The quality of life of EU citizens and their security, as well as the correct and efficient functioning of the internal market, depend on the provision of essential services through different critical infrastructures in a wide range of sectors. It is therefore imperative that critical infrastructures are adequately protected against a wide spectrum of threats, both natural and man-made, unintentional and with malicious intent. Where this fails and disruptions nevertheless follow, critical infrastructures must be resilient, i.e. able to recover quickly within an acceptable amount of time. As a reflection of the importance of this issue, the Commission adopted in 2006 the European Programme for Critical Infrastructure Protection (EPCIP), which sets out a European-level all-hazards framework for critical infrastructure protection (CIP).
One of the central pillars of the EPCIP is Directive 2008/114, which establishes a procedure for identifying and designating European Critical Infrastructures (ECIs) in the transport and energy sectors that, were they to be disrupted or destroyed, would have significant cross-border impacts. The Directive also provides for a common approach for assessing the need to improve the protection of designated ECIs.
However, a recent review of the ECI Directive indicates that the current framework is inadequate in the light of increasing interdependencies within and between critical infrastructure sectors as well as the evolving risks that they face. As these infrastructures grow ever more reliant upon one another, disruptions in one sector have the potential to generate immediate and in some cases long-lasting effects on operations in others that, in turn, can disrupt the provision of the essential services that critical societal/economic functions rely on. Situations such as these can have severe consequences for security, both in individual EU Member States and across the EU, and can lead to uncertainty or undermine confidence in the responsible authorities and providers of essential services.
The Commission’s proposal for additional measures on critical infrastructure protection, which is included in the Commission work programme 2020 (CWP 2020 - Annex), will be developed in coordination with other planned/ongoing initiatives in related sectors. For instance, the proposal will necessarily account for cross-sectoral measures in the financial services sector on operational and cyber resilience and the civil protection sector, as well as the ongoing review of Directive 2016/1148 concerning measures for a high common level of security of network and information systems across the Union (the NIS Directive).
The overall objective of this initiative is to enhance further the protection, but also the resilience of critical infrastructures in the EU (which in turn will contribute to securing the provision of essential services in the wake of disruptions), taking into account the increasingly deep nature of sectoral interdependencies and the evolving risks facing critical infrastructures. More specifically, the initiative aims to:
- Ensure greater coherence to the EU’s overall approach to critical infrastructure protection and resilience;
- Ensure a more level playing field for operators across the EU by providing them with consistent requirements, including reporting mechanisms;
- Ensure that all relevant sectors responsible for the provision of different types of essential services are included in the revised approach to critical infrastructure protection and resilience, and that cross-sectoral/cross-border disruptions are effectively managed;
- Put in place new/refine existing mechanisms aimed at enhancing further the ability of Member States to protect and ensure the resilience of critical infrastructures that are considered vital at national level;
- Ensure a higher level of understanding of the risks/threats that critical infrastructures face now and might come to face in the future, as well as the means to address them;
- Improve information exchange and cooperation.
This legislative initiative will be supported by an Impact Assessment, which the public is invited to feed into by way of an Inception Impact Assessment that was recently published on the Commission’s website (see below).
View the Inception Impact Assessment for this initiative
The Inception Impact Assessment is intended to inform stakeholders and citizens about this initiative. All feedback that is received will be published alongside the Inception Impact Assessment and considered in the context of the aforementioned Impact Assessment. Stakeholders are invited to provide feedback on the Inception Impact Assessment until 7 August 2020.
Additional consultation activities in preparing the proposal
The Commission is carrying out targeted stakeholder consultations in preparing the proposal. These involve, among others, Member States, critical infrastructure operators, industry associations, subject matter experts and academia.
View the relevant documents
- Communication on Critical Infrastructure Protection in the Fight against Terrorism, June 2004
- European Programme for Critical Infrastructure Protection (EPCIP), December 2006
- Council Directive 2008/114 of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection
- Evaluation of Council Directive 2008/114 on the identification and designation of European Critical Infrastructure and the assessment of the need to improve their protection, SWD(2019) 308 final
- European Commission Adjusted Work Programme 2020