Cybersecurity · Gibraltar
Gibraltar operates a cross-sector cybersecurity regime under Part 7 of the Civil Contingencies Act 2007, which transposed the EU Network and Information Systems (NIS) Directive into local law with effect from 10 May 2018. The GRA is the designated Competent Authority and single point of contact, regulating Operators of Essential Services (OESs) and Digital Service Providers (DSPs), with mandatory security measures and incident reporting. This is supplemented by separate data-breach and communications-network notification duties.
The EU NIS Directive was transposed into Part 7 of the Civil Contingencies Act 2007 on 10 May 2018, on which date the GRA was designated as Competent Authority for the security of network and information systems of designated OESs and DSPs, and as Gibraltar's single point of contact.
Security and incident-reporting obligations apply to critical-infrastructure operators termed Operators of Essential Services (energy, health, transport, drinking water, banking, financial market infrastructure) and to Digital Service Providers. The GRA establishes and maintains the lists of designated OESs and DSPs.
Designated OESs must take appropriate and proportionate technical and organisational measures to manage risks to the network and information systems supporting their essential services. Obligations are set out in sections 41, 42 and 43 of the Act for OESs and DSPs respectively.
OESs and DSPs must report NIS incidents to the GRA without delay by submitting an Incident Notification Form; the GRA records and reports incident notifications as part of its supervisory role.
Section 49 grants the GRA powers to inspect OESs (who must cooperate and bear reasonable inspection costs), and a Cyber Assessment Framework (CAF) developed under section 54 lets the GRA gauge how far OESs meet required cybersecurity levels.
Beyond NIS, personal-data breaches must be notified to the GRA (acting as data protection authority) within 72 hours under data-protection rules, and public communications-network providers must notify the GRA of security/integrity breaches under section 34B(2)(a) of the Communications (Personal Data and Privacy) Regulations 2006.
Machine-assisted translation · verified 5/23/2026 · orientation, not legal advice.