Spain strengthens its security architecture: CER law

27/05/2025

New obligations for public and private actors: resilience plans, risk assessments, training, and operational coordination

The Council of Ministers of Spain has recently approved the preliminary draft of the Law on the Protection and Resilience of Critical Entities (CER Law), a significant step toward strengthening national security and the continuity of essential services. This initiative seeks to adapt Spanish legislation to Directive (EU) 2022/2557, focusing on the protection of critical infrastructures against diverse threats, ranging from natural phenomena to cyberattacks and sabotage.

What is Directive (EU) 2022/2557?

Also known as the CER Directive, it is the European regulation that governs the resilience of critical entities that provide essential services—such as energy, transport, health, or water—within the Member States. It replaces the previous 2008 directive and broadens the approach: it no longer focuses solely on physical infrastructure, but also on the organizational capacity of these entities to anticipate, withstand, and recover from any threat, ranging from cyberattacks to natural disasters.

The CER Law emerges at a crucial moment, especially after the massive blackout of April 28, 2025, which affected the entire Iberian Peninsula, highlighting the vulnerability of critical infrastructures to unforeseen incidents. The main objective of the law is to guarantee the resilience and continuity of essential services, such as energy, transport, healthcare, and water supply, through the implementation of preventive and response measures against potential threats.

Main updates of the law

  • Expansion of strategic sectors: The law broadens the scope of sectors considered critical, now including areas such as hydrogen, urban heating and cooling systems, private security, and wastewater management. This expansion reflects a more comprehensive view of the essential infrastructures necessary for the functioning of society.
  • Creation of the National Catalog of Critical and Strategic Entities: A National Catalog will be established to identify critical and strategic entities, based on criteria defined by the National Strategy for Protection and Resilience and the National Threat and Risk Assessment. These strategic documents will be updated at least every four years.
  • Obligation of resilience plans: Critical entities, both public and private, must develop a Resilience Plan that assesses the risks that may affect the provision of their essential services. This plan must include measures for prevention, response, and recovery, as well as staff training and supply chain management.
  • Personnel background checks: One of the most notable measures is the ability for critical entities to request criminal background checks and other sensitive information for staff performing sensitive roles, subject to authorization from the Secretary of State for Security. This measure aims to prevent internal risks and strengthen the security of infrastructures.
  • Transformation of CNPIC into CNPREC: The current National Center for the Protection of Critical Infrastructures (CNPIC) will be replaced by the National Center for the Protection and Resilience of Critical Entities (CNPREC), which will take on the coordination of the security of essential services in collaboration with all involved stakeholders.

Regulatory and operational impact

The approval of the Draft Law on the Protection and Resilience of Critical Entities marks a milestone in the evolution of the Spanish regulatory framework related to national security. Its comprehensive and cross-cutting approach, aligned with Directive (EU) 2022/2557, demonstrates a clear intention to respond to systemic risks with a more robust, preventive, and coordinated regulatory architecture. Jorge Quintana, CEO of ACK3, highlights:

“This law marks a before and after in the way we understand the security of critical infrastructures in Spain. It is not only about protecting assets, but about ensuring the continuity of essential services in an environment that is increasingly interdependent and exposed to hybrid threats.”

The new legislation poses significant challenges at both the strategic and operational levels. The obligation to design and maintain up-to-date resilience plans, the management of risk in complex supply chains, and the need to establish internal governance oriented toward the functional security of essential infrastructures are elements that call for deep reflection on organizational maturity and current compliance models.

Likewise, the creation of new instruments such as the National Catalog or the transformation of the CNPIC into the CNPREC suggests an institutional shift toward more proactive and resilient structures. These changes will require continuous adaptation by the affected entities, as well as greater integration of security criteria into corporate decision-making and the design of public policies.

Ultimately, this regulation not only strengthens defenses against complex threats, but also promotes a culture of resilience that will be essential in a context of growing critical interdependence between sectors and territories.

Are you interested in strengthening your organization’s resilience in the context of the new CER Law?

The ability to anticipate, withstand, and recover from complex threats will be key for public and private entities in the coming years. At ACK3, we work from a comprehensive organizational resilience approach, aligned with the new regulatory frameworks and backed by proven experience in critical sectors.