We are migrating the content of this website during the first semester of 2014 into the new EUR-Lex web-portal. We apologise if some content is out of date before the migration. We will publish all updates and corrections in the new version of the portal.
Do you have any questions? Contact us.
European critical infrastructures
This directive establishes a European process for identifying and designating European critical infrastructures (ECIs), and sets out an approach for assessing the need to improve their protection. In its first stage, the directive focuses on the transport and energy sectors.
Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection.
This directive sets up a procedure for identifying and designating European critical infrastructures (ECIs) *. At the same time, it provides a common approach for assessing these infrastructures, with a view to improving them to better protect the needs of citizens.
Member States must go through a process of identifying potential ECIs, with the help of the Commission if required. Member States should make use of a series of criteria to identify these potential ECIs. The cross-cutting criteria take into account possible casualties and economic and public effects, while the sectoral criteria consider the specificities of each ECI sector. This directive currently concerns only the energy and transport sectors and their subsectors as identified in Annex I. Additional sectors might be added with the review of the directive.
Each Member State should go through a cooperative designation process for potential ECIs located on its territory. This process involves discussions with other Member States, which could be significantly affected in case of the loss of service provided by an infrastructure. In order for an infrastructure to be formally designated as an ECI, the Member State on whose territory it is located must give its assent.
The identification and designation of ECIs by Member States must be completed before 12 January 2011, after which they are to be reviewed regularly.
The Member State on whose territory an ECI is located must inform the Commission annually of the number of potential and designated ECIs for each sector.
Member States must ensure that an operator security plan (OSP) or an equivalent measure is in place for each designated ECI. The purpose of the OSP process is to identify the critical assets of the ECI as well as the existing security solutions for protecting them. The minimum content to be covered is defined in Annex II of the directive. The OSPs must be reviewed regularly.
Member States must also ensure that a security liaison officer or equivalent is designated for each ECI. The officer serves as the contact point between the owner/operator of the ECI and the Member State authority concerned. The purpose is to allow for the exchange of information regarding the risks and threats relating to the ECI.
Within a year from designating an ECI in the subsectors, Member States are to conduct an assessment of the threats relating to it. In addition, Member States are to report to the Commission every two years on the risks, threats and vulnerabilities the different ECI sectors are facing. The need for additional Community measures to protect ECIs will be assessed on the basis of these reports.
To support the owners/operators of ECIs, the Commission provides access to best practices and methodologies regarding the protection of critical infrastructure. Furthermore, it supports the related training activities and exchanges of new technical information.
Any sensitive information regarding the protection of ECIs may be treated only by persons having the appropriate level of security clearance and only for the purposes the information was originally intended.
A European critical infrastructure contact point (ECIP contact point) is to be appointed in each Member State. Their purpose is to coordinate any ECI-related issues among Member States and the Commission.
On 12 December 2006, the Commission adopted the communication on a European Programme for Critical Infrastructure Protection (EPCIP), which sets out an overall framework for critical infrastructure protection activities at EU level. The process of identifying and designating ECIs is one of the key elements of EPCIP.
The Council conclusions of April 2007 reaffirmed Member States’ responsibility in managing the protection of critical infrastructures located on their respective territories. Simultaneously, the Council welcomed the