ANNEX

This Annex describes the objectives, the principles, the main relevant actors, the interplay with other relevant crisis and emergency management mechanisms, and the functioning of a Blueprint to coordinate the response to critical infrastructure incidents with significant cross-border relevance (‘EU Critical Infrastructure Blueprint’) and, where necessary, improve cooperation between Member States and the relevant Union institutions, bodies, offices and agencies as regards such incidents, in accordance with the applicable rules and procedures. This EU Critical Infrastructure Blueprint does not affect in any way the role and functioning of other arrangements.

Part I: Objectives, principles, actors and other instruments

1.   Objectives

The EU Critical Infrastructure Blueprint aims to promote the following three main objectives in response to a critical infrastructure incident with significant cross-border relevance, where appropriate:

(a)

Shared situational awareness, since a good understanding of the critical infrastructure incident with significant cross-border relevance in the Member States, of its origin and of its potential consequences for all relevant stakeholders at operational and strategic/political level is essential for an appropriate coordinated response.

(b)

Coordinated public communication, since it helps to mitigate the negative effects of a critical infrastructure incident with significant cross-border relevance and to minimise discrepancies in the messages conveyed to the public among Member States, fully respecting national competences for crisis communication. Where it is in the interest of the public and where this communication does not hamper crisis and emergency management operations, clear public communication is also important to mitigate the consequences of disinformation.

(c)

Coordinated and effective response, since strengthening the response of Member States and cooperation between them and with relevant Union institutions, bodies, offices and agencies can contribute to mitigating the effects of a critical infrastructure incident with significant cross-border relevance and to enabling swift reestablishment of essential services in a way that minimises vulnerability to further significant incidents.

2.   Principles

Proportionality

Incidents that disrupt critical infrastructure and/or the provision of essential services often fall below the threshold of a critical infrastructure incident with significant cross border relevance as specified in point 2 of this Recommendation. As such, they can, in principle, be addressed effectively at national level. Therefore, the application of the EU Critical Infrastructure Blueprint should be limited to critical infrastructure incidents with significant cross-border relevance.

Subsidiarity

Member States have the primary responsibility in responding to disruptions of a critical infrastructure or of essential services provided by critical entities, in accordance with Union law. However, relevant Union institutions, bodies, offices and agencies, in particular the European External Action Service (‘EEAS’) can have an important complementary role in case of a critical infrastructure incident with significant cross-border relevance, since such an incident may impact several or even all sections of economic activity within the internal market, the life of citizens living in the Union, the security of the Union and its international relations with partners without prejudice to the Member States’ responsibility for safeguarding national security and defence.

Complementarity

The EU Critical Infrastructure Blueprint should take into account and reflect the working of existing crisis and emergency management mechanisms at Union level, namely the Council’s Integrated Political Crisis Response (‘IPCR’) arrangements, the Commission’s internal crisis coordination process ARGUS, the Union Civil Protection Mechanism (‘UCPM’), supported by the Emergency Response Coordination Centre (‘ERCC’) established under the UCPM by Decision No 1313/2013/EU of the European Parliament and of the Council (1), and the EEAS Crisis Response Mechanism. It should also draw on sectoral arrangements, including the provisions for coordinated management of large-scale cybersecurity incidents provided for by Directive (EU) 2022/2555 of the European Parliament and of the Council (2), the EU-SCICF framework recommended by the European Systemic Risk Board (3) (ESRB), the Network of transport contact points (4), the European Aviation Crisis Coordination Cell (5) and the Coordination Groups for Electricity (6), Gas (7) and Oil (8).

Furthermore, the EU Critical Infrastructure Blueprint should rely on and use the existing structures and mechanisms at Union level, including the relevant Working Parties of the Council (namely the PROCIV CER Working Party) and those established by Directive (EU) 2022/2557 of the European Parliament and of the Council (9), in particular as regards the cooperation between competent authorities of the Member States and with the Commission and in the Critical Entities Resilience Group (‘CERG’) established by Directive (EU) 2022/2557. It should also take into account the responsibilities of relevant Union institutions, bodies, offices and agencies under the legal framework applicable to them. Critical infrastructure crisis response activities are complementary with other crisis and emergency management mechanisms at Union, national and sectoral levels that support multi-sectoral coordination.

