Recitals of COM(2023)526 - Blueprint to coordinate a Union-level response to disruptions of critical infrastructure with significant cross-border relevance

(1)The reliance on resilient critical infrastructure and resilient critical entities providing services that are crucial for the maintenance of vital societal functions, economic activities, public health and safety, or the environment, is fundamental for the smooth functioning of the internal market and the society as a whole.

(2)In the current evolving risk landscape and in light of growing interdependencies between infrastructure and sectors and, more broadly, interconnections across sectors and borders, there is a need to address and enhance, in a comprehensive and coordinated manner, the protection of critical infrastructure and the resilience of critical entities operating such infrastructure. 

(3)An incident which disrupts critical infrastructure and thereby disables or severely hampers the provision of essential services may have significant cross-border effects and negatively impact the internal market. In order to ensure a targeted, proportionate and effective approach, measures should be taken to address, in particular, significant critical infrastructure incidents, as specified in this Recommendation, covering for instance situations where the disruption caused by the incident is of long duration or may have considerable cascading effects in the same or other sectors or Member States.

(4)A coordinated response to significant critical infrastructure incidents is essential in order to avoid major disruptions in the internal market and to ensure the restoration of the provision of those essential services as soon as possible, since such incidents may have serious consequences on the economy and citizens in the Union. A timely and effective Union-level response to such incidents requires swift and effective cooperation amongst all relevant actors and coordinated action supported at Union level. Such response relies, therefore, on the existence of previously established and, to the extent possible, well-rehearsed cooperation procedures and mechanisms with specified roles and responsibilities of the key actors at national and Union level.

(5)While the primary responsibility for ensuring response to significant critical infrastructure incidents rests with the Member States and the entities operating critical infrastructure and providing essential services, increased coordination at Union level is appropriate in case of disruptions with significant cross-border relevance. A timely and effective response is dependent not only on the deployment of national mechanisms by Member States but also on coordinated action supported at Union level, including having relevant cooperation in a swift and effective manner.

(6)The protection of European critical infrastructure is currently regulated by Council Directive 2008/114/EC 13, which covers only two sectors, namely transport and energy. That Directive establishes a procedure for the identification and designation of European critical infrastructure and a common approach on assessing the need to improve the protection of such infrastructure. It is the central pillar of the European Programme for Critical Infrastructure Protection 14 (“EPCIP”) adopted by the Commission in 2006 that has set out a European-level all-hazards framework for critical infrastructure protection.

(7)In order to go beyond the protection of critical infrastructure and to ensure, more broadly, resilience of critical entities operating such infrastructure that provide essential services in the internal market, Directive (EU) 2022/2557 of the European Parliament and of the Council 15 will replace Directive 2008/114/EC as of 18 October 2024. Directive (EU) 2022/2557 covers 11 sectors and provides for resilience-enhancing obligations for Member States and critical entities, cooperation between Member States and with the Commission as well as for support by the Commission for national authorities and critical entities and support from the Member States to the critical entities.

(8)Following the sabotage of the Nord Stream gas pipelines, there is a need for more resilience-enhancing measures for critical infrastructure to be adopted at Union level. Therefore, based on a Commission proposal, the Council adopted a Recommendation on a Union-wide coordinated approach to strengthen the resilience of critical infrastructure (“Recommendation 2023/C 20/01”) 16, which aims at enhancing preparedness, response and international cooperation in this area. That Recommendation highlighted notably the need to ensure at Union level a coordinated and effective response to risks to the provision of essential services.

(9)Therefore, it is necessary to complement the existing legal framework by an additional Council Recommendation setting out a Blueprint on a coordinated response to disruptions of critical infrastructure with significant cross-border relevance (“the Critical Infrastructure Blueprint”), while making use of existing Union-level arrangements.

(10)This Recommendation should be aligned with Recommendation 2023/C 20/01, to ensure consistency and avoid duplication. Therefore, this Recommendation should not, as such, cover the other elements of the crisis management lifecycle, namely prevention, preparedness and recovery.

