The National Cryptologic Centre (CCN) is an organisation within the National Intelligence Centre (CNI), set up in 2002 to guarantee ICT security in different public administration entities and security for systems that process, store or send out classified information.
Its sphere of competence is defined by the following regulatory framework:
- Law 11/2002, dated 6th May, regulating the National Intelligence Centre (CNI).
- Royal Decree 421/2004, 12th March, regulating and defining the sphere and functions of the National Cryptologic Centre (CCN).
- Presidential Ministerial Order PRE/2740/2007, dated 19th September, that regulates the National Evaluation Framework and Information Technology Security Certification, giving the CCN the capacity to act as a Certification Body (OC) for this Framework.
- Royal Decree 03/2010, dated 8th January, developing the National Security Framework (updated by RD 951/2015, dated 23rd October), establishing basic principles and minimum requirements, as well as protection measures to be implemented in Administration systems.
- Government Delegate Commission for Intelligence Matters, that annually defines CNI objectives using the Intelligence Directive setting out the Centre’s work.
In addition to the aforementioned legislation, several standards published over the last two years directly affect the cyber-security sector and consequently the National Cryptologic Centre's work as well. Among others, we might mention:
- The National Cyber-Security Strategy, approved on April 30, 2019, develops the forecasts of the National Security Strategy of 2017 in the field of cybersecurity.
- Royal Decree-Law 12/2018, dated 7th September, on network security and information systems.
- Directive (EU) 2016/1148 of the European Parliament and of the Council, dated 6th July 2016, relating to measures intended to guarantee a high common level of security in the Union's networks and information systems, also known as the NIS Directive. This is the first community directive in terms of cyber-security that came into force on 9th August 2016; it should be adopted and published in each of the Member States before 9th May 2018.
- National Cyber-Security Strategy and the nine Plans Derived from the National Cyber-security Plan, approved on 14th July 2015 by the National Security Council, that develop the Strategy and organise the State's work in this field.
- Law 39/2015, dated 1st October, on the Common Administrative Procedure for Public Administrations.
- Law 40/2015, dated 1st October, on the Public Sector Legal Regime, which extends the scope of the ENS to the public institutional sector and thus the responsibility of the CCN.
- Technical Security Instruction (ITS) in compliance with the National Security Framework. Resolution dated 13th October 2016 from the Secretary of State for Public Administrations.
- Technical Security Instructions (ITS) from the State Security Report. Resolution dated 7th October 2016, from the Secretary of State for Public Administrations to approve the Technical Security Instruction in the State Security Report.
- Organic Law 1/2015, dated 30th March, modifying Organic Law 10/1995, dated 23rd November, on Criminal Law regarding terrorism crimes including criminal cyberterrorism.
- Technical Security Instruction (ITS) on Security Incident Notification. Resolution of April 13, 2018, of the State Secretariat of Public Function, approving the Technical Instruction on Security for the Notification of Security Incidents.
- Technical Security Instruction (ITS) on Information Systems Security Auditing. Resolution of 27 March 2018, of the Ministry of State for the Civil Service, approving the Technical Instruction on Security Audit of the Security of Information Systems.
- Technical Security Instruction (ITS) in accordance with the National Security Scheme. Resolution of 13 October 2016, of the Ministry of Public Administration, approving the Technical Security Instruction in accordance with the National Security Framework.