Confidentiality of information

The EU Critical Infrastructure Blueprint should take account of the importance of safeguarding the confidentiality of classified information and sensitive non-classified information related to critical infrastructure and critical entities.

No Member State is expected to supply information the disclosure of which would be contrary to the essential interests of its national security, public security or defence. Without prejudice to Article 346 TFEU, information that is confidential pursuant to Union or national rules, such as rules on business confidentiality, should be exchanged with the Commission and other relevant authorities only where that exchange is necessary for the application of this Recommendation. The information exchanged should be limited to that which is relevant and proportionate to the purpose of that exchange. The exchange of information should preserve the confidentiality of that information and the security and commercial interests of critical entities, while respecting the security of Member States.

3.   Relevant actors

Each Member State and relevant Union institutions, bodies, offices and agencies referred to in points (a) to (g) below should identify, in accordance with the rules and procedures applicable to them, the relevant actors for each critical infrastructure incident with significant cross-border relevance, where appropriate, depending on the sector affected and the type of incident.

(a)   Member States

—

Competent authorities (e.g. authorities in charge of critical infrastructure, relevant sectoral authorities, single points of contact designated or established pursuant to Article 9(2) of Directive (EU) 2022/2557, authorities designated or established pursuant to Article 9(1) of Directive (EU) 2022/2557).

—	Other stakeholders, including entities or persons from the private sector holding specific functions, such as operators of critical infrastructure, including the ones identified as critical entities.

—	Ministers responsible for critical infrastructure resilience and/or Ministers responsible for the sector or sectors most affected by the critical infrastructure incident with significant cross-border relevance in question.

(b)   The Council

—	The Presidency of the Council.

—	COREPER, the Political and Security Committee and IPCR arrangements.

—	The relevant Working Parties, such as the Working Party on Civil Protection – Critical Entities Resilience (‘PROCIV CER Working Party’) and the chairs of other relevant Working Parties.

—	The General Secretariat of the Council.

(c)   The European Council

—	The President of the European Council.

(d)   The Commission

—	The designated lead service and the Directorate-General for Migration and Home Affairs as the service responsible in the area and, in case of a cross-sectoral incident, the Directorate-General for Migration and Home Affairs and other relevant Commission services.

—	The Directorate-General for Communication and the Spokesperson’s service.

—	The Directorate-General HERA, European Health Emergency Preparedness and Response Authority.

—	The CERG, chaired by a Commission representative (Directorate-General Migration and Home Affairs), and other relevant expert groups and committees.

—	The ERCC established under the UCPM (24/7 operational emergency management hub under the UCPM located in Directorate-General European Civil Protection and Humanitarian Aid Operations).

—	The Health Security Committee established by Article 4 of Regulation (EU) 2022/2371 of the European Parliament and of the Council (10).

—	The Secretariat-General of the Commission (ARGUS secretariat) and the (Deputy) Secretary-General (ARGUS process), the Directorate-General for Human Resources (Security Directorate).

—	Other relevant Commission expert groups assisting the Commission in the coordination of measures in an emergency or a crisis situation.

—	Other crisis and emergency management networks, including sectoral (e.g. Network of transport contact points managed by Directorate-General Mobility and Transport, the interinstitutional Cyber Crisis Task Force (11), the European Aviation Crisis Coordination cell).

—	The President and/or the responsible Vice-President/Commissioner.

—	Other Commission services which may have competence in specific areas of expertise.

(e)   The EEAS

—	The Single Intelligence Analysis Capacity (‘SIAC’) composed of the Intelligence and Situation Centre (‘IntCen’) and the EU Military Staff Intelligence Directorate (‘EUMS Int’).

—	The Crisis Response Centre (‘CRC’).

—	The High Representative of the Union for Foreign Affairs and Security Policy/Vice-President of the Commission (‘High Representative’).

