The Government plans to approve, in second reading, the Draft Law on the Protection and Resilience of Critical Entities, an initiative that transposes the European Directive 2022/2557 on the safeguarding of those organizations that provide essential services in strategic sectors and are indispensable for maintaining social functions or economic activities. The text, to which Demócrata has had exclusive access, proposes as a novelty the creation of a national certification scheme in terms of resilience of critical entities.
As this newspaper has learned, and just as was advanced in the Democratic Agenda, the draft bill has already passed through the General Commission of Secretaries of State and Undersecretaries (CGEYS), so it is ready to receive approval in the Council of Ministers. Presumably, this Tuesday (next week, at most).
Routinely, Pedro Sánchez's Government practices what is known as gold plating, that is, going beyond what the European Directive proposes as such. Thus, as a novelty, the text establishes the creation of a national certification scheme regarding the resilience of critical entities.
In the Executive's judgment, “this will allow entities to guarantee that their measures adapt to a certification scheme that analyzes the global aspects of their operations, standardizing and showing the levels of quality, security, and compliance”, according to the text accessed by Demócrata.
An objective articulated through a Strategy
The purpose of the standard is to strengthen and guarantee the entities or organizations that operate critical infrastructures in strategic sectors such as energy, transport, healthcare, water, public administration, the production, processing and distribution of food, the nuclear industry, research facilities, or private security, among others.
The purpose of the standard is to strengthen and guarantee the entities or organizations that operate critical infrastructures in strategic sectors
A series of concrete measures is established, in line, to guarantee the essential services they provide. For this purpose, a new planning framework will be articulated that would pivot around the National Strategy for the Protection and Resilience of Critical Entities (developed by the Secretary of State for Security and approved by the National Security Council) and the National Threat and Risk Assessment developed and approved by the aforementioned Secretary of State for Security.
Individual analyses and access controls
Another of the measures with which it is intended to enhance the resilience of critical entities consists of carrying out an individualized risk assessment by them, detailing singular actions that they would implement to mitigate incidents.
In the same way, a system of identity verification of the persons who perform certain duties or must access depending on which facilities, information, or control systems of the entities themselves would be established.
The text incorporates the concept of “significant disruptive effect”, which will allow determining when the interruption of a service can generate relevant impacts on society or the economy. In this regard, the particularities of entities belonging to the banking sector, financial market infrastructures, and digital infrastructures will also be regulated.
The advice to entities also stands as one of the cornerstones of the protection and resilience system.
Finally, the law creates a National Catalog of Critical and Strategic Entities, which integrates information related to critical infrastructures preserving their classified nature; and nine additional provisions, among which stands out the one related to Reports and checks for accreditations and background, intended to enable the carrying out of necessary checks in relation to the prevention of criminal offenses and serious threats against public security in critical facilities and entities, among other areas, issuing accreditations or suitability reports.
Other measures, supervisors and exemptions
The entities must ensure the suitability of the persons who provide their services and will have to designate a security officer as a contact with the competent authorities.
The Secretary of State for Security will be the competent national authority in the application of the aforementioned measures; and the National Commission for the Protection and Resilience of Critical Entities is created as a collegiate body attached to the Secretary of State for Security for the approval of sectoral strategic plans and collaboration in the identification of critical entities, and the Interdepartmental Working Group for the Protection and Resilience of Critical Entities.
The draft bill, if successful, would be applicable to critical entities located in the national territory, except those belonging to the banking, financial markets, and digital infrastructure sectors, which may be considered critical, but are excluded as they are regulated by their specific regulations.
Nor will it apply to entities dependent on the Ministry of Defense, to the State Security Forces and Corps, nor to the police forces of the autonomous communities with recognized and assumed statutory powers for the protection of people and property and for the maintenance of public order, which will be governed by their own regulations.