Interior presents a law that extreme control over critical infrastructure workers | Spain

The Ministry of Interior will take on Tuesday the first step to reinforce the security of the so -called critical entities before any type of “natural or human” threat, from sabotages and terrorist attacks to those caused by natural catastrophes and serious technical incidents, such as The great blackout of April 28 that affected the entire Iberian Peninsula. To do this, its headline, Fernando Grande-Marlaska, will present in the Council of Ministers the Draft of the Law of Protection and Resilience of Critical Entities, with which it seeks to increase the current protection that these already have essential infrastructure For the normal functioning of citizen activity – among those found, for example, energy plants, airports, hospitals and water supply systems – as well as its ability to overcome any incident that puts its operation at risk.

Among the measures contemplated, it includes the possibility that, « in duly motivated cases », a critical private entity of a private nature can request the verification of the background of their workers who « perform sensitive tasks » or have « direct or remote access to their facilities, information or control systems. » This consultation must be approved by the Secretary of State for Security and « will be provided and will be strictly limited to what is necessary, with the sole purpose of evaluating a possible risk to the security of the critical entity in question. »

The text, to which the country has had access, details that the consultation will include “corroborating the identity of the person object of the verification”, “check in the National Registry or in the European Criminal Background Information System the criminal records the eventual record of crimes directly related to the functions of the specific position” and review “the intelligence information and of any other type available to the competent national authorities”. The document details that these measures of “accreditations or suitability reports” are collected in the 2022 European Union Directive that interior transposes with this law.

The draft collects in its exposition of reasons that the objective of the new norm is to modernize the legal framework currently in order to respond to increasingly complex threats, including calls hybrids (Actions that seek to unbalance the security conditions of a State without exceeding the threshold of conventional armed aggression). For this, the Interior proposal raises the need for critical entities themselves to evaluate the risks they face and, in the following six months, develop a resilience plan that includes prevention, response and recovery measures before them in order to guarantee the continuity of the provision of essential services for society and the economy.

This resilience – that entities must refer to the Secretary of State for Validation – will have to detail « the technical, organizational and security measures » to, for example, « to avoid incidents, especially valuing measures to reduce the risk of catastrophes and adaptation to climate change. » It must also « guarantee adequate physical protection of its facilities and critical infrastructure » with special attention to « fences, barriers, tools and perimeter surveillance routines, detection equipment and access controls, among others. » The Security Forces will also prepare “operational support plans” of each of the critical infrastructure that contemplate “surveillance, prevention or reaction measures complementary to those provided by the critical entity”.

Interior also wants public and private entities in these resilience plans to collect the measures to be able to “respond and resist the consequences of the incidents and mitigate them” and, in addition, “recover from incidents, especially attending to continuity measures of activities and the identification of alternative supply chains, in order to resume the provision of the essential service”. Critical entities must designate « a person, unity or organ as head of security and resilience », which in addition to being responsible for compliance with response plans, will be the point of contact with the authorities. This person must have an authorization as Security Director issued by Interior.

The text states that the Secretary of State for Security remains the competent body of coordinating all actors, both public and private. It will, as until now, through the National Center for Critical Infrastructure Protection (CNPIC), which will be renamed once the law is approved with the name of the National Center for the Protection and Resilience of Critical Entities (CNPREC). This agency will be responsible for preparing the plan that « will allow to direct and coordinate the precise actions to strengthen the safety of critical entities and their infrastructure, with the aim of guaranteeing the provision of essential services. »

The project is, in reality, the transposition of a European directive approved in December 2022 that sought precisely involving public and private entities related to the critical installations of the entire European Union (EU) to make risk assessments, adopt measures and promised to notify the governments of any significant incident that could endanger the services they provide.

The directive already put the focus on the risk derived from natural catastrophes and climate change, which stressed that it had intensified the frequency and magnitude of extreme meteorological phenomena that threaten “the capacity, efficiency and useful life of certain types of entities and infrastructure if there are no adaptation measures to said phenomenon,” as it now recalls interior.