(f)   Relevant Union bodies, offices and agencies, such as Europol or ENISA, depending on the sector affected (12)

(g)   Other relevant structures

—	The European cyber crisis liaison organisation network (‘EU-CyCLONe’) established by Article 16 of Directive (EU) 2022/2555;

—	The Computer Security Incident Response Teams (‘CSIRTs’) network established by Article 15 of Directive (EU) 2022/2555;

—	The pan-European systemic cyber incident coordination framework (‘EU-SCICF’) as referred to in Recommendation ESRB/2021/17 of the ESRB.

4.   Interplay with other relevant crisis and emergency management mechanisms and instruments

The EU Critical Infrastructure Blueprint should be a flexible tool that maps various actions that could be taken partially or fully using different existing arrangements, depending on the nature and gravity of the critical infrastructure incident with significant cross-border relevance and on the need for operational or strategic/political coordination.

(a)   Integrated Political Crisis Response arrangements (‘IPCR’)

In line with Council Implementing Decision (EU) 2018/1993 (13), in case of a crisis for which the IPCR arrangements have been activated, measures under the EU Critical Infrastructure Blueprint could be part of the EU response at the political level. In such a case, the decision-making process of the IPCR would apply and the EU Critical Infrastructure Blueprint could be used as a complementary tool providing specific support on critical infrastructure to the IPCR to ensure a well-coordinated response. The IPCR arrangements are designed to allow a timely policy coordination and response at the Union political level (COREPER/Council) in the event of major emergencies or crises. The IPCR is also used to coordinate, at the strategic/political level, the response to the invocation of the solidarity clause (Article 222 TFEU) to ensure the coherence and complementarity of Union and Member State action. The arrangements for the implementation by the Union of the solidarity clause are defined by Council Decision 2014/415/EU (14).

(b)   The Union Civil Protection Mechanism (‘UCPM’)

Under Decision No 1313/2013/EU, the UCPM can be activated to respond to actual or imminent natural and man-made disasters within and outside the Union (including those stemming from incidents affecting critical infrastructure) with the operational support from the ERCC. The ERCC works in close contact with national civil protection authorities and relevant Union bodies to promote a cross-sectoral approach to disaster management.

(c)   The EU Hybrid Toolbox and the EU Protocol for countering hybrid threats

The EU Protocol for countering hybrid threats (15) (‘EU Protocol for countering hybrid threats’) outlines processes and tools applicable in case of hybrid threats or campaigns throughout the whole crisis and emergency management cycle.

In case of a significant critical infrastructure incident with a hybrid dimension, the processes and tools described in the EU Protocol for countering hybrid threats apply in complementarity with the EU Critical Infrastructure Blueprint, where appropriate, e.g. for specific information, analysis or communication on hybrid aspects of the critical infrastructure incident with significant cross-border relevance and regarding cooperation with external partners. In particular, the EU Hybrid Toolbox (16) provides a framework for a coordinated response to hybrid campaigns. Since the primary responsibility for countering hybrid threats lies with the Member States, the decision-making process described in the Implementing guidelines for the Framework for a coordinated Union response to hybrid campaigns applies.

(d)   The provisions for coordinated management of large-scale cybersecurity incidents provided for by Directive (EU) 2022/2555

Directive (EU) 2022/2555 contains provisions for coordinated management of large-scale cybersecurity incidents through the existing cooperation networks, in particular the EU-CyCLONe and the CSIRTs network. EU-CyCLONe and the CSIRTs network cooperate on the basis of procedural arrangements that specify the details of that cooperation and avoid any duplication of tasks.

EU-CyCLONe works as an intermediary between the technical and political level during large-scale cybersecurity incidents and crises, and enhances cooperation at operational level and supports decision-making at political level. EU-CyCLONe builds on the CSIRTs network findings and use its own capabilities to create impact analysis of large-scale cybersecurity incidents and crises. In case of a critical infrastructure incident with significant cross-border relevance which coincides with, or appears to be related to a large-scale cybersecurity incident, the relevant Council Working Parties should determine appropriate coordination at an operational level, including in cooperation with EU-CyCLONe. The purpose of the coordination should be to determine which actor, tool(s) or mechanism(s) could contribute most effectively to responding to the critical infrastructure incident with significant cross-border relevance, while avoiding duplication and parallel work strands. Such coordination should be coherent with existing relevant arrangements at the time of the incident.

