Machine Translation of "Real Decree 704/2011, 20 May, Which Approves The Regulation Of Protection Of Critical Infrastructures." (Spain)

Real Decree 704/2011, 20 May, Which Approves The Regulation Of Protection Of Critical Infrastructures.

Original Language Title: Real Decreto 704/2011, de 20 de mayo, por el que se aprueba el Reglamento de protección de las infraestructuras críticas.

Subscribe to a Global-Regulation Premium Membership Today!

Key Benefits:

Unlimited Searches
Weekly Updates on New Laws
Access to 5,345,848 Global Laws from 110 Countries
View the Original Law Side-by-Side with the Translation

Subscribe Now for only USD$40 per month.

TEXT

Law 8/2011 of 28 April 2011 laying down measures for the protection of critical infrastructure enables the Government, in its fourth final provision, to issue the implementing regulation for the implementation of the Law.

In compliance with this mandate, the present royal decree is approved, first, with the aim of developing, specifying and extending the aspects mentioned in the aforementioned Law, especially when the tenor of the law is not clear only the articulation of a complex interdepartmental system for the protection of critical infrastructures, composed of organs and entities of both the Public Administrations and the private sector, but the design of an entire planning to prevent and protect the so-called critical infrastructure of the threats or intentional acts from criminal figures such as terrorism, enhanced through communication technologies.

Secondly, this normative text is not only consistent with the legal framework it brings, but also serves the purposes of the National Crisis Situation Management System and complies with the mandatory transposition of Directive 2008 /114/EC of the Council of the European Union of 8 December 2009 on the identification and designation of European Critical Infrastructure and the assessment of the need to improve its protection. This is due to the broad forecasts provided by the text in the field of the different Plans to be drawn up by both the Public Administrations-in the case of the National Plan for the Protection of Critical Infrastructures, the Plans Sectorial Strategic and Operational Support Plans-such as companies, organizations or institutions classified as critical operators, to whom the Law assigns a number of obligations, including the elaboration of two planning tools: the Operator Safety Plans and the Protection Plans Specific.

The Law also provides for critical operators to appoint a Security and Liaison Officer-who is required to be a security director who grants the Ministry of the Interior to security personnel. Private security undertakings pursuant to the provisions of Royal Decree 2364/1994 of 9 December 1994, for which the Private Security Regulation is adopted, or the equivalent rating, according to its specific rules. Likewise, the designation of a Security Delegate for each of the critical infrastructures identified is contemplated.

As far as its content is concerned, the present royal decree consists of a single article, a single transitional provision and two final provisions. For its part, the Regulation consists of 36 articles structured in four Titles. Title I contains the general questions relating to its object and scope, and devotes an article to the figure of the National Catalogue of Strategic Infrastructures, as an instrument of the Ministry of State of Security of the Ministry of the Interior which must bring together all the data and the assessment of the criticality of the aforementioned infrastructures and that it will be used as a base to plan the necessary actions in terms of safety and protection of the same, to the the contributions of the operators themselves. Title II is fully dedicated to the Critical Infrastructure Protection System, and develops, among others, the legal provisions relating to the organs created by the Law, i.e. the National Center for the Protection of the Critical Infrastructure (CNPIC), the National Commission for the Protection of Critical Infrastructures and the Interdepartmental Working Group for the Protection of Critical Infrastructures, concreting the composition, competencies and operation of all of them. Title III is responsible for the regulation of the planning instruments, focusing on each of the aforementioned Plans, whose process of elaboration, approval and registration, as well as its material contents, regulates in greater detail. Finally, Title IV is dedicated to the security of communications and the figures of the Security and Liaison Officer and the Security Delegate of critical infrastructure.

The fulfillment of this royal decree has been the result of intense dialogue and collaboration between the different departments of the Ministry and the affected organizations, also counting on the contribution of the different Communities Autonomous and of the business sector, after the process of public information granted to all of them, which has contributed to endow the text of an extensive and, on the other hand, indispensable, degree of consensus.

Under its virtue, on the proposal of the First Vice President of the Government and Minister of the Interior, with the prior approval of the Third Vice President of the Government and Minister of Territorial Policy and Public Administration, with the report favourable to the Second Vice-President of the Government and Minister for Economic Affairs and Finance, in agreement with the Council of State, and after deliberation by the Council of Ministers at its meeting on 20 May 2011,

DISPONGO:

TITLE I

Single item. Approval of the Critical Infrastructure Protection Regulation.

In the development and implementation of Law 8/2011 of 28 April, establishing measures for the protection of critical infrastructures, the Regulation of Protection of Critical Infrastructures is adopted, the text of which is insert below.

Single transient arrangement. Units and jobs with lower organic level to General Subdirection.

The units and posts of lower organic level to the National Center for the Protection of Critical Infrastructures will continue to remain and will be paid from the same credits. (a) the budget is to be adopted until the employment relations adapted to the planned organisational structure in the field of the protection of critical infrastructures are approved. Such adaptation shall in no case lead to an increase in public expenditure.

Final disposition first. Competence title.

This royal decree is issued under the jurisdiction conferred on the State in matters of public security in Article 149.1.29. of the Constitution.

Final disposition second. Entry into force.

This royal decree will enter into force on the day following its publication in the "Official State Gazette".

Given in Madrid, 20 May 2011.

JOHN CARLOS R.

The First Vice President of the Government and Minister of the Interior,

ALFREDO PEREZ RUBALCABA

CRITICAL INFRASTRUCTURE PROTECTION REGULATION

TITLE I

General provisions

CHAPTER I

Object and Scope

Article 1. Object.

1. The purpose of this Regulation is to develop the framework provided for in Law 8/2011 of 28 April 2011 laying down measures for the protection of critical infrastructures in order to implement the actions of the various bodies. Members of the Critical Infrastructure Protection System (hereinafter the System) as well as the different planning instruments of the System.

2. It also regulates the special obligations to be taken by the State and operators of those infrastructures which are determined to be critical, as provided for in Article 2 (e) and (f) of that Law.

