Explanatory Memorandum to COM(2022)551 - Coordinated approach by the Union to strengthen the resilience of critical infrastructure

1. CONTEXT OF THE PROPOSAL

Reasons for and objectives of the proposal

Security is an essential goal of the European Union. While Member States have the primary responsibility for protecting citizens, collective action at Union level makes a major contribution to the security of the EU as a whole. Coordination helps to reinforce resilience, to improve alertness, and to strengthen our collective response. In the context of the EU Security Union, important steps have been taken to build capabilities and capacities for prevention, detection and rapid response to many security threats, and to link players in the public and private sectors in a common effort.

Equipping the EU to deal with the ever-changing threat landscape requires constant vigilance and adaptation. Russia’s war of aggression against Ukraine has brought new risks, often combined as a hybrid threat. One of these is the risk of disruption for the provision of essential services by entities operating critical infrastructure in Europe. This has become even more evident with the apparent sabotage of the Nord Stream gas pipelines and other recent incidents. Society relies heavily on both physical and digital infrastructure and the interruption of essential services, whether through conventional physical attacks or cyberattacks, or a combination of the two, can have serious consequences for citizens’ well-being, our economies, and trust in our democratic systems.

Ensuring the smooth functioning of the internal market is another key goal of the EU, including when it comes to the essential services provided by entities operating critical infrastructure. The EU has therefore already taken a number of measures to reduce vulnerabilities and increase the resilience of critical entities, both in respect of cyber and non-cyber risks.

Action is urgently needed to step up the EU’s capacity to stand up to potential attacks against critical infrastructure, principally in the EU itself but where relevant also in its direct neighbourhood.

The proposed Council Recommendation seeks to intensify the EU’s support for increasing the resilience of critical infrastructure and to ensure EU-level coordination in terms of preparedness and response. It aims to maximise and accelerate work to protect those assets, facilities and systems that are necessary for the functioning of the economy and for the provision of essential services in the internal market on which citizens rely, as well as to mitigate the impact of any attack by ensuring the swiftest possible recovery. While all such infrastructure should be protected, the first priority currently lies with the energy, digital infrastructure, transport and space sectors, owing to their particularly horizontal character for society and the economy and to current risk assessments.

The EU has a particular role to play in respect of ensuring the resilience of infrastructure that crosses terrestrial or maritime borders impacting the interests of several Member States, or that is used to provide essential services that cross borders. Critical infrastructure with relevance for several Member States may, however, lie in one Member State alone or even outside the territory of a Member State, for example in the case of undersea cables or pipelines. Clear identification of the critical infrastructure and the entities operating them, as well as the risks threatening them, and a collective commitment to protect them, is in the interests of all Member States and the EU as a whole.

The European Parliament and the Council have already reached political agreement to deepen the legislative framework for the EU to help strengthen the resilience of entities operating critical infrastructure. In the summer of 2022, agreements were reached on the Directive on the resilience of critical infrastructure (‘CER Directive’) 1 and the revised Directive on the security of network and information systems (‘NIS2 Directive’) 2 . These will represent a major intensification of capabilities compared to the existing legislative framework, Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection (‘ECI Directive’) 3 and Directive (EU) 2016/1148 of the European Parliament and of the Council concerning measures for a high common level of security of network and information systems across the Union (‘NIS Directive’) 4 . The new legislation is expected to come into force in late 2022 or early 2023, and transposition and application should be prioritised by Member States, in accordance with Union law.

That being so, and given the potential urgency to address threats that are arising from Russia’s war of aggression against Ukraine, the steps outlined in the new legislation should, where possible and appropriate, be frontloaded as of today. Intensifying mutual cooperation already now would also help to create the momentum for an effective implementation when the new legislation is fully in force.

The result would be to already move beyond the current frameworks, both in terms of the depth of action and the breadth of sectors covered. The new CER Directive puts forward a new framework for cooperation as well as obligations for Member States and critical entities aimed at strengthening the physical non-cyber resilience against natural and man-made threats of those entities that provide essential services in the internal market, with eleven sectors specified 5 . The NIS2 Directive will put in place a broad sectoral coverage of cybersecurity obligations. This will encompass a new requirement for Member States, to include, where relevant, undersea cables in their cybersecurity strategies.

The legislation requires the Commission to take on a substantial coordination role. Under the CER Directive, the Commission has a supporting and facilitating role, to be carried out with the support and involvement of the Critical Entities Resilience Group (CERG) established by that Directive, and should complement Member States’ activities by developing best practices, guidance material and methodologies. As for cybersecurity, the Council has already in its Conclusions on the EU’s Cyber Posture in summer 2022 invited the Commission, the High Representative, and the NIS Cooperation Group to work on risk assessments and scenarios from a cyber-security perspective. Such coordination can inspire an approach for other key critical infrastructure.

