Explanatory Memorandum to COM(2006)787 - Identification and designation of European Critical Infrastructure and the assessment of the need to improve their protection


1) CONTEXT OF THE PROPOSAL

- Grounds for and objectives of the proposal

The European Council of June 2004 asked the Commission to prepare an overall strategy to protect critical infrastructure. On 20 October 2004 the Commission adopted a Communication on Critical Infrastructure Protection in the Fight against Terrorism, which put forward suggestions on what would enhance European prevention, preparedness and response to terrorist attacks involving critical infrastructures (CI).

The Council conclusions on “Prevention, Preparedness and Response to Terrorist Attacks” and the “EU Solidarity Programme on the Consequences of Terrorist Threats and Attacks” adopted by Council in December 2004 endorsed the intention of the Commission to propose a European Programme for Critical Infrastructure Protection (EPCIP) and agreed to the set-up by the Commission of a Critical Infrastructure Warning Information Network (CIWIN).

In November 2005, the Commission adopted a Green Paper on a European Programme for Critical Infrastructure Protection (EPCIP) which provided policy options on how the Commission could establish EPCIP and CIWIN.

In December 2005 the Justice and Home Affairs (JHA) Council called upon the Commission to make a proposal on EPCIP by June 2006.

This proposal for a Directive presents the measures that the Commission is proposing on the identification and designation of European Critical Infrastructures (ECI) and the assessment of the need to improve their protection.

- General context

There exist a number of critical infrastructures in the European Union, which if disrupted or destroyed, would affect two or more Member States. It may also happen that failure of a critical infrastructure in one Member State causes effects in another Member State. Such critical infrastructures with a trans-national dimension should be identified and designated as European Critical Infrastructures (ECI). This can only be done through a common procedure concerning ECI identification and the assessment of the need to improve their protection.

Because of the trans-national dimension, when investigating the weaknesses and vulnerabilities and identifying gaps in protective measures, an integrated EU-wide approach would usefully complement and add value to the national programmes for critical infrastructure protection already in place in the Member States and would add important value to the continued viability and wealth creation capabilities of the European internal market.

Since various sectors possess particular experience, expertise and requirements concerning critical infrastructure protection (CIP), an EU approach to CIP should be developed and implemented taking into account critical infrastructure (CI) sector specificities and should be built on existing CI sector-based measures. The establishment of a common list of critical infrastructure sectors is needed in order to facilitate the implementation of the sector-by-sector approach to critical infrastructure protection.

- The need for a common framework

Only a common framework can provide the necessary basis for a coherent and uniform implementation of measures to enhance the protection of ECI, as well as defining clearly the respective responsibilities of ECI stakeholders. Non-binding voluntary measures, while flexible, would not provide the necessary stable foundation as they would not provide enough clarity on who does what, nor would they clarify the rights and obligations for ECI stakeholders involved.

A procedure for the identification and designation of European Critical Infrastructures, and a common approach to the assessment of the needs to improve the protection of such infrastructures can only be established by way of a directive in order to ensure:

- adequate levels of protection concerning ECI;

- all ECI stakeholders are subjected to similar rights and obligations;

- the stability of the Internal Market is maintained.

The damage or loss of a piece of infrastructure in one Member State (MS) may have negative effects on several others and on the European economy as a whole. This is becoming increasingly likely as new technologies (e.g. the Internet) and market liberalisation (e.g. in electricity and gas supply) mean that much infrastructure is part of a larger network. In such a situation protection measures are only as strong as their weakest link. This means that a common level of protection may be necessary.

- A sector dialogue with stakeholders

Effective protection requires communication, coordination, and cooperation nationally and at EU level involving all relevant stakeholders.

Full involvement of the private sector is important as most critical infrastructure is privately owned and operated. Each operator needs to control the management of their risks as it is normally the operator's sole decision which protection measures and business continuity plans to implement. Continuity planning should respect normal business processes and logic and where possible solutions should be based on standard commercial arrangements.