(e)   Other sectoral or cross-sectoral mechanisms and instruments

The EU Critical Infrastructure Blueprint should not duplicate other sectoral or cross-sectoral crisis and emergency management tools or coordination mechanisms. Where such tools or mechanisms already exist, the EU Critical Infrastructure Blueprint, within its scope of application, should be used as a complementary tool to the sectoral or cross-sectoral tools or mechanisms, but should not replace them. The necessary coordination between the various actors would have to be ensured so as to avoid such duplication. In case of an activation of the IPCR, political and strategic coordination would take place in the IPCR. Within the Commission, internal crisis coordination is enabled by its internal crisis coordination process ARGUS, supported by the ERCC.

Part II: Information exchange and coordinated response

The actions described below consist of modes of cooperation, namely information exchange, coordinated communication and response. This structure corresponds to the modes of the Council’s crisis coordination mechanism IPCR and takes into account, more broadly, the potential use of the crisis coordination mechanisms already existing at Union level. This structure shows how those modes of cooperation would integrate therein if used. However, most of those actions can also be taken autonomously: they do not depend on the use of that mechanism but rather complement it. The actions are presented in a chronological order, while taking into consideration that, in case of a large-scale crisis that constitutes a critical infrastructure incident with significant cross-border relevance, several actions could be undertaken simultaneously and continuously.

1.   Information exchange

(a)   At operational level

The Member States affected by the critical infrastructure incident with significant cross-border relevance should apply their own contingency measures, ensure coordination with relevant national crisis and emergency management mechanisms, and ensure the involvement of all relevant national, regional and local actors, as appropriate.

Where relevant as regards civil protection assistance and the UCPM, the coordination between Member States and with the Commission is ensured through the ERCC and the contact points of the Member States in line with the legal provisions on the UCPM.

(i)   Information sharing and notification by the national competent authorities

In addition to the notification and information obligations pursuant to Article 15 of Directive (EU) 2022/2557, and in line with the relevant national legal frameworks, national competent authorities responsible for critical infrastructure in Member States affected by a critical infrastructure incident with significant cross-border relevance should share with the Presidency of the Council and with the Commission, through their single points of contact and without undue delay, unless operationally unable to do so, relevant information, which could include information received from critical entities or operators of critical infrastructure, or from other sources, concerning the crisis and emergency management mechanisms that were activated.

Exchange of information regarding a critical infrastructure incident with significant cross-border relevance should be limited to that which is relevant and proportionate to the purpose of that exchange and should occur via appropriate communication channels to the relevant Commission services. Where applicable and appropriate, the IPCR platform and the ERCC could be used. Information should be handled in accordance with established procedures and rules, including the handling of classified information. The potential use of the ERCC should not affect UCPM resources nor the availability of the ERCC to continue to fully serve the UCPM.

Such information sharing could include, as appropriate, the nature and cause of the critical infrastructure incident with significant cross-border relevance, the observed or estimated impact of the disruption on the critical infrastructure and the provision of essential services, consequences of the incident across sectors and borders and the mitigation measures, either already taken or envisaged, nationally or with other relevant Member States and the Commission through existing arrangements, e.g. the information sharing arrangements under Articles 9 and 15 of Directive (EU) 2022/2557. This information sharing should be provided without diverting the critical infrastructure’s or, in some cases, the critical entity’s or the Member States’ resources from activities related to incident handling, which is to be prioritised.

In order to ensure follow-up, the notified Commission services, including those responsible for the sector in which the critical infrastructure incident with significant cross-border relevance occurred, should inform the contact point in the Directorate for General Migration and Home Affairs and the Secretariat General of the Commission.

If the information could be relevant for addressing a cybersecurity dimension or be related to a cybersecurity incident, the Commission and the Presidency of the Council should share relevant information with EU-CyCLONe. The competent authorities under Directive (EU) 2022/2557 and those under Directive (EU) 2022/2555 should also cooperate and exchange information in relation to such incidents, without undue delay.

For the maritime domain, national competent authorities should consider the possibility of using the Common Information Sharing Environment (‘CISE’) to share information without undue delay.

