The Legislative Assembly of El Salvador has recently approved the Cybersecurity and Information Security Law, aimed at ensuring the protection of data and computer systems managed by state entities, as well as the country’s critical infrastructures.
The law applies to all government bodies, including its dependencies, autonomous institutions, municipal authorities, and any entity managing public resources, state assets, or impacting critical infrastructures. Additionally, it may extend to certain private sector entities, such as those managing public information or interacting with the country’s critical systems.
The law also imposes various responsibilities on the obligated parties, particularly regarding the implementation of cybersecurity systems and strategies.
Key Obligations Include:
- Ongoing Cybersecurity Management: Entities must implement a management system that allows them to identify and mitigate risks that could affect the security of their computer systems, networks, and equipment.
- Development of Security Strategies: They must create information security strategies aligned with national and international frameworks.
- Continuity and Review Plans: Entities are required to develop operational continuity and cybersecurity plans, which must be approved by the competent authority and reviewed periodically.
- Simulations and Ongoing Analyses: Simulations and continuous reviews must be conducted to detect vulnerabilities in systems and processes that could compromise information security.
- Cybersecurity Incident Responses: Entities must take immediate measures to prevent, report, and mitigate cybersecurity and information security incidents.
- Designation of Responsible Parties: The law mandates the creation of a dedicated area or the designation of responsible individuals for implementing and monitoring cybersecurity measures, ensuring they have the independence and authority to perform their duties.
State Cybersecurity Agency
With the approval of this law, the State Cybersecurity Agency is established, an entity responsible for overseeing and enforcing the provisions of the law. This agency will be responsible for coordinating with institutions and ensuring compliance with established security standards. Among its key responsibilities are:
- Developing the National Cybersecurity and Information Security Policy, which will include necessary guidelines, plans, and action programs. This policy must be approved by the president of the Republic.
- Issuing regulations, protocols, and technical standards based on international best practices in cybersecurity, aligned with national policy.
- Creating and implementing action programs to address cybersecurity threats or incidents affecting the obligated entities.
- Requiring affected entities to take necessary actions to mitigate the effects of incidents and ensure the recovery of systems and protection of information.
Once the president of the Republic sanctions the law, it will come into effect 8 days after its publication in the Official Gazette.
rodrigo.benitez@garciabodan.com
Associate
García & Bodán
El Salvador