Critical infrastructures (CI) are vital components for a country’s functionality and citizen welfare. According to Spain’s National Plan for the Protection of Critical Infrastructures (PNPIC), these include facilities, networks, services, and IT systems whose disruption would significantly impact public health, safety, economic stability, or the proper operation of public institutions. This aligns with EU Directive 2008/114/EC, which emphasises the need to identify and protect European critical infrastructure.
Key sectors classified as critical
Spain recognises the following as critical sectors:
- Public administration and government
- Space infrastructure (satellites and control centres)
- Chemical and nuclear industries
- Water supply and treatment
- Energy production and distribution
- Information and communication technologies (ICT)
- Healthcare
- Transport (airports, ports, rail, public networks)
- Agriculture and food
- Finance and taxation
- Security and defence
Although digitisation has brought major efficiencies to these sectors, it has also exposed them to significant cyber threats, from malware to insider risks. Robust cybersecurity is now fundamental.

Current situation and progress
Back in 2017, 20% of critical infrastructure operators in Spain had not assessed their cyber risk level, with the water and transport sectors exceeding 40%. However, over 80% have now conducted risk assessments, marking major progress. Nevertheless, more needs to be done regarding awareness, training, and technical implementation.
Legislation and regulatory framework
Several major regulatory developments have shaped CI cybersecurity in Spain:
- NIS2 Directive (EU) – Effective from January 2023, mandatory by October 2024. It mandates risk management, incident notification, and monitoring obligations.
- Directive on the Resilience of Critical Entities (REC) – In force across the EU from October 2024, aiming to enhance operational and physical resilience.
- Royal Decree 443/2024 – Sets the National Security Framework for 5G networks.
- National Security Framework (ENS) – Established by Royal Decree 311/2022, it provides a comprehensive security framework adapted to NIS2 and REC, with risk-based protective measures.
Key obligations under the ENS
CIs must:
- Ensure service availability and continuity.
- Monitor and manage incidents, cooperating with CSIRTs (Computer Security Incident Response Teams).
- Share relevant data with authorities during security events.
- Undergo audits and resolve any identified shortcomings.
- Implement security measures in systems, operations, and governance.
Internal structure and planning
To meet legal obligations, CIs should:
- Create a security organisational chart outlining all roles and responsibilities.
- Appoint a Security Liaison Officer and Security Delegate.
- Develop and maintain cybersecurity plans.
- Communicate proactively with competent authorities.
- Conduct risk assessments and regularly update protection plans.
Essential cybersecurity documentation
Compliance with ENS and NIS2 requires:
- Security Policy – Approved by senior management, establishing security principles.
- Risk Assessment – Periodic analysis of threats and vulnerabilities.
- Business Continuity and Disaster Recovery Plans – Ensure ongoing operations and rapid recovery.
- Access Control and Identity Management Policies.
- Information Protection and Data Privacy Policies.
- Incident Register – Tracks incident classification, impact, and response.
- Cybersecurity Management Plan – Risk mitigation activities and responsibilities.
- Incident Response Plan – Protocols for detection, containment, and recovery.
- Awareness and Training Plan – Educates staff on secure behaviour and cyber hygiene.
- Threat Monitoring Plan – Utilises IDS/IPS and behavioural analytics.
- Audit and Compliance Plan – Periodic reviews to ensure security measures are working.
Conclusion
Cybersecurity in critical infrastructure is no longer a regulatory checkbox—it is a strategic imperative for national stability, economic sustainability, and public safety. Legal frameworks like ENS and NIS2 provide the scaffolding, but the true challenge lies in cultural integration, continuous improvement, and strong public-private cooperation. Only through a unified, informed, and resilient approach can we ensure that our most vital systems remain secure in an ever-evolving threat landscape.