(ii)   Information sharing at Union level

The Commission convenes as soon as possible the CERG to facilitate exchanges of relevant information between national competent authorities responsible for critical infrastructure and relevant Union institutions, bodies, offices and agencies on the incident (nature, cause, impact and consequences across sectors and borders), and informs the Presidency of the Council thereof. As that CERG meeting would be focused on the relevant critical infrastructure incident with significant cross-border relevance and its consequences, Member States are reminded that they can request the Commission to invite national experts on the subject matter to that CERG meeting to facilitate the most suitable representation of Member States. Depending on the centre of gravity of the incident, relevant Commission services could be closely associated to the meeting of the CERG, with a view to sharing information gathered through existing sectoral instruments.

In case of incidents with a combination of cybersecurity aspects and non-cyber physical aspects, the CSIRTs Network and EU-CyCLONe would cooperate on the basis of procedural arrangements mentioned in Article 15(6) of Directive (EU) 2022/2555. Coordination should be ensured by the Presidency with the relevant Working Parties, the relevant Commission services, the EEAS, CERT-EU, ENISA and Europol. Where necessary, CERT-EU would share relevant information with the CSIRTs Network, while the Commission would share information with EU-CyCLONe. In agreement with the respective chairs, the Commission (Directorate-General for Migration and Home Affairs and the Directorate-General for Communications Network, Content and Technology) may, if appropriate, propose a joint meeting of the CERG with the EU-CyCLONe and the CSIRTs network, and inform the Presidency of the Council thereof.

In the event of a cross-sectoral critical infrastructure incident with significant cross-border relevance and with wide-ranging impact or political significance at Union level, the Presidency of the Council, on its own initiative and after having consulted the affected Member States, the Commission and the High Representative, or at the request of one or several Member States, may explore options for cross-sectoral coordination through the IPCR. In case of an activation of the IPCR, such as in information sharing mode, political and strategic coordination would take place in the IPCR, with the EU Critical Infrastructure Blueprint providing the necessary input on critical infrastructure in support of the IPCR’s work.

In case a critical infrastructure incident with significant cross-border relevance also affects a third country, the Presidency of the Council, in consultation with the affected Member States and the Commission, should consider the suitability and modalities for collaborating with the third country.

(iii)   Support by the Commission and Union’s agencies

Where relevant and acting in accordance with its mandate, Europol presents an incident situation report at Union level. Other Union agencies, where relevant and acting in accordance with their respective mandates, report relevant information that contributes to the situational awareness or coordinated response to the critical infrastructure incident with significant cross-border relevance to their respective ‘parent’ Directorates-General which, in turn, report to the Commission (Directorate-General for Migration and Home Affairs) as the Chair of the CERG. The Commission keeps the Presidency of the Council adequately informed.

The Commission can provide a contribution to situational awareness using the assets of the Union Space Programme (17), such as Copernicus, Galileo or EGNOS, where relevant and in accordance with the applicable Union and national legal frameworks.

(b)   At strategic level

(i)   Production of reports based on Member States’ contributions

The Commission prepares a report within the field of critical infrastructure resilience based on information (on the critical infrastructure incident with significant cross-border relevance and existing best practices regarding the handling of such incident) shared by national competent authorities in a CERG meeting, or joint meetings with relevant services, expert groups or networks, and other available information. This report will be distributed to CERG members, PROCIV CER Working Party members and, in consultation with the Presidency of the Council, to other relevant stakeholders. If necessary, the report will be classified at the adequate level and, in any case, distributed to relevant recipients in Member States, in accordance with rules and procedures regarding information security as set out in the applicable legal frameworks.

That report will, where appropriate, take into account the outcomes of the relevant Union-level risk assessments, evaluations and scenarios from a cybersecurity perspective, including those carried out by the Commission and the High Representative and the Cooperation Group.

In case of the activation of the IPCR, that report can contribute to the Integrated Situation Awareness Analysis (‘ISAA’) prepared by the Commission services and the EEAS.

The SIAC presents an up-to-date intelligence-based assessment on the incident, where relevant.

(ii)   Activation of Union crisis coordination mechanisms and use of Union tools

In line with the legal provisions on the UCPM, the ERCC may begin providing situational awareness support surrounding the incident when the UCPM is activated (18). In addition, affected Member States may request satellite imagery of their territory via the Copernicus Emergency Management Service.

