Law 8/2011, 28 April, By Which Establish Measures For The Protection Of Critical Infrastructure.

Original Language Title: Ley 8/2011, de 28 de abril, por la que se establecen medidas para la protección de las infraestructuras críticas.

Subscribe to a Global-Regulation Premium Membership Today!

Key Benefits:

Subscribe Now for only USD$20 per month, or Get a Day Pass for only USD$4.99.
JUAN CARLOS I King of Spain to all that the present join together and Act, know: that the Cortes Generales have approved and I come in to sanction the following law.

PREAMBLE the modern States are currently facing various challenges that give an increasingly complex national security. These new risks, generated largely by globalization, and include international terrorism, the proliferation of weapons of mass destruction, or organized crime, are added to the existing ones, of which traditional terrorism came to be an exponent.

In this context, is increasing the dependency that societies have a complex system of infrastructures that support and enable the normal development of the productive sectors, management and public life in general. These infrastructures are often highly interdependent each other, reason why the security problems that can trigger cascading through the system are able to cause failure, unexpected and increasingly more serious in basic services for the population.

To such an extent, is that any abort unwanted - even of short duration and well due to technical or natural causes, to deliberate attacks - could have serious consequences in the flow of vital supplies or in the operation of essential services, as well as cause disruption and serious malfunctions in the field of security, what is special attention for the national system of management of Crisis situations.

Infrastructures, which are exposed to a series of threats are among the strategic priorities of national security. For your protection it is essential, on the one hand, cataloguing the whole of those providing essential services to our society and, on the other, designing a planning that contains measures of prevention and protection effective against potential threats to such infrastructures, both at the level of physical security and the security of communications and information technologies.

On that line, have been undertaken various actions at national level, as the adoption, by the Secretariat of State for security of the Ministry of the Interior, of a first National Plan for protection of the critical infrastructure, on May 7, 2007, as well as the elaboration of a first national catalogue of strategic infrastructure. Likewise, dated 2 November 2007, the Council of Ministers approved an agreement on protection of critical infrastructure, which was given a decisive impetus in this area. The development and implementation of this agreement is a qualitative breakthrough of first order to ensure the security of citizens and the correct functioning of essential services.

At the same time, there are also a series of actions developed at the international level in Europe: after the terrible attacks in Madrid, the European Council of June 2004 urged the European Commission to develop a global strategy on critical infrastructure protection. On 20 October 2004 the Commission adopted a communication on the critical infrastructure protection in the fight against terrorism, which contains proposals to improve prevention, preparedness and response in Europe against terrorist attacks that affect them. Later, in December 2004, the Council approved the EPCIP (European programme for critical infrastructure protection) and launched a network of information about alerts on critical infrastructure (Critical Infrastructures Warning Information Network-CIWIN).

At present, the entry into force of Directive 2008/114, of the Council of 8 December on the identification and designation of European critical infrastructure and the assessment of the need to improve their protection (hereinafter Directive 2008/114/EC), is an important step in the cooperation in this field within the Union. Directive provides that responsibility last protect European critical infrastructures and main corresponds to the Member States and the operators of the same, and determines the development of a series of obligations and actions by these States, which should be incorporated into national laws.

The necessary actions to optimize the security of infrastructures are mainly framed in the field of protection against deliberate attacks and, especially, against terrorism, resulting therefore led by the Ministry of the Interior.

However, the security of critical infrastructure requires contemplating actions that go beyond mere material protection against possible aggressions or attacks, reason why it is inevitable to involve other organs of the General Administration of the State, other public authorities, other public bodies and the private sector. These critical infrastructures depend on increasingly information technologies, both for its management to its linkage with other systems, which are based, mainly, on means of information and communication of public and open character. It is needed, therefore, with the cooperation of all actors involved in the regulation, planning and operation of the various infrastructures that provide essential services for the society, without prejudice to coordination that will exercise the Ministry of the Interior in cooperation with the autonomous communities.

