This Tuesday the Government has approved the Bill on the Protection and Resilience of Critical Entities, as Demócrata exclusively reported. The initiative transposes the European Directive 2022/2557 on the safeguarding of those organizations that provide essential services in strategic sectors and are indispensable for maintaining social functions or economic activities. What are the so-called critical entities, why are they so important at a strategic level for a country, which sectors does it affect and how would this new regulation impact?
What is a critical entity
A critical entity is any organization—public or private—that provides an essential service for the functioning of society or the economy. Its relevance does not depend so much on its size as on the impact that an interruption of its activity would have.
The new regulation also introduces the concept of “significant disruptive effect”, which allows measuring to what extent a service outage could affect security, public health, or economic stability. It is this potential impact that determines whether an infrastructure or entity should be considered critical.
In practice, this includes from energy operators to hospitals, transport networks, water supply systems or facilities linked to the food chain.
Affected sectors
The scope of the law is broad and covers the main strategic sectors. These include:
- Energy.
- Transport.
- Healthcare.
- Banking sector.
- Financial markets.
- Water.
- Digital infrastructures
- Public administration.
- Food.
- Nuclear industry.
- Research infrastructures.
- Private security.
It concerns activities whose interruption not only affects specific users, but can generate cascade effects on the whole of the economic and social system.
Some sectors such as banking, financial markets or digital infrastructures are left out of the new bill because they already have specific regulatory frameworks, especially in the field of cybersecurity.
Why are they so important
The importance of critical entities has gained prominence in recent years as a result of chained crises. The pandemic, the war in Ukraine or geopolitical tensions have highlighted the vulnerability of supply chains and essential services.
A failure in some link of one of these infrastructures can result in blackouts, transport interruptions, health problems or shortages. Therefore, the priority of administrations is to guarantee not only their physical protection, but also their capacity to resist, adapt and recover in the face of incidents.
This approach, known as resilience, is precisely the central axis of the new law.
What changes with the new law
The draft bill approved by the Government adapts Spanish regulations to the European directive on the resilience of critical entities and establishes a more structured model based on prevention and risk management.
One of the pillars will be the National Protection and Resilience Strategy, which will be supported by a periodic assessment of threats and risks. From there, national, sectoral, and operational plans will be coordinated, in which both administrations and the companies themselves will participate.
The entities, for their part, will be obliged to:
- Develop their own resilience plans
- Assess their risks individually
- Report relevant incidents
- Appoint security and resilience officers
- Strengthen access controls and personnel verification
The great novelty: a certification system
The most novel element of the law is the creation of a national resilience certification scheme, a mechanism that until now did not exist in this field.
This system will allow for standardized evaluation of whether the measures adopted by entities meet certain levels of quality, security, and regulatory compliance. In practice, it will function as a seal that will certify that an organization is prepared to face risks and guarantee the continuity of its services.
The objective is twofold: on the one hand, to homogenize standards across all sectors; on the other, to facilitate supervision by the authorities and improve confidence in the system's ability to withstand crises.
A new map of critical infrastructures
The law also provides for the creation of a National Catalogue of Critical and Strategic Entities, which will gather information about these infrastructures under confidentiality criteria. This instrument will allow authorities to have a more complete vision of the system and prioritize actions based on risk.
In parallel, the current National Centre for the Protection of Critical Infrastructures will evolve towards a new body with strengthened competencies in resilience and international cooperation.
More control in a context of uncertainty
The impetus for this law responds to a context marked by geopolitical instability, the increase in hybrid threats, and the growing interdependence between sectors.
In this scenario, the Government is betting on a model that combines regulation, supervision, and public-private collaboration to protect essential services. The key will lie in how these measures are implemented and in the capacity of companies to adapt to a more demanding framework.
With the new regulation, critical entities go from being infrastructures to protect to becoming actors obliged to demonstrate their resilience, in an environment where the continuity of service is already a matter of national security.