National Centre for the Protection of Critical Infrastructure
Español (España)  English (United Kingdom)
CNPIC - Introduction

Critical Infrastructures and Security

Nowadays, modern States face new challenges, such as international terrorism and the proliferation of mass-destruction weapons, which make national security an even more complicated matter. This, together with the increasing dependency societies have from the infrastructure system that ensure keeping essential services, make their protection a priority to every state. Spain is not an exception to this situation.

As a result, a global strategy has been developed in order to solve this problem. At EU level, several initiatives launched. First, the European Programme for Critical Infrastructure Protection (EPCIP) was approved in 2004. Second, the EU Council Directive 2008/114 for the identification and designation of European Critical Infrastructures and for the evaluation of the need to protect them entered into force on 12 January 2012. Both documents establish that the responsibility to protect critical infrastructures lies on the Member States and on their owners/operators, and imposes the fulfillment of a series of obligations and the undertaking of certain actions. Additionally, the Directive had to be transposed to national legislations.

Spanish approach

In Spain, the actions needed to optimize critical infrastructure security are mainly in the framework of protection against malevolent actions, and very especially against terror attacks, reason why these actions are led by the Ministry of the Interior. Nevertheless, critical infrastructure security makes it necessary to foresee actions that go beyond merely materially protecting assets or infrastructures against aggressions or attacks. That is why involving other organisms from both the public and private sectors, is unavoidable. Counting with the cooperation of all involved actors in order to regulate, plan and operate the different infrastructures that supply essential public services to society, by means of public-private partnerships beneficial to everyone, is a must.

Initiatives such as the approval of a National Plan for Critical Infrastructure Protection (PNPIC) by the Secretariat of State for Security, of the Ministry of the Interior, on 7 May 2007, the elaboration of a first National Strategic Infrastructure Catalogue, the reaching to an Agreement on Critical Infrastructure Protection by the Minister Council, on 2 November 2007, and the creation of the National Centre for Critical Infrastructure Protection (CNPIC), meant an important operational step forward in order to guarantee our citizens´ security and the correct functioning of essential services. Nevertheless, a norm with the rank of a law on which to base the abovementioned initiatives and that established the obligations and responsibilities by the different agents involved in the protection of national critical infrastructure, was missing.

The issuing of Law 8/2011, of 28 April, which established the measures for critical infrastructure protection (better known as CIP Law), answers to those needs long asked for by most of the agents of the public and private sector in Spain. Apart from fulfilling the mandate established by the EU legislation, the main objective of the Law and of the Royal Decree 704/2011, 20 May, that developed it, was to establish a series of CIP measures in order to provide an adequate ground on which to base the effective coordination of Public Administrations and owners/operators of critical infrastructures that supply services that are essential to society, with a view to provide better global security.

Key concepts

The Spanish CIP model is based on the following parameters:

INTEGRITY: Undertaking CIP as a whole and looking for a convergence of physical- and cyber-security is necessary. This must be perfectly understood both by Public Administrations and private companies and organisms, in such a way that organizational, procedural and operational structures suitable for facing the new threats will be available in the short- or mid-term. The reason for this is that the security of the whole chain is the one the weakest link has.

SHARED RESPONSIBILITY: Our infrastructures are operated by organizations that belong to either the public or the private sector, which brings us to the concept of public-private partnership, based on cooperation and mutual understanding. Both parts (Administration and private sector) must, therefore, accept their responsibility. The continuity of the supply of services that are essential to society can only be undertaken with disinterested collaboration, mutual trust and the exchange of useful information between both parts.

EFFICIENT REGULATION: Based on genuine collaboration, it is necessary to put in place a series of norms and procedures in order to enable public and private sectors to understand each other. From this perspective, the CIP Law must be considered as another tool for putting in touch all actors involved in CIP. The game rules determine mutually recognized responsibilities that are transparent enough as not to make those organizations with more sense of their accountability in front of the citizens be hindered by less responsible competitors. In this way, we try to take into account multiple strategic sectors which are totally different from one another, engulfing a great number of actors with very different profiles from every field. By starting this way, we basically have to change consciences and outdated concepts, by means of developing a new strategy that could be assumed by everyone and in which everyone would take part.