As a result, and given the complexity of the matter, its impact on the safety of the people and on the operation of the basic national and international structures, and in compliance with stipulated by Directive 2008/114/EC, becomes necessary to develop a standard which aims, on the one hand, regulating the protection of critical infrastructures against deliberate attacks of all kinds (both physical character as cibernético) and on the other hand, the definition of an organizational system for the protection of such infrastructures that combine public administrations and private entities concerned. As a basic component of this system, the law creates the National Centre for the protection of the critical infrastructure as an organ of assistance to the Secretary of State for security in the execution of the functions entrusted to it as responsible for the system.

The purpose of this standard is, therefore, the establishment of measures for the protection of critical infrastructures that provide an adequate basis on which effective coordination of public administrations and of the entities and agencies managers or owners of infrastructures that provide essential services for the society, in order to achieve better security for those seats.

On this basis, the national catalogue of strategic infrastructures will be supported (in accordance with the communication of the Council of the European Union of 20 October 2004, which says that each sector and each Member State shall identify the infrastructures that are critical in their respective territories) and the National Plan for the protection of critical infrastructure, as important tools in the management of the security of our infrastructure.

The law consists of 18 articles, divided into 3 titles. Title I is intended to the definitions of the terms coined by Directive 2008/114/EC, as well as to establish the issues relating to the scope and object. Title II is devoted to regular organs and planning instruments that are integrated in the system of protection of the critical infrastructure. Title III establishes, finally, protection measures and procedures which must derive from the application of this standard. In addition, the law consists of four additional provisions and five final dispositions.

While the material content of the law is essentially organizational, especially with regard to the composition, powers and functioning of the organs that make up the system of protection of critical infrastructure, as well as in all regards different protection plans, has been chosen to provide this standard of legal rank, in accordance with the criteria of the Council of State in order to sufficiently meet those obligations imposed by the law and require a specific legal coverage.

Title I General provisions article 1. Object.

1. this law is to establish the strategies and structures that allow direct and coordinate the activities of the different bodies of the public administrations in the protection of critical infrastructures, previous identification and designation of these are to improve the prevention, preparedness and response of our State against terrorist attacks or other threats that affect critical infrastructures. To do so will be driven, in addition, the collaboration and involvement of managers and owners of these infrastructures, agencies in order to optimize the level of protection of these deliberate attacks of all kinds, in order to contribute to the protection of the population.

2 likewise, this law regulates the special obligations that should assume both public authorities and the operators of those infrastructures that are determined as critical infrastructure, as provided for in paragraphs e)) and (f) of article 2 of the same.

Article 2. Definitions.

For the purposes of this law, it means:


a) essential service: the service necessary for the maintenance of the basic social functions, health, safety, social and economic well-being of citizens or the effective functioning of the State institutions and public administrations.

(b) strategic sector: each one of the different areas within the labour, economic and productive activity that provides an essential service or guaranteeing the exercise of the authority of the State or the country's security. Categorization is determined in the annex to this standard.

(c) strategic sub-sector: each one of the areas in which are divided the various strategic sectors, according to distribution containing a proposal from the ministries and agencies concerned, the technical document that is approved by the National Centre for protection of the critical infrastructure.

(d) strategic infrastructure: facilities, networks, systems and equipment, physical and information technology upon which rests the functioning of essential services.

(e) critical infrastructure: the strategic infrastructures whose operation is essential and not allow alternative solutions, so their disruption or destruction would have a serious impact on essential services.

(f) European critical infrastructure: those critical infrastructure located in a Member State of the European Union, whose disruption or destruction would affect badly at least two States members, all pursuant to the Directive 2008/114, of the Council of 8 December, on the identification and designation of European critical infrastructure and the assessment of the need to improve their protection (hereinafter (, Directive 2008/114/EC).

(g) critical zone: that contiguous geographical area where several critical infrastructures are established in charge of interdependent, and different operators which is declared as such by the competent authority. The Declaration of a critical area shall provide the best protection and greater coordination among the various holders operators of critical infrastructure or European critical infrastructure located in a geographical area reduced, as well as forces and State security bodies and the autonomous police of integral character.

(h) horizontal criticality criteria: the parameters according to which determines criticality, severity and consequences of the disruption or destruction of a critical infrastructure will be assessed depending on: 1. the number of people affected, valued the potential number of fatalities or wounded with severe injuries and the consequences for public health.

2. the economic impact based on the magnitude of economic losses and deterioration of products and services.