Sectors possess particular experience, expertise and requirements concerning the protection of their critical infrastructure.

Hence, in line with the responses to the EPCIP Green Paper the EU approach should fully involve the private sector, taking into account sector characteristics and should be built on existing sector-based protection measures.

- Existing provisions in the area of the proposal

No horizontal provisions on critical infrastructure protection currently exist at EU level. This directive establishes a procedure for the identification and designation of European Critical Infrastructures, and a common approach to the assessment of the needs to improve the protection of such infrastructures.

A number of sectoral measures exist including:

- In the IT sector:

- Universal Service Directive (2002/22/EC) which deals inter alia with the integrity of public electronic communications networks

- Authorisation Directive (2002/20/EC) which deals inter alia with the integrity of public electronic communications networks

- E Privacy Directive (2002/58/EC) which deals inter alia with the security of public electronic communications networks

- Council Framework Decision 2005/222/JHA of 24 February 2005 on attacks against information systems

- Regulation (EC) No 460/2004 of 10 March 2004 establishing the European Network and Information Security Agency (ENISA)

- In the health sector:

- Decision No 2119/98/EC of the European Parliament and of the Council of 24 September 1998 setting up a network for the epidemiological surveillance and control of communicable diseases in the Community

- Commission Directive 2003/94/EC of 8 October 2003 laying down the principles and guidelines of good manufacturing practice in respect of medicinal products for human use and investigational medicinal products for human use

- In the financial sector:

- Directive 2004/39/EC of the European Parliament and of the Council of 21 April 2004 on markets in financial instruments (MiFID)

- Oversight standards for euro retail payment systems adopted in June 2003 by the Governing Council of the European Central Bank (ECB)

- Directive 2006/48/EC of the European Parliament and of the Council of 14 June 2006 on the taking up and pursuit of the business of credit institutions

- Directive 2006/49/EC of the European Parliament and of the Council of 14 June 2006 on the capital adequacy of investment firms and of credit institutions

- Proposal for a Directive on payment services in the internal market amending Directive 97/7/EC, 2000/12/EC and 2002/65/EC (COM(2005) 603)

- Directive 2000/46/EC of the European Parliament and of the Council of 18 September 2000 on the taking up, pursuit of and prudential supervision of the business of electronic money institutions

- Directive 1998/26/EC of the European Parliament and of the Council of 19 May 1998 on Settlement Finality.

- In the transport sector:

- Regulation (EC) No 725/2004 of the European Parliament and of the Council of 31 March 2004 on enhancing ship and port facility security

- Commission Regulation (EC) No 884/2005 of 10 June 2005 laying down procedures for conducting Commission inspections in the field of maritime security

- Directive 2005/65/EC of the European Parliament and of the Council of 26 October 2005 on enhancing port security

- Regulation (EC) No 2320/2002 of the European Parliament and of the Council of 16 December 2002 establishing common rules in the field of civil aviation security

- Commission Regulation (EC) No 622/2003 of 4 April 2003 laying down measures for the implementation of the common basic standards on aviation security

- Commission Regulation (EC) No 1217/2003 of 4 July 2003 laying down common specifications for national civil aviation security quality control programmes

- Commission Regulation (EC) No 1486/2003 of 22 August 2003 laying down procedures for conducting Commission inspections in the field of civil aviation security

- Commission Regulation (EC) No 68/2004 of 15 January 2004 amending Commission Regulation (EC) No 622/2003 laying down measures for the implementation of the common basic standards on aviation security

- Regulation (EC) No 849/2004 of the European Parliament and of the Council of 29 April 2004 amending Regulation (EC) No 2320/2002 establishing common rules in the field of civil aviation security

- Commission Regulation (EC) No 1138/2004 of 21 June 2004 establishing a common definition of critical parts of security restricted areas at airports

- Commission Regulation (EC) No 781/2005 of 24 May 2005 amending Regulation (EC) No 622/2003 laying down measures for the implementation of the common basic standards on aviation security

