European Commission proposes draft recommendations to build resilience of EU critical infrastructure

The European Commission proposes to strengthen the resilience of EU critical infrastructure, building on the five-point plan for resilient critical infrastructure presented by EU President Ursula von der Leyen at the European Parliament earlier this month. The draft recommendations aim to maximize and accelerate the work to protect critical infrastructure in three priority areas – preparedness, response, and international cooperation.

The proposed Council Recommendation seeks to intensify the support to increase the resilience of EU critical infrastructure and ensure EU-level coordination in terms of preparedness and response, the EU said. It aims to maximize and accelerate work to protect the assets, facilities, and systems necessary for the economy’s functioning and provide essential services in the internal market, which citizens rely on, and mitigate the impact of any attack by ensuring the swiftest possible recovery. 

While all such infrastructure should be protected, the priority is currently with the energy, digital infrastructure, transport, and space sectors due to their particularly horizontal character for society and the economy, and current risk assessments, the agency identified.

The draft recommendations work on building preparedness, response, and international cooperation. For that purpose, the Commission foresees a stronger support and coordination role to enhance preparedness and response against the current threats and strengthened cooperation among member states and with neighboring third countries. Priority should be given to the key energy, digital infrastructure, transport, and space sectors.

The EU has a particular role to play in respect of infrastructure that crosses borders or provides cross-border services, thus impacting several member states’ interests. Accordingly, clear identification of such infrastructure and entities operating them and collective commitment to protect them is in the interest of all member states. The Commission also encourages member states to conduct stress tests of entities operating critical infrastructure based on a common set of principles developed at the Union level.

The stress test exercise will be complemented by producing a blueprint for EU critical infrastructure incidents and crises. It will describe and set out the objectives and modes of cooperation between the member states and EU institutions, bodies, offices, and agencies in responding to incidents against critical infrastructure, in particular where these entail significant disruptions in the provision of essential services for the internal market.

The draft recommendation aims to strengthen the capacity of early warning and response to disruptions of EU critical infrastructure through the Union Civil Protection Mechanism. In addition, the Commission will regularly review the adequacy and readiness of the existing response capacity and organize tests of cross-sectoral cooperation at the EU level.

The draft recommendation also calls for strengthened cooperation with key partners and neighboring countries on the resilience of EU critical infrastructure. The Commission and the High Representative will strengthen coordination with NATO through the EU-NATO structured dialogue on resilience and will set up a Task Force for the purpose.

The new legislation is expected to come into force in late 2022 or early 2023, and member states should prioritize transposition and application. The CER directive puts forward a new framework for cooperation and obligations for member states and critical entities to strengthen physical non-cyber resilience. Eleven sectors are now covered: energy, transport, digital infrastructure, banking, financial market infrastructure, health, drinking water, wastewater, public administration, space, and food. 

The NIS2 directive will put in place a broad sectoral coverage of cybersecurity obligations and will encompass a new requirement for member states to include, where relevant, undersea cables in their cybersecurity strategies.

The five-point plan has set out a coordinated approach to the necessary work ahead, underlining the value of anticipating the legislation already enjoying political agreement. Its elements include enhancing preparedness, working with member states to stress test EU critical infrastructure, starting with the energy sector and then followed by other high-risk sectors, and increasing the response capacity, particularly through the Union Civil Protection Mechanism. It also looks to make good use of satellite capacity to detect potential threats and strengthen cooperation with NATO and key partners on the resilience of critical infrastructure. 

The proposal is also in line with the NIS Directive and the forthcoming NIS2 Directive, which will repeal the NIS Directive, by calling for an early start to implementation and transposition work. It also reflects the Nevers Joint Call of March 2022 and the Council Conclusions on the EU cyber posture of May 2022 regarding member states’ request to the Commission to develop risk assessments and scenarios.

The proposal is also in line with EU policy on civil protection, where, in case of an overwhelming disruption to the operations of critical infrastructure/entities, member states and third countries can request assistance through the Emergency Response Coordination Centre (ERCC) under the Union Civil Protection Mechanism (UCPM).

Equipping the EU to deal with the changing threat landscape requires constant vigilance and adaptation. For example, Russia’s war of aggression against Ukraine has brought new risks, often combined as a hybrid threat. One of these is the disruption of the provision of essential services by entities operating critical infrastructure in Europe. This has become even more evident with the apparent sabotage of the Nord Stream gas pipelines and other recent incidents. 

The agency said that society “relies heavily on both physical and digital infrastructure and the interruption of essential services, whether through conventional physical attacks or cyberattacks, or a combination of the two, can have serious consequences for citizens’ well-being, our economies, and trust in our democratic systems.” Ensuring the smooth functioning of the internal market is another key goal of the EU, including when it comes to the essential services provided by entities operating critical infrastructure, it added.

The EU has already taken a number of measures to reduce vulnerabilities and increase the resilience of critical entities, both in respect of cyber and non-cyber risks. However, action is urgently needed to step up the EU’s capacity to stand up to potential attacks against critical infrastructure, principally in the EU itself, but where relevant, also in its direct neighborhood.

The proposed Council Recommendation welcomes the approach of structuring support to member states and coordinating their efforts in raising risk awareness, preparedness, and response to the current threats. In this regard, meetings of experts are convened to discuss the resilience of entities operating critical infrastructure in anticipation of the entry into force of the CER directive and the Critical Entities Resilience Group (CERG) established thereby.

Strengthened cooperation with key partners and neighboring and other relevant third countries on the resilience of entities operating EU critical infrastructure will be essential, particularly through the EU-NATO structured dialogue on resilience, the EU said. 

“The focus of this Recommendation is the reinforcement of the Union’s capacity to anticipate, prevent and respond to the new threats arising from Russia’s war of aggression against Ukraine,” the EU said. “The proposed recommendations therefore focus on addressing security-related risks and threats to critical infrastructure. Nevertheless, it should be noted that recent events have also underscored the pressing need to pay increased attention to climate change impacts on critical infrastructure and services in terms of, for example, seasonally compromised and unpredictable water supplies for nuclear power plant cooling, hydro power and inland navigation, or the risk of material damages to transport infrastructure, which may cause major disruptions in essential services.”

The proposal is also in line with other relevant sectoral legislation. Therefore, the implementation of the recommendation should be consistent with specific measures that regulate or may regulate certain aspects of the resilience of entities operating in concerned sectors, such as transport. 

The proposal is also in line with the Strategic Compass for Security and Defence, which emphasizes the need to substantially enhance the resilience and ability to counter hybrid threats and cyber attacks, strengthen the resilience of partner countries, and cooperate with NATO. It is also in line with the Framework for a coordinated EU response to hybrid threats and campaigns affecting the EU, member states, and partners.

President von der Leyen will present the proposal for a Council Recommendation on Critical Infrastructure Resilience to EU leaders at the European Council on October 20-21.

The EU announcement comes as the U.S. administration is working towards securing cyberspace and strengthening critical infrastructure. Anne Neuberger, deputy assistant to the president and deputy national security advisor for cyber and emerging threats, said last week that the U.S. is slow in the regulatory arena. Neuberger acknowledged that the nation has been “pretty much last in the race on putting in place standards for critical infrastructure among our peers.” She confirmed, however, that the communications, water, and healthcare sectors are looking at new cybersecurity standards.

Last week, the Australian government also announced that it has begun consulting on the Risk Management Program Rule under Part 2A of the Security of Critical Infrastructure Act 2018. The initiative works towards a strong and effective government-industry partnership central to achieving the government’s vision for critical infrastructure security and resilience.
