
Critical entities: enhanced protection and resilience
In 2011, most people learned that Spain was facing a new challenge: protecting certain infrastructures that are essential to our daily lives, the critical infrastructures. On 28 April of that year a law was published, which we would all come to know as the PIC, setting out what had to be established for certain types of entities at specific facilities. A body created in 2007 would determine what was or was not critical infrastructure. What was peculiar at the time was that this was preceded by Council Directive 2008/114. Although this now seems quite normal, it was not so common more than a decade ago.
Years later, with the logical evolution of attacks and risks, the European Union decided to take a fresh look at critical infrastructures. With regulatory processes such as DORA, NIS2 or the CRA, to give some examples, it could not be that entities key to Europe were left without harmonised security requirements, albeit with the particularities of the physical characteristics of these environments. Thus, in 2022, Directive 2022/2557 on the resilience of critical entities gave the starting signal so that, from January 2023, the member states could transpose it.
This sounds like NIS2 in many ways, doesn't it? The preliminary draft law for this transposition has recently been made public. It really runs parallel to NIS2, as both standards are needed to speak in a harmonised way about a scale of criticality for entities. Led by the Ministry of the Interior, the draft places a strong emphasis on risk-oriented assessment. This already existed in the law still in force, but perhaps not in such a pronounced way. Here again we see the need for harmonisation with the set of directives that have come out of the European Union in recent years, where risk orientation is a maxim.
There are peculiarities in establishing who is or is not subject to this law, just as with NIS2. If a sector is already regulated by another law, the future law will not apply to it, even if it is currently covered by the Critical Infrastructure Law. This is the case for the banking sector, where the sector-specific DORA regulation means that banks are not required to apply two harmonised laws concurrently. We have already discussed, in the context of NIS2, the concept of a special or specific law prevailing over the general law. The same is true here.
The draft bill also changes the Ministry of the Interior body currently in charge of promoting, coordinating and supervising all the activities entrusted to the Secretary of State for Security in relation to the protection of critical infrastructures on national territory: the CNPIC. It will be renamed CNPREC, the National Centre for the Protection and Resilience of Critical Entities, and will be the single point of contact for critical entities, with the exception of public entities, which, being dependent on a Public Administration, may use it as their communication authority. This body will develop the National Critical Entity Protection and Resilience Plan.
That word, resilience, may seem not to change anything, but it does change some things. One important change is that it is no longer only about recovering from an impact, but about learning to come out stronger, anticipating where feasible and also communicating. Another aspect that may be overlooked at first, but which has a very significant impact, is that we are no longer talking about Critical Infrastructures but about Critical Entities. This is a change of scope, extending the application of the standard to a much broader concept than the previous focus on specific installations of an entity.
It will also define the National Certification Scheme for critical entity resilience and the standardisation rules. This Scheme will replace the documents, processes and governance that entities designated as critical infrastructure have so far developed through Operator Security Plans (OSPs) and Specific Protection Plans (SPPs). Although the Scheme is not yet known, it is easy to deduce that it will probably be aligned with other existing standards that many private and public entities already apply.
The similarities with NIS2 are more than obvious, but there are some issues specific to this law, owing to the sensitivity of this type of infrastructure:
- Consideration of physical hazards, including both meteorological and natural disaster risks.
- The possibility of requesting vetting of a person's suitability, based on their personal background, to operate in a critical entity.
- Treating hybrid risks as likely, that is, risks arising from a physical and a logical attack carried out in a linked way.
Thus, with this future law we will have established the requirements, regulation and communication obligations for Critical Entities and, with the also forthcoming approval of the NIS2 transposition, for essential and important entities. All harmonised and regulated. With the supply chain also in focus, it seems that no company in the whole of Europe will remain unaffected by these standards.