Considerations on COM(2022)551 - Coordinated approach by the Union to strengthen the resilience of critical infrastructure

(1)With the aim to secure the functioning of the internal market, it is in the interests of all Member States and the Union as a whole to clearly identify and protect relevant critical infrastructure that provides essential services within that market, especially in key sectors such as energy, digital infrastructure, transport and space, as well as critical infrastructure with significant cross-border relevance (1), the disruption of which could significantly impact other Member States.

(2)This Recommendation, which is a non-binding act, demonstrates the political will of the Member States to cooperate together and their commitment to the recommended measures, highlighted in a five-point plan issued by the President of the European Commission, while fully respecting Member States’ competences. This Recommendation does not affect the protection of the essential interests of Member States’ national security, public security or defence and no Member State should be expected to share information that is detrimental to those interests.

(3)While the primary responsibility for ensuring the security and provision of essential services by critical infrastructure rests with the Member States and their critical infrastructure operators, increased coordination at Union level is appropriate, especially in light of evolving threats that may impact several Member States simultaneously, such as Russia’s war of aggression against Ukraine and hybrid campaigns against Member States, or affect the resilience and good functioning of the Union’s economy, internal market and society as a whole. Particular attention should be paid to critical infrastructure outside the territory of the Member States, such as undersea critical infrastructure or offshore energy infrastructure.

(4)The European Council has, in its conclusions of 20 and 21 October 2022, strongly condemned the acts of sabotage against critical infrastructure, such as those against the Nord Stream pipelines, indicating the Union’s will to meet any deliberate disruption of critical infrastructure or other hybrid actions with a united and determined response.

(5)In view of the fast-evolving threat landscape, resilience-enhancing measures should be taken as a matter of priority in key sectors such as energy, digital infrastructure, transport and space, and in other relevant sectors identified by the Member States. Such measures should focus on enhancing the resilience of critical infrastructure taking into account relevant risks, especially cascading effects, supply chain disruption, dependence, impacts of climate change, unreliable vendors and partners, and hybrid threats and campaigns including foreign information manipulation and interference. Where national critical infrastructure is concerned, in view of the possible consequences priority should be given to critical infrastructure with significant cross-border relevance. Member States are encouraged to provide such resilience-enhancing measures, where appropriate, as a matter of urgency, while maintaining the approach set out in the evolving legal framework.

(6)The protection of European critical infrastructure in the energy and transport sectors is currently regulated by Council Directive 2008/114/EC (2), and security of network and information systems across the Union focused on cyber-related threats is assured by Directive (EU) 2016/1148 of the European Parliament and Council (3). With a view to ensuring a higher common level of resilience and the protection of critical infrastructure, cybersecurity and the financial market, the existing legal framework is being amended and supplemented by the adoption of new rules applicable to critical entities (the ‘CER Directive’), reinforced rules for a high common level of cybersecurity across the Union (the ‘NIS2 Directive’) and new rules applicable for digital operational resilience for the financial sector (‘DORA’).

(7)Member States should, in accordance with Union and national law, use all available tools to move forward and help strengthen physical and cyber resilience. In this regard, critical infrastructure should be understood as comprising relevant critical infrastructure identified by a Member State at national level or designated as a European critical infrastructure under Directive 2008/114/EC as well as critical entities to be identified under the CER Directive or, where relevant, entities under the NIS2 Directive. The concept of resilience should be understood as referring to a critical infrastructure’s ability to prevent, protect against, respond to, resist, mitigate, absorb, accommodate or recover from events that significantly disrupt or have the potential to significantly disrupt the provision of essential services in the internal market, that is services which are crucial for the maintenance of vital societal and economic functions, public safety and security, the health of the population, or the environment.

