General guidelines to strengthen the governance of digital security, the identification of critical cybernetic infrastructures and essential services, risk management, and response to digital security incidents
The National Government issued Decree 338 of March 8, 2022, which added a new title to Decree 1078 of 2015 (the Decree of the ICT sector) to strengthen digital security governance, the identification of critical cybernetic infrastructures and essential services, risk management, and response to digital security incidents.
Decree 338 of 2022 partially regulates article 64 of Law 1437 of 2011, which refers to the standards and protocols that public entities must comply with when using electronic media in administrative procedures, and articles 147 and 148 of Law 1955 of 2019, on digital transformation and the digital government policy with regard to cybersecurity.
To whom does Decree 338 of 2022 apply?
- Entities of the Public Administration under the terms of article 39 of Law 489 of 1998, and individuals who perform public or administrative functions.
- Entities of the legislative and judicial branches, control bodies, and independent entities, with due regard for their autonomy from the administration.
Private legal entities that provide services for managing critical cybernetic infrastructures or that provide essential services may apply the provisions of this decree insofar as they are not contrary to their nature or to the requirements that regulate their activity or service.
What is the scope of Decree 338 of 2022?
This regulation establishes that the governance of digital security will be based on the general principles of the administrative function, ICT, the administrative procedure, the processing of personal data, and the Digital Government policy. It also introduces the following specific principles:
- Trust
- Coordination
- Multi-stakeholder collaboration
- Cooperation
- Approach based on risk management
- Free of charge
- Inclusion
- Proportionality
- Safeguarding the human rights and fundamental values of citizens
- Efficient use of infrastructure and resources to protect critical cyber infrastructure and essential services
The regulation establishes a digital security governance model, whose guidelines and standards will be defined by the ICT Ministry to strengthen digital security and the protection of networks, critical infrastructures, essential services, and information systems in cyberspace. The National Digital Security Coordination, the National Digital Security Committee, the Digital Security Working Groups, the Digital Security Worktables, and the Unified Digital Security Command Posts will implement the model according to the functions established in the decree.
Regarding critical cybernetic infrastructures and essential services, the ICT Ministry will draw up the inventory of critical public cybernetic infrastructures and essential services in cyberspace, which will be updated every two years. The methodology for determining which infrastructures are critical cybernetic infrastructures and which services are essential will be defined within 12 months. In addition, the authorities that own critical infrastructure and essential services will have a series of obligations under the regulation.
Finally, the regulation indicates that the ICT Ministry will establish the variables used to define a significant impact on critical infrastructure. A national model for incident handling and management is established and will be executed by the Cybernetic Emergency Response Team of Colombia (COLCERT), the Digital Security Incident Response Team for government sector entities (GOVERNMENT CSIRT), and the Cyber Security Incident Response Team for sectors defined as critical or as essential service providers (CSIRT SECTORIAL), under the terms of the decree.
Author: Camilo Millán | [email protected] | TMT