- Commission Regulation (EC) No 857/2005 of 6 June 2005 amending Regulation (EC) No 622/2003 laying down measures for the implementation of the common basic standards on aviation security

- Directive 2001/14/EC on the allocation of railway infrastructure capacity

- Directive 96/49/EC on the transport of dangerous goods by rail (amended by Directive 2004/110/EC, adopting RID 2005)

- Convention on the Physical Protection of Nuclear Materials (signed in 1980, acceded to in 1981 and entered into force in 1987)

- In the chemical sector:

- Hazardous Installations under the Seveso-II-Directive (Council Directive 96/82/EC of 9 December 1996 on the control of major-accident hazards involving dangerous substances, 'Seveso II Directive') amended by Directive 2003/105/EC of the European Parliament and of the Council of 16 December 2003

- In the nuclear sector:

- Council Directive 89/618/Euratom of 27 November 1989 on informing the general public about health protection measures to be applied and steps to be taken in the event of a radiological emergency

- Council Decision 87/600/Euratom of 14 December 1987 on Community arrangements for the early exchange of information in the event of a radiological emergency

- Consistency with other policies and objectives of the Union

This proposal is fully consistent with the objectives of the Union and specifically with the objective 'to maintain and develop the Union as an area of freedom, security and justice, in which the free movement of persons is assured in conjunction with appropriate measures with respect to external border controls, asylum, immigration and the prevention and combating of crime'.

This proposal is consistent with other policies as it does not aim to replace existing measures, but to complement them in order to improve the protection of ECI.


2) CONSULTATION OF INTERESTED PARTIES AND IMPACT ASSESSMENT


- Consultation of interested parties

All relevant stakeholders have been consulted concerning the development of EPCIP. This has been done through:

- The EPCIP Green Paper adopted on 17 November 2005, with the consultation period ending on 15 January 2006. 22 Member States provided official responses to the consultation. Around 100 private sector representatives also provided comments on the Green Paper. The responses were generally supportive of the idea of creating EPCIP.

- Three Critical Infrastructure Protection seminars hosted by the Commission (in June 2005, September 2005 and March 2006). All three seminars brought together representatives of the Member States. The private sector was invited to the seminars held in September 2005 and March 2006.

- Informal meetings of CIP Contact Points. The Commission hosted two meetings of the CIP Contact Points of the Member States (December 2005 and February 2006).

- Informal meetings with private sector representatives. Numerous informal meetings were held with representatives of particular private business as well as with industry associations.

- Internally, within the Commission, work on the development of EPCIP was taken forward with the help of regular meetings of the sub-group on Critical Infrastructure Protection of the Inter-Service Group on the Internal Aspects of Terrorism.

- Collection and use of expertise

Available expertise was collected through numerous meetings and seminars held in 2004, 2005 and 2006, as well as through the EPCIP Green Paper consultation process. Information was collected from all relevant stakeholders.

- Impact assessment

A copy of the EPCIP Impact Assessment is attached.

3) LEGAL ELEMENTS OF THE PROPOSAL



- Summary of the proposed action

The proposed action creates a horizontal framework for the identification and designation of European Critical Infrastructures and for the assessment of needs to improve their protection.

- Legal basis

The legal basis for the proposal is Article 308 of the Treaty establishing the European Community.

- Subsidiarity principle

The subsidiarity principle is satisfied as the measures being undertaken through this proposal cannot be achieved by any single EU Member State and must therefore be addressed at EU level. Although it is the responsibility of each Member State to protect the critical infrastructure under its jurisdiction, it is crucial for the security of the European Union to make sure that infrastructure whose disruption or destruction would have an impact on two or more Member States, or on a single Member State if the critical infrastructure is located in another Member State, is sufficiently protected, and that one or more Member States are not made vulnerable by weaknesses or lower security standards in other Member States. Similar rules concerning security would also help to make sure that the rules of competition within the internal market are not distorted.