3. the environmental impact, degradation in the place and its surroundings.

4. the public and social impact, by the incidence in the population's trust in the ability of the public administrations, the physical suffering and the alteration of everyday life, including loss and the serious deterioration of essential services.

(i) risk analysis: the study of the hypotheses of possible threats needed to identify and assess vulnerabilities in strategic sectors and the possible impact of the disturbance or destruction of infrastructure that give support.

(j) interdependencies: the effects of a disturbance in the operation of the installation or service would result in other facilities or services, distinguishing itself impacts on the sector and in other sectors, and the impact of local, regional, national or international scope.

(k) protection of critical infrastructures: the set of activities aimed at ensuring the functionality, continuity and integrity of critical infrastructures in order to prevent, mitigate and neutralize the damage caused by an attack deliberate against these infrastructures and to ensure the integration of these actions with the rest coming from other subjects responsible for within their respective competence.

(l) sensitive information about strategic infrastructure protection: the specifics about strategic infrastructures that reveal, could be used to plan and carry out actions designed to cause disturbance or destruction of these.

(m) critical operators: entities or agencies responsible for investments or the day-to-day operation of an installation, network, system, or physical computer or information technology designated as critical infrastructure pursuant to this law.

(n) security level: one whose activation by the Ministry of the Interior is foreseen in the National Plan for the protection of critical infrastructure, in accordance with the overall assessment of the threat and the specific which in each case is made on each infrastructure, whereby shall declare a degree of concrete intervention of the different bodies responsible for security.

or) national catalogue of strategic infrastructures: the complete, up-to-date, proven and systemized computer relative to the specific characteristics of each of the strategic infrastructures existing in the national territory.

Article 3. Scope of application.

1. the present law shall apply to critical infrastructures located in the national territory linked to strategic sectors defined in the annex to this law.

2 except your application infrastructure of the Ministry of defence and forces and security bodies, which shall be subject, for the purposes of administrative control, by its own rules and procedures.

3 the application of this law shall be without prejudice: a) the mission and functions of the National Intelligence Center, laid down in the specific regulations, always counting on the necessary collaboration and complementarity with those.

(b) the criteria and provisions contained in the Act 25/1964, 29 April, on nuclear energy, and development of the standards, and the Act 15/1980, April 22, from creation of the Consejo de Seguridad Nuclear, reformed by law 33/2007 of 7 November.

(c) the provisions of the national security of the Civil Aviation program contemplated in law 21/2003, of July 7, aviation safety, and its complementary regulations.

Article 4. The national catalogue of strategic infrastructure.

1. the Ministry of the Interior, through the Secretary of State for security, is responsible for the national catalogue of strategic infrastructures (hereinafter the catalogue), instrument containing all information and assessment of strategic infrastructures of the country, among which will be including those classified as critical or European criticism, under the conditions determined in the regulation to develop this law.

2. the competition to classify an infrastructure as strategic, and where appropriate, critical infrastructure as a European critical infrastructure, as well as for inclusion in the national catalogue of strategic infrastructure, will correspond to the Ministry of the Interior, through the Secretary of State for security, including proposals, where appropriate, of the competent body of the autonomous communities and cities with statute of autonomy who have skills recognized articles of Association for the protection of people and goods and the maintenance enforcement in relation to infrastructures located in their territorial demarcation.

Title II critical infrastructure protection system article 5. Purpose.

1 critical infrastructure protection system (hereinafter the system) consists of a series of institutions, bodies and companies, from both public and private, with responsibilities in the correct functioning of essential services or the security of the citizens.

2 are the agents of the system, with functions to be determined according to the rules, the following: a) the Secretary of State of security of the Ministry of the Interior.

b) the National Centre for the protection of the critical infrastructure.

(c) the ministries and organisms integrated in the system, which will be included in the annex to this law.

d) the autonomous communities and cities with statute of autonomy.

e) the delegations of the Government in the autonomous communities and cities with statute of autonomy.

f) local corporations, through the Association of local authorities of greater implementation at the national level.

(g) the National Commission for the protection of the critical infrastructure.

(h) the interdepartmental working for the protection of the critical infrastructure group.

(i) critical public and private sector operators.

