Spain is progressing with the implementation of the CER Directive (EU) 2022/2557 through the proposed Law on the Protection and Resilience of Critical Entities (the “Bill”), recently published by Parliament.
The Bill represents more than a formal transposition exercise. It introduces a material shift in the Spanish framework, moving away from a model focused on protecting individual infrastructures towards a broader, entity-based approach centred on the resilience of organisations providing essential services.
A move towards a resilience-based framework
The underlying objective of the Bill is to ensure that essential services can continue to operate in the face of disruption. To that end, designated entities will be required to demonstrate that they are capable of preventing, withstanding and recovering from incidents, regardless of their origin. This includes natural hazards, hybrid threats, terrorism and other hostile scenarios.
Cybersecurity: outside scope, but not out of mind
The treatment of cybersecurity is likely to attract particular attention.
The Bill does not regulate cybersecurity obligations as such. Instead, these will be addressed separately through the future Spanish implementation of the NIS2 Directive (EU) 2022/2555, and the Bill expressly excludes matters falling within that regime from its scope.
This distinction, however, is primarily formal. In practice, the resilience of critical entities depends on both physical and digital security. The Bill itself acknowledges this by emphasising the need for coordination between the relevant authorities and regulatory frameworks, particularly in relation to risk assessment, incident reporting and supervisory activities.
Scope and designation
The Bill applies to entities operating in a broad range of sectors considered essential to the functioning of society and the economy, including energy, transport, healthcare, water, food supply, chemicals and digital infrastructure.
However, regulatory obligations are not triggered simply by sector, but by formal designation as a “critical entity” by the competent authority. This designation is based on the potential impact of a disruption, assessed against criteria such as the number of people affected, economic and environmental consequences, and the impact on public confidence.
The Bill also introduces the concept of “strategic entities”, covering organisations that manage infrastructure which, while not critical, is nonetheless relevant to the provision of essential services. Although subject to a lighter regime, inclusion in the national catalogue – classified in nature – may still have legal and reputational implications.
Core obligations
Once designated, entities will be subject to a structured compliance framework built around two central obligations.
The first is the preparation of a risk assessment, to be completed within nine months of designation. This assessment must take a comprehensive view of risks, including cross-sector and cross-border interdependencies, and must be submitted to the Secretary of State for Security for validation. Existing assessments prepared under other regulatory frameworks may be relied upon, provided they are deemed compliant.
The second is the adoption of a Resilience Plan within six months following the risk assessment. This plan is expected to set out appropriate technical and organisational measures, including physical protection, access controls, crisis management procedures and business continuity arrangements. It will constitute the primary reference point for demonstrating compliance with the Bill.
In addition, entities must appoint a Security and Resilience Officer, holding official accreditation as a Director of Security, and implement procedures to notify significant incidents within 24 hours, followed by a detailed report within one month.
Supervision and sanctions
The Bill establishes a comprehensive supervisory framework, with the Secretary of State for Security acting as the competent authority responsible for oversight, validation and enforcement.
From a practical perspective, enforcement risk is likely to concentrate on the substance of compliance rather than formalities. In particular, failures relating to core obligations – such as not adopting a resilience plan or doing so in a materially deficient manner – are expected to attract the highest level of scrutiny.
These may result in fines ranging from €1,000,000 to €10,000,000, or up to 2% of the undertaking’s total worldwide annual turnover, whichever is higher. This level of potential exposure reflects a broader EU trend towards turnover-based penalties and underscores the importance of treating resilience as a matter of strategic governance.
Certification and interaction with existing frameworks
The Bill provides for the future creation of a National Certification Scheme for resilience, although its detailed design will be addressed through secondary legislation.
In parallel, it adopts a pragmatic approach by allowing entities to rely on existing risk assessments, plans or compliance frameworks developed under other regulatory regimes. Where these are considered equivalent, they may be recognised – fully or in part – as satisfying the requirements of the Bill.
Biometrics and data protection
The Bill also addresses the use of biometric technologies as part of security measures.
It establishes a legal basis for their use in authentication and access control, while making clear that such processing must comply with the General Data Protection Regulation. In particular, organisations will be required to carry out a prior data protection impact assessment, demonstrating necessity, proportionality and the implementation of appropriate safeguards.
Conclusion
The Bill represents a significant development in Spain’s legal framework for the protection of essential services. By focusing on the resilience of entities rather than individual assets, it introduces a more holistic and risk-based approach.
While certain elements remain to be clarified through secondary legislation, the direction of travel is clear. The framework is designed not only to strengthen resilience, but also to ensure a higher degree of consistency across the European Union, particularly when read alongside parallel regimes such as NIS2.