Considering the rise of threats and potential risks – notably with the ongoing war in Ukraine and the recent Nord Stream sabotage – it appears essential, not to say urgent, to strengthen the resilience of EU critical infrastructure. European critical entities are interconnected and interdependent, which can be hazardous in case of a (cyber)attack. The proposal prioritizes key sectors, namely energy, digital infrastructure, transport and space. The European Commission President Ursula von der Leyen presented last October 5 a draft recommendation covering three priority areas:
- Preparedness, response, and international cooperation
- A stronger support and coordination role by the Commission
- Strengthened cooperation among Member States, and with neighboring third countries
“Critical infrastructures have become increasingly interlinked as well as mutually dependent. Be it pipelines, transport ways, or undersea cables, a disruption in one country can have a cascading effect with ramifications of the Union as a whole.” – Margaritis Schinas, Vice-President for Promoting our European Way of Life
To be more specific, von der Leyen’s proposal sets out a 5-point plan for resilient critical infrastructure. The key elements are: enhancing preparedness; working with Member States with a view to stress testing their critical infrastructure, starting with the energy sector and then followed by other high-risk sectors; increasing the response capacity, in particular through the Union Civil Protection Mechanism; making good use of satellite capacity to detect potential threats; and strengthening cooperation with NATO and key partners on the resilience of critical infrastructure.
In fact, the EU does have a role to play when it comes to strengthening “infrastructure that crosses borders or that provides cross-border services”. With this purpose in mind, Member States are encouraged to carry out “stress tests” of entities operating critical infrastructure, relying on a defined set of principles developed at the EU level. This is to be complemented by the production of a Blueprint on critical infrastructure incidents and crises: “this Blueprint will be developed by the Commission in cooperation with the HRVP, in consultation with Member States and with the support of relevant agencies”.
The draft Recommendation aims to reinforce early warning and response to disruptions of critical infrastructure, notably through the Union Civil Protection Mechanism. The EU Commission’s role will also encompass a review of the “adequacy and readiness of the existing response capacity”. This new proposal will thus be complementary to existing cyber rules, such as the recently agreed Directive on critical infrastructure (CER Directive) and the upcoming Revised Directive on the security of Network and Information Systems (NIS2 Directive).
“With the agreement of NIS2, we modernize rules to secure more critical services for society and economy. This is therefore a major step forward. We will complement this approach with the upcoming Cyber Resilience Act that will ensure that digital products are also more secure whenever they are used.” – Thierry Breton, Commissioner for the Internal Market
It is hence important to adopt this proposal so as to “step up the EU’s capacity to protect itself against attacks on critical infrastructure, both in the EU and its direct neighborhood”. President von der Leyen presented the proposal for a Council Recommendation on Critical Resilience to EU leaders at the European Council last October 20 and 21.