Critical Infrastructure Protection and Resilience
Attacks on critical infrastructure sites are now a fact of life, not simply a potential threat. Power stations, chemical plants and nuclear facilities are routinely targeted by cyber-attacks, the most successful so far being the Ukraine power outage that caused 225,000 customers to lose electricity. Last year an activist landed a UAV carrying small traces of radiation on the roof of the Japanese Premier’s office and this year a UAV collided with an aircraft at London’s Heathrow airport. And of course there were the terrible attacks on the metro and airport in Brussels. This is just the start of what we can expect to be the repeated targeting of our critical infrastructure. The potential effects, not only in terms of loss of life but also in terms of damage to infrastructure, economic disruption and costs, can be enormous.
Once again, widespread flooding across Europe in 2015 caused even bigger power outages, and for longer periods, than cyber-attacks, and the damage to lives, property and businesses was larger still, emphasising the need for planning and preparation on a European scale.
We must be prepared!
The European Commission has adopted a communication on Critical Infrastructure Protection in the fight against terrorism, enhancing European prevention, preparedness and response in the event of terrorist attacks involving critical infrastructures.
The European Programme for Critical Infrastructure Protection (EPCIP) considers measures that will enhance the level of protection of infrastructure against external threats, with the Operator Security Plan for all infrastructures designated as European critical.
The European Union is also developing its policy on critical energy infrastructures in relation to the European Programme for Critical Infrastructure Protection (“EPCIP”) which considers measures that will enhance, where necessary, the level of protection of certain infrastructures against external threats.
Critical Infrastructure Protection and Resilience Europe brings together leading stakeholders from industry, operators, agencies and governments to collaborate on securing Europe. The conference will build on the themes of previous events, helping to create a better understanding of the issues and the threats and to facilitate the work to develop frameworks, good risk management, strategic planning and implementation.
The integrity of critical infrastructures and their reliable operation are vital for the well-being of the citizens and the functioning of the economy.
Learn about the importance of the updated NIS2 Directive…
An important discussion will centre around the EU cybersecurity rules introduced in 2016 and updated by the NIS2 Directive that came into force in 2023. It modernised the existing legal framework to keep up with increased digitisation and an evolving cybersecurity threat landscape. By expanding the scope of the cybersecurity rules to new sectors and entities, it further improves the resilience and incident response capacities of public and private entities, competent authorities and the EU as a whole.
Businesses identified by the Member States as operators of essential services in the above sectors will have to take appropriate security measures and notify relevant national authorities of serious incidents. Key digital service providers, such as search engines, cloud computing services and online marketplaces, will have to comply with the security and notification requirements under the Directive.
Learn about the importance of the new directive on the Resilience of Critical Entities…
The Directive on the Resilience of Critical Entities entered into force on 16 January 2023. Member States have until 17 October 2024 to adopt national legislation to transpose the Directive.
The Directive aims to strengthen the resilience of critical entities against a range of threats, including natural hazards, terrorist attacks, insider threats, or sabotage, as well as public health emergencies. Under the new rules:
- Member States will need to adopt a national strategy and carry out regular risk assessments to identify entities that are considered critical or vital for the society and the economy.
- In turn, the critical entities will need to carry out risk assessments of their own and take technical, security and organisational measures to enhance their resilience and notify incidents.
- Critical entities in the EU providing essential services in six or more Member States will benefit from extra advice on how best to meet their obligations to assess risks and take resilience-enhancing measures.
- Member States will need to provide support to critical entities in enhancing their resilience. The Commission will provide complementary support to Member States and critical entities, by developing a Union-level overview of cross-border and cross-sectoral risks, best practices, guidance material, methodologies, cross-border training activities and exercises to test the resilience of critical entities, among others.
Why the Need for Such a Discussion?
Article 196 of the Lisbon Treaty enshrines in law that the Union shall encourage cooperation between Member States in order to improve the effectiveness of systems for preventing and protecting against natural or man-made disasters.
The Union’s action shall aim to:
(a) support and complement Member States’ action at national, regional and local level in risk prevention, in preparing their civil-protection personnel and in responding to natural or man-made disasters within the Union;
(b) promote swift, effective operational cooperation within the Union between national civil-protection services;
(c) promote consistency in international civil-protection work.
The ever-changing nature of threats, whether natural through climate change, or man-made through terrorism activities, either physical or cyber-attacks, means there is a need to continually review and update policies, practices and technologies to meet these demands.