The Government approved this Tuesday the Draft Law on the Protection and Resilience of Critical Entities, as Demócrata exclusively reported in advance. The initiative transposes a European directive on the protection of organizations that provide essential services in strategic sectors and are indispensable for maintaining social functions or economic activities. To this end, among other things, the Executive will allow the installation of anti-drone systems and biometric recognition.
The text, to which this medium has had access, includes an additional provision (the eighth) on the installation of anti-drone systems to guarantee the protection of some or all critical facilities. The implementation, characteristics and scope of these systems will be regulated through a royal decree that the Government must approve.
Biometric recognition systems
The Critical Entities Bill opens the door to the use of biometric recognition systems to reinforce security in strategic infrastructures. These technologies may be used to identify people who access certain facilities or move through them, always with the objective of preventing crimes and guaranteeing physical security.
The implementation of these systems will not be automatic. The regulation establishes that their conditions and characteristics must be developed, as in the case of anti-drone systems, by means of a royal decree. Furthermore, their use must be justified based on the National Threat and Risk Assessment, which will allow adapting the measures to the criticality of each installation.
According to the text, biometric recognition will have a strictly limited purpose: to verify a person's identity in order to allow their access to or transit through sensitive areas. In no case may it be used for employment purposes, such as timekeeping or the supervision of workers' activity, a restriction intended to limit its use and prevent possible abuses.
The system must comply with the principles of privacy by design and data minimization, so that the technology used is adjusted to the specific needs of each entity. Before its implementation, a data protection impact assessment will be mandatory, in line with European regulations.
Likewise, the law will require these systems to incorporate mechanisms that allow the identity of the person to be unlinked from their biometric template and that prevent its reuse for other purposes. With this, the Executive tries to balance the reinforcement of security in critical infrastructures with the guarantees regarding fundamental rights and data protection.
Where can they be installed?
A critical entity is any organization—public or private—that provides an essential service for the functioning of society or the economy. Its relevance does not depend so much on its size as on the impact that an interruption of its activity would have.
The new regulation also introduces the concept of “significant disruptive effect”, which allows measuring to what extent a service outage could affect security, public health, or economic stability. It is that potential impact that determines whether an infrastructure or entity should be considered critical.
In practice, this includes everything from energy operators to hospitals, transport networks, water supply systems, or facilities linked to the food chain.
The scope of the law is broad and covers the main strategic sectors. These include:
- Energy.
- Transport.
- Health.
- Banking sector.
- Financial markets.
- Water.
- Digital infrastructures.
- Public administration.
- Food.
- Nuclear industry.
- Research infrastructures.
- Private security.
These are activities whose interruption not only affects specific users but can also generate cascading effects across the entire economic and social system.
Some sectors such as banking, financial markets or digital infrastructures are left out of the new bill because they already have specific regulatory frameworks, especially in the field of cybersecurity.
The importance of critical entities has gained prominence in recent years as a result of a chain of crises. The pandemic, the war in Ukraine and geopolitical tensions have highlighted the vulnerability of supply chains and essential services.
A failure in any link of one of these infrastructures can translate into blackouts, transport interruptions, health problems or shortages. The priority of administrations is therefore to guarantee not only their physical protection, but also their ability to resist, adapt to and recover from incidents.