AUGUST 19, 2021

Regulation No. 7/2021 of the National Cybersecurity Directorate: creation of the “National Public Sector Cybersecurity Focal Points Registry”.

CIRCULARS

CIRCULAR

Public Law and TMT Departments’ joint report | Regulation No. 7/2021 of the National Cybersecurity Directorate: creation of the “National Public Sector Cybersecurity Focal Points Registry”

Dear Sir or Madam,

Regulation No. 7/2021 (the “Regulation”) of the National Cybersecurity Directorate (the “Directorate”) was published in the Official Gazette today. This Regulation:

1. Creates the “National Public Sector Cybersecurity Focal Points Registry” (the “Registry”).

2. Provides that the highest authorities of the entities and jurisdictions of the National Public Sector included in subsection a) of Section 8 of Law No. 24,156 on Financial Administration and Control Systems of the National Public Sector and suppliers contracting with such entities and jurisdictions, shall inform by means of an Official Communication of the Electronic Document Management System (GDE) to the Directorate the names, surnames, institutional e-mail address, CUIT/CUIL and contact telephone number of the agent to whom cybersecurity functions have been or will be assigned in their jurisdiction, within the terms set forth in Section 5 of Administrative Decision No. 641/2021 (the “Decision”). Once said term has elapsed, the designated agents shall have 30 days to enter their data in the Register. The same procedure shall be applied whenever the aforementioned functions are assigned to another agent.

3. Instructs that the Security Plans referred to in Sections 3 and 4 of the Decision shall state, for each of the 14 sections contained in title V of the Annex called “Guidelines”, whether the organization already has a plan in place and security measures implemented, and if so, a description of such measures shall be included. Otherwise, it must indicate the period within which they will be implemented or the reasons why they should not be deployed. Additionally, and for each section, the main obstacles faced by the agency for the implementation or continuity of the required measures should be included, if applicable. The Security Plans must be submitted to the Directorate through the GDE System within the deadlines set forth in Article 4 of the Decision.

4. Provides that the entities and jurisdictions reached by the Decision must report security incidents occurring in their spheres, within 48 hours of becoming aware of their occurrence or potential occurrence and, if any, when there are significant escalations. The security incidents to be reported are those that may have a potential or actual adverse impact on the technological infrastructures, information systems, and the data they manage, especially those that compromise personal or critical data of the agency, entity or jurisdiction, represent a breach of the regulations in force or affect the services related to substantive functions of its competence. Reports must be submitted using the form published on the CERT.ar website: https://www.argentina.gob.ar/jefatura/innovacion-publica/ssetic/direccion-nacional-ciberseguridad/cert-ar/reportar-un-incidente. Likewise, once the incident has been managed, a detailed report shall be sent through the mentioned website, including the estimated impact and the measures adopted during the life cycle of the incident for the remediation and recovery of the services and/or information affected.

5. Informs that the Directorate will periodically report on the website https://www.argentina.gob.ar/jefatura/innovacion-publica/ssetic/direccion-nacional-ciberseguridad, the progress in compliance with the Decision by the agencies, jurisdictions, and entities reached.

Please, do not hesitate to contact us should you require any additional information on this matter.

Sincerely,

Oscar Aguilar Valdez
Juan A. Stupenengo
Florencia Rosati
Emilio Beccar Varela