Today, the Commission is proposing to strengthen the resilience of EU critical infrastructure. The proposal for a Council Recommendation builds on the 5-point plan for resilient critical infrastructure presented by President von der Leyen at the European Parliament on 5 October.
European critical entities are more interconnected and interdependent, which makes them stronger and more efficient but also more vulnerable in case of an incident. Russia's war of aggression against Ukraine has brought new risks, physical and cyber-attacks, often combined as a hybrid threat. The sabotage of the Nord Stream gas pipelines and other recent incidents made it clear that the resilience of the EU critical infrastructure is under threat. Action is urgently needed to step up the EU's capacity to protect itself against attacks on critical infrastructure, both in the EU and its direct neighbourhood.
As a key part of the EU's work to build a Security Union, the Commission proposed already in 2020 updated rules to increase the resilience of critical entities. With the recently-agreed Directive on the resilience of critical infrastructure (CER Directive) and the Revised Directive on the security of network and information system (NIS2 Directive), the EU will soon have an updated and comprehensive legal framework to strengthen both the physical and cyber-resilience of critical infrastructure. However, in view of the fast-evolving threat landscape, the application of the new rules needs to be accelerated.
The draft Recommendation aims at maximising and accelerating the work to protect critical infrastructure in three priority areas: preparedness, response and international cooperation. For that purpose, it foresees a stronger support and coordination role by the Commission to enhance preparedness and response against the current threats as well as a strengthened cooperation among Member States, and with neighbouring third countries. Priority should be given to the key sectors of energy, digital infrastructure, transport and space.
The EU has a particular role to play in respect of infrastructure that crosses borders or that provides cross-border services and thus impacting the interests of several Member States. Clear identification of such infrastructure and entities operating them and collective commitment to protect them is in the interest of all Member States. The Commission encourages Member States to conduct stress tests of entities operating critical infrastructure, based on a common set of principles developed at Union level.
The stress test exercise will complemented by the production of a Blueprint on critical infrastructure incidents and crises. This will describe and set out the objectives and modes of cooperation between the Member States and EU institutions, bodies, offices and agencies in responding to incidents against critical infrastructure, in particular where these entail significant disruptions of the provision of essential services for the internal market. This Blueprint will be developed by the Commission in cooperation with the HRVP, in consultation with Member States and with the support of relevant agencies. It will make use of the existing Integrated Political Crisis Response (IPCR) arrangements for the coordination of the response.
The draft Recommendation aims to strengthen the capacity of early warning and response to disruptions of critical infrastructure through the Union Civil Protection Mechanism. The Commission will regularly review the adequacy and readiness of the existing response capacity and it will organise tests of cross-sectoral cooperation at EU level.
The draft Recommendation also calls for strengthened cooperation with key partners and neighbouring countries on the resilience of critical infrastructure. The Commission and the High Representative will strengthen coordination with NATO through the EU-NATO structured dialogue on resilience and will set up a Task Force for this purpose.
Vice-President for Promoting our European Way of Life, Margaritis Schinas, said: “Critical infrastructures have become increasingly interlinked as well as mutually dependent. Be it pipelines, transport ways, or undersea cables, a disruption in one country can have a cascading effect with ramifications of the Union as a whole. The Commission acted early on in our mandate to build a robust system to protect infrastructure online and off. The Nord Stream sabotage and other recent incidents show we need to accelerate the implementation of this new system and build strong crisis coordination mechanisms to act today.”
Commissioner for Home Affairs, Ylva Johansson said: "In view of fast-evolving threats, with Russia's war of aggression against Ukraine, the sabotage of Nord Stream and the German rail network – it's clear we need to accelerate our work to protect our infrastructure. The European Parliament and the Council already agreed to deepen the legislative framework to strengthen the resilience of entities operating critical infrastructure. However, with the threats we see today, we need to accelerate the application of the new rules and intensify our work with additional measures and closer cooperation.”
Commissioner for Internal Market, Thierry Breton added: ”The geopolitical reality pushes us to strengthen the resilience of European critical infrastructure in all dimensions, cyber and physical. The two new directives, NIS2 and CER are 2 sides of the same coin that we want to achieve even faster. We have already laid the foundations with cooperation, coordination and preparedness in the cyber domain and that can serve as inspiration. The Commission has also set-up a short-term emergency scheme to support Member States in boosting their cyber preparedness for instance by supporting penetration testing.”
Next Steps
President von der Leyen will present the proposal for a Council Recommendation on Critical Infrastructure Resilience to EU leaders at the European Council on 20-21 October.
Background
In the summer of 2022, the co-legislators reached a political agreement to deepen the EU legislative framework to strengthen the resilience of entities operating critical infrastructure. Agreements were reached on the Directive on the resilience of critical infrastructure (CER Directive) and the Revised Directive on the security of network and information systems (NIS2 Directive). The new legislation is expected to come into force in late 2022 or early 2023, and transposition and application should be prioritised by Member States. The CER Directive puts forward a new framework for cooperation, as well as obligations for Member States and critical entities aimed at strengthening the physical non-cyber resilience. Eleven sectors are now covered: energy, transport, digital infrastructure, banking, financial market infrastructure, health, drinking water, waste water, public administration, space, and food. The NIS2 Directive will put in place a broad sectoral coverage of cybersecurity obligations. This will encompass a new requirement for Member States, to include, where relevant, undersea cables in their cybersecurity strategies.
Following the acts of sabotage against the Nord Stream pipelines, on 5 October 2022, President von der Leyen presented a 5-point plan for resilient critical infrastructure. Its key elements are: enhancing preparedness; working with Member States with a view to stress test their critical infrastructure, starting with the energy sector and then followed by other high-risk sectors; increasing the response capacity in particular, through the Union Civil Protection Mechanism; making good use of satellite capacity to detect potential threats; and strengthening cooperation with NATO and key partners on the resilience of critical infrastructure.
For More Information
Commission welcomes agreement on new rules on cybersecurity (NIS2)
EU Toolbox on 5G Cybersecurity