cybersecurity-and-rd-43-2021-ciso-advisory-plan\/"},"modified":"2026-05-04T17:33:52","modified_gmt":"2026-05-04T15:33:52","slug":"cybersecurity-and-rd-43-2021-ciso-advisory-plan","status":"publish","type":"page","link":"https:\/\/nova.edorteam.com\/en\/cybersecurity-and-rd-43-2021-ciso-advisory-plan\/","title":{"rendered":"Cybersecurity and RD 43\/2021 – CISO Advisory Plan"},"content":{"rendered":"

IT security and RD 43\/2021, how does it impact essential companies?<\/h2>\n<\/div><\/div>

We help you reinforce and update your company in IT security matters with the CISO Advisor service. RD 43\/2021 marked a turning point for essential service companies<\/strong>. We explain its cybersecurity obligations and how to address them.<\/p>\n<\/div><\/div>

Companies obligated by RD 43\/2021<\/a><\/div>
How we help you at Edorteam<\/a><\/div><\/div>
\"Cybersecurity<\/span><\/div><\/div><\/div><\/div>

What is Royal Decree 43\/2021?<\/h2>\n

It is a Royal Decree approved on January 27, 2021, by which Royal Decree-Law 12\/2018, of September 7, on security of networks and information systems is developed.<\/p>\n

This Royal Decree wants to end the insufficient cybersecurity policies that many companies still present today, such as obsolete operating systems, unlicensed software and an absolute lack of access control and activity monitoring.<\/p>\n

This, added to the exponential growth of cyberattacks that have been taking place during the last year, motivated by the pandemic situation and the rise of teleworking, have led to the entry into force of this regulation and the adjusted time limits to apply it.<\/p>\n<\/div><\/div><\/div>

It is considered that essential services companies such as energy, health, waste management or food, should reduce to the maximum their risks of suffering a cyber incident that paralyzes their work activity, hence the new law.<\/h3>\n<\/div><\/div>
<\/div><\/div><\/div><\/div><\/div>

What companies are required to comply with RD 43\/2021?<\/h2>\n

In accordance with the provisions of article 2 of RD 43\/2021, obligated organizations are divided into two large groups:<\/p>\n<\/div><\/div><\/div><\/div>

Essential Service Operators<\/h4>\n

Companies that belong to sectors known as Critical Infrastructure<\/strong> by Directive (EU) 2016\/1148 of the European Parliament and of the Council, of July 6, 2016 (known as the NIS Directive).<\/p>\n

The Critical Infrastructure sectors provide the services necessary for the maintenance of the basic social functions<\/strong> : health, safety, social and economic well-being of citizens, or effective operation of State institutions and Public Administrations.<\/p>\n

In Law 8\/2011, of April 28, which establishes measures for the protection of critical infrastructures, these sectors of activity are established:<\/p>\n<\/div><\/div><\/div>

N<\/span><\/span><\/div>

Administration<\/h4><\/div><\/div><\/div>
N<\/span><\/span><\/div>

Water<\/h4><\/div><\/div><\/div>
N<\/span><\/span><\/div>

Feeding<\/h4><\/div><\/div><\/div>
N<\/span><\/span><\/div>

Energy<\/h4><\/div><\/div><\/div>
N<\/span><\/span><\/div>

Outer space<\/h4><\/div><\/div><\/div>
N<\/span><\/span><\/div>

Nuclear Industry<\/h4><\/div><\/div><\/div>
N<\/span><\/span><\/div>

Chemical industry<\/h4><\/div><\/div><\/div><\/div>
N<\/span><\/span><\/div>

Research Industry<\/h4><\/div><\/div><\/div>
N<\/span><\/span><\/div>

Health<\/h4><\/div><\/div><\/div>
N<\/span><\/span><\/div>

Financial and Tax System<\/h4><\/div><\/div><\/div>
N<\/span><\/span><\/div>

Information and Communication Technologies (ICT)<\/h4><\/div><\/div><\/div>
N<\/span><\/span><\/div>

Transport<\/h4><\/div><\/div><\/div><\/div><\/div>
<\/div><\/div><\/div><\/div>

Digital Service Providers<\/h4>\n

Within this second group, small or micro-enterprises (less than 50 workers or less than 10 million euros in annual turnover) are exempt.<\/p>\n<\/div><\/div><\/div>

N<\/span><\/span><\/div>

Online markets<\/h4>

Platforms for the sale of products and \/ or services of third parties.<\/p>\n<\/div><\/div><\/div><\/div>

N<\/span><\/span><\/div>

Online search engines<\/h4><\/div><\/div><\/div>
N<\/span><\/span><\/div>

Cloud services<\/h4><\/div><\/div><\/div><\/div><\/div><\/div>

What are the obligations of RD 43\/2021?<\/h2>\n<\/div><\/div>

Appoint the Information Security Manager or CISO (Chief Information Security Officer)<\/em><\/h4>\n

This figure can be a person, entity or collegiate body, and will be appointed before the corresponding Ministry (according to the sector of the company) at most the April 27, 2021<\/strong> . The professional figure of the CISO has several responsibilities within the company and therefore should be a profile with high capacities, Here we explain how the CISO of your company should be<\/a> .<\/p>\n<\/div><\/div><\/div>

\"Royal<\/span><\/div>

A CISO acts as a point of contact with the competent authority and supervises that the company complies with the established cybersecurity requirements.<\/h4>\n<\/div><\/div>
<\/div><\/div><\/div><\/div>

Prepare the Statement of Applicability<\/h4>\n

In accordance with the provisions of article 6 of RD 43\/2021, the CISO must prepare a document called Declaration of Applicability of the security measures<\/strong> of the company. Broadly speaking, it should include:<\/p>\n