(8)National experts should be convened in order to coordinate work on achieving a higher common level of resilience and protection for critical infrastructure to be introduced by the new rules applicable for critical entities. That coordinated work would enable cooperation between Member States and information sharing regarding activities such as elaborating methodologies to identify essential services provided by critical infrastructure. The Commission has already started convening those experts and facilitating their work, and the Commission intends to continue this work. Once the CER Directive has entered into force and a Critical Entities Resilience Group under that Directive has been established, such anticipatory work should be continued by that group in accordance with its tasks.

(9)Acknowledging the changed threat landscape, the potential of conducting critical infrastructure stress tests at national level should be further developed as such tests could be useful for enhancing the resilience of critical infrastructure. With regard to the specific importance of the energy sector, and Union-wide consequences stemming from its possible disruption, that sector could benefit the most from conducting stress tests based on commonly agreed principles. Such tests fall within the competence of the Member States, who should encourage and support critical infrastructure operators to conduct such tests where assessed as beneficial and in accordance with their national legal frameworks.

(10)In order to ensure a coordinated and effective response to current and anticipated threats, the Commission is encouraged to provide additional support to Member States, in particular by providing relevant information in the form of briefings, non-binding manuals and guidelines. The European External Action Service (EEAS), in particular through the EU Intelligence and Situation Centre and its Hybrid Fusion Cell, with the support of the European Union Military Staff (EUMS) Intelligence Directorate under the Single Intelligence Analysis Capacity (SIAC) framework, should provide threat assessments. The Commission is also invited, in cooperation with Member States, to promote the uptake of Union-funded research and innovation projects.

(11)With the increasing interdependence of physical and digital infrastructure, it is possible for malicious cyber activities targeting critical areas to result in disruption or damage to physical infrastructure, or for sabotage of physical infrastructure to render digital services inaccessible. Member States are invited to accelerate preparatory work for the transposition and application of the new legal framework applicable to critical entities and of the reinforced legal framework for cybersecurity, building on the experience gained within the Cooperation Group established by Directive (EU) 2016/1148 (the ‘NIS Cooperation Group’), as soon as possible, while keeping in mind the time-limits for transposition and that such preparatory work should progress in parallel and in coherence.

(12)In addition to enhancing preparedness, it is also important to bolster the capabilities to respond swiftly and effectively to a disruption of essential services provided by critical infrastructure. Therefore, this Recommendation contains measures at both Union and national level, including by highlighting the supporting role and added value that can be obtained by introducing reinforced cooperation and exchange of information in the context of the Union Civil Protection Mechanism (UCPM) established by Decision No 1313/2013/EU of the European Parliament and of the Council (4) and by using relevant assets of the Union Space Programme established under Regulation (EU) 2021/696 of the European Parliament and of the Council (5).

(13)The Commission, the High Representative of the Union for Foreign Affairs and Security Policy (the ‘High Representative’) and the NIS Cooperation Group in cooperation with relevant civilian and military bodies and agencies and established networks, including the European cyber crisis liaison organisation network (EU-CyCLONe), are to conduct a risk evaluation and build risk scenarios. Moreover, following up on the Joint Ministerial Call of Nevers a risk assessment is currently being conducted by the NIS Cooperation Group, with the support of the Commission and the European Cybersecurity Agency (ENISA), and in cooperation with the Body of European Regulators for Electronic Communications (BEREC). Those two exercises will be consistent and coordinated with the scenario-building exercise under the UCPM, including cybersecurity events and their real-life impact, currently being developed by the Commission and Member States. In the interest of efficiency, effectiveness and consistency, and for the good application of this Recommendation, the outcomes of those exercises are supposed to be reflected at national level.

(14)In order to immediately reinforce preparedness and the capacity to respond to a large-scale cybersecurity incident, the Commission has set up a short-term programme to support Member States, through additional funding allocated to ENISA. Services proposed include, among others, preparedness actions, such as penetration testing of entities in order to identify vulnerabilities. The programme can also strengthen possibilities to assist Member States in the event of a large-scale cybersecurity incident affecting critical entities. This is a first step in line with the Council conclusions of 23 May 2022 on the development of the European Union’s Cyber posture (the ‘Council conclusions on the EU’s Cyber posture’) requesting the Commission to come forward with a proposal for a Cyber Emergency Fund. Member States should make full use of those opportunities, in accordance with the applicable requirements, and are encouraged to continue work in the area of Union cyber crisis management, in particular by regularly monitoring and taking stock of progress achieved in the implementation of the Cyber Crisis Management Roadmap recently developed in the Council. That Roadmap is a living document and should be revisited and updated when needed.