Where considered appropriate to share information across the Commission with the EEAS and relevant Union agencies, the lead Directorate-General or the Directorate-General for Migration and Home Affairs, in coordination with the Secretariat-General, activates the Commission’s internal crisis coordination process ARGUS Phase I by opening an event on the Argus IT tool. The Commission ensures that relevant information is shared with the Member States at the IPCR roundtables and via the IPCR platform.

The Presidency of the Council can activate the IPCR arrangements in information sharing mode, which entails the development of ISAA reports by the Commission and the EEAS, with contributions from national competent authorities and other sources, where appropriate. Even without activating the IPCR, a monitoring page on the IPCR web platform can be initiated by the Presidency of the Council. The General Secretariat of the Council, in agreement with the Presidency, can create a monitoring page possibly at the request of an affected Member State, the Commission services, or the EEAS.

Other (sectoral) Union crisis and emergency management mechanisms and tools may be activated following the respective procedures, as appropriate. The Commission will ensure coordination between those mechanisms and tools.

If the physical incident coincides with or appears to be related to a large-scale cybersecurity incident, as defined in Article 6, point (7), of Directive (EU) 2022/2555, the Presidency of the Council may also apply the provisions for coordinated management of large-scale cybersecurity incidents laid down in Directive (EU) 2022/2555 to determine appropriate coordination involving, inter alia, the Horizontal Working Party on Cyber Issues, the PROCIV CER Working Party, the CERG, the EU-CyCLONe and the CSIRTs Network, in accordance with their own rules and procedures.

(iii)   Coordination of public communication

The Member States affected by the critical infrastructure incident with significant cross-border relevance should coordinate their public communication on the crisis to the extent possible, while respecting national competences and administrative frameworks in this regard. The IPCR Crisis Communicators Network may be involved, as appropriate.

Based on the shared situational awareness, the PROCIV CER Working Party, in collaboration with the affected Member States and in consultation with the Commission, may organise an exchange of views on the public communication approaches of the Member States and the Commission. If needed, the PROCIV CER Working Party should try to identify common ground, to facilitate coordination among Member States.

This should be done keeping in mind that communication efforts should not undermine the national crisis and emergency management operations.

Europol and other relevant Union agencies coordinate their public communication activities with the Commission’s Spokesperson’s service, based on shared situational awareness and in consultation with the affected Member States. The ERCC will not have a role in crisis communication to the public under the Blueprint.

If the critical infrastructure incident with significant cross-border relevance entails an external or hybrid dimension, the public communication is coordinated with the EEAS and the Commission’s Spokesperson’s service, as described in the EU Protocol for countering hybrid threats.

2.   Response (involving continuous actions described under Information exchange and additional actions at strategic/political level)

(a)   At strategic level

(i)   Continuous production of situational reports

The PROCIV CER Working Party should be informed of the production of the reports (e.g. the ISAA in case of IPCR activation or the report based on Member States’ contributions within the field of critical infrastructure resilience prepared by the Commission) and should prepare the COREPER, in case the latter has not yet been convened, or the Political and Security Committee meeting, as appropriate.

The SIAC intensifies its outreach to Member States’ intelligence services, aggregates the all-source information and prepares an analysis and assessment of the incident, as well as regular updates, if necessary.

(ii)   Organisation of coordination meetings

Based on the shared situational awareness, the Presidency of the Council should convene as soon as possible meetings of the PROCIV CER Working Party to discuss, within the field of critical infrastructure resilience, gaps in the Union response to the critical infrastructure incident with significant cross-border relevance, and explore coordination options among Member States and the Union institutions, bodies, offices and agencies. If the IPCR were to be activated, the findings of those meetings could be fed by the Presidency into the IPCR crisis Roundtables. The IPCR crisis Roundtables can also identify some specific gaps in the response to the critical infrastructure incidents with significant cross-border relevance and direct, among others, the PROCIV CER Working Party to tackle those and report the results back to future IPCR crisis Roundtables to support the political and strategic coordination efforts of the IPCR.

