Especially in the protection of Critical Infrastructure, security services must meet the highest quality standards. However, procurement practices of operators often do not reflect this until today. CoESS therefore calls for the future EU Directive on the Resilience of Critical Facilities (CER Directive) to address this issue – most recently at a stakeholder event in Helsinki on 27 April 2022.

The background of the discussion in Helsinki was the ongoing so-called “trilogue” between the EU institutions on a final agreement on the future EU Directive on the Resilience of Critical Entities (CER Directive) – replacing the current Directive 2008/114 on the identification and designation of European critical infrastructures.

Under the presence of the Finnish Ministry of Interior, Alexander Frank, Head of EU Affairs at CoESS, highly welcomed the proposal of the European Parliament to introduce in the CER Directive binding quality control obligations for operators of Critical Infrastructure when buying security services – based on existing harmonised standards such as EN 16082 (airport and aviation security services), EN 16747 (maritime and port security services) and EN 17483 (critical infrastructure protection security services). 

He highlighted that unfortunately, even in the area of Critical Infrastructure, security service providers are still often selected primarily on the basis of cost rather than quality. Especially in todays world, where Critical Infrastructures are increasingly exposed to hybrid risks and threats, such practices would have to stop in order to avoid vulnerabilities and shortcomings in CIP. The future CER Directive could now implement this at EU level if Member States in European Council would accept the proposal of the European Parliament in the “trilogue”.

The call to action of CoESS is not new. Already in 2016, CoESS called for a corresponding revision of the current EU Directive 2008/114 in a White Paper. In 2018, CoESS brought its recommendations to a hearing in the European Parliament - with success. In its subsequent report, the Parliament’s Special Committee on Terrorism called on the Commission to promote the certification of security services in the field of CIP and to enforce specific quality criteria for their procurement. And also in its final report on the CER Directive of October 2021, the Parliament maintained its call for action from 2018 and proposed mandatory quality control measures for operators procuring security services - based on existing standards.

CoESS has also contacted the EU Member States to ask for support for its recommendations. However, they are still missing from the Councils General Approach on the CER Directive of December 2021.

Since January 2022, the EU institutions are now in the process of agreeing on a final text - possibly still under the French EU Presidency, which runs until the end of June 2022. CoESS also hopes for the support of the Finnish government that the position of the European Parliament will make it in the final legal text, which would have to be transposed into national law by Member States within 18 months after adoption in Brussels.