Article 6. The Secretary of State for security.

The Secretary of State for security is the superior body of the Ministry of the Interior responsible for the system of protection of national critical infrastructures.

For the performance of their duties, the regulations implementing this law shall determine its powers in the matter, which will exercise with the assistance of the other members of the system and, mainly, of the National Centre for the protection of the critical infrastructure.

Article 7. The National Centre for the protection of the critical infrastructure.


1. is created the National Centre for the protection of the critical infrastructure (hereinafter the CNPIC) as ministerial body impulse, coordination and supervision of all activities which has entrusted the Ministry of security in relation to the protection of the critical infrastructure in the country.

2 CNPIC organically will depend on the Secretary of State for security, and its functions will be those according to the rules established.

3. without prejudice to the provisions of the preceding paragraph, it shall be for the CNPIC the realization of high, low, and changes to infrastructure in the catalog, as well as the determination of criticality of strategic infrastructures included in the same.

Article 8. Ministries and agencies in the system of protection of critical infrastructure.

1. for each strategic sector, shall be appointed, at least, a Ministry, agency, entity or body of the General Administration of the State integrated into the system. The appointment, high or low in a Ministry or agency with responsibility for a strategic sector shall be made through the modification of the annex to this law.

2. the ministries and agencies of the system will promote, in the scope of their powers, the security policies of the Government on national strategic sectors and ensure its application, also acting as contact points specialised in the matter. To do this, they will cooperate with the Ministry of the Interior through the Secretariat of State for security.

3. with these objectives, ministries and agencies of the system will play the functions determined by law.

4. a Ministry or agency of the system may have skills, also on two or more strategic sectors, in accordance with the annex to this law.

Article 9. Delegations from the Government in the autonomous communities and cities with statute of autonomy.

1. the delegates of the Government in the autonomous communities and cities with statute of autonomy will, under the authority of the Secretary of State for security, and in the exercise of their powers, have a number of powers with respect to critical infrastructures located in his district.

2. the regulatory development of these powers in any case will include intervention, through forces and security bodies, in the implementation of the various plans for specific protection and operational support, as well as the proposal to the Secretary of State of security of the Declaration of a zone as criticism.

3. Notwithstanding the provisions of the first paragraph of this article, the autonomous communities with powers vested articles of Association for the protection of goods and people and the maintenance of public order will develop, on infrastructure located on its territory, those powers of the delegations of the Government relating to the coordination of regional police forces and, where appropriate, to the activation by those of the Plan's operational support that corresponds to respond to a security alert.

Article 10. Autonomous communities and cities with statute of autonomy.

1. the communities autonomous and cities with statute of autonomy who have skills recognized articles of Association for the protection of persons and goods and for the maintenance of public order can develop, on infrastructures located in their territorial demarcation, the powers to be determined according to the rules with regard to their protection, without prejudice to the coordination mechanisms established.

2. in any case, the autonomous communities mentioned in the previous section will participate in the process of Declaration of a zone as criticism, in the adoption of the Plan of operational support that matches, and in the meetings of the interdepartmental working group. They will also be members of the National Commission for the protection of the critical infrastructure.

3. not included in the preceding paragraphs autonomous communities participating in critical infrastructure protection system and organs provided in this law, in accordance with the powers accorded to them by their respective statutes of autonomy.

Article 11. National Commission for the protection of the critical infrastructure.

1 creates the National Commission for the protection of critical infrastructure (hereinafter the Commission) as a collegiate body attached to the Ministry of security.

2. the Commission shall have the jurisdiction to approve the various sectoral strategic plans as well as to designate critical operators, on a proposal from the interdepartmental critical infrastructure protection working group.

3. its functions and composition are those according to the rules established.

Article 12. For the protection of the critical infrastructure interdepartmental working group.

1. the system will feature a group of interdepartmental working for the protection of the critical infrastructure (hereinafter the Working Group), whose composition and functions are determined by law.

2 you shall be responsible for, in any case, the development of the different sectoral strategic plans and the proposal to the Commission of the designation of critical operators for each of the defined strategic sectors.

Article 13. Critical operators.

