Today, the Commission is proposing to strengthen the resilience of EU critical infrastructure. The proposal for a Council Recommendation builds on the 5-point plan for resilient critical infrastructure presented by President von der Leyen at the European Parliament on 5 October.
European critical entities are more interconnected and interdependent, which makes them stronger and more efficient but also more vulnerable in case of an incident. Russia’s war of aggression against Ukraine has brought new risks, physical and cyber-attacks, often combined as a hybrid threat. The sabotage of the Nord Stream gas pipelines and other recent incidents made it clear that the resilience of the EU critical infrastructure is under threat. Action is urgently needed to step up the EU’s capacity to protect itself against attacks on critical infrastructure, both in the EU and its direct neighbourhood.
As a key part of the EU’s work to build a Security Union, the Commission proposed already in 2020 updated rules to increase the resilience of critical entities. With the recently-agreed Directive on the resilience of critical infrastructure (CER Directive) and the Revised Directive on the security of network and information system (NIS2 Directive), the EU will soon have an updated and comprehensive legal framework to strengthen both the physical and cyber-resilience of critical infrastructure. However, in view of the fast-evolving threat landscape, the application of the new rules needs to be accelerated.
The draft Recommendation aims at maximising and accelerating the work to protect critical infrastructure in three priority areas: preparedness, response and international cooperation. For that purpose, it foresees a stronger support and coordination role by the Commission to enhance preparedness and response against the current threats as well as a strengthened cooperation among Member States, and with neighbouring third countries. Priority should be given to the key sectors of energy, digital infrastructure, transport and space.
The EU has a particular role to play in respect of infrastructure that crosses borders or that provides cross-border services and thus impacting the interests of several Member States. Clear identification of such infrastructure and entities operating them and collective commitment to protect them is in the interest of all Member States. The Commission encourages Member States to conduct stress tests of entities operating critical infrastructure, based on a common set of principles developed at Union level.
The stress test exercise will complemented by the production of a Blueprint on critical infrastructure incidents and crises. This will describe and set out the objectives and modes of cooperation between the Member States and EU institutions, bodies, offices and agencies in responding to incidents against critical infrastructure, in particular where these entail significant disruptions of the provision of essential services for the internal market. This Blueprint will be developed by the Commission in cooperation with the HRVP, in consultation with Member States and with the support of relevant agencies. It will make use of the existing Integrated Political Crisis Response (IPCR) arrangements for the coordination of the response.
The draft Recommendation aims to strengthen the capacity of early warning and response to disruptions of critical infrastructure through the Union Civil Protection Mechanism. The Commission will regularly review the adequacy and readiness of the existing response capacity and it will organise tests of cross-sectoral cooperation at EU level.
The draft Recommendation also calls for strengthened cooperation with key partners and neighbouring countries on the resilience of critical infrastructure. The Commission and the High Representative will strengthen coordination with NATO through the EU-NATO structured dialogue on resilience and will set up a Task Force for this purpose.
Vice-President for Promoting our European Way of Life, Margaritis Schinas, said: “Critical infrastructures have become increasingly interlinked as well as mutually dependent. Be it pipelines, transport ways, or undersea cables, a disruption in one country can have a cascading effect with ramifications of the Union as a whole. The Commission acted early on in our mandate to build a robust system to protect infrastructure online and off. The Nord Stream sabotage and other recent incidents show we need to accelerate the implementation of this new system and build strong crisis coordination mechanisms to act today.”
Commissioner for Home Affairs, Ylva Johansson said: “In view of fast-evolving threats, with Russia’s war of aggression against Ukraine, the sabotage of Nord Stream and the German rail network – it’s clear we need to accelerate our work to protect our infrastructure. The European Parliament and the Council already agreed to deepen the legislative framework to strengthen the resilience of entities operating critical infrastructure. However, with the threats we see today, we need to accelerate the application of the new rules and intensify our work with additional measures and closer cooperation.”
Commissioner for Internal Market, Thierry Breton added: ”The geopolitical reality pushes us to strengthen the resilience of European critical infrastructure in all dimensions, cyber and physical. The two new directives, NIS2 and CER are 2 sides of the same coin that we want to achieve even faster. We have already laid the foundations with cooperation, coordination and preparedness in the cyber domain and that can serve as inspiration. The Commission has also set-up a short-term emergency scheme to support Member States in boosting their cyber preparedness for instance by supporting penetration testing.”
President von der Leyen will present the proposal for a Council Recommendation on Critical Infrastructure Resilience to EU leaders at the European Council on 20-21 October.