Critical Information Infrastructure Protection - a new initiative in 2009
Electronic Communication services and networks provide the backbone of the European economy and are vital to citizens, businesses and governments. They are often referred to as critical information infrastructure. Information infrastructures like telephone lines, fibre optic cables and computer networks rule our lives, and they have to be safe. Large parts of the EU economy are relying on this. Many services and processes have become increasingly dependent on the functioning of information and communication technology (ICT) networks. As these networks tend to be decentralised, highly interconnected and interdependent, failures of these infrastructures could cascade and spread beyond national borders. To address this, the European Commission is launching a policy initiative to protect these Critical Information Infrastructures.
Protecting Europe from large scale cyber-attacks and disruption
The Critical Information Infrastructure Protection (CIIP) policy proposed by the Commission focuses on prevention, preparedness and awareness and defines a plan for immediate actions to strengthen the security and resilience of CIIs.
The planned activities complement the European Programme for Critical Infrastructure Protection (EPCIP), which is a separate but related Commission activity. A key element of EPCIP is the Council Directive on the identification and designation of European Critical Infrastructures, which explicitly states that the ICT sector is a part of critical infrastructures which will need to be specifically addressed.
The proposed actions complement existing measures in the area of police and judicial cooperation to prevent, fight and prosecute criminal and terrorist activities targeting CIIs. These proposals are also reflected in the EU research efforts in the field of network and information security and are in line with the international initiatives in this area.
To achieve an enhanced level of awareness and preparedness throughout the EU, the Commission proposes the following set of actions:
- Preparedness and prevention: to ensure preparedness by defining a baseline of capabilities and services of national/governmental Computer Emergency Response Teams, creating a European Public-Private Partnership for Resilience and a European Forum of Member States to share information and good policy and operational practices.
- Detection and response: to provide adequate early warning mechanisms, by supporting the development and deployment of a European Information Sharing and Alert System, reaching out to citizens and SMEs and being based on national and private sector information and alert sharing systems.
- Mitigation and recovery: to reinforce EU defence mechanisms for CII, via the development by Member States of national contingency plans and the organisation of regular exercises for large scale networks security incident response and disaster recovery, as a step towards closer pan-European coordination, and by strengthening the cooperation between national/governmental Computer Emergency Response Teams.
- International and EU wide cooperation: to promote EU priorities internationally, by driving a Europe-wide debate, involving all relevant public and private stakeholders, to define EU priorities for the long term resilience and stability of the Internet, by working with Member States to define guidelines for the resilience and stability of the Internet and by working on a roadmap to promote principles and guidelines at the global level, possibly leveraging strategic cooperation with third countries.
- Criteria for the ICT sector: to support future implementation of EPCIP, by continuing to develop, in cooperation with Member States and all relevant stakeholders, the criteria to identify the European critical infrastructures in the ICT sector.
Links:
NEW Communication "Protecting Europe from large scale cyber-attacks and disruptions: enhancing preparedness, security and resilience", COM (2009)149:
- Communication on CIIP
- Citizens
summaries NEW
- Impact Assessment Summary
- Impact Assessment part 1 - part 2 - part 3
- Press release and MEMO
- CIIP - Preparatory activities
- CIIP - Implementation activities
Return to the list of Activities
Last updated: 29.05.2009