- Proportionality principle

This proposal does not go beyond what is necessary in order to achieve the underlying objectives of improving the protection of European critical infrastructure. The key ideas put forward by the proposal include the creation of a basic EU level coordination mechanism, putting an obligation on the Member States to identify their critical infrastructures, implementation of a set of basic security measures for critical infrastructures and finally the identification and designation of key European critical infrastructures. The proposal therefore puts forward the minimal number of requirements needed to begin work to improve the protection of critical infrastructures. This objective cannot be sufficiently achieved through other measures, namely by adopting a guideline approach to EPCIP, as this would not ultimately ensure improved levels of protection across the entire EU and the full participation of all stakeholders.

- Choice of instruments

The Member States have varying approaches to critical infrastructure protection and different legal systems. A directive is therefore best suited to create a common procedure for the identification and designation of European Critical Infrastructures, and a common approach to the assessment of the needs to improve the protection of such infrastructures.

4) BUDGETARY IMPLICATION



The budgetary impact is estimated in the accompanying financial statement.

The programme 'Prevention, Preparedness and Consequence Management of Terrorism and other Security Related Risks' for the period 2007-2013, part of the general programme entitled 'Security and Safeguarding Liberties', will contribute to the implementation of this directive by protecting people against security risks, as well as those physical resources, services, information technology facilities, networks and infrastructure assets which, if disrupted or destroyed, would have a serious impact on critical societal functions.

This programme does not apply to matters that are covered by other financial instruments and in particular by the Rapid Response Instrument in the event of major emergencies, and the EU Solidarity Fund.


5) ADDITIONAL INFORMATION


- Repeal of existing legislation

No existing legislation has to be repealed.

- Detailed explanation of the proposal

Article 1 – the subject-matter of the Directive is presented. The Directive establishes a common procedure for the identification and designation of European Critical Infrastructures, meaning those infrastructures, the destruction or disruption of which would affect two or more MS, or a single Member State if the critical infrastructure is located in another Member State. The Directive also introduces a common approach to the assessment of the needs to improve the protection of European Critical Infrastructures. This assessment will help prepare specific protection measures in the individual CIP sectors.

Article 2 – a list of basic definitions pertinent to the Directive is presented.

Article 3 – the procedure for the identification of ECI is presented. ECI means those critical infrastructures the disruption or destruction of which would have a serious impact on two or more Member States, or on a single Member State if the critical infrastructure is located in another Member State. This procedure is based on a three-step process. First, the Commission, together with the Member States and relevant stakeholders, develops cross-cutting and sectoral criteria for the identification of ECI, which are then adopted through the comitology procedure. The cross-cutting criteria are developed on the basis of the severity of the disruption or destruction of the CI. The severity of the consequences of the disruption or destruction of a particular infrastructure should be assessed on the basis, where possible, of:

- Public effect (number of population affected);

- Economic effect (significance of economic loss and/or degradation of products or services);

- Environmental effect;

- Political effects;

- Psychological effects;

- Public health consequences.

Each Member State then identifies those infrastructures which satisfy the criteria. Finally, each Member State notifies the Commission of the critical infrastructures which satisfy the established criteria. Relevant work is undertaken under priority CIP sectors selected by the Commission on an annual basis from among those listed in Annex I. The list of CIP sectors contained in Annex I may be amended through the comitology procedure in so far as this does not broaden the scope of the Directive. This would in particular mean that amendments to the list would be made for the purpose of clarifying its contents. The Commission considers the transport and energy sectors as being amongst the immediate priorities for action.

Article 4 – the procedure for designating ECI is set out. Following the identification procedure completed pursuant to Article 3, the Commission prepares a draft list of ECI. The draft list is based on the notifications received from the Member States and other relevant information from the Commission. The list is then adopted through comitology.

