The evaluation (see here) confirms the continued relevance of Directive 2008/114. However, the document states that it would be only partially relevant today in view of technological developments and evolving threats (drones, cyber, insider threats) since 2008. Also, its added value would be limited by the considerably heterogeneous interpretation of the Directive in the different Member States. As a result, the European Commission cannot exclude that actual levels of Critical Infrastructure Protection (CIP) vary across Member States and proposes, among others, the following improvements which CoESS strongly supports:

• Widening the scope of the Directive to other Critical Infrastructure as well as their interdependencies on system-, not sector-level.
• Provision of more detailed and new definitions/terms.
• More precise definition and description of Operator Security Plans and the roles and responsibilities of Security Liaison Officers.
• Demands for more detailed reporting and provided risk assessments from the Member States to the European Commission.

Unfortunately, the designation of roles and responsibilities as well as public and private cooperation for CIP is neglected in the text. CoESS also recommends to establish mandatory quality criteria for the procurement of security services. To support this process on the industry’s side, CoESS continues its work on an over-arching standard for security services providers to Critical Infrastructure within CEN TC 439 – the CEN Technical Committee on Private Security Services.

The overall objective of the evaluation was to assess the implementation of the Directive in the Member States, following an extensive stakeholder consultation over 1.5 years. CoESS has participated twice in these consultations. In 2016, CoESS published a White Paper on Critical Infrastructure Protection.