Spanish authorities are tightening control over personnel working at the country’s strategically important sites. New regulations approved by the Council of Ministers grant expanded access to intelligence data, including information from the CNI (Centro Nacional de Inteligencia), to assess employee reliability. This move aims to prevent threats that could impact the stability and security of key infrastructure, especially amid growing geopolitical tensions.
The Ministry of the Interior will now be able to officially request information on candidates and current employees with access to critical facilities or confidential data. Checks will cover not only standard identity verification and criminal records but also review information received from national intelligence agencies. This approach is intended to identify potential risks, including the possible involvement of foreign agents or individuals with questionable backgrounds.
Broader powers
Under the new regulatory framework, all requests to intelligence agencies will be coordinated through the Secretaría de Estado de Seguridad, which reports to Fernando Grande-Marlaska’s ministry. For this purpose, the Centro Nacional de Protección y Resiliencia de Entidades Críticas (CNPREC) has been established, replacing the previous CNPIC. Companies in strategic sectors are required to carry out their own threat assessments and develop response plans for potential incidents.
The sectors affected by the new rules include energy, transportation, healthcare, water supply, public administration, and private security. All organizations must not only identify vulnerabilities but also promptly report any incidents that could disrupt service operations. They have up to 24 hours from the moment an incident is detected to comply with these requirements. Non-compliance may result in fines of up to 10 million euros and temporary suspension of licenses.
Legislative Updates
The measures adopted expand the scope of Law 8/2011, which previously dealt only with the physical protection of facilities. The focus now shifts to overall resilience and the ability to recover swiftly from major incidents, including terrorist attacks. The law also addresses modern challenges related to digitalization and the cross-border nature of threats. The introduction of these new rules is aimed at aligning national legislation with the European Directive on the resilience of critical entities, adopted in December 2022.
The law’s implementation was delayed by almost two years compared to the deadlines set by the European Parliament. This may affect how authorities are held accountable in the event of major accidents, such as the Adamuz rail disaster that claimed dozens of lives. Under the new standards, the state is required to regularly assess risks affecting all critical infrastructure, including railway lines.
Oversight and accountability
A key innovation is the requirement for companies to immediately notify government authorities of any disruptions that impact vital services. Failure to comply can result in hefty fines or even temporary suspension of operations. The measures also include creating a national strategy for the protection and resilience of critical infrastructure, as well as a comprehensive threat and risk assessment at least once every four years.
As EL ESPAÑOL notes, the bill aims to formalize existing personnel screening practices to prevent unauthorized individuals from gaining access to sensitive positions. According to russpain.com, such measures could provide an additional barrier for those seeking access to the country’s strategic sites. Importantly, the state is now gaining broader control tools, while companies receive clear instructions on how to respond to incidents.
In light of new security requirements, it is worth recalling that Spain has already discussed tightening control in other areas. For example, recently the authorities considered measures to combat fraud among migrants awaiting legalization. This shows that the government is seeking to increase oversight not only of strategic assets, but also in other sensitive sectors.
In recent years, Spain has repeatedly faced incidents affecting critical infrastructure. In 2024, an energy system failure in Madrid caused disruptions in transport and hospitals. In 2025, an attempted cyberattack on water supplies was prevented in Catalonia. European countries are also tightening controls on staff at strategic facilities: similar measures were recently implemented in France and Germany. These events highlight the importance of timely legislative updates and constant threat monitoring to ensure the resilience of key services.