Article 5 – Operator Security Plans (OSPs). Article 5 requires the owners/operators of all CI designated as ECI to establish an OSP, which identifies the ECI owner's/operator's assets and establishes relevant security solutions for their protection. Annex II provides the minimum contents of such OSPs, including:

- identification of important assets;

- a risk analysis based on major threat scenarios, the vulnerability of each asset and the potential impact;

- identification, selection and prioritisation of counter-measures and procedures with a distinction between:

- permanent security measures, which identify indispensable security investments and means which cannot be installed by the owner/operator at short notice. This heading will include information concerning general measures; technical measures (including installation of detection, access control, protection and prevention means); organisational measures (including procedures for alerts and crisis management); control and verification measures; communication; awareness raising and training; and security of information systems,

- graduated security measures, which are activated according to varying risk and threat levels.

Each CIP sector may develop sector-specific OSPs based on the minimum requirements of Annex II. Such sector specific OSPs may be adopted through comitology.

For those sectors in which similar obligations already exist, Article 5 foresees the possibility of an exemption from the OSP obligations based on a decision taken through comitology. It is acknowledged that Directive 2005/65/EC of the European Parliament and of the Council of 26 October 2005 on enhancing port security already satisfies the requirement to establish an Operator Security Plan.

Once an OSP has been created, each ECI owner/operator should submit the OSP to the relevant Member State authority. Each Member State will setup a supervisory system concerning OSPs which will ensure that sufficient feedback is given to the ECI owner/operator concerning the quality of the OSP and in particular the adequacy of the risk and threat assessment.

Article 6 – the Security Liaison Officer (SLO). Article 6 requires all CI owners/operators designated as ECI to appoint an SLO. The SLO would function as the point of contact for security issues between the ECI and the relevant CIP authorities in the Member States. The SLO would therefore receive all relevant CIP related information from the Member State authorities and would be responsible for providing relevant information from the ECI to the Member State.

Article 7 – reporting. Article 7 introduces a series of reporting measures. Each Member State is required to conduct a risk and threat assessment concerning ECI. This information shall form the basis for the MS' dialogue on security issues (supervision) with ECI as indicated in Article 5. Since Article 5 requires ECI owners/operators to establish OSPs and submit them to the MS authorities, each Member State is asked to elaborate a generic overview of the types of vulnerabilities, threats and risks encountered in each CIP sector, and to provide this information to the Commission. This information will form the basis for the Commission's assessment whether additional protection measures may be required. The information may later be used for the development of impact assessments, which would accompany future proposals in this area.

This article also envisages the development of common methodologies for carrying out risk, threat and vulnerability assessments in respect of ECIs. Such common methodologies would be adopted through the comitology procedure.

Article 8 – Commission support for ECI. The Commission will support ECI owners/operators by providing access to available best practices and methodologies related to CIP. The Commission will undertake to collect such information from various sources (e.g. Member States, own development) and make it available to those concerned.

Article 9 – CIP Contact Points. In order to ensure cooperation and coordination on CIP issues, each Member State is required to designate a CIP Contact Point. The Contact Point would coordinate CIP issues within the Member State, with other Member States and with the Commission.

Article 10 – Confidentiality and CIP information exchange. Confidentiality and CIP information exchange is a crucial and sensitive element of work on CIP. As a consequence, the Directive requires the Commission and MS to take appropriate measures to protect information. Any personnel handling classified CIP information should have the necessary security vetting provided by the Member State authorities.

Article 11 – Committee. Certain elements of the Directive will be implemented through comitology. The Committee will be composed of the CIP Contact Points. The advisory procedure will be used for the purpose of Article 5, that is, to exempt particular sectors from the obligation of developing an OSP.

The regulatory procedure is envisaged for the following issues:

- Article 3 – adoption of the cross-cutting and sector-specific criteria to identify ECI

- Article 3 – amending the list of CIP sectors found in Annex I

- Article 4 – adoption of the draft list of ECI

- Article 5 – development of sector-specific requirements concerning OSPs

- Article 7 – development of a common template for generic reports concerning identified risks, threats and vulnerabilities

- Article 7 – development of common methodologies for carrying out risk, threat and vulnerability assessments.