In its EPCIP Communication of 12 December 2006, the Commission set out an overall policy approach and framework for critical infrastructure protection (CIP) activities in the EU.
Critical infrastructure is an asset or system which is essential for the maintenance of vital societal functions. The damage to a critical infrastructure, its destruction or disruption by natural disasters, terrorism, criminal activity or malicious behaviour, may have a significant negative impact for the security of the EU and the well-being of its citizens.
Reducing the vulnerabilities of critical infrastructure and increasing their resilience is one of the major objectives of the EU. An adequate level of protection must be ensured and the detrimental effects of disruptions on the society and citizens must be limited as far as possible.
The European Programme for Critical Infrastructure Protection (EPCIP) sets the overall framework for activities aimed at improving the protection of critical infrastructure in Europe - across all EU States and in all relevant sectors of economic activity. The threats to which the programme aims to respond are not only confined to terrorism, but also include criminal activities, natural disasters and other causes of accidents. In short, it seeks to provide an all-hazards cross-sectoral approach. The EPCIP is supported by regular exchanges of information between EU States in the frame of the CIP Contact Points meetings.
A key pillar of this programme is the 2008 Directive on European Critical Infrastructures. It establishes a procedure for identifying and designating European Critical Infrastructures (ECI) and a common approach for assessing the need to improve their protection. The Directive has a sectoral scope, applying only to the energy and transport sectors.
The Directive also requires owners/operators of designated ECI to prepare Operator Security Plans (advanced business continuity plans) and nominate Security Liaison Officers (linking the owner/operator with the national authority responsible for critical infrastructure protection).
The Commission has funded over 100 diverse projects under the Prevention, Preparedness and Consequence Management of Terrorism and other Security-related Risks programme (CIPS), during the 2007-2012 period. The programme is designed to protect citizens and critical infrastructures from terrorist attacks and other security incidents by fostering prevention and preparedness, namely by improving the protection of critical infrastructures and addressing crisis management. The key objective is to support CIP policy priorities by providing expert knowledge and a scientific basis for a better understanding of criticalities and interdependencies at all levels.
The Commission has developed a Critical Infrastructure Warning Information Network (CIWIN), providing an internet based multi-level system for exchanging critical infrastructure protection ideas, studies and good practices. The CIWIN portal, which has been up and running since mid-January 2013, also serves as a repository for CIP related information. This initiative seeks to raise awareness and contribute to the protection of critical infrastructure in Europe.
A European Reference Network for Critical Infrastructure Protection (ERN-CIP) has also been created by the Commission to 'foster the emergence of innovative, qualified, efficient and competitive security solutions, through networking of European experimental capabilities'. It aims to link together existing European laboratories and facilities, in order to carry out critical infrastructure-related security experiments and test new technology, such as detection equipment.
Taking into account the developments since the adoption of the 2006 EPCIP Communication, an updated approach to the EU CIP policy has become necessary. Moreover, Article 11 of the Directive 2008/114/EC on the identification and designation of European Critical Infrastructures refers to a specific review process of the Directive. Therefore, a comprehensive review has been conducted in close cooperation with the Member States and stakeholders during 2012. The preliminary results of this review have been summarised in a Commission Staff Working Document. Based on the results of this review and considering other elements of the current programme, the Commission adopted a 2013 Staff Working Document on a new approach to the European Programme for Critical Infrastructure Protection. It sets out a revised and more practical implementation of activities under the three main work streams – prevention, preparedness and response. The new approach aims at building common tools and a common approach in the EU to critical infrastructure protection and resilience, taking better account of interdependencies.