Protecting critical infrastructure
Directive 2008/114/EC — identification and designation of European critical infrastructures and assessment of the need to improve their protection
WHAT IS THE AIM OF THE DIRECTIVE?
It establishes a European Union (EU) process for identifying and designating European critical infrastructures* (ECIs), and sets out an approach for improving their protection.
Identification and designation of ECIs
EU countries go through a process of identifying potential ECIs, with the help of the European Commission if required. When identifying potential ECIs, they should use:
cross-cutting criteria such as possible casualties, economic effects and effect on the public; and
sectoral criteria specific to the type of ECI.
EU countries go through a cooperative designation process (e.g. discussions with other EU countries) for potential ECIs located on their territory.
EU countries regularly review the identification and designation of ECIs.
The directive applies only to the energy and transport sectors (see Annex I of the directive). In time, other sectors may be added to its scope.
Operator security plans
EU countries ensure that an operator security plan (OSP) is in place for each ECI.
The purpose of the OSP process is to identify the critical assets of the ECI, as well as the existing security solutions for protecting them.
Security liaison officers
EU countries ensure that a security liaison officer is designated for each ECI.
The officer serves as the contact point between the owner/operator of the ECI and the EU country’s authority concerned.
EU countries conduct threat assessments in relation to ECIs within 1 year following the designation of critical infrastructure.
EU countries report general data to the Commission on the types of risks, threats and vulnerabilities every 2 years.
FROM WHEN DOES THE DIRECTIVE APPLY?
It has applied since 12 January 2009. EU countries had to incorporate it into national law by 12 January 2011.
National authorities are predominantly responsible for the protection of critical infrastructure. However, disruptions to critical infrastructure can be felt across national borders. That is why an EU dimension to help manage these risks is needed. In 2007, the Council of the EU adopted conclusions on a European programme for critical infrastructure protection (EPCIF). This programme aims to improve the protection of critical infrastructures against all types of threats and hazards.
Following a review of Directive 2008/114/EC, the Commission, in 2013, set out a new approach towards implementing the European programme for critical infrastructure protection. This aims at building common tools and a common approach in the EU to critical infrastructure protection and resilience, taking better account of interdependencies between critical infrastructures, industry and state actors.
For more information, see:
* KEY TERMS
Critical infrastructure: assets or systems essential for the maintenance of vital social functions, health, safety, security, and economic or social wellbeing of people. European critical infrastructure (ECI) is critical infrastructure in EU countries whose disruption or destruction would have a significant impact on at least 2 EU countries (e.g. electricity power plants or oil transmission pipelines).
Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection (OJ L 345, 23.12.2008, pp. 75–82)
Communication from the Commission to the Council and the European Parliament — Critical Infrastructure Protection in the fight against terrorism (COM(2004) 702 final, 20.10.2004)
Green Paper on a European programme for critical infrastructure protection (COM(2005) 576 final, 17.11.2005)
Communication from the Commission on a European Programme for Critical Infrastructure Protection (COM(2006) 786 final, 12.12.2006)
Commission Staff Working Document on a new approach to the European Programme for Critical Infrastructure Protection: Making European Critical Infrastructures more secure (SWD(2013) 318 final, 28.8.2013)
last update 14.11.2016