BAKGRUNN (fra kommisjonsforslaget)

In the current geopolitical context, characterised by growing instability, notably due to Russia’s war of aggression against Ukraine and increasing complexity of security threats, as well as by climate change effects such as an increase in unusual climate events or water scarcity, the Union must remain vigilant and adapt constantly. Citizens, companies and authorities in the Union rely on critical infrastructure because of the essential services that the entities operating such infrastructure provide. Such services are crucial for the maintenance of vital societal functions, economic activities, public health and safety or the environment and must be provided in an unobstructed manner in the internal market. Therefore, due to the importance of these essential services for the internal market and, consequently, the need to make critical infrastructure more resilient and, more broadly, to ensure the resilience of critical entities providing these services, the Union must take measures to enhance such resilience and mitigate any disruptions in the provision of such essential services. Such disruptions may otherwise have serious consequences for citizens in the Union, our economies and trust in our democratic systems and may affect the smooth functioning of the internal market, in particular in a context of growing interdependencies between sectors and across borders.

The Union has already taken a number of measures to enhance the protection of critical infrastructure, notably as regards cross-border infrastructure, and the resilience of critical entities, in order to avoid or mitigate the effects of disruptions in the essential services that they provide in the internal market.

Directive 2008/114/EC on the identification and designation of European critical infrastructures (‘’ECI Directive’’) was the first legal instrument to establish an EU-wide procedure for identifying and designating European critical infrastructures and a common Union approach to assess the need to improve the protection of such infrastructure against man-made threats – both intentional and accidental – as well as natural disasters. However, it only focused on the energy and transport sectors and the protection of critical infrastructure and did not provide for wider measures to enhance the resilience of the entities operating such infrastructure.

Due to the increasingly inter-connected and cross-border nature of operations in the internal market, there was a need to cover more than two sectors and go beyond protective measures of individual assets. That is why Directive (EU) 2022/2557 on the resilience of critical entities (‘’CER Directive’’) was adopted in 2022, together with Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (‘’NIS 2 Directive’’). The aim is to ensure a comprehensive level of physical and digital resilience of critical entities. The CER Directive entered into force on 16 January 2023 and aims at helping Member States to enhance the overall resilience of critical entities, while reinforcing coordination at Union level. It will replace the ECI Directive as of 18 October 2024, by which date Member States will have to take the necessary measures to comply with the CER Directive. The CER Directive applies to 11 sectors. It shifts the focus from the protection of critical infrastructure to the wider concept of resilience of critical entities operating such critical infrastructure, covering the before-during-after of an incident. The NIS 2 Directive also entered into force on 16 January 2023 and modernises the existing legal framework to adapt to the increased digitisation and an evolving cybersecurity threat landscape. The NIS2 Directive also expands the scope of the cybersecurity rules to new sectors and entities and improves the resilience and incident response capacities of public and private entities, competent authorities and Union as a whole.

The CER Directive comprises provisions regarding incident notification by the critical entity to the national competent authority, notification of other (potentially) affected Member States by the national competent authority and notification of the Commission if the incident affects six Member States or more. The CER Directive stipulates certain incident notification obligations where the incident has or might have a significant impact on critical entities and the continuity of the provision of essential services to or in one or more other Member States.

As illustrated by the sabotage of the Nord Stream gas pipelines in September 2022, the security context in which critical infrastructure operates has changed significantly and additional urgent action is needed at Union level in order to enhance the resilience of critical infrastructure, not only as regards preparedness but also as regards a coordinated response.

In this context, a Council Recommendation on a Union-wide coordinated approach to strengthen the resilience of critical infrastructure (“the Critical Infrastructure Resilience Recommendation”) was adopted on 8 December 2022 following a Commission proposal. That Recommendation highlights, among others, the need to ensure at Union level a coordinated and effective response to current and future risks to the provision of essential services. More specifically, the Council invited the Commission “to draft a Blueprint on a coordinated response to disruptions of critical infrastructure with significant cross-border relevance”. The Recommendation mentions that the Blueprint should be coherent with the EU Protocol for countering hybrid threats, take into account the Commission Recommendation 2017/1584 on coordinated response to large scale cybersecurity incidents and crises (‘’Cyber Blueprint’’) and respect the Integrated Political Crisis Response (‘’IPCR’’) arrangements.

Against this background, the current proposal for an additional Council Recommendation contains such a Blueprint. The proposal aims at complementing the current legal framework by describing the coordinated response at Union level when it comes to disruptions of critical infrastructure with significant cross-border relevance while making use of existing Union-level arrangements. Concretely, the proposal describes the scope and the objectives of the Blueprint and the actors, the processes and existing tools that could be used in order to respond, in a coordinated way at Union level, to a disruptive critical infrastructure incident with significant cross-border effect and describes the modes of cooperation between the Member States, Union institutions, bodies, offices and agencies in such situations.