1. operators considered critical under this Act shall collaborate with the competent authorities of the system, in order to optimize the protection of critical infrastructure and of the European critical infrastructures they managed. To that end, should: a) technically advise the Ministry of the Interior, through the CNPIC, in the assessment of own infrastructures that contribute to the catalog, updating the available data at annual intervals, and in any case, at the request of the mentioned Ministry.

(b) cooperate, where appropriate, the Working Group on the elaboration of the sectoral strategic plans and in the realization of the risk analysis on the strategic sectors where they are included.

(c) draw up the Security Plan of the operator in the terms and with the contents to be determined by regulation.

(d) develop, as provided by law, a Protection Plan specific for each of the infrastructures considered as critical in the catalog.

(e) appoint a person responsible for safety and liaison in terms of this Act.

(f) appoint a safety delegate for each of their infrastructures considered critical or European criticisms by the Ministry of the Interior, communicating their appointment to the relevant bodies.

(g) facilitate the inspections that the competent authorities carried out to verify compliance with the sectoral regulations and adopt security measures that are called for in each Plan, resolving the deficiencies found in the shortest possible time.

2 will be a requirement for the designation of critical operators, both public and private, possessing at least one infrastructure which managed the consideration of critical infrastructure, the corresponding proposal that, in any case, the CNPIC shall inform the operator prior to its final classification.

3. the designation as such of the operators in each of the sectors or subsectors strategic defined critical shall be made in the terms established by law.

4. critical operators will have in the CNPIC the direct point of dialogue with the Ministry of the Interior as regards their responsibilities, functions, and obligations. In the event of critical Public Sector operators are linked or dependent on public administration, the competent authority of this can erect, through the CNPIC, in the partner with the Ministry of the Interior.

Title III instruments and communication system article 14. System planning instruments.

1 the protection of the critical infrastructure from any threats that may place them at risk requires the adoption and implementation of the following action plans: to) the National Plan for protection of the critical infrastructure.

b) the sectoral strategic plans.

(c) the plans of the operator's safety.

(d) the specific protection plans).

(e) operational support plans.

2. the Ministry of the Interior, through the Secretary of State for security, drawn up the National Plan for protection of the critical infrastructure, this being the structural document that will direct and coordinate the precise actions to protect critical infrastructure in the fight against terrorism.

3. the sectoral strategic plans will be also drawn up by the Working Group and approved by the Commission, and shall include, by sectors, defining criteria for measures to deal with a situation of risk.

4. the operator security plans and specific protection plans should be developed by critical operators with respect to all classified as critical or critical European infrastructures. Which, is planning instruments through which those assumes the obligation to collaborate in the identification of these infrastructures, specify policies to implement security thereof, as well as implement General measures of protection, both the permanent as temporary measures where appropriate, be taken to prevent, protect and respond to possible deliberate against those attacks.


5. the operational support plans shall be prepared by the State police body or, where appropriate, regional, competition in demarcation, for each one of the infrastructures classified as critical or European criticism highlights a specific protection Plan, and must contemplate measures of surveillance, prevention, protection, or reaction to lend, to complement those provided by the operators of critical.

6. the specific content and the procedure for development, approval and registration of each of the plans will be determined according to the rules.

Article 15. Security of communications.

1. the Secretary of State for security contents 14(bis) will provide management systems that allow a continuous update and review of the information available in the catalog by the CNPIC, as well as its dissemination to authorized agencies.

2. the public administrations shall ensure the guarantee of the confidentiality of data on strategic infrastructure to which they have access plans arising for their protection, according to the classification of the stored information.

3 systems, communications, and information on the protection of critical infrastructure will have the necessary security measures that will ensure its confidentiality, integrity and availability, depending on the level of classification that is assigned.

Article 16. The head of security and link.

1. critical operators appoint and shall notify the Ministry of the Interior a person in charge of safety and liaison with the Administration in the term established by law.

2. in any case, responsible for security and designated link must have with the Director of safety rating issued by the Ministry of the Interior pursuant to the regulation of private security or the equivalent qualification, according to their specific regulations.

3. the specific functions of the head of security and link will be provided for by law.

Article 17. The delegate of the security of the critical infrastructure.