(iii)   Full activation of Union crisis coordination mechanisms and use of Union instruments

In case the IPCR is activated by the Presidency of the Council in full mode:

Coordination of the response at Union political level should be carried out by the Council, using the IPCR arrangements.

The Presidency of the Council calls for a timely informal Roundtable, gathering the relevant national, Union and international actors, where the affected Member State(s) can report on the incident, the Presidency can report on the findings of the relevant working parties of the Council, and the Commission services can report on the previously convened group’s meeting(s), complemented by the EEAS, as appropriate.

The SIAC and the relevant Union agencies can be invited to present a situational update on the critical infrastructure incident with significant cross-border relevance in that meeting.

The ISAA lead service (the Commission lead service or the EEAS) prepares the ISAA report with contributions from relevant Commission services, relevant Union bodies, offices and agencies and national competent authorities. The Member States are also invited to provide input, through the IPCR web platform.

In case the President of the Commission activates the Commission’s internal crisis coordination process ARGUS Phase II, Crisis Coordination Committee meetings involving the relevant Commission services, agencies, and the EEAS, where relevant, are convened on a short notice in order to coordinate as regards all aspects of the critical infrastructure incident with significant cross-border relevance.

In case of a critical infrastructure incident with significant cross-border relevance of common interest for the Union and NATO, the Commission services and the EEAS may convene an EU-NATO Structured Dialogue on Resilience meeting to contribute to shared situational awareness and exchange of information on measures taken by the Union and NATO, in full respect of Union and Member States’ competences according to the Treaties and the key principles guiding the EU-NATO cooperation as agreed by the European Council, in particular reciprocity, inclusiveness and decision-making autonomy and in full transparency towards all Member States. Reaffirming the importance of unimpeded exchange of information between the Union and NATO, information on the incidents deemed sensitive by the affected Member State could be shared with NATO with the explicit consent of the affected Member State. Member States will be informed on the outcomes of the Structured Dialogue regarding the application of the EU Critical Infrastructure Blueprint.

(iv)   Public communication

Where relevant, the Council should facilitate exchanges on public communication approaches and, if needed, try to find common ground in order to facilitate coordination among Member States and with the Commission. The informal network of crisis communicators established through the IPCR may support this work. The Commission’s services also prepare public communication messages, as appropriate and in consultation with the affected Member States.

If the critical infrastructure incident with significant cross-border relevance entails an external or hybrid dimension, the public communication should be coordinated with the EEAS and the Commission’s Spokesperson’s service. The ERCC will not have a role in crisis communication to the public under the blueprint.

(v)   Support to Member States and effective response

The Presidency of the Council can convene more meetings of the PROCIV CER Working Party and other relevant working parties to support the activities in the framework of the IPCR, if activated.

Member States affected by the critical infrastructure incident with significant cross-border relevance may request the technical support of other Member States bilaterally or through the Presidency of the Council and/or PROCIV CER Working Party, e.g. specific expertise to mitigate the adverse impacts of the critical infrastructure incident with significant cross-border relevance.

Member States affected by the critical infrastructure incident with significant cross-border relevance may also request the technical and/or financial support of the Commission or relevant Union agencies. Upon such a request, the Commission, in coordination with the relevant Union agencies, assesses its possible support and activates, where appropriate and with the agreement of affected Member States, technical mitigation measures at Union level, in accordance with their respective procedures, and coordinates technical capacities needed to stop or reduce the impact of the critical infrastructure incident with significant cross-border relevance. The Commission and the Presidency should keep each other adequately informed of those requests, with the aim of effective coordination.

Affected countries may activate the UCPM to request for assistance, after which the ERCC would work with the contact points of the Member States in line with the legal provisions on the UCPM to coordinate the rendering of assistance.

Within their respective mandates and upon request, Europol and other relevant Union agencies can support Member States affected by a critical infrastructure incident with significant cross-border relevance in the investigation of the incident.

(b)   At political level

The Presidency of the Council can consider the necessity to convene IPCR roundtables, meetings of Council Working Groups, COREPER, Council meetings to exchange on the possible origin and expected consequences of the critical infrastructure incident with significant cross-border relevance for the Member States and for the Union, agree on common guidelines, and adopt the necessary measures to support the Member States affected by such incident and mitigate its effects. The European Council may also address the matter.

