The National Commission on Markets and Competition (CNMC) (https://www.cnmc.es) is Spain's independent regulatory authority responsible for ensuring effective competition across strategic sectors including energy, telecommunications, transport and audiovisual services.
Its institutional portal is the official channel for publishing regulatory resolutions, public consultations, sanctions, reports and other legally binding documentation that directly impacts companies, public administrations and millions of citizens.
To guarantee the long-term sustainability, security and performance of this critical digital platform, ALTIA has collaborated with CNMC for more than eight years, providing continuous maintenance, technological evolution and cybersecurity improvements while keeping the platform permanently updated to supported Drupal versions.
The project focused on strengthening security, improving editorial management, optimizing performance under demanding publication workloads and ensuring business continuity through a scalable enterprise architecture.
About the project
The project focused on continuously evolving one of Spain's most critical institutional websites, combining cybersecurity, performance optimization and editorial governance while ensuring uninterrupted service for a public regulatory authority operating in highly sensitive sectors.
Project Goals
The CNMC required a modern digital platform capable of supporting the operational and security requirements of one of Spain's most important regulatory authorities. The project focused on strengthening cybersecurity, ensuring regulatory compliance, maintaining high availability and guaranteeing the long-term sustainability of the platform.
- Strengthened security and defense in depth: Protect a high-profile public institution against Layer 7 attacks, brute-force attempts and unauthorized access through corporate LDAP authentication and Two-Factor Authentication (TFA) for editorial and technical staff.
- Regulatory compliance and accessibility: Ensure compliance with password policies, security standards and accessibility requirements applicable to public administrations while maintaining an intuitive editorial experience.
- Performance under heavy publication workloads: Support significant traffic peaks generated by the publication of major regulatory resolutions through a high-performance caching architecture based on Redis and AdvAgg.
- Continuous technological evolution: Maintain the platform permanently updated on supported Drupal versions, avoiding technical debt and ensuring long-term sustainability.
Project Challenges
As Spain's national competition and market regulator, CNMC operates one of the country's most critical institutional websites. The platform had to combine enterprise-grade security, high availability and advanced editorial capabilities while supporting a continuously growing repository of official documentation.
The main challenges included:
- High attack surface: As the regulator of strategic sectors such as energy and telecommunications, the portal is a frequent target of automated attacks. The solution required advanced application-layer protection without affecting legitimate users.
- Highly regulated editorial workflows: Hundreds of official documents, sanctions, reports and public consultations must be published under strict regulatory procedures with granular permissions and complete traceability.
- Large and complex document repository: The platform manages a very large volume of official documentation requiring reliable indexing, faceted navigation and near real-time search.
- Business continuity: Any service interruption during the publication of high-impact regulatory resolutions could have immediate public and economic consequences, making platform availability a critical requirement.
Solution
To address these requirements, ALTIA designed and implemented a secure, enterprise-grade Drupal architecture focused on cybersecurity, performance, maintainability and editorial governance.
Key elements of the solution included:
- Defense in depth: Development of a custom "CNMC Security" module providing application-layer protection against Layer 7 attacks, combined with LDAP authentication and Two-Factor Authentication (TFA) for privileged users.
- Advanced password and encryption policies: Password Policy was implemented to enforce corporate security standards together with Real AES encryption for sensitive information and reCAPTCHA v3 to mitigate automated attacks against public forms.
- Enterprise caching architecture: Redis was implemented as Drupal's object cache backend while AdvAgg optimized CSS and JavaScript delivery, significantly improving performance during high-demand publication periods.
- Advanced document search: Search API and Apache Solr were integrated with custom enhancements to provide real-time indexing and faceted search across the regulator's extensive document repository.
- Custom regulatory back office: More than forty custom Drupal modules were developed to support specialized business processes including executive agendas, meetings with regulated companies, statistical dashboards, organizational chart generation, granular permissions and controlled deployment processes.
- Secure configuration management: Config Split was adopted to safely manage configuration differences between development, staging and production environments.
- Custom frontend implementation: A fully customized institutional theme was developed on top of Bootstrap Barrio, aligned with CNMC's corporate identity.
Enterprise Architecture
The platform was designed as a secure enterprise Drupal solution capable of supporting mission-critical public services.
Key architectural components included:
- Enterprise security architecture: Integration of LDAP, Two-Factor Authentication, Password Policy, Real AES encryption and custom application-layer protection significantly strengthened the organization's cybersecurity posture.
- Distributed caching: Redis and AdvAgg work together to reduce database load, accelerate content delivery and ensure stable performance during publication peaks.
- Enterprise search platform: Apache Solr provides advanced full-text search, faceted navigation and near real-time indexing for thousands of official documents.
- Configuration management: Config Split enables secure and controlled deployments across multiple environments while protecting sensitive configuration.
- Modular architecture: More than forty custom modules extend Drupal without modifying core functionality, ensuring maintainability while addressing highly specialized regulatory processes.
Results
The project has provided CNMC with a secure, resilient and continuously evolving institutional platform capable of supporting both current operational requirements and future regulatory challenges.
- Improved cybersecurity: Defense-in-depth architecture, LDAP integration and Two-Factor Authentication have significantly strengthened protection against cyber threats without affecting usability.
- Greater stability and performance: Redis and AdvAgg enable the platform to absorb publication traffic peaks while maintaining excellent response times.
- Long-term technological sustainability: Continuous evolution over more than eight years has kept the platform permanently updated to supported Drupal versions, avoiding technical debt.
- Greater editorial autonomy: More than forty custom modules provide tailored management tools that simplify complex regulatory workflows while improving governance and traceability.
Why Drupal was chosen
Drupal was selected because it combines enterprise-level security, flexibility and long-term maintainability, making it an ideal platform for a highly regulated public-sector organization.
Its mature security ecosystem enabled the implementation of advanced authentication mechanisms including LDAP integration, Two-Factor Authentication (TFA), Password Policy enforcement and custom application-level security modules while preserving Drupal core maintainability.
Drupal's native support for Redis, Search API Solr and Config Split allowed the platform to achieve high performance, secure multi-environment deployments and enterprise-grade search capabilities without requiring proprietary technologies.
Its extensibility also enabled ALTIA to develop more than forty custom modules covering highly specialized regulatory business processes while continuing to benefit from Drupal's long-term support model.
Technical Specifications
Drupal version:
LDAP: Corporate authentication integrated with the organization's directory services.
TFA: Added an extra security layer for privileged users.
Password Policy: Enforced enterprise password complexity and lifecycle policies.
Real AES: Encrypted sensitive information stored within Drupal.
CAPTCHA / reCAPTCHA: Protected public forms against automated submissions.
Redis: Optimized Drupal object caching while reducing database load.
AdvAgg: Improved frontend performance through CSS and JavaScript optimization.
Search API + Search API Solr: Delivered enterprise-grade indexing, faceted navigation and near real-time search capabilities.
Config Split: Safely managed configuration across multiple environments.
Webform: Supported secure public forms and data collection.
Protected Pages: Restricted access to confidential content where required.