Article 2. Scope.

The scope of this Regulation shall be that provided for in Article 3 of Law 8/2011 of 28 April 2011.

CHAPTER II

The National Strategic Infrastructure Catalog

Article 3. The National Strategic Infrastructure Catalogue.

1. The National Catalogue of Strategic Infrastructures (hereinafter the Catalogue) is the administrative record that contains complete, updated and contrasted information of all the strategic infrastructures located in the territory national, including criticism as well as those classified as European criticism affecting Spain, in accordance with Directive 2008 /114/EC.

2. The main purpose of the Catalogue is to assess and manage the data available from the different infrastructures, with the objective of designing the mechanisms of planning, prevention, protection and reaction to an eventual threat against those and, if necessary, activate, in accordance with the National Plan for the Protection of Critical Infrastructures, an agile, timely and proportionate response, in accordance with the level and characteristics of the threat in question.

Article 4. Content of the Catalog.

1. The catalogue must include, among other information, those relating to the description of the infrastructure, its location, ownership and administration, the services they provide, the means of contact, the level of security they require in the light of the assessed risks as well as information obtained from the Security Forces and Corps.

2. The Catalogue will be nourished by the information that will facilitate the National Center for the Protection of the Critical Infrastructures (CNPIC) the operators of the infrastructures as well as the other responsible subjects of the System related to Article 5 of Law 8/2011 of 28 April.

3. The National Catalogue of Strategic Infrastructures has, in accordance with the provisions of the legislation in force in the field of official secrets, the qualification of SECRET, conferred by the Agreement of the Council of Ministers of 2 November 2007, In addition to the data contained in the Catalogue itself, the equipment, computer applications and communications systems inherent in it, as well as the level of qualification of the persons who can access the information in the contained.

Article 5. Catalog Management and Update.

1. The custody, management and maintenance of the National Catalogue of strategic infrastructures is the responsibility of the Ministry of the Interior, through the Secretariat of State of Security.

2. The Ministry of the Interior, through the Secretariat of State of Security, will be responsible for classifying an infrastructure as strategic and, where appropriate, as critical infrastructure or critical European infrastructure, as well as for including first in the Catalogue, after verification that it meets one or more of the horizontal criteria of criticality provided for in Article 2 (h) of Law 8/2011 of 28 April.

3. The process of identifying an infrastructure as critical will be carried out by the CNPIC, which will be able to obtain the participation and advice of the person concerned, as well as of the competent system agents, to which he will report later result of such a process.

4. The classification of an infrastructure as a European criticism will entail the additional obligation to communicate its identity to other Member States which may be significantly affected by it, in accordance with the provisions of the Directive. 2008 /114/EC. In such a case, the notifications, in reciprocity with other Member States, shall be made by the CNPIC, in accordance with the security classification that corresponds to the rules in force.

5. In cases where there is a significant change affecting the infrastructure registered and which is of interest for the purposes provided for in this Regulation, the critical operators responsible for this Regulation shall, by means of the the means made available by the Ministry of the Interior, the new data from those to the CNPIC, which must be validated prior to its incorporation into the Catalogue. In any case, the updating of the available data should be done on an annual basis.

TITLE II

Critical Infrastructure Protection System agents

Article 6. The Secretary of State for Security.

The Secretary of State for Security is the top body of the Ministry of the Interior responsible for the National Critical Infrastructure Protection System, for which the head of the Ministry of the Interior, or the body to whom it delegates, will exercise the The following functions:

a) Design and direct the national critical infrastructure protection strategy.

b) Approve the National Plan for the Protection of Critical Infrastructures and direct its implementation, stating in its case the levels of security to be established at any time, in accordance with the content of the said Plan and in coordination with the Anti-Terrorist Prevention and Protection Plan.

c) Approve the Safety Plans of the Operators and their updates on the proposal of the CNPIC, taking into their case, as a reference, the actions of the body or body competent to grant those authorizations corresponding to their sectoral rules.

d) Approve the different Specific Protection Plans or any proposals for improvement of these on a proposal of the CNPIC, in the terms of the provisions of Article 26 of this regulation.

e) Approve the Operational Support Plans, as well as monitor and coordinate the implementation of these and those other prevention and protection measures that should be activated by both the Security Forces and the Armed forces, if any, as by the security officers themselves of the critical operators.

f) Approve, after the CNPIC report, the declaration of an area as critical, on the proposal of the delegations of the Government in the Autonomous Communities and in the Cities with Statute of Autonomy or, where appropriate, of the Communities Autonomous with statutory powers recognised for the protection of persons and property and for the maintenance of public order.

g) Identify the different areas of responsibility in the protection of critical infrastructures; analyzing the prevention and response mechanisms provided by each of the actors involved.

(h) Issue the instructions and protocols of collaboration aimed at both the staff and bodies outside the Ministry of the Interior and the operators of the strategic infrastructures, as well as encouraging the adoption of good practices.

i) Responding to the fulfilment of the obligations and commitments assumed by Spain under Directive 2008 /114/EC, without prejudice to the powers of the Ministry of Foreign Affairs and Cooperation.

j) Monitor, within the scope of this regulation, projects and studies of interest and coordinate participation in financial programmes and grants from the European Union.

k) To collaborate with the Ministries and agencies integrated in the System in the elaboration of any sectoral norm that is dictated in the development of Law 8/2011, of April 28 and of this regulation.

l) Other functions that may eventually be agreed upon by the Government's Delegation for Crisis Situations.

Article 7. The National Center for the Protection of Critical Infrastructures.

