Critical Infrastructure Protection

The Justice and Home Affairs Council 5-6 June has reached political agreement on a Commission proposal for a Directive on the identification and designation of European Critical Infrastructure (ECI) and the assessment of the need to improve their protection. The entry into force of the Directive is envisaged before the end of 2008.

The Directive establishes the procedure for the identification and designation of European Critical Infrastructure (ECI) and a common approach to assessment of the need to improve the protection of such infrastructure in order to contribute to the protection of people. This is part of the European Programme for Critical Infrastructure Protection (EPCIP).

ECI means critical infrastructure located in the EU Member States the disruption or destruction of which would have a significant impact on at least two Member States of the EU. The Directive concentrates on the energy and transport sector and will be reviewed after three years, to assess its impact and the need to include other sectors within its scope - inter alia the Information and Communication Technology (ICT) sector.

Each designated European Critical Infrastructure is to have an Operator Security Plan (OSP) covering inter alia identification of important assets, a risk analysis based on major threat scenarios and the vulnerability of each asset, and the identification, selection and prioritisation of counter-measures and procedures.

A Security Liaison officer will function as the point of contact for security issues between the European Critical Infrastructure owner/operator and the relevant Member State authority.

Every two years, each Member State will forward to the Commission information on threats and risks encountered in each European Critical Infrastructure sector. On the basis of those reports, the Commission and the Member States will examine whether further protection measures at the EU level should be considered.