(11)This Recommendation should complement Directive (EU) 2022/2557, in particular in terms of coordinated response, and should be implemented whilst ensuring coherence with that Directive and any other applicable rules of Union law. Therefore, this Recommendation should also rely on and use, to the extent possible, the notions, tools and processes of that Directive, such as the Critical Entities Resilience Group, acting within the limits of its tasks as set out in that Directive, and points of contact. In addition, the notion of “critical infrastructure” as used in this Recommendation should be understood in the same way as set out in recital 7 of Recommendation 2023/C 20/01, that is, as comprising relevant critical infrastructure identified by a Member State at national level or designated as a European critical infrastructure under Directive 2008/114/EC, as well as critical entities to be identified under Directive (EU) 2022/2557. In order to ensure consistency with Directive (EU) 2022/2557, those notions used in this Recommendation should therefore be interpreted as having the same meaning as in that Directive. For instance, the concept of resilience, as defined in Article 2, point 2, of that Directive, should also be understood as referring to a critical infrastructure’s ability to prevent, protect against, respond to, resist, mitigate, absorb, accommodate or recover from events that significantly disrupt or have the potential to significantly disrupt the provision of essential services in the internal market, that is, services which are crucial for the maintenance of vital societal and economic functions, public safety and security, the health of the population, or the environment.

(12)In addition, the notion of “significant disruptive effect” should be understood in light of the criteria provided by Article 7(1) of Directive (EU) 2022/2557, which refer to: i) the number of users relying on the essential service provided by the entity concerned; ii) the extent to which other sectors and subsectors as set out in the Annex to the Directive depend on the essential service in question; iii) the impact that incidents could have, in terms of degree and duration, on economic and societal activities, the environment, public safety and security, or the health of the population; iv) the entity’s market share in the market for the essential service or essential services concerned; v) the geographic area that could be affected by an incident, including any cross-border impact, taking into account the vulnerability associated with the degree of isolation of certain types of geographic areas, such as insular regions, remote regions or mountainous areas; vi) the importance of the entity in maintaining a sufficient level of the essential service, taking into account the availability of alternative means for the provision of that essential service.

(13)In the interest of efficiency and effectiveness, the Critical Infrastructure Blueprint should be fully coherent and interoperable with the revised Union operational protocol for countering hybrid threats 17 and take into account the existing Blueprint on coordinated response to large-scale cross-border cybersecurity incidents and crises laid down by Commission Recommendation (EU) 2017/1584 18 (“Cyber Blueprint”), and the European cyber crisis liaison organisation network (“EU-CyCLONe”) mandate laid down in Directive (EU) 2022/2555 of the European Parliament and of the Council 19 and avoid the duplication of structures and activities. It should also fully respect the Council’s Integrated Political Crisis Response 20 (“IPCR”) arrangements for the coordination of the response.

(14)This Recommendation builds on and is, more broadly, consistent and complementary with the established Union crisis management mechanisms, notably the Council’s IPCR arrangements, the Commission’s internal crisis coordination process ARGUS 21 and the Union Civil Protection Mechanism (“UCPM”) 22, supported by the Emergency Response Coordination Centre (“ERCC”), 23 the European External Action Service (“EEAS”) Crisis Response Mechanism, as well as the Single Market Emergency Instrument 24, all of which may play a role in responding to a major disruption to critical infrastructure operations.

(15)In responding to a significant critical infrastructure incident, the above tools or mechanisms at Union level may be used, in accordance with the rules and procedures applicable thereto, which this Recommendation should complement but leave unaffected. For instance, the Council’s IPCR arrangements remain the main tool for coordination of the response at political Union level among Member States. Internal coordination in the Commission takes place in the framework of the ARGUS cross-sectoral crisis coordination process. If the crisis entails an external or Common Security and Defence Policy (“CSDP”) dimension, the EEAS Crisis Response Mechanism can be used. In line with Decision No 1313/2013/EU on a Union Civil Protection Mechanism (“UCPM”), operational responses under the UCPM to actual or imminent natural and human-induced disasters within and outside the Union (including those affecting critical infrastructure) are organised by the ERCC, the Commission’s single 24/7 operational hub managing crisis responses. In such instances, the ERCC can provide early warning, notification, analysis, and support information-sharing and, in the event of a UCPM activation by a Member State, the deployment of operational assistance and experts to affected areas. In addition, the ERCC can facilitate sectoral and cross-sectoral coordination at both EU level and between the EU and relevant national authorities, including ones responsible for civil protection and critical infrastructure resilience.

