{"id":6405,"date":"2021-02-20T10:04:04","date_gmt":"2021-02-20T09:04:04","guid":{"rendered":"https:\/\/edorteam.com\/important-changes-in-company-cybersecurity-royal-decree-43-2021\/"},"modified":"2026-05-04T17:28:17","modified_gmt":"2026-05-04T15:28:17","slug":"important-changes-in-company-cybersecurity-royal-decree-43-2021","status":"publish","type":"post","link":"https:\/\/nova.edorteam.com\/en\/important-changes-in-company-cybersecurity-royal-decree-43-2021\/","title":{"rendered":"Important changes in company cybersecurity: Royal Decree 43\/2021"},"content":{"rendered":"\n

On January 27, the Royal Decree 43\/2021<\/a> by which the Royal Decree-Law 12\/2018, of September 7, on security of networks and information systems is developed. The approval of this regulation implies a milestone for business cybersecurity<\/strong> because it establishes important changes for a large number of affected companies: Essential Services<\/strong> sy Digital Service Providers<\/strong> .<\/p>\n

With this RD we want to end the insufficient cybersecurity policies that we still find in many companies, and it is motivated by the exponential growth of cyber attacks during the last year, taking advantage of the pandemic situation, and the rise of teleworking and electronic commerce. These changes should take place within a few very short time frames<\/strong> and they have a high impact on corporate cybersecurity governance.<\/p>\n

In other words, this regulation wants to promote initiatives so that essential services companies achieve an adequate level of cybersecurity<\/strong> .<\/p>\n

These are the main obligations derived from Royal Decree 43\/2021: <\/span><\/p>\n<\/div><\/div>

The obligated companies will designate a person, entity or collegiate body as Responsible for Information Security or CISO<\/strong> (Chief Information Security Officer). This figure will act as a point of contact with the competent authority and will supervise that the company complies with the cybersecurity requirements required by the regulations.<\/p>\n

In a future post we will talk about their functions in detail, but it is important to know that companies have 3 months to appoint your Security Manager<\/strong> before the corresponding Ministry (according to activity sector) and provide it with the necessary means to carry out its functions. That is, the term ends in April 2021<\/strong> .<\/p>\n<\/div><\/div>

After the appointment of the Security Manager, the company must make a document called Statement of Applicability<\/strong> of the security measures that the company will adopt (article 6 of RD 43\/2021).<\/p>\n

Broadly speaking, this document will analyze the cybersecurity measures that the company currently has and the deficiencies detected and how they are intended to be solved will be reflected<\/strong> , including a monitoring plan to verify that the minimum requirements are met.<\/p>\n

These are the sections that the Statement of Applicability<\/strong> :<\/p>\n