The CNPIC of the Ministry of the Interior, organically dependent on the Secretariat of State for Security, will have the organic level to be determined in the corresponding relation of jobs, and will perform the following functions:

(a) Attend the Secretary of State for Security in the execution of his functions in the field of critical infrastructure protection, acting as a contact and coordination body with the System Agents.

b) To implement and keep up to date the National Plan for the Protection of Critical Infrastructures as provided for in Article 16 of this Regulation.

c) Determine the criticality of the strategic infrastructures included in the Catalog.

d) Keep the catalogue operational and updated, establishing the procedures for the discharge, reduction and modification of the infrastructure, both national and European, which are included in the catalogue under the horizontal and the effects of sectoral interdependencies on the basis of the information provided by the operators and other agents of the System, as well as the establishment of their internal classification.

e) Carry out the following functions with regard to the planning instruments provided for in this regulation:

Directing and coordinating risk analyses carried out by specialized, public or private agencies, on each of the strategic sectors within the framework of the Sectoral Strategic Plans, for their study and deliberation by the Interdepartmental Working Group for the Protection of Critical Infrastructures.

Establish the minimum contents of the Operator Safety Plans, the Specific Protection Plans and the Operational Support Plans and monitor the process of preparing them, recommending, if necessary, the order of preference for countermeasures and procedures to be adopted to ensure their protection from deliberate attacks.

Assess, after the issuance of the relevant specialized technical reports, the Operator's Safety Plans and propose, where appropriate, for approval, to the Secretary of State for Security, or the body to whom it delegates.

Analyze the Specific Protection Plans provided by the critical operators with respect to the different critical infrastructures or European critical infrastructures of their ownership and propose them, where appropriate, for their approval, to the Secretary of State for Security, or body to whom it delegates.

To validate the Operational Support Plans designed for each of the critical infrastructures existing in the national territory by the State Police Corps or, where appropriate, autonomic competent, previous report, respectively, of the Government Delegations in the Autonomous Communities or the Autonomous Communities which have statutory powers recognised for the protection of persons and property and for the maintenance of public order.

f) Elevate the Secretary of State for Security, or the body to whom it delegates, the proposals for the declaration of an area as critical to be carried out.

g) Implement, under the general principle of confidentiality, permanent mechanisms of information, alert and communication with all the agents of the System.

(h) Collect, analyse, integrate and assess information on strategic infrastructures from public institutions, police services, operators and the various instruments of international cooperation for their referral to the National Anti-Terrorist Coordination Centre of the Ministry of the Interior or other authorised bodies.

i) Participate in the performance of exercises and drills in the field of critical infrastructure protection.

j) Coordinate the work and participation of experts in the different working groups and meetings on critical infrastructure protection, at national and international level.

k) Being, in the field of the Protection of Critical Infrastructures, the National Contact Point with international agencies and with the European Commission, as well as raise it, after consulting the National Coordination Center Anti-terrorism, reports on threat assessment and types of vulnerabilities and risks found in each of the sectors in which European critical infrastructure has been designated, within the time limits and conditions set by the Directive.

l) Execute actions arising from compliance with Directive 2008 /114/EC on behalf of the Secretary of State for Security.

Article 8. Ministries and bodies integrated into the Critical Infrastructure Protection System.

The ministries and agencies of the System referred to in Article 8 of Law 8/2011 of 28 April shall have the following powers:

a) Participate, through the Interdepartmental Working Group for the Protection of Critical Infrastructures, with the support, if any, of the operators, in the elaboration of the Sectoral Strategic Plans, as well as proceed to review and update the terms provided for in this Regulation.

(b) To verify, in the field of their competences, compliance with the Sectoral Strategic Plans and the actions derived from them, with the exception of those corresponding to specific security measures established in the specific infrastructure, or those to be carried out by other bodies of the General Administration of the State, in accordance with its specific legislation.

c) To collaborate with the Secretariat of State of Safety, both in the designation of the critical operators and in the elaboration of any sectoral norm that is dictated in the development of Law 8/2011, of April 28, as well as of the present rules.

d) Provide technical advice to the Secretariat of State for Security in the cataloging of the infrastructures within its field of competence, making available to the CNPIC the technical information that will help determine their criticality, for inclusion, exclusion or modification in the Catalogue.

(e) Custodian, in the terms of the regulations on classified matters and official secrets, the sensitive information on the protection of strategic infrastructures that they have in their capacity as agents of the System.

f) Designate a person to participate in the Sectoral Working Groups that may eventually be created in the field of critical infrastructure protection.

g) To participate, at the request of the CNPIC or on its own initiative, in the different working groups and meetings on critical infrastructure protection related to its coordination sector, in the national and

(h) Collaborate with the Secretariat of State for Security in actions arising from compliance with Directive 2008 /114/EC, as provided for in Article 7 (l) of this Regulation.

i) Participate in the process of classifying an infrastructure as critical, including the exercise of the faculty of proposal to that end.

Article 9. The Government Delegations in the Autonomous Communities and in the Cities with Autonomy Statute.

Under the authority of the Secretary of State for Security, and in the exercise of its powers, the Government Delegates in the Autonomous Communities and in the Cities with Autonomy Statute will have, in respect of the critical infrastructure located on its territory, the following powers:

(a) Coordinate the action of the State Security Forces and Corps in the face of a security alert, and ensure the implementation of the National Critical Infrastructure Protection Plan in case of activation of this.

b) Collaborate, in accordance with its territorial scope of action, with other organs of the Administration or competent public bodies in accordance with its specific legislation, as well as with the territorial delegations of other System ministries and agencies in actions to be developed for the implementation of the Sectoral Plans in force in the field of critical infrastructure protection.

c) To participate in the implementation of the different Specific Protection Plans in those critical infrastructures or critical European infrastructures existing in their territory, in the terms in which the Chapter IV of Title III of this Regulation.

d) Intervenir, through the competent State Police Corps, and in collaboration with the infrastructure security officer, in the implementation of the different Operational Support Plans in those infrastructures critical European critical infrastructure or infrastructure in its territory, as set out in Chapter V of Title III of this Regulation.

e) Propose to the Secretariat of State of Security through the CNPIC the declaration of critical zone on the basis of the existence of several critical infrastructures or European critical infrastructures in a geographical area continues, in order to achieve coordinated protection between the different operators and the Security Forces and Corps.