(15)Global undersea communications cables are essential for global and intra-EU connectivity. Due to the significant length of such cables and their installation on the seabed, underwater visual monitoring for most cable sections is extremely challenging. The shared jurisdiction and other jurisdictional issues relating to such cables represent a specific case for European and international cooperation concerning infrastructure protection and recovery. It is therefore necessary to complement ongoing and planned risk assessments concerning digital and physical infrastructure underpinning digital services with specific risk assessments and options for mitigating measures concerning undersea communications cables. The Member States invite the Commission to carry out studies for that purpose and share its findings with Member States.

(16)The energy and transport sectors can also be impacted by threats related to digital infrastructure, for example in relation to energy technologies embedding digital components. The security of the associated supply chains is important for the continuity of the provision of essential services and for the strategic control of critical infrastructure in the energy sector. Those circumstances should be taken into account when taking measures to enhance the resilience of critical infrastructure in accordance with this Recommendation.

(17)The growing importance of space infrastructure, space-related ground assets, including production facilities, and space-based services for security-related activities makes it essential to ensure resilience and the protection of the Union’s space and its ground-related assets and services within the Union. For the same reasons, it is also essential, in the framework of this Recommendation, to make more structured use of space-based data and services, which are provided by space systems and programmes for surveillance and tracking and for protection of critical infrastructure in other sectors. The forthcoming EU Space Strategy for Security and Defence will propose appropriate actions in this regard, which should be taken into account when implementing this Recommendation.

(18)Cooperation at international level is also needed in order to effectively address risks to critical infrastructure, among others, in international waters. Therefore, the Member States are invited to cooperate with the Commission and the High Representative to take certain steps towards achieving such cooperation, keeping in mind that any such steps are only to be taken in accordance with their respective tasks and responsibilities under Union law, in particular the provisions of the Treaties regarding external relations.

(19)As established in its Communication of 15 February 2022 entitled ‘Commission Contribution to European defence’, in support of the Strategic Compass for Security and Defence - For a European Union that protects its citizens, values and interests, and contributes to international peace and security, the Commission will assess the Sectoral Hybrid Resilience Baselines in cooperation with the High Representative and the Member States, by identifying gaps and needs as well as steps to address them by 2023. That initiative should inform work under this Recommendation, helping to strengthen sharing of information and coordination of action on further strengthening of resilience, including that of critical infrastructure.

(20)The 2014 EU Maritime Security Strategy and its Revised Action Plan called for increased protection of critical maritime infrastructure, including underwater, and in particular maritime transport, energy and communication infrastructure, among others by enhancing maritime awareness through improved interoperability and streamlined information exchange (mandatory and voluntary). That Strategy and that Action Plan are currently being updated, and will include enhanced actions that aim to protect critical maritime infrastructure. Those actions should complement this Recommendation.

(21)Strengthening the resilience of critical infrastructure contributes to wider efforts to counter hybrid threats and campaigns against the Union and its Member States. This Recommendation builds upon the Joint Communication to the European Parliament and the Council entitled ‘Joint Framework on countering hybrid threats – a European Union response’. Action 1 of the Joint Framework, namely the Hybrid Risk Survey, plays a key role in identifying vulnerabilities potentially affecting national and pan-European structures and networks. In addition, the implementation of the Council conclusions of 21 June 2022 on a Framework for a coordinated EU response to hybrid campaigns will provide for a stronger coordinated action through the application of the EU Hybrid Toolbox in all affected domains.