Protecting critical infrastructure

SUMMARY OF:

Directive 2008/114/EC — identification and designation of European critical infrastructures and assessment of the need to improve their protection

WHAT IS THE AIM OF THE DIRECTIVE?

It establishes a European Union (EU) process for identifying and designating European critical infrastructures* (ECIs), and sets out an approach for improving their protection.

KEY POINTS

Identification and designation of ECIs

EU countries go through a process of identifying potential ECIs, with the help of the European Commission if required. When identifying potential ECIs, they should use:
- cross-cutting criteria such as possible casualties, economic effects and effect on the public; and
- sectoral criteria specific to the type of ECI.
EU countries go through a cooperative designation process (e.g. discussions with other EU countries) for potential ECIs located on their territory.
EU countries regularly review the identification and designation of ECIs.
The directive applies only to the energy and transport sectors (see Annex I of the directive). In time, other sectors may be added to its scope.

Operator security plans

EU countries ensure that an operator security plan (OSP) is in place for each ECI.
The purpose of the OSP process is to identify the critical assets of the ECI, as well as the existing security solutions for protecting them.

Security liaison officers

EU countries ensure that a security liaison officer is designated for each ECI.
The officer serves as the contact point between the owner/operator of the ECI and the EU country’s authority concerned.

Reporting

EU countries conduct threat assessments in relation to ECIs within 1 year following the designation of critical infrastructure.
EU countries report general data to the Commission on the types of risks, threats and vulnerabilities every 2 years.

FROM WHEN DOES THE DIRECTIVE APPLY?

It has applied since 12 January 2009. EU countries had to incorporate it into national law by 12 January 2011.

BACKGROUND

National authorities are predominantly responsible for the protection of critical infrastructure. However, disruptions to critical infrastructure can be felt across national borders. That is why an EU dimension to help manage these risks is needed. In 2007, the Council of the EU adopted conclusions on a European programme for critical infrastructure protection (EPCIF). This programme aims to improve the protection of critical infrastructures against all types of threats and hazards.
Following a review of Directive 2008/114/EC, the Commission, in 2013, set out a new approach towards implementing the European programme for critical infrastructure protection. This aims at building common tools and a common approach in the EU to critical infrastructure protection and resilience, taking better account of interdependencies between critical infrastructures, industry and state actors.
For more information, see:
- ‘ Critical infrastructure ’ on the European Commission's website.

* KEY TERMS

Critical infrastructure: assets or systems essential for the maintenance of vital social functions, health, safety, security, and economic or social wellbeing of people. European critical infrastructure (ECI) is critical infrastructure in EU countries whose disruption or destruction would have a significant impact on at least 2 EU countries (e.g. electricity power plants or oil transmission pipelines).

MAIN DOCUMENT

Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection (OJ L 345, 23.12.2008, pp. 75–82)