(f) Custodian of sensitive information on the protection of strategic infrastructures at their disposal as agents of the System, in application of the current regulations on classified materials and official secrets.

Article 10. The Autonomous Communities and the Cities with Autonomy Statute.

1. The Autonomous Communities with statutory powers recognized for the protection of persons and property and for the maintenance of public order shall develop, on the infrastructures located within their territory, the powers provided for in the (c), (d), (e) and (f) of the previous Article, given the existence of the Autonomous Police Corps, and without prejudice to the knowledge of the relevant information and information of the respective Government Delegations in those Autonomous Communities; of the plans referred to in this Regulation.

2. In any case, the coordination of the actions to be carried out in the field of protection of the critical infrastructures between the State Security Forces and the Police Corps of the Autonomous Communities with powers in security matters shall be governed by the provisions of the relevant Security Boards agreements.

3. The Autonomous Communities not included in the first paragraph of this Article shall participate in the System and in the collective organs of the System in accordance with the competencies recognized by their respective Statutes of Autonomy.

4. In accordance with the provisions of its Statute of Autonomy, the Cities of Ceuta and Melilla, through its Governing Councils and in agreement with the respective Government Delegation, may issue the appropriate reports and proposals in relation to the the adoption of specific measures on critical and critical European infrastructures on their territory.

Article 11. The National Commission for the Protection of Critical Infrastructures.

1. The National Commission for the Protection of Critical Infrastructures (hereinafter the Commission) shall carry out the following tasks:

a) Preserve, guarantee and promote the existence of a culture of security of critical infrastructures in the field of public administrations.

(b) Promote the effective implementation of the provisions of Law 8/2011 of 28 April laying down measures for the protection of critical infrastructures by all the persons responsible for the system of protection of critical infrastructures, based on the reports issued in this respect by the Interdepartmental Working Group for the Protection of Critical Infrastructures.

c) Carry out the following actions on a proposal from the Working Group:

Approve Sectorial Strategic Plans.

Designate critical operators.

Approve the creation, modification, or deletion of sectoral or technical work groups, setting their objectives and their frameworks for action.

(d) To promote those other tasks that are considered accurate in the framework of inter-ministerial cooperation for the protection of critical infrastructures.

2. The Commission shall be chaired by the Secretary of State for Security, and its members shall be:

a) On behalf of the Ministry of the Interior:

The Director General of the Police and the Civil Guard.

The Director General of Civil Protection and Emergencies.

The Director of the CNPIC, who will perform the duties of the Secretary of the Commission.

b) Representing the Ministry of Defense, the Director General of Defense Policy.

c) Representing the National Intelligence Center, a Director General appointed by the Secretary of State-Director of the National Intelligence Center.

d) Representing the Department of Infrastructure and Tracking for Crisis Situations, its Director.

e) On behalf of the Nuclear Safety Council, the Technical Director of Radiological Protection.

f) representing each of the ministries integrated in the System, a person with a rank equal to or higher than the Director General, appointed by the holder of the corresponding ministerial department on the basis of the appropriate material activity.

3. In addition to the members referred to in the preceding paragraph, a representative with a voice and vote shall be present at the meetings of the Commission for each of the Autonomous Communities which have statutory powers for the protection of persons and property and for the maintenance of public order. A representative of the Association of Local Entities with the highest national level in the meetings will also participate, with voice and vote.

Where appropriate, and when their presence and criteria are essential for the subjects to be dealt with, they may be convened, by decision of their president, agencies, experts or other public administrations.

4. The Commission shall meet at least once a year, on an ordinary basis, and in an extraordinary manner where it is deemed appropriate upon the convening of its President, who shall determine the agenda of the meeting in the terms laid down for the (a) the bodies of the members of the Court of Justice in Chapter II of Title II of Title II of Law No 30/1992 of 26 November 1992 on the Legal Regime of Public Administrations and of the Common Administrative Procedure. The Secretariat of the Commission shall be the Director of the CNPIC.

5. The Commission shall be assisted by the Interdepartmental Working Group for the Protection of Critical Infrastructure.

Article 12. The Interdepartmental Working Group for the Protection of Critical Infrastructures.

1. The Interdepartmental Working Group for the Protection of Critical Infrastructures (hereinafter the Working Group) performs the following functions:

(a) Develop, with the collaboration of the System Agents concerned and the relevant technical advice, the different Sectoral Strategic Plans for submission to the Commission, as provided for in Title III, Chapter II of this regulation.

b) Propose to the Commission the designation of the critical operators for each of the defined strategic sectors.

(c) Propose to the Commission the creation, modification or deletion of sectoral or technical working groups, monitoring, coordinating and monitoring the work and its work and reporting in due course of the results obtained from the Commission.

(d) to carry out the studies and work which the Commission entrusts to it under this Regulation. To do this, you can count, if necessary, with the support of specialized technical personnel.

2. The Working Group shall be chaired by the Director of the CNPIC and shall be composed of:

(a) A representative of each of the ministries of the System, appointed by the holder of the relevant ministerial department.

b) A representative of the Operational Deputy Directorate of the National Police Corps, designated by the National Police Corps.

(d) A representative of the Directorate-General for Civil Protection and Emergencies of the Ministry of the Interior, designated by the Ministry of the Interior.

e) A representative of the Joint Chiefs of Defense, appointed by the Chief of Defense Staff.

f) A representative of the National Intelligence Center, appointed by the Secretary of State Director of the National Intelligence Center.

g) A representative of the Department of Infrastructure and Monitoring for Crisis Situations, appointed by the holder of the Ministry of the Presidency or the body to whom he delegates, on a proposal from the Director of the Cabinet of the Presidency of the Government.

h) A representative of the Nuclear Security Council, appointed by the President of that body.

i) A representative of the CNPIC, with Secretary's duties.

3. In addition to the members referred to in the preceding paragraph, a representative shall be present at the meetings of the Working Group, with a voice and vote for each of the Autonomous Communities with statutory powers recognised for the protection of goods and persons and for the maintenance of public order. A representative of the Association of Local Entities with the highest national level in the meetings will participate in a voice and vote.

