Anastasiya Kazakova, Public Affairs Manager
The policy framework on critical infrastructure protection (CIP) in the European Union (EU) is one of the world’s most advanced. It relies on:
Since the ECI direction applies only to the energy and transportation sectors, we also identify an additional legal instrument:
Last year the ECI Directive was subject to an external evaluation, after which the Directorate-General of the European Commission (DG HOME) published a Staff Working Document. In 2019, Directorate-General for Communications Networks, Content and Technology (DG CONNECT) published a report assessment of the NIS Directive’s effectiveness, which revealed gaps in consistency in the application of the Directive by Member States and concluded that fragmented application across the EU ‘can have a negative impact on the level playing field in the internal market and potentially render entities more vulnerable’ to cyberthreats. Based on that, the newly established Commission announced a review of the NIS Directive scheduled for Q4 2020.
From that perspective, the least helpful advice for policy makers wishing to improve the CIP policy framework would certainly be to leave the situation as it is. But what would be good to advice then?
Suggestions for strengthening the CIP policy framework in the EU
Apparently, since the first legal instruments were created, the threat landscape risking the integrity and security of CI in Europe has significantly changed. In particular, the rapid development of emerging technologies have the potential to dramatically impact the EU’s CIP:
In this regard, we welcome the European Commission’s decision to develop a new proposal on CIP and conduct a review of the NIS Directive to adjust both legal instruments to new threats and risks. To support this process, we share the following suggestions to strengthen the CIP policy framework in the EU. In particular, we recommend actions for:
A detailed position paper can be found here.
Following also the conclusions made in the 2019 Staff Working Document that ECI and NIS Directives, we believe that it could be necessary to explore advantages for aligning both directives into a single legal instrument for greater harmonization. A single policy legal instrument on CIP would be central to outlining the holistic approach with regard to CI sectors and their risk profiles, security technical and organizational measures, and mechanisms for deepening cross-border cooperation in the EU.