Draft law on the protection and resilience of critical infrastructures: transposition of Directive (EU) 2022/2557 (CER)

Reports, 14 April 2026
The affected organizations will have to demonstrate their resilience to the authorities and will face severe penalties if they fail to comply.

1. Introduction

The Congress of Deputies has published the Draft Law on the Protection and Resilience of Critical Entities (hereinafter, "LPREC") to transpose Directive (EU) 2022/2557. Once it comes into effect, it will repeal Law 8/2011 and replace the asset-centered approach with a focus on entities.


The law will require critical entities to prepare a risk assessment and a Resilience Plan, subjecting them to validation by the Secretary of State for Security, to demonstrate that they have sufficient capacity to prevent, withstand, and recover from any incident that significantly interrupts the provision of an essential service, regardless of its origin: natural risks, hybrid threats, terrorism, or other adverse threats.


Cybersecurity falls outside the formal scope of this law and is reserved for the transposition of NIS2; in practice, however, both frameworks must be integrated to avoid duplicated obligations and to keep physical resilience and digital security consistent with each other.


2. Does this regulation apply to you?

The regulation applies to entities (public and private) operating in any of the sixteen sectors listed in the Annex:

  • Energy
  • Transport
  • Banking*
  • Financial market infrastructures*
  • Healthcare
  • Water
  • Digital infrastructure*
  • Public administration
  • Space
  • Food production, processing and distribution
  • Nuclear industry
  • Research facilities
  • Chemical industry
  • Private security
  • Waste
  • Insurance*

*These sectors are exempt from key obligations such as the risk assessment and the Resilience Plan (CA 4).


Immediate recommendation:

Companies within the scope should conduct an internal gap analysis now. Formal identification starts a countdown for the organization: nine months to submit the risk assessment and a further six months to submit the Resilience Plan. Entering the identification process without prior preparation could be a very costly mistake.

The key factor is not belonging to the sector, but being identified as a critical entity by the National Commission for the Protection and Resilience of Critical Entities, at the proposal of the Secretary of State for Security. Identification is based on horizontal criteria of criticality: number of people affected by a failure, economic impact, environmental impact, and impact on institutional trust.


The draft law also introduces the concept of a strategic entity: one that manages infrastructures which, although not critical, are relevant to essential services. Its regulatory regime is less burdensome, but inclusion in the (classified) National Catalogue has reputational and inside-information implications that should not be overlooked.


3. The obligations defining compliance


  • Risk assessment

9 months from the notification of identification

As the foundational document for compliance with the LPREC, it must cover natural, human, hybrid, and terrorist threats, including sectoral interdependencies, and is submitted to the Secretary of State for Security (SES) for formal validation. A deficient assessment weakens the entity's position in any subsequent supervisory action. Where the entity already holds assessments prepared under other relevant regulatory obligations, it may rely on them if the SES declares them compliant.


  • Resilience Plan

6 months after the assessment

This is the central instrument of the law: a set of technical, organizational, and security measures proportionate to the identified risk, subject to periodic updates. Its absence or serious inadequacy constitutes a very serious infringement, punishable by a fine of up to €10,000,000 or 2% of total annual turnover.


  • Safety and Resilience Officer with Security Director accreditation

The Safety and Resilience Officer must hold the Ministry of the Interior's accreditation as a Security Director. Obtaining this accreditation can take several months, which makes this requirement the most predictable operational bottleneck for compliance.


  • Incident notification

24 hours for initial notification + 1 month for a detailed report

This requires internal operational procedures from day one. Organizations also subject to NIS2 must notify two different authorities (the CNPREC and the NIS2 competent authority) with different timelines and content requirements, so it is essential to design a unified incident management procedure that satisfies both frameworks.


4. The National Certification Scheme

Article 11 provides for the creation of a National Certification Scheme for the resilience of critical entities, but defers its specific design to subsequent regulatory development, without detailing its structure or its coordination with other existing schemes. This introduces a degree of uncertainty.


At the same time, Articles 6.3 and 8.2 allow entities to reuse existing risk assessments, plans, or other documents drafted under other regulations, provided the Secretary of State for Security declares them fully or partially compliant with the risk assessment and Resilience Plan obligations. In practice, this establishes a functional recognition mechanism for existing management tools that can reduce duplication where a prior certification or management system substantially covers the requirements set out here.


5. Activation of biometrics

The protection of personal data plays a central role in the new resilience regime, especially in measures involving increased identification and control of access to facilities and systems. In this context, processing based on biometric technologies is particularly relevant, as it combines a significant impact on security with a high risk to the rights of the individuals concerned.

  • Critical entities are expressly authorized to use biometric authentication and recognition systems as a security measure, without their widespread use being imposed.
  • The processing of personal data carried out in this context is expressly based on Article 6(1)(c) of the GDPR and, for biometric data, on that provision in conjunction with Article 9(2)(b) and (g) of the GDPR.
  • In all cases, a prior and specific data protection impact assessment (DPIA) is required for these systems; it must justify necessity and proportionality and define adequate mitigation measures.

6. Recommended next steps

For organizations in the sectors listed in the annex:

  • Cross-sectoral gap analysis: determine exposure to NIS2, DORA, the AI Act, and the CRA at the same time.
  • Review the security governance structure: check whether the Safety and Resilience Officer role can be held by the existing CISO/CSO, or whether a Security Director accredited by the Ministry of the Interior must be appointed.
  • Audit contracts with critical suppliers: include clauses on CRA compliance, vulnerability-reporting SLAs, and continuity of support.
  • Prior biometric DPIA: if the organization decides to deploy biometric recognition systems, carry out the data protection impact assessment (DPIA) beforehand.
  • Dual incident management procedure: design a single incident management protocol that simultaneously meets the CER and NIS2 deadlines.


Information note from the Data Protection and Cybersecurity Department of ECIJA Madrid.