By decision of the President, other Public Administrations, agencies or experts whose technical advice is deemed to be accurate for the issues to be addressed may attend.

4. The Working Group shall meet at least twice a year, on an ordinary basis, and in an extraordinary manner when it is deemed appropriate to call upon its President, who shall determine the agenda for the meeting. The Secretariat shall be based on one of the officials providing services to the CNPIC, by decision of its Director.

5. For the exercise of the powers conferred on the Working Group by this Regulation, other sectoral working groups may be established for the sectors or subsectors listed in the Annex to Law 8/2011 of 28 April, in which they may participate, in addition to the CNPIC and the relevant System ministry or body, critical operators and other System agents.

Article 13. Critical Operators.

1. The critical operators shall be the members of the System, who, from both the public and private sectors, meet the conditions set out in Article 13 of Law 8/2011 of 28 April.

2. In application of the provisions of the aforementioned Law, it is for the critical operators:

(a) To provide technical cooperation to the Secretariat of State for Security, through the CNPIC, in the assessment of the infrastructure that is provided to the Catalogue. Therefore, they should update the available data at an annual frequency and, in any case, at the request or prior validation of the CNPIC.

b) Collaborate, if necessary, with the Working Group, in the elaboration of the Sectoral Strategic Plans and in the realization of the risk analyses on the strategic sectors where they are included.

c) Develop the Operator's Safety Plan and proceed to update it periodically or when circumstances so require, in accordance with Chapter III, Title III of this Regulation.

d) Develop a Specific Protection Plan for each of the infrastructures considered to be critical in the Catalogue as well as proceed to update periodically or when circumstances so require, in accordance with the established in Chapter IV, Title III of this Regulation.

e) Designate a Security and Liaison Officer, pursuant to the provisions of Article 34 of this Regulation.

(f) Designate a Security Delegate for each of its infrastructures considered to be Critical or European Criticism by the Secretary of State for Security, communicating its designation to the corresponding bodies under the terms of the provided for in Article 35 of this Regulation.

g) Facilitate the inspections carried out by the competent authorities to verify compliance with the sectoral rules, as set out in Title III of this Regulation.

Article 14. Designation of critical operators.

1. For the designation of a business or body as a critical operator, at least one of the infrastructure shall be sufficient to meet the critical infrastructure consideration, in accordance with the criteria laid down in Article 2, paragraph (h) of Law 8/2011 of 28 April. In this case, the CNPIC shall draw up a motion for a resolution and notify it to the holder or administrator of those.

2. The proposal shall contain the intention to designate the operator or administrator of the facility or facilities as a critical operator.

3. The person concerned shall have a period of 15 days from the day following receipt of the notification in order to forward to the CNPIC any allegations which he or she considers to be coming, after which the Commission, acting on a proposal from the Working Group, (a) give the decision in which the operator is to be appointed, if appropriate, as a critic. This decision may be appealed to the Secretary of State for Security and, if necessary, subsequently, before the judicial-administrative jurisdiction, in the general terms provided for in the legislation in force in the field of administrative procedure and judicial-administrative jurisdiction.

4. The communications with the data subject shall take into account, in any case, the security classification corresponding to the rules in force.

Article 15. Dialogue with critical operators.

1. Critical operators in the Private Sector will have at the CNPIC the direct point of contact with the Secretariat of State for Security regarding the responsibilities, functions and obligations set out in Law 8/2011 of 28 April, and in the provided for in this Regulation.

2. In cases where the critical operators of the Public Sector are linked or dependent on a public administration, the body of such administration which has powers for the purpose of the matter may be the interlocutor with the Ministry of the Interior through the CNPIC as regards the responsibilities, functions and obligations set out in Law 8/2011 of 28 April, and as provided for in this regulation, should communicate that decision to the CNPIC.

TITLE III

Planning instruments

CHAPTER I

The National Plan for the Protection of Critical Infrastructures

Article 16. Purpose, elaboration and content.

1. The National Plan for the Protection of Critical Infrastructures is the State's programming instrument developed by the Secretariat of State for Security and aimed at keeping the Spanish infrastructures that provide the services safe. essential to society.

2. The National Plan for the Protection of Critical Infrastructures will establish the criteria and the precise guidelines for mobilising the operational capacities of public administrations in coordination with critical operators, articulating the preventive measures necessary to ensure the permanent, up-to-date and homogeneous protection of our strategic infrastructure system in the face of threats from deliberate attacks against them.

3. In addition, the Plan will provide for different levels of security and police intervention, which will be activated, in each case, according to the results of the threat assessment and in coordination with the Anti-Terrorist Prevention and Protection Plan in effect, which must be adapted.

The different levels of security will contain the graduated adoption of devices and measures of protection in situations of increase of the threat against the national strategic infrastructures and will require the contest of the Security forces and bodies, the Armed Forces, where appropriate, and those responsible for the infrastructure to be protected by the infrastructure managers or operators.

Article 17. Approval, registration, and classification.

1. The National Plan for the Protection of Critical Infrastructures will be approved by resolution of the head of the Secretariat of State of Security and will be registered in the CNPIC, without prejudice to those other agencies that need to know about the they are authorized to access it by the Secretary of State for Security.

2. The Plan shall be classified in accordance with the laws in force in the field of official secrets, and shall be expressly classified in the instrument of its approval.

Article 18. Review and update.

1. The National Critical Infrastructure Protection Plan will be reviewed every five years by the Secretary of State for Security.

2. The modification of any of the data or instructions included in the National Plan for the Protection of Critical Infrastructures will force automatic updating of the same, which will be carried out by the CNPIC and will require the express approval of the Secretary of State for Security.

CHAPTER II

The Sectoral Strategic Plans

Article 19. Purpose, elaboration and content.

