Response to Evaluation of the European Critical Infrastructure (ECI) Directive
The European Critical Infrastructure (ECI) Directive is a milestone for European governance in the protection of critical infrastructures. Threats range broadly from man-made technological threats to natural disasters, and the technology landscape is rapidly evolving. The use of drones outside of the battlefield poses concerns in the international community, and terrorism is a continuing threat.
Meanwhile, national governments around the world are investing in greater offensive capabilities in cyberspace, and nation-state cyber-attacks have hit civilians during peacetime. With the emergence of new threats that impact critical infrastructures and civilian populations in times of peace, there is a consequent need for increased, reinforced cooperation and coordination across the European Union and between the European Institutions and NATO. Therefore, we welcome the review of the 2008 European Critical Infrastructure Directive, especially the assessment of its effectiveness, relevance, and coherence.
Ensuring consistency with the existing European legislative framework
Consistency between EU policies and activities is crucial, and the Directive must consider the adoption of the Directive on Security of Network and Information Systems (NIS) (EU) 2016/1148. Recital 5 of the ECI Directive envisages the inclusion of the ICT sector in the list of ECI given its cross-border nature.
However, the NIS Directive now addresses cybersecurity risks for a broad range of Operators of Essential Services (OES) and Digital Services Providers (DSP), with obligations for appropriate security risk management and incident notification.
Therefore, rather than inclusion of the ICT sector in ECI, we believe that the focus for evaluation of the ECI Directive should instead primarily be issues of hybrid conflict that are beyond the scope of the NIS Directive.
Advancing binding norms to regulate hybrid conflict
To have an effective and long-term impact, any review and update to the existing legal framework must take a holistic approach. Although traditional armed conflict in the domains of air, land, and sea is regulated, there is currently no international legal framework to regulate hybrid conflict that combines traditional armed conflict with conflict in cyberspace.
Existing rules and principles regarding armed conflict are laid down in International Humanitarian Law (IHL) and human rights law. However, the application of existing international law and the functioning of global governance institutions become increasingly blurred for hybrid conflict and threats to civilians in times of peace. Some of the present legal concepts and frameworks seldom adequately address hybrid threats. This leads increasingly to incoherent application of the existing rules and a lack of appropriate punishment. Consequently, an updated legislative framework in this regard cannot be effective while nation-state adversaries continue to develop and deploy hybrid capabilities to target European Critical Infrastructures.
Now is the time for the EU and the International Community to better protect civilians and European Critical Infrastructures by advancing international norms that regulate hybrid conflict in times of peace.
The views and opinions expressed here are entirely those of the author(s) and do not reflect the official opinion of the European Commission. The Commission cannot guarantee the accuracy of the information contained in them. Neither the Commission, nor any person acting on the Commission’s behalf, may be held responsible for the content or the information posted here. Views and opinions that violate the Commission’s feedback rules will be removed from the site.