ARTICLE

How the New Registry of Cybersecurity Focal Points Works in the National Public Sector

The new Registry of Cybersecurity Focal Points in the National Public Sector has been established, adding obligations to prevent security incidents.

December 15, 2021

Administrative Decision No. 641/21 (more information here) established that entities and jurisdictions of the National Public Sector are obliged to submit their Information Security Policies. In addition, Regulation No. 7/2021 was issued to coordinate that information through the “Registry of Cybersecurity Focal Points in the National Public Sector.” Thus, entities within the scope of this regulation must report not only the information that identifies their cybersecurity agents but also whether the agency has already established an Information Security Plan or security measures, with a brief description of how it was deployed, if applicable. Otherwise, entities must indicate when they will be established or why they are exempted.

Finally, the regulation establishes an obligation to report security incidents within 48 hours of becoming aware of their occurrence or potential occurrence, as well as to report significant escalations when applicable. Reportable security incidents are those that may have a potential or real adverse impact on technological infrastructures, information systems and managed data, especially those that compromise personal or critical data of the entity, represent a breach of current regulations or affect the services linked to substantive functions under its purview.

The full text of Provision No. 7/2021 can be found here (Spanish only).