- Digital networks, services and infrastructures are classified as essential facilities and services in emergency situations. Therefore, in an emergency, all authorities, administrative bodies and the State Security Forces and Corps will collaborate to facilitate their recovery or maintenance.
- Telecommunications operators and other subjects that will be affected by this regulatory development will be obliged to submit a General Security Plan and specific plans by type of network, service, and incident type. These plans will detail, among others, the conditions of electric autonomy that their telecommunications infrastructures have
- The obligations of notification of incidents are also strengthened and a special focus is placed on the operation and continuity of the emergency centers (number 112) and public alerts
The Ministry for Digital Transformation and the Civil Service has today published the text of the draft Royal Decree on Security and Resilience of Electronic Communications and Digital Infrastructure Networks and Services, in order to submit it to a public hearing.
Various incidents such as the COVID-19 pandemic, the volcanic eruption of La Palma, the DANA that devastated the Valencian Community in 2024 and the recent electricity blackout last April have highlighted the transcendence of telecommunications networks and services and the need to establish a complete, detailed and up-to-date legal framework for the security and resilience of telecommunications networks and services.
This regulatory project aims to strengthen security measures in the telecommunications sector, prevent or minimize the impact of security incidents on users and recover communications as soon as possible.
In the text that has been submitted to the public since today, telecommunications networks and services and certain digital infrastructures are classified as essential facilities and services in emergency situations. Therefore, in an emergency, all authorities, administrative bodies and the State Security Forces and Corps will collaborate and contribute to facilitate their recovery or maintenance.
New obligations: security plans
The obligations of this royal decree will affect, among others, telecommunications operators in Spain and those who operate digital infrastructures such as submarine cables, satellite systems, data centers and Internet exchange points that meet certain criteria: more than half a million users or more than 50 million revenues. Also those who are designated as critical operators, or provide emergency services, among others. It does not apply to networks linked to National Security and Defense.
All the subjects mentioned must present a General Security Plan with risk analysis and priority measures, as well as specific plans by type of network and service, and by type of incident.
In these plans, each telecommunications operator will classify all its facilities into different categories. In the event of an interruption of electricity supply, the first level infrastructures must be guaranteed to be operational for at least 24 hours. Facilities classified as intermediate level shall be operational for at least 12 hours. The rest must be guaranteed to be operational for four hours.
In the case of a mobile network, these four hours must maintain coverage for 85% of the population. Each operator will establish a strategy in which it will be able to prioritize some technologies over others (voice over data, for example) or facilities that it considers appropriate depending on its link to the provision of public services and services of economic and social relevance.
The normative project also focuses on strengthening the operability and continuity of emergency communications addressed to 112 centers and public alerts. These centers, as well as the operators that provide them with connectivity, must prepare and present Security Plans.
Notification and monitoring procedure
In order to have reliable information in the shortest possible time, incident reporting obligations are strengthened. Thus, it is expected that there will be an initial notification at most one hour after the beginning of the event, periodic intermediate notifications, a final notification and a subsequent detailed report that analyzes the causes, the impact, the measures adopted and lessons learned.
In addition, criteria for classifying incidents as significant or minor are defined based on the number of users affected, the duration, the geographical area affected and the type of service.
The Office of the Secretary of State for Telecommunications and Digital Infrastructure shall be the competent authority to oversee the fulfilment of obligations and coordination with national bodies, CCAA and with European and international bodies.
The text provides for the creation of the Coordination Committee on Security and Resilience of Electronic Communications Networks and Services, which will be a forum for debate and dialogue and will allow contact between all those involved and the carrying out of simulations.
The hearing will be open until January 8, 2026.