Radar
Time change
Rentals
Donald Trump
Rentals
Elections Castilla y León
Renewable projects
Economic measures
AEMET
Isabel Díaz Ayuso
Gasoline price
Ursula Von der Leyen
Missing
Farmers
Ballistic missiles
Feijóo
Alberto nadal
Juanma Moreno
European Commission
Indra
Sectors Health Defense Digital & AI Agriculture & Food Textile Economy Industry and sustainability Energy Housing
International

The war in Iran forces Spain to shield two pending flanks: cybersecurity and critical entities

The Government has taken two important steps this week to strengthen its defense capabilities, although its implementation is still far off

5 minutes

EuropaPress 7161350 presidente gobierno pedro sanchez antes recibir presidente estado palestina

EuropaPress 7161350 presidente gobierno pedro sanchez antes recibir presidente estado palestina

Share

Comment

Published

5 minutes

Most read

The military escalation in Iran has exposed two sensitive seams of Spain: the protection of critical entities and cybersecurity. In the midst of war, the Government has been forced to take steps to shield both flanks, as it had pending tasks and, now, urgency presses in the face of potential foreign interferences.

Last Tuesday the Council of Ministers approved the Draft Law on the Protection and Resilience of Critical Entities, as Demócrata exclusively reported. The initiative transposes European Directive 2022/2557 on the safeguarding of those organizations that provide essential services in strategic sectors and are indispensable for maintaining social functions or economic activities, which it had pending.

What is a critical entity and why it must be protected

A critical entity is any organization—public or private—that provides an essential service for the functioning of society or the economy. Its relevance does not depend so much on its size as on the impact that an interruption of its activity would have.

The new regulation also introduces the concept of “significant disruptive effect”, which allows measuring to what extent a service outage could affect security, public health, or economic stability. It is this potential impact that determines whether an infrastructure or entity should be considered critical.

In practice, this includes everything from energy operators to hospitals, transport networks, water supply systems, or facilities linked to the food chain. These are activities whose interruption not only affects specific users, but can generate cascade effects on the entire economic and social system.

It is a matter of national security, which affects the following sectors:

  • Energy.
  • Transport.
  • Healthcare.
  • Banking sector.
  • Financial markets.
  • Water.
  • Digital infrastructures
  • Public administration.
  • Food.
  • Nuclear industry.
  • Research infrastructures.
  • Private security.

Some sectors such as banking, financial markets or digital infrastructures are left out of the new bill because they already have specific regulatory frameworks, especially in the field of cybersecurity.

The importance of critical entities has gained prominence in recent years as a result of chained crises. The pandemic, the war in Ukraine or geopolitical tensions have highlighted the vulnerability of supply chains and essential services.

A failure in some link of one of these infrastructures can translate into blackouts, transport interruptions, health problems or shortages. Therefore, the priority of administrations is to guarantee not only their physical protection, but also their capacity to resist, adapt and recover in the face of incidents.

What changes and when?

The Critical Entities Bill adapts Spanish regulations to establish a more structured model, based on prevention and risk management. One of its main pillars will be the National Strategy for Protection and Resilience, which will be supported by a periodic evaluation of threats and risks. From there, national, sectoral, and operational plans will be coordinated, in which both administrations and the companies themselves will participate.

As a major novelty, a national resilience certification scheme, a mechanism that until now did not exist in this field and that would allow for a standardized evaluation of whether the measures adopted by entities meet certain levels of quality, security, and regulatory compliance. In practice, it will function as a seal that will certify that an organization is prepared to face risks and guarantee the continuity of its services.

However, all the aforementioned is by no means of immediate application. The bill has been sent to Congress and must overcome the always arduous parliamentary process, especially in a context of lack of majorities of an Executive that struggles to pass any law -and many of them fall by the wayside, either because they remain blocked due to successive extensions of the amendment period, or because they lapse-.

Anti-drone systems and biometrics, further away

The text of the bill, to which Demócrata has had access, allows the installation of anti-drone systems and of biometric recognition. However, its implementation will have to wait even longer. The wording establishes that it will be regulated by two royal decrees that the Council of Ministers must approve in the future. Furthermore, its use must be justified based on the National Threat and Risk Assessment, which will allow adapting the measures to the criticality of each installation.

EuropaPress 7373900 ministro interior fernando grande marlaska rueda prensa posterior consejo

Featured story

Exclusive

The Government reinforces the protection of Spain's critical infrastructures with anti-drone systems and biometrics

3 minutes

Cybersecurity, a pending subject

The President of the Government, Pedro Sánchez, is perfectly aware of the need to invest in cybersecurity, not in vain, in the package he announced almost a year ago (in April 2025) to raise defense spending to 2% of GDP, he specified that 31% of the 10,471 million euros invested would be dedicated to developing, manufacturing, and acquiring new telecommunications and cybersecurity capabilities.

The purpose was to create a kind of "digital shield" to guarantee the protection of rights in this area against hackers, stimulating the cloud, 5G, Artificial Intelligence and quantum computing.

But as vital it is to invest to strengthen the digital shield as it is to have updated legislation, and Spain is completely outdated. It's been more than a year since the Preliminary Draft Law on Cybersecurity Coordination and Governance passed through the Council of Ministers in its first reading (specifically, January 14, 2025). This is the initiative through which the Executive intends to transpose Directive (EU) 2022/2555, commonly known as NIS2 Directive, which should have already been integrated into the Spanish legal system before October 2024.

The initiative affects the sectors considered of high criticality for the normal functioning of the country, coinciding with a good part of the critical entities:

  • Energy (electricity, gas, oil, hydrogen).
  • Transport (air, rail, maritime, roads).
  • Banking and financial markets
  • Healthcare and pharmaceutical products.
  • Drinking water and wastewater.
  • Digital infrastructure and technology services (e.g., data centers or DNS services).
  • Public administration entities and space sector.
  • Nuclear industry.

The delay in the transposition of the directive is due to the fact that Europe is preparing a new Cybersecurity package (the one unveiled on January 20), and both this initiative and the Digital Omnibus on AI and Data Centers anticipate new modifications to NIS2 and Spain is waiting to transpose everything in the same article, that of Cybersecurity.

Two small big steps

This week Spain has taken two small, but big steps, to modernize its entire defense structure. Firstly, the bill was approved by the Council of Ministers and sent to the Cortes for processing. And secondly, has opened the Public Consultation on the Digital Omnibus proposal, specifically, regarding data centers.