On 5 October 2022, President von der Leyen presented a 5-point plan setting out a coordinated approach to the necessary work ahead. Its key elements were: enhancing preparedness; working with Member States with a view to stress testing their critical infrastructure, starting with the energy sector and followed by other high-risk sectors; increasing response capacity, in particular through the Union Civil Protection Mechanism; making good use of satellite capacity to detect potential threats; and strengthening cooperation with NATO and key partners on the resilience of critical infrastructure. The 5-point plan underlined the value of anticipating the legislation that already enjoys political agreement.

The proposed Council Recommendation welcomes this approach, to structure support to Member States and coordinate their efforts in raising risk awareness, preparedness, and response to the current threats. In this regard, meetings of experts are convened to discuss the resilience of entities operating critical infrastructure in anticipation of the entry into force of the CER Directive and the CERG established thereby.

Strengthened cooperation with key partners and neighbouring and other relevant third countries on the resilience of entities operating critical infrastructure will be essential, in particular through the EU-NATO structured dialogue on resilience.

The focus of this Recommendation is the reinforcement of the Union’s capacity to anticipate, prevent and respond to the new threats arising from Russia’s war of aggression against Ukraine. The proposed recommendations therefore focus on addressing security-related risks and threats to critical infrastructure. Nevertheless, it should be noted that recent events have also underscored the pressing need to pay increased attention to climate change impacts on critical infrastructure and services in terms of, for example, seasonally compromised and unpredictable water supplies for nuclear power plant cooling, hydro power and inland navigation, or the risk of material damages to transport infrastructure, which may cause major disruptions in essential services. These concerns will continue to be addressed through relevant legislation and coordination.

Consistency with existing policy provisions in the policy area

This proposal for a Council Recommendation is fully in line with the current and future legal framework on the resilience of entities operating critical infrastructure, the ECI Directive and the CER Directive respectively, since it aims inter alia at facilitating cooperation between Member States in this area and supporting concrete measures to enhance resilience against the current imminent threats against entities operating critical infrastructure in the EU.

It also complements and anticipates the CER Directive by already inviting Member States to prioritise the timely transposition of the Directive, by cooperating through expert meetings convened as part of the 5-point plan announced by the Commission and by aiming at coordinating the way to a common approach on conducting stress tests on critical infrastructure in the EU.

The proposal is also in line with the NIS Directive and the forthcoming NIS2 Directive, which will repeal the NIS Directive, by calling for an early start to implementation and transposition work. It also reflects the Nevers Joint Call of March 2022 as well as the Council Conclusions on the EU cyber posture of May 2022 as regards the request of Member States to the Commission to develop risk assessments and risk scenarios.

The proposal is also in line with EU policy on civil protection, where in case of an overwhelming disruption to the operations of critical infrastructure/entities Member States and third countries can request assistance via the Emergency Response Coordination Centre (ERCC) under the Union Civil Protection Mechanism (UCPM). In the event of a UCPM activation, the ERCC is able to coordinate and co-finance the deployment of essential equipment, materials and expertise available in Member States (in part within the context of the European Civil Protection Pool) and under rescEU to the affected country. Assistance that can be made available upon request includes, for example, fuel, generators, electricity infrastructure, shelter capacity, water purification capacity, and emergency medical capacities.

The proposal is also in line with the EU acquis related to security of energy supply.

The nuclear energy sector is not specifically included in the proposed Council Recommendation, except for related infrastructure (such as transmission lines to nuclear power plants) that may affect security of supply. Specific nuclear elements are covered by relevant nuclear legislation under the Euratom Treaty and/or national legislation 6 . Drawing on the lessons of the Fukushima accident, European nuclear safety legislation was reinforced; consequently, regular periodic safety reviews have to be conducted by national authorities for each installation to ensure continued compliance with the highest safety requirements and to identify further safety improvements, alongside six-yearly topical peer reviews at EU level.

The EU Maritime Security Strategy 7 and its action plan 8 highlight the changing nature of threats in the maritime domain and call for renewed commitment to the protection of critical maritime infrastructure, including underwater, and in particular maritime transport, energy and communication infrastructure, inter alia by enhancing maritime awareness through improved interoperability and streamlined information exchange.