(16)While the processes laid down in this Recommendation should be considered, where appropriate, in connection to those other tools or mechanisms once they are used, this Recommendation should also describe the actions that could be undertaken at Union level as regards shared situational awareness, coordinated public communication and effective response outside the framework of those Union crisis coordination mechanisms, in case they are not used.

(17)In order to better coordinate response in case of significant critical infrastructure incidents, there should be enhanced cooperation between Member States and Union institutions, relevant agencies, bodies and offices of the Union working through existing arrangements, in accordance with the framework of the Critical Infrastructure Blueprint. The Critical Infrastructure Blueprint should therefore apply when the threshold of six or more Member States provided for in Directive (EU) 2022/2557 as regards the identification of critical entities of particular European significance is met, as well as when incidents affecting a smaller number of Member States occur because such incidents could have a wide-ranging impact, due to cascading effects across borders and therefore Union-level response coordination would be beneficial.

(18)While a cooperation framework at Union level for a coordinated response to significant critical infrastructure incidents is deemed necessary, it should not divert resources of critical entities and competent authorities from incident handling, which should be the priority.  

(19)The relevant actors involved in the implementation of the Critical Infrastructure Blueprint should be clearly identified so that there is a clear and comprehensive overview of the institutions, bodies, offices, agencies and authorities that could be responding to a significant critical infrastructure incident.

(20)Responding to critical infrastructure incidents, including significant ones, is the primary responsibility of the competent authorities of the Member States. This Recommendation should not affect Member States’ responsibility for safeguarding national security and defence or their power to safeguard other essential State functions, in particular concerning public security, territorial integrity and the maintenance of law and order, in accordance with Union law. Further, this Recommendation should not affect national processes, such as the communication and liaison of operators of critical infrastructure with the competent national authorities. This Recommendation should apply without affecting relevant bilateral or multilateral arrangements concluded between Member States.

(21)Designating or establishing points of contact by the relevant actors is essential for an effective and timely cooperation within the framework of the Critical Infrastructure Blueprint. To ensure coherence, Member States should consider the possibility to have as the points of contact designated or established within this framework the single points of contact to be designated or established in the framework of Directive (EU) 2022/2557.

(22)In the interest of effectiveness, testing and practicing the Critical Infrastructure Blueprint, as well as reporting and discussing lessons learnt after its application, should be an essential part of maintaining a high level of readiness in the event of significant critical infrastructure incidents and of ensuring the ability to deliver a swift and well-coordinated response, with the involvement of the relevant actors.

(23)Considering the structure of the Council’s crisis coordination mechanism IPCR and taking into account, more broadly, the potential activation of the crisis coordination mechanisms already existing at Union level, the Critical Infrastructure Blueprint should encompass two modes of cooperation to respond to a significant critical infrastructure incident. The first should consist of the exchange of information involving all relevant actors, coordination of public communication and, where used, coordination via already existing mechanisms such as the IPCR arrangements in the Council, or ARGUS coordination within the Commission, supported by the ERCC as operational 24/7 contact point, and the EEAS Crisis Response Mechanism. The second should comprise further response action due to the scale of the incident. This cooperation should involve engagement at operational, strategic/political levels, which reflects the levels in Recommendation 2017/1584 and the Union Protocol for countering hybrid threats, in order to coordinate actions and respond to the significant critical infrastructure incident in an effective and efficient manner. Based on the principles of proportionality, subsidiarity, confidentiality of information and complementarity and in order to ensure effective cooperation, the Critical Infrastructure Blueprint should describe how shared situational awareness by the relevant actors takes place, as well as coordinated public communication and effective response.

(24)The exchange of information pursuant to this Recommendation should be carried out without jeopardising national security or the security and commercial interests of entities operating critical infrastructure. Therefore, sensitive information should be accessed, exchanged and handled prudently, in accordance with the applicable rules, and with particular attention to the transmission channels and storage capacities used,