Policy on Critical Information Infrastructure Protection (CIIP)
7 February 2013
On 30 March 2009, the European Commission adopted a Communication on Critical Information Infrastructure Protection (CIIP) focusing on the protection of Europe from cyber disruptions by enhancing security and resilience. The Communication launched an action plan that also involves Member States and the private sector. It is based on five pillars: (i) preparedness and prevention, (ii) detection and response, (iii) mitigation and recovery, (iv) international cooperation and (v) criteria for European Critical Infrastructures in the field of ICT.
Two years later, in March 2011, the Commission took stock of the results achieved thus far and announced follow-up actions in the Communication on CIIP on "Achievements and next steps: towards global cyber-security". This Communication concluded that purely national approaches to tackling security and resilience challenges are not sufficient, and that Europe should continue its efforts to build a coherent and cooperative approach across the EU.
In its Conclusions on CIIP of 27 May 2011, the Council of the European Union stressed the pressing need to make ICT systems and networks resilient and secure against all possible disruptions, whether accidental or intentional; to develop across the Union a high level of preparedness, security and resilience capabilities and to upgrade technical competences to help Europe face the challenge of network and information infrastructure protection; and to foster Member States' cooperation by developing incident cooperation mechanisms between them.
Two Ministerial Conferences on CIIP took place, in Tallinn in 2009 and in Balatonfüred in 2011. Tallinn started the debate on the general direction of the European efforts towards increased network and information security for the future. Balatonfüred provided a forum to take stock of progress, assess lessons learnt and discuss the challenges ahead and next steps. It also investigated the way forward for engaging all stakeholders, in particular the private sector.
The European Parliament Resolution of 12 June 2012 on "Critical Information Infrastructure Protection: towards global cyber-security" broadly endorsed the 2011 Communication and made recommendations to the Commission for the way forward. Many of these recommendations have been taken on board in the Cybersecurity strategy and proposal for a Directive on network and information security published in 2013.
Among the main achievements of the CIIP policy are: establishment of the European Forum for Member States and of the European Public-Private Partnership for Resilience; carrying out of pan-European exercises (Cyber Europe 2010 and 2012); adoption, by ENISA, of a minimum set of baseline capabilities and services and related policy recommendations for National/Governmental Computer Emergency Response Teams (CERTs) to function effectively.
In some cases, the Cybersecurity strategy is taking forward such actions (for example, in carrying out pan-European exercises). In other cases, the voluntary approach of the CIIP policy would be strengthened by the proposal for a Directive on network and information security, which would require the Member States to put in place a minimum level of capabilities at national level and to cooperate cross-border.