The normal working of essential services for the general population is based on a series of infrastructures administered both publicly and privately, the functioning of which does not allow for alternative solutions: the so-called critical infrastructures. For this reason, a homogeneous and global policy needs to be designed within organisations, specifically aimed at critical infrastructures, defining subsystems of security which will be introduced to protect them. The objective is to prevent their destruction, interruption and disruption, thereby avoiding any subsequent damage to the provision of essential services to the population.
Law 8/2011, 28 April, in accordance with which measures are established for the protection of critical infrastructure, aims to establish appropriate organisational strategies and structures which allow for the management and coordination of the workings of a range of organs of public administration in relation to the protection of critical infrastructure, once they are identified and confirmed. The collaboration and involvement of the organisms and companies (critical operators) of these infrastructures are also encouraged in order to optimise the level of protection in the face of these intentional attacks which may affect the provision of essential services. Royal decree 704/2011, 20 May, which approves the regulations corresponding to the protection of critical infrastructure, sets out this law.
Article 13 of the same Law 8/2011 specifies commitments for public and private critical operators, stressing the need to elaborate an operator security plan (PSO) and specific protection plans to be determined (PPE).
There are further details available in Resolution 8 September 2015 of the State Department of Security, in accordance with which new minimum components of the security plans of the operator and of plans of specific protection are passed.