1. operators with infrastructures considered criticism or European criticisms by the Ministry of the Interior shall communicate to the Government delegations or, where appropriate, to the competent body of the autonomous community with skills recognized articles of Association for the protection of persons and goods and for the maintenance of public order where those are located, the existence of a safety delegate for that infrastructure.

2. the deadline for making such communication, as well as the specific functions of the safety delegate of the critical infrastructure, will be those who according to the rules established.

Article 18. Security of classified data.

Critical operator shall ensure the security of classified data relating to their own infrastructures, through the means of protection and appropriate information systems to be determined by regulation.

First additional provision. Regulations and economic regime for the National Commission for the protection of the critical infrastructure and for the protection of the critical infrastructure interdepartmental working group.

In matters not provided for in this law, it shall apply provisions for the functioning of the colleges in chapter II of title II of law 30/1992, of November 26, of the legal regime of public administrations and common administrative procedure. Likewise, the functioning and work of the Commission, as well as the Working Group referred to in this standard be held charged to budgetary allocations and media personal and technology of the Ministry of the Interior, unless they involve increased government spending.

Second additional provision. Classification of the plans.

Plans referred to in article 14 of this law shall have the classification that corresponds to them pursuant to the current legislation on the matter, which must be entered explicitly in the instrument of approval.

Third additional provision. Forces and security corps.

In any case, references made in this law security bodies and forces include police forces dependent on the autonomous communities with statutory expertise recognized for the protection of persons and goods and for the maintenance of public order.

Fourth additional provision. Ceuta and Melilla.

In accordance with the provisions of the statutes of autonomy of the cities of Ceuta and Melilla, councils of Government, in accordance with the respective Government delegation, may issue reports and proposals in connection with the adoption of specific measures on infrastructure located in them which are the subject of this Act.

First final provision. Skill-related title.

This law is issued under cover of the competence attributed to the State by virtue of article 149.1.29. ª of the Spanish Constitution in matters of public security.

Second final provision. Competences in the field of Civil protection.

The provisions of this law is understood notwithstanding what set the autonomic regulations in the field of civil protection, in accordance with the competencies corresponding to each territory under the provisions of the relevant statutes of autonomy.

Third final provision. Incorporation of Community law.

By this law and its subsequent regulatory developments it incorporates into Spanish law Directive 2008/114/EC of the Council of 8 December, identification and classification of European critical infrastructure and the assessment of the need to improve their protection.

Fourth final provision. Enabling the regulatory development.

1 it enables the Government to within six months of the regulation of this law it is handed down.

2. also enabled the Government to modify by Royal Decree, on a proposal from the head of the Ministry of the Interior and the head of the relevant Department by reason of the matter, the annex to this law.

3. in the field of its competences, autonomous communities may also develop the necessary regulations for the development of this law.

Fifth final provision. Entry into force.

This law shall enter into force the day following its publication in the "Official Gazette".

Therefore, command to all Spaniards, private individuals and authorities, which have and will keep this law.

Madrid, April 28, 2011.

JUAN CARLOS R.

The Prime Minister, JOSÉ LUIS RODRÍGUEZ ZAPATERO annex sectors strategic and ministries/agencies competent system Sector Ministry/Agency of the system administration.





Ministry Presidency.






Interior Ministry.






Defense Ministry.






National Intelligence Center.






Ministry of Territorial policy and public administration.






Space.





Defense Ministry.






Nuclear industry.





Ministry of industry, tourism and trade.






Consejo de Seguridad Nuclear.






Chemical industry.





Interior Ministry.






Research facilities.





Science and innovation Ministry.






Ministry of environment and Rural and marine affairs.






Water.





Ministry of environment and Rural and marine affairs.






Ministry health, Social policy and equality.






Power.





Ministry of industry, tourism and trade.






Bless you.





Ministry health, Social policy and equality.






Science and innovation Ministry.






Technologies of information and communications (ICT).





Ministry of industry, tourism and trade.






Defense Ministry.






National Intelligence Center.






Science and innovation Ministry.






Ministry of Territorial policy and public administration.






Transport.





Ministry development.






Power.





Ministry of environment and Rural and marine affairs.






Ministry health, Social policy and equality.






Ministry of industry, tourism and trade.






Financial and tax system.





Ministry of economy and finance.

Related Laws