1. The Sectoral Strategic Plans are the instruments of study and planning with scope in all the national territory that will permit to know, in each of the sectors referred to in the Annex of Law 8/2011, of April 28, which are the essential services provided to society, the general functioning of society, the vulnerabilities of the system, the potential consequences of their inactivity and the strategic measures necessary for their maintenance.

2. The Working Group, coordinated by the CNPIC, shall establish with the participation and technical advice of the operators concerned, where appropriate, a Strategic Plan for each of the sectors or sub-sectors of activity to be determined.

3. The Sectoral Strategic Plans will be based on a general risk analysis where vulnerabilities and potential threats, both physical and logical, are addressed, affecting the sector or sub-sector in question in the field of protection of strategic infrastructures.

4. Each Sectoral Strategic Plan shall contain at least the following:

a) Analysis of risks, vulnerabilities, and consequences at the global level.

(b) Proposals for the implementation of the necessary organisational and technical measures to prevent, react and, where appropriate, mitigate the possible consequences of the different scenarios envisaged.

c) Proposals for the implementation of other preventive and maintenance measures (e.g. exercises and drills, preparation and instruction of personnel, articulation of precise communication channels, evacuation plans or operational plans to address potential adverse scenarios.)

d) Measures to coordinate with the National Plan for the Protection of Critical Infrastructures.

5. The Sectoral Strategic Plans may be constituted taking into account other existing plans or programmes, created on the basis of their own specific sectoral legislation. Where the sectoral plans or programmes meet the extremes referred to in paragraph 4, they may be adopted as a Sectoral Strategic Plan for the relevant sector or sub-sector.

Article 20. Approval, registration, and classification.

1. The Sectoral Strategic Plans shall be approved by the Commission within a maximum of 12 months from the entry into force of this Royal Decree.

2. The CNPIC will manage and maintain a central register of all existing Sectoral Strategic Plans, once they are approved by the Commission. The ministries and agencies of the System shall have access to the Plans of those sectors for which they are competent.

3. The Sectoral Strategic Plans shall be classified in accordance with the laws in force in the field of official secrets, and must be expressly stated in the instrument of their approval. The CNPIC shall be responsible for ensuring access to all or part of the information contained in those plans to the authorised System Agents.

Article 21. Review and update.

1. The Sectoral Strategic Plans should be reviewed every two years by the ministries and agencies of the System.

2. The modification of any of the data included in the Sectoral Strategic Plans will force the automatic updating of these, which will be carried out by the ministries and agencies of the System that are competent in the affected sector and will be subsequently approved by the Commission.

CHAPTER III

Operator Security Plans

Article 22. Purpose, elaboration and content.

1. Operator Security Plans are the strategic documents defining the general policies of critical operators to ensure the security of the set of facilities or systems of their ownership or management.

2. Within six months of the notification of the resolution of its designation, each critical operator must have drawn up an Operator Safety Plan and submit it to the CNPIC, which shall evaluate and report on it for approval, if is, by the Secretary of State for Security or the body in which it is delegated.

3. The Operator's Safety Plans shall establish a risk analysis methodology to ensure the continuity of the services provided by that operator and in which the criteria for the application of the different measures are collected. security to be implemented to address both physical and logical threats identified on each of the typologies of their assets.

4. The Secretariat of State for Security of the Ministry of the Interior, through the CNPIC, will establish, with the collaboration of the Ministries of the System and dependent organisms, the minimum contents of the Safety Plans of the Operator, as well as the model on which to base the processing of these.

Article 23. Approval, registration, and classification.

1. The Secretary of State for Security, or the body in which this delegate, after reporting the CNPIC, shall approve the Operator's Security Plan or proposals for improvement of the Operator's Security Plan, notifying the person concerned of the resolution within a maximum of two months.

2. In addition to the resolution of approval or amendment, the CNPIC, taking into account the actions of the regulatory body competent under the applicable sectoral rules, shall make the critical recommendations to the operator. considers relevant, in any case, proposing a gradual implementation timetable where the order of preference for the measures and the procedures to be adopted is set.

3. The CNPIC will manage and maintain a central register of all existing Operator Safety Plans, once they are approved by the Secretary of State for Security. System agents may have access to the plans, subject to verification by the CNPIC of their need to know and with the appropriate authorisation.

4. The Operator's Safety Plans shall be classified in accordance with the laws in force in respect of official secrets, and must be expressly stated in the instrument of their approval. The CNPIC shall be responsible for ensuring access to all or part of the information contained in those plans to the authorised System Agents, ensuring the confidentiality and security of the system. For their part, the critical operators responsible for the preparation of the respective plans shall be responsible for the implementation of the security measures of the information required under the Law.

Article 24. Review and update.

1. The Operator Safety Plans must be reviewed every two years by the operators critical and approved by the CNPIC. This may at any time require specific information on the status of implementation of the Operator's Safety Plan.

2. The modification of any of the data included in the Operator's Safety Plans will require the automatic updating of the Operator's Safety Plans, which will be carried out by the critical operators responsible and will require the express approval of the CNPIC.

CHAPTER IV

Specific Protection Plans

Article 25. Purpose, elaboration and content.

1. The Specific Protection Plans are the operational documents to define the concrete measures already adopted and those that will be adopted by the critical operators to ensure the integral security (physical and logical) of their critical infrastructure.

2. Within four months of the approval of the Operator's Safety Plan, each critical operator must have drawn up a Specific Protection Plan for each of its critical infrastructures, as considered by the Secretariat of State of Safety and submit it to the CNPIC. The same procedure and time limits will be established when a new critical infrastructure is identified.

3. The Specific Protection Plans of the different critical infrastructures shall include all measures that are deemed necessary by the respective critical operators in the light of the risk analysis carried out in respect of the threats, (a) the information systems, including those of terrorist origin, on their assets, including information systems.

4. Each Specific Protection Plan shall provide for the adoption of both permanent protective measures, on the basis of the provisions of the preceding paragraph, and of temporary and graduated security measures, which shall be determined in particular the activation of the National Plan for the Protection of Critical Infrastructures, or as a result of communications which the competent authorities may make to the critical operator in relation to a particular threat on one or more of them infrastructure by the managed.

