Legislative delays and 'ghost' entities: why crises catch Spain with its homework undone

The President of the Government, Pedro Sánchez, has made resilience a virtue. During his terms at the helm of Moncloa, he has faced a global pandemic, a volcanic eruption, and several wars that have altered the geopolitical landscape, among other issues. "We are focused on the urgent, but without losing sight of the important," he has stated on numerous occasions. However, the truth is that several of the crises have caught Spain with its homework undone.

Some catastrophes or episodes cannot be foreseen, but they could have been managed with more - and better - tools. The war in Iran surprised Spain with the Cybersecurity Law outdated and without a Critical Entities Law; the accidents in Adamuz and Gelida could not be investigated by the Authority created ex profeso for this type of event due to lack of statutes; and now, the State Public Health Agency would have helped in the management of hantavirus.

All these cases have a common denominator: that Spain arrives late. It is not that the event occurs and, afterwards, legislation is enacted accordingly, it is that the Government should have articulated all these reforms before and accumulates delays. In fact, the lack of majorities in Congress threatens to block some of them.

Some catastrophes or episodes cannot be foreseen, but they could have been managed with more - and better - tools

The war in Iran and the rush for security

The geopolitical tensions of recent years and technological evolution have elevated the reinforcement of countries' cybersecurity to an urgent category. The risk of foreign interference and the threat of hybrid conflicts compel states to strengthen this flank, especially with an open war in Iran and with the United States in a full rhetorical standoff against the Government of Spain for not supporting its offensive.

Sánchez is perfectly aware of this threat, not in vain, in the package he announced almost a year ago (in April 2025) to raise defense spending to 2% of GDP, he specified that 31% of the 10,471 million euros invested would be dedicated to developing, manufacturing, and acquiring new telecommunications and cybersecurity capabilities.

The purpose was to create a sort of  “digital shield” to guarantee the protection of rights in this area against hackers, stimulating the cloud, 5G, Artificial Intelligence, and quantum computing.

As fundamental as investing is, so is keeping legislation updated and adapted to rapid technological evolution, providing institutions with effective tools to prevent, detect, and respond to these threats; and this is a pending task for Spain since the war in Iran caught it with the obsolete cybersecurity law with respect to the European framework.

Already in January 2024, the then Minister of Digital Transformation and Public Function, José Luis Escrivá (current governor of the Bank of Spain), promised before the Commission of his branch in the Congress of Deputies a new cybersecurity law that would serve as a regulatory umbrella and give institutional backing to the interventions already carried out by the Ministry of the Interior, the Ministry of Defence, and the National Cryptologic Centre. It never arrived. And not only did it not arrive, but the Government is also significantly behind in regulatory matters in this area.

More than a year ago the Preliminary Draft Law on Cybersecurity Coordination and Governance passed the Council of Ministers in its first reading (specifically, on January 14, 2025). This is the initiative through which the Executive intends to transpose Directive (EU) 2022/2555, commonly known as the NIS2 Directive, which should have already been integrated into the Spanish legal system before October 2024.

The delay exposes Spain to a possible sanction by the Court of Justice of the European Union (CJEU), but the most egregious thing is that it puts the obligated subjects of the rule at risk by not having a specific and defined legislative framework, generating legal uncertainty.

The delay may be due to Europe preparing a new Cybersecurity package (the one unveiled on January 20), and both this initiative and the Digital Omnibus on AI anticipate new modifications to NIS2, and Spain awaits to transpose everything in the same article, the Cybersecurity one.

The shielding of critical entities

On Tuesday, March 17, several weeks after the start of the war in Iran, the Council of Ministers approved the Bill for the Protection and Resilience of Critical Entities, an initiative that transposes a European directive that was approved in 2022.

The purpose of the standard is to strengthen and guarantee the entities or organizations that exploit critical infrastructures in strategic sectors such as energy, transport, health, water, public administration, food production, processing and distribution, the nuclear industry, research facilities, or private security, among others.

The rule has reached Congress four years later and its landing in the BOE is not guaranteed due to the lack of majorities, which keeps not a few laws blocked.

Railroad accidents

The Railway Accidents Investigation Commission (CIAF) assumed the investigation of the Adamuz and Gelida accident, although it should not have. In August 2024, the BOE published the Law creating the Independent Administrative Authority for the Technical Investigation of Railway, Maritime and Civil Aviation Accidents and Incidents; however, despite a year and a half having passed, the entity was operational because its statute had not been approved in due time and form.

The Executive's idea, urged by the European Railway Agency, was to articulate a new authority that would bring together the investigations of different accidents. The law was approved and published in the BOE (Official State Gazette) on August 2, 2024.

The text stipulated in its Sixth Final Provision that the Government had one year to approve its organic Statute by royal decree. It was not met. The statute is still being processed. The Public Hearing process for the draft ended nine months ago, specifically, on April 1, 2025.

It is not frequent that deadlines expire for approving the statutes that govern the operation of recently created bodies, but it is not an isolated case either. It already happened with the Independent Authority for the Protection of Whistleblowers (AIPI).

Hantavirus Health Management

This scenario reveals a fracture in the Government's regulation: laws are approved to create bodies, but their operation is delayed by delays in the approval of their statutes, resulting in ghost entities. In fact, in information published by Demócrata at the end of January, it was suggested that the State Health Agency was going the same way.

At the end of July 2025, the Law creating the State Public Health Agency and amending the General Public Health Law landed in the BOE. The norm creates as such the State Public Health Agency, a body whose purpose is to strengthen the State's capabilities to improve the population's health, health equity, and well-being, and to protect the population against health risks and threats. It would have been an excellent instrument to manage hantavirus; however, it is not operational.

The article establishes that the Government had six months from the entry into force of the law to approve the Agency's Statute by Royal Decree. The proposal must come from the ministries of Health, Finance, and Digital Transformation and Public Function and include the bodies, centers, and services of the General State Administration that will be integrated into it; as well as specify the incorporation of its Governing Council of representatives from the autonomous communities at the proposal of the Interterritorial Council of the National Health System. And as it could not be otherwise, it must determine the organizational structure and its governing and executive bodies. The deadline expired on January 30.

The location of the headquarters, which was planned for February, but the decision was postponed to August 18, is currently being evaluated. Eight cities have officially applied to host it: Toledo, Granada, Zaragoza, Murcia, Barcelona, León, Oviedo, and Lugo. The Ministry of Health will issue a report, then the Consultative Commission will prepare and issue an opinion, and finally, the proposal will be submitted to the Council of Ministers.

Debugging responsibilities

No government chooses the crises it faces. Neither pandemics, nor train accidents, nor international conflicts depend on the will of whoever occupies La Moncloa. But it is the Executive's responsibility that, when they arrive, the State has the necessary tools to respond. Regulatory anticipation, updating laws, and the effective implementation of authorities are not a luxury, but an obligation.