There is currently a growing trend for companies to be obliged to report any security incidents to the authorities that be. In 2018 the European General Data Protection Regulation (GDPR) will come into force, while Spain’s implementation of the NIS Directive will also be published. These two pieces of legislation will be added to a swelling body of rules such as the Critical Infrastructure Protection Law or Spain’s National Security Scheme, which already make it compulsory for affected companies to report any incidents. Thus, organizations of the public authorities, essential operators or operators of critical infrastructure as well as any firm managing personal data will all be affected by this new legislation.

Even so, the various regulations as yet lack any particular and specific terms and conditions about how this reporting is to be done: When? How much? How often? Reporting to whom? In which format? Organizations hence harbor serious doubts about how exactly to meet this particular reporting obligation. This is especially so whenever any given incident has to be simultaneously reported to several authorities.

Mindful of this grey area, the Quality and Security Working Group of the Spanish Association of Information-Society and Telecommunications Users (Asociación Española de Usuarios de Telecomunicaciones y de la Sociedad de la Información: AUTELSI ) has drawn up the study "Action procedure for security incidents requiring notification". GMV, as a member of the working group, has collaborated in the preparation and writing of this report, with Mariano J. Benito, CISO of GMV Secure e-Solutions, as the company’s group representative.

The aim of the guide is to clarify and cross-check the legal requirements laid down by these regulations, helping information-security professionals, the various members of the crisis/security committee and security bosses to carry out their activity. This will ensure that all of them are notifying any cybersecurity incidents with uniform criteria, within the established deadlines and including all necessary authorities in the reporting procedure. The guide also aims to raise awareness and bring this problem home to the various managerial bodies of companies and public authorities.