The proposal is also in line with other relevant sectoral legislation. Therefore, the implementation of this Recommendation should be consistent with specific measures that regulate or may regulate in the future certain aspects of resilience of entities operating in concerned sectors, such as transport. This includes other relevant initiatives such as the contingency plan for transport 9 or the contingency plan for food supply and food security in times of crisis 10 and the related European Food Security preparedness and response Mechanism. More generally, the Recommendation should naturally be implemented in full respect for all applicable rules of EU law, including those laid down in the ECI and NIS Directives.

The proposal is also in line with the Strategic Compass for Security and Defence, which emphasised the need to substantially enhance the resilience and ability to counter hybrid threats and cyberattacks, as well as the need to strengthen the resilience of partner countries and to cooperate with NATO. It is also in line with the Framework for a coordinated EU response to hybrid threats and campaigns affecting the EU, Member States and partners 11 .

2. LEGAL BASIS, SUBSIDIARITY AND PROPORTIONALITY

Legal basis

The proposal is based on Article 114 of the Treaty on the Functioning of the European Union (TFEU), which concerns the approximation of laws for the improvement of the internal market, together with Article 292 TFEU. This is justified by the fact that the proposed Council Recommendation principally seeks to anticipate measures laid down in the new CER and NIS2 Directives, both of which are also based on Article 114 TFEU. In line with the logic justifying the use of that Article as the legal basis for those Directives, EU action is needed to ensure the smooth functioning of the internal market, in particular in view of the cross-border nature and scope of the services concerned and of the potential consequences of disruptions, as well as the actual and emerging national measures aimed at enhancing the resilience of entities operating critical infrastructure used to provide essential services in the internal market.

Subsidiarity (for non-exclusive competence)

A way forward at European level in the area of the resilience of entities operating critical infrastructure is justified by the interdependent, cross-border nature of the relationships between critical infrastructure operations and the essential services they provide, and by the need for a more common and coordinated European approach to ensure that the entities concerned are sufficiently resilient in the current geopolitical context. While many of the common challenges, such as the apparent sabotage of the Nord Stream gas pipelines, are first and foremost addressed through national measures or by entities operating critical infrastructure, the support of the EU, including relevant agencies where appropriate, is necessary to reinforce resilience, to improve alertness, and to strengthen the EU’s collective response.

Proportionality

The present proposal is in conformity with the principle of proportionality as provided for in Article 5 of the Treaty on European Union.

Neither the content nor the form of this proposed Council Recommendation exceeds what is necessary to achieve its objectives. The actions proposed are proportional to the pursued objectives as they respect Member States’ prerogatives and obligations under national law.

Finally, the proposal accommodates a potential differentiated approach that reflects Member States’ varying internal realities when it comes to preparedness and response to physical threats to critical infrastructure.

Choice of the instrument

To achieve the objectives referred to above, the TFEU provides for the adoption by the Council of Recommendations notably in its Article 292, based on a proposal from the Commission. A Council Recommendation is an appropriate instrument in this case, having regard also to the current legislative context as explained above. As a legal act, albeit one of a non-binding nature, a Council recommendation signals the commitment of Member States to the measures included and provides a strong political basis for cooperation in these areas, while fully respecting Member State authority.

3. RESULTS OF EX-POST EVALUATIONS, STAKEHOLDER CONSULTATIONS AND IMPACT ASSESSMENTS

Stakeholder consultations

In developing this proposal, the views of the Member State experts expressed at the meeting of 12 October 2022 were taken into account. There was a broad consensus on the usefulness of more coordination at Union level as regards preparedness and response in the current threat context and to anticipate certain elements of the CER Directive before its formal adoption. Member States expressed openness to share experiences and best practices on the measures and methodologies to enhance the resilience of entities operating critical infrastructure. Member States also expressed openness towards a coordinated approach to stress tests of entities operating critical infrastructure on a voluntary basis and based on common principles. Member States indicated that entities operating critical infrastructure in the energy, digital infrastructure, and transport sectors should be considered a priority for the purposes of this Recommendation, notably those with relevance for several Member States. Member States also welcomed the intention of the Commission to convene further meetings of Member State experts in the coming weeks.

Detailed explanation of the specific provisions of the proposal

The proposal for a Council Recommendation does the following:

– Chapter I lays down the aim of the proposal, what it covers and the prioritisation of the measures recommended.

– Chapter II focuses on measures that should be taken on enhanced preparedness, both at Union and Member State level.

– Chapter III covers enhanced response, both at EU and Member State level.

– Chapter IV deals with international cooperation and the actions that should be taken to enhance the resilience of entities operating critical infrastructure.