The quality of life of EU citizens and their security, as well as the correct and efficient functioning of the internal market, depend on the provision of essential services through different critical infrastructures in a wide range of sectors. It is therefore imperative that critical infrastructures are adequately protected against a wide spectrum of threats, both natural and man-made, unintentional and with malicious intent. Where this fails and disruptions nevertheless follow, critical infrastructures must be resilient, i.e. able to recover quickly within an acceptable amount of time. As a reflection of the importance of this issue, the Commission adopted in 2006 the European Programme for Critical Infrastructure Protection (EPCIP), which sets out a European-level all-hazards framework for critical infrastructure protection (CIP).
One of the central pillars of the EPCIP is Directive 2008/114, which establishes a procedure for identifying and designating European Critical Infrastructures (ECIs) in the transport and energy sectors that, were they to be disrupted or destroyed, would have significant cross-border impacts. The Directive also provides for a common approach for assessing the need to improve the protection of designated ECIs.
However, a recent review of the ECI Directive indicates that the current framework is inadequate in the light of increasing interdependencies within and between critical infrastructure sectors as well as the evolving risks that they face. As these infrastructures grow ever more reliant upon one another, disruptions in one sector have the potential to generate immediate and in some cases long-lasting effects on operations in others that, in turn, can disrupt the provision of the essential services that critical societal/economic functions rely on. Situations such as these can have severe consequences for security, both in individual EU Member States and across the EU, and can lead to uncertainty or undermine confidence in the responsible authorities and providers of essential services.
The Commission’s proposal for additional measures on critical infrastructure protection, which is included in the Commission work programme 2020 (CWP 2020 - Annex), will be developed in coordination with other planned/ongoing initiatives in related sectors. For instance, the proposal will necessarily account for cross-sectoral measures in the financial services sector on operational and cyber resilience and the civil protection sector, as well as the ongoing review of Directive 2016/1148 concerning measures for a high common level of security of network and information systems across the Union (the NIS Directive).
The overall objective of this initiative is to enhance further the protection, but also the resilience of critical infrastructures in the EU (which in turn will contribute to securing the provision of essential services in the wake of disruptions), taking into account the increasingly deep nature of sectoral interdependencies and the evolving risks facing critical infrastructures. More specifically, the initiative aims to:
This legislative initiative will be supported by an Impact Assessment, which the public is invited to feed into by way of an Inception Impact Assessment that was recently published on the Commission’s website (see below).
The Inception Impact Assessment (https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/12462-Enhancement-of-European-policy-on-critical-infrastructure-protection) is intended to inform stakeholders and citizens about this initiative. All feedback that is received will be published alongside the Inception Impact Assessment and considered in the context of the aforementioned Impact Assessment. Stakeholders are invited to provide feedback on the Inception Impact Assessment until 7 August 2020.
The Commission is carrying out targeted stakeholder consultations in preparing the proposal. These involve, among others, Member States, critical infrastructure operators, industry associations, subject matter experts and academia.