Incidents affecting critical infrastructures can have severe, cross-border, consequences on many aspects of EU citizens’ lives, potentially affecting their safety and security. What is more, as noted in the United Nations (UN) Security Council resolution 2341 (2017) on the protection of critical infrastructure against terrorist attacks, there are “increasing cross-border critical infrastructure interdependencies between countries” in a large number of sectors.

To address the matter of critical infrastructure protection (CIP) on European level, the EU agreed in 2008 on the Directive 2008/114 on the identification and designation of European Critical Infrastructures (ECI).

The security landscape has changed tremendously since then, which is why the European Commission has recently evaluated the implementation of the Directive – an evaluation that CoESS highly welcomes. CoESS sees in Directive 2008/114 an important milestone for providing an EU framework for cross-border cooperation in CIP. The Commission’s evaluation, however, describes significant shortcomings that have been addressed by CoESS in the preceding public consultation, and in its White Paper Critical Infrastructure Security and Protection – a Public-Private Opportunity. As a consequence, CoESS recommends in a new position paper, published on 06 January 2020, an ambitious revision of Directive 2008/114 on a number of matters:

First of all, a renewed EU framework should take into account current and emerging threats against ECI on an ongoing basis. Since the adoption of Directive 2008/114 in 2008, many new threats and challenges for CIP emerged, such as drones, cyber risks, Insider Threats, CBRN-E and evolved terrorist modus operandi. They all require an enhanced level of protection and resilience, and the European Commission rightfully concludes in its evaluation that the Directive is only partially relevant today.

Further, it is important to extend the Directive’s scope from a sector- to a system-focused approach. CoESS recommends that a revised Directive 2008/114 has a broader scope, which does not focus on the protection of isolated assets and sectors, but takes into account the entire system of existing critical infrastructures and respective interdependencies. For example, the scope of Directive 2008/114 currently does not account for an attack on the energy, financial or telecommunication sectors, which could have severe cascading effects across sectors and Member States. A revision should be done in coherence with the Directive on Security of Network and Information Systems (NIS Directive).

With regard to the private security sector, CoESS calls on the European Commission to establish a CIP framework that fosters public-private partnerships and prescribes mandatory compliance of private security services protecting ECI with European Standards, where applicable. Whilst two European standards already exist, which list the quality criteria for security services suppliers for Aviation and Airport environments (EN16082:2011) and for Maritime and Port environments (EN16747:2015), CEN TC 439 “Private Security Services” is currently working on an overarching standard for security services supplied in any type of critical infrastructure (prEN17483). The position paper also calls for further action to enforce best value procurement for private security services protecting ECI, and to limit private operators’ liability for acts of terrorism against ECI.

All recommendations provided by CoESS are in line with the Report on findings and recommendations of the European Parliament’s Special Committee on Terrorism, published in November 2018, and the UN Security Council resolution 2341 (2017).

For further details, the CoESS position paper can be found here.