Schematic overview of the EU Critical Infrastructure Blueprint

---

(1)  Decision No 1313/2013/EU of the European Parliament and of the Council of 17 December 2013 on a Union Civil Protection Mechanism (OJ L 347, 20.12.2013, p. 924).

(2)  Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive) (OJ L 333, 27.12.2022, p. 80).

(3)  Recommendation of the European Systemic Risk Board of 2 December 2021 on a pan-European systemic cyber incident coordination framework for relevant authorities (ESRB/2021/17).

(4)  Communication from the Commission of 23 May 2022 – A contingency plan for transport (COM(2022) 211 final).

(5)  Established under Article 19 of Commission Implementing Regulation (EU) 2019/123 of 24 January 2019 laying down detailed rules for the implementation of air traffic management (ATM) network functions and repealing Commission Regulation (EU) No 677/2011 (OJ L 28, 31.1.2019, p. 1).

(6)  Commission Decision 2012/C 353/02 of 15 November 2012 setting up the Electricity Coordination Group (OJ C 353, 17.11.2012, p. 2).

(7)  Regulation (EU) 2017/1938 of the European Parliament and of the Council of 25 October 2017 concerning measures to safeguard the security of gas supply and repealing Regulation (EU) No 994/2010 (OJ L 280, 28.10.2017, p. 1).

(8)  Council Directive 2009/119/EC of 14 September 2009 imposing an obligation on Member States to maintain minimum stocks of crude oil and/or petroleum products (OJ L 265, 9.10.2009, p. 9).

(9)  Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 on the resilience of critical entities and repealing Council Directive 2008/114/EC (OJ L 333, 27.12.2022, p. 164).

(10)  Regulation (EU) 2022/2371 of the European Parliament and of the Council of 23 November 2022 on serious cross-border threats to health and repealing Decision No 1082/2013/EU (OJ L 314, 6.12.2022, p. 26).

(11)  An informal group including relevant Commission services, the EEAS, the European Union Agency for Cybersecurity (‘ENISA’), CERT-EU and Europol, co-chaired by Directorate-General Communications Network, Content and Technology and the EEAS.

(12)  Such as, for transport: the European Union Aviation Safety Agency (‘EASA’), the European Maritime Safety Agency (‘EMSA’), the European Railways Agency (‘ERA’); for health: the European Centre for Disease Prevention and Control (‘ECDC’) and the European Medicines Agency (‘EMA’); for energy: the Agency for the Cooperation of Energy Regulators (‘ACER’); for space: the EU Space Programme Agency (‘EUSPA’); for the food sector: the European Food Safety Authority (‘EFSA’); for the maritime sector: the European Fisheries Control Agency (‘EFCA’); for cyber-security incidents: , Computer Security Incident Response Teams (‘CSIRTs’), the Computer Emergency Response Team for the Union institutions, bodies and agencies (‘CERT-EU’), ECB, ESRB, European Supervisory Authorities (‘ESAs’).

(13)  Council Implementing Decision (EU) 2018/1993 of 11 December 2018 on the EU Integrated Political Crisis Response Arrangements (OJ L 320, 17.12.2018, p. 28).

(14)  Council Decision 2014/415/EU of 24 June 2014 on the arrangements for the implementation by the Union of the solidarity clause (OJ L 192, 1.7.2014, p. 53).

(15)  Joint Staff Working Document – EU Protocol for countering hybrid threats (SWD(2023) 116 final).

(16)  Council conclusions of 21 June 2022 on a Framework for a coordinated EU response to hybrid campaigns; Implementing guidelines for the Framework for a coordinated EU response to hybrid campaigns (15880/22).

(17)  Regulation (EU) 2021/696 of the European Parliament and of the Council of 28 April 2021 establishing the Union Space Programme and the European Union Agency for the Space Programme and repealing Regulations (EU) No 912/2010, (EU) No 1285/2013 and (EU) No 377/2014 and Decision No 541/2014/EU (OJ L 170, 12.5.2021, p. 69).

(18)  Such as the publication of media monitoring products, Civil Protection Messages, Analytical Briefs, ECHO Daily Maps, ECHO Daily Flashes and other tailored products.