Cybersecurity and Personal data protection

Cybersecurity and Personal data protection


On 9 June 2022, the General Council approved Law 22/2022 on measures for the security of networks and information systems. Andorra’s geopolitical situation, the growing dependence of the economy on national and cross-border information systems and networks, and the potential synergies in the prevention of threats and the challenges posed by cyberincidents have led to the need to adopt the European legislation contained in Directive (EU) 2016/1148 of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union. The law also takes into consideration  the European Commission’s Proposal COM (2020) 823 final on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148.

Subsequently, in October 2022, the Government passed the regulatory implementation of the Cybersecurity Act. In particular, the primary objective of the Regulations of the National Security Plan (ENSAD) and Critical Infrastructure of the Principality (RIC-AD) is to establish standards for and ensure the systematic application of security measures that guarantee appropriate protection of the information processed and the services provided by the various organisations that provide services that are essential or important for the country. Moreover, they regulate the procedures required to improve the resilience of critical organisations, which not only provide an essential service but also use critical infrastructure that cannot be replaced in the event of a malfunction.

Personal data protection (European GDPR regulation)

On 28 October, the General Council approved Law 29/2021 on the protection of personal data (LQPD) with the aim of  adopting the new provisions established in this matter by European Regulation 2016/679 (General Data Protection Regulation, “GDPR”) and Directive (EU) 2016/680.

Subsequently, the Government passed Decree 368/2022 of 14 September 2022, which approved the Regulations of the Andorran Data Protection Agency. It also passed Decree 391/2022 of 28 September 2022, which approved the Implementing Regulations of Law 29/2021 of 28 October on the protection of personal data. In the context of the new challenges posed by unstoppable technological progress and globalisation, the Andorran legislator has updated the country’s data processing regulations, which both individuals and private and government organisations are required to implement when processing data relating to individuals.