5. The Secretariat of State of Security, through the CNPIC, will establish the minimum contents of the Specific Protection Plans, as well as the model in which to base the structure and the completeness of these that, in any case, will fulfill the guidelines marked by their respective Operator Safety Plans.

Article 26. Approval, registration, and classification.

1. The Secretariat of State of Security shall notify the person concerned, within a maximum of two months from the date of receipt, of its decision with the approval of the various Specific Protection Plans or any proposals for improvement. of these. Previously, through the CNPIC, a mandatory report will be obtained from the Government Delegations in the respective Autonomous Communities or in the Cities with Autonomy Statute in which the criteria of the bodies will be considered, if necessary the competent authorities of the Autonomous Communities with statutory powers recognised for the protection of persons and property and for the maintenance of public order, as well as the body or body competent to grant critical operators corresponding authorisations under the existing sectoral legislation.

2. In addition to the resolution of approval or amendment, the CNPIC, on the basis of the reports referred to in the previous paragraph, shall make recommendations to the operator critical of the recommendations it considers relevant, in any event proposing a timetable for implementation. gradual where the order of preference for the measures and the procedures to be adopted for the infrastructure concerned is fixed.

3. The delegations of the Government in the Autonomous Communities and in the Cities with a Statute of Autonomy or, where appropriate, the competent body of the Autonomous Communities with statutory powers recognized for the protection of persons and property and for the maintenance of public order, they shall keep a record where they are, once approved by the Secretary of State for Security, all the Specific Protection Plans of critical infrastructures or critical infrastructures (a) the European Union (EU) and the European Union (EU). In any event and on the basis of the above, the CNPIC will manage and safeguard a central register of all existing Specific Protection Plans. System agents may have access to the plans, subject to verification by the CNPIC of their need to know and with the appropriate authorisation.

4. Specific Protection Plans shall be classified in accordance with the laws in force in the field of official secrets, and must be expressly stated in the instrument of their approval. The CNPIC shall be responsible for ensuring access to all or part of the information contained in those plans to the authorised System Agents, ensuring the confidentiality and security of the system. For their part, the system agents responsible for the preparation of the respective plans and those responsible for their registration must guard the same by implanting the security measures of the information required according to the Law.

Article 27. Review and update.

1. The Specific Protection Plans must be reviewed every two years by the critical operators, a review to be approved by the Government Delegations in the Autonomous Communities and in the Cities with Autonomy Statute or, in their Case by case, by the competent authority of the Autonomous Communities with statutory powers recognised for the protection of persons and property and for the maintenance of public order, and by the CNPIC.

2. The modification of any of the data included in the Specific Protection Plans will force the automatic updating of these, which will be carried out by the critical operators responsible and will require the express approval of the CNPIC.

Article 28. Implementation and monitoring.

1. The Government's Delegates in the Autonomous Communities shall ensure that the different Specific Protection Plans are implemented correctly and shall have the powers of inspection in the field of critical infrastructure protection. Such powers shall, where appropriate, be developed in a coordinated manner with the inspection powers of the body or body competent to grant critical operators the relevant authorisations under the sectoral legislation in effect.

2. In those Autonomous Communities with statutory powers recognised for the protection of persons and property and for the maintenance of public order, the powers of inspection shall be exercised by their competent bodies, without prejudice to the the provisions of the applicable sectoral legislation and of the necessary coordination with the Government Delegations in those Communities and the other regulatory bodies competent under their sectoral rules.

3. In the exercise of such monitoring, the competent bodies may at all times require from the responsible infrastructure or critical infrastructure in Europe the updated status of the implementation of the proposed measures in the Decisions approving or amending the Specific Protection Plans drawn up in the event of changes in the circumstances which have been adopted, or in order to bring them into line with the current rules affecting them, of this to the Secretariat of State for Security, through the CNPIC.

4. The powers of inspection in the port facilities, as well as in those other points or establishments considered critical that are integrated in a port, will be established in accordance with the provisions of the Royal Decree 1617/2007, dated December 7.

Article 29. Compatibility with other existing plans.

1. The elaboration of the Specific Protection Plans for each of the critical infrastructures shall be carried out without prejudice to the obligation to comply with the requirements of the Technical Code of the Building, approved by Royal Decree 314/2006, 17 March, the Royal Decree 393/2007, of March 23, approving the Basic Standard of Self-Protection of the centers, establishments and dependencies dedicated to activities that can give rise to emergency situations, the regulations of Private security or any other specific sectoral regulations applicable to it.

2. Nuclear installations and radioactive installations which are considered to be critical in the Regulation on nuclear and radioactive installations, approved by Royal Decree 1836/1999 of 3 December, as amended by Royal Decree 35/2008 On 18 January, they will integrate their Specific Protection Plans into the respective Physical Protection Plans, in respect of their approval and evaluation, as set out in their specific sectoral regulations, without prejudice to their application under Law 8/2011 of 28 April.

3. Port facilities, as well as those other points or establishments deemed critical to be integrated in a port, in accordance with the provisions of Royal Decree 1617/2007 of 7 December establishing measures For the improvement of the protection of the ports and the marine transport, they will integrate their plans of Specific Protection in the Plans of Protection of the Ports previewed in the said Royal Decree, regarding their approval and evaluation, as set out in that rule, without prejudice to what is applicable to it under Law 8/2011, 28 of April.

4. In the case of airports, aerodromes and air navigation facilities, the respective airport security programmes approved in accordance with the provisions of Law 21/2003 of 7 July 2003 shall be considered as Specific Protection Plans. Air Safety as amended by Law 1/2011 of 4 March establishing the State Operational Safety Programme for Civil Aviation and amending Law 21/2003 of 7 July on Air Safety and Royal Decree 550/2006 of 5 December May, for which the competent authority responsible for the coordination and monitoring of the Programme is appointed National Security for Civil Aviation and is determined the organization and functions of the National Committee on Civil Aviation Security. However, the Ministry of the Interior, through its representative in the National Committee on Civil Aviation Safety, may propose additional content, in accordance with the provisions of Article 25 (5) of this Royal decree.

CHAPTER V

Operational Support Plans

Article 30. Purpose, elaboration and content.

1. The Operational Support Plans are the operational documents where the concrete measures to be implemented by the Public Administrations in support of critical operators for the best protection of critical infrastructures must be reflected.

2. For each of the critical infrastructures and critical infrastructures in Europe, with a specific Protection Plan and on the basis of the data contained therein, the Delegation of the Government in the Autonomous Community or, where appropriate, the The competent authority of the Autonomous Community shall supervise the implementation of an Operational Support Plan by the State Police Corps, or in its autonomous case, with competence in the territorial demarcation in question. In order to be drawn up, to be completed within four months of the approval of the respective Specific Protection Plan, the infrastructure security officer shall be assisted.

3. On the basis of their specific Specific Protection Plans, the Operational Support Plans shall, if the facilities require, provide for the planned measures of surveillance, prevention, protection and reaction to be adopted by the Member States. police units and, where appropriate, the Armed Forces, when the National Plan for the Protection of Critical Infrastructure is activated, or if the existence of an imminent threat to such infrastructure is confirmed. These measures will always be complementary to those of a gradual nature that have been foreseen by the critical operators in their respective Specific Protection Plans.

4. The CNPIC will establish the minimum contents of the Operational Support Plans, as well as the model in which to base the structure and development of these, which will be based on the part that corresponds to the information contained in the respective ones. Specific Protection Plans.

5. The Ministry of Defense will be able to access the Operational Support Plans of those critical infrastructures or European critical infrastructures that, in case of activation of the National Plan of Protection of the Critical Infrastructures and the effects of coordinate the corresponding support of the Armed Forces, it is considered appropriate, prior to a joint study of the aforementioned supports.

Article 31. Approval, registration, and classification.

1. The Operational Support Plans shall be validated and approved by the Secretariat of State for Security, through the CNPIC.

2. The delegations of the Government in the Autonomous Communities and in the Cities with a Statute of Autonomy or, where appropriate, the competent organ of each Autonomous Community with statutory powers recognized for the protection of persons and property for the maintenance of public order, they shall keep a register where they are, once validated, all the Operational Support Plans of the critical infrastructures and critical European infrastructures located in their demarcation, and which shall be keep permanently updated. In any case and on the basis of the above, the CNPIC will manage and maintain a central register of all existing Operational Support Plans. System agents may have access to the plans, subject to verification by the CNPIC of their need to know and with the appropriate authorisation.

3. The Operational Support Plans shall be classified in accordance with the laws in force in the field of official secrets, and must be expressly stated in the instrument of their approval. The CNPIC shall be responsible for ensuring access to all or part of the information contained in those plans to the authorised System Agents, ensuring the confidentiality and security of the system. For their part, the System Agents responsible for the elaboration and registration of the respective plans shall be responsible for the implementation of the security measures of the information required under the Law.

Article 32. Review and update.

1. The Operational Support Plans must be reviewed every two years by the State Police Corps, or in its autonomous case, with competence in the territorial demarcation in question, a review to be approved by the Government Delegations. in the Autonomous Communities and in the Cities with a Statute of Autonomy or, where appropriate, by the competent authority of the Autonomous Communities with statutory powers recognized for the protection of persons and property and for the maintenance of the public order, requiring the express approval of the CNPIC.

2. The modification of any of the data included in the Operational Support Plans shall require the automatic updating of these data, which shall be carried out by means of the procedure provided for in the first paragraph.

TITLE IV

Communications between critical operators and public administrations

Article 33. Communications security.

1. The CNPIC will be responsible for managing the information and communications management systems that are designed in the field of critical infrastructure protection, which must be supported and supported by the agents. the System and all other affected entities or entities.

2. The security of the information and communications systems provided for in this royal decree will be accredited and, if necessary, certified by the National Center for National Intelligence, in accordance with the established competencies. in its specific regulations.

3. The Presidency of the Government will facilitate the use of the "Malla B", a system of support of strategic safe communications of the National System of Crisis Management and the Presidency of the Government, through which the authorized agents of the System will be able to access the information available in the Catalog, with the access levels to be determined.

Article 34. The Security and Liaison Officer.

1. Within three months of their designation as critical operators, they shall appoint and communicate to the Secretariat of State Security, through the CNPIC, the name of the Security Officer and link in the terms and conditions provided for in Article 16 of Law 8/2011 of 28 April.

2. The Security and Liaison Officer shall represent the critical operator before the Secretariat of State for Security in all matters relating to the security of its infrastructures and the different plans specified in this Regulation, where appropriate, the operational and information needs that arise in this respect.

Article 35. The Security Delegate of the critical infrastructure.

1. Within three months of the identification as a European criticism or criticism of one of its infrastructures, the critical operators shall communicate to the Government Delegations in the Autonomous Communities and in the Cities with Autonomy Statute. or, where appropriate, the competent authority of the Autonomous Community with statutory powers recognised for the protection of persons and property and for the maintenance of the public order in which they are located, the existence and identity of a Security delegate for that infrastructure.

2. The Security Delegate shall constitute the operational liaison and the information channel with the competent authorities in all matters relating to the specific security of the critical infrastructure or critical European infrastructure in question. the operational and information needs related to that.

Article 36. Security of the classified data.

The classified data relating to the infrastructure of the critical operators will, in any case, comply with the security requirements established by the Secretary of State Director of the National Intelligence Center, agreement with the applicable specific rules.

Real Decree 704/2011, 20 May, Which Approves The Regulation Of Protection Of Critical Infrastructures.

Original Language Title: Real Decreto 704/2011, de 20 de mayo, por el que se aprueba el Reglamento de protección de las infraestructuras críticas.

Subscribe to a Global-Regulation Premium Membership Today!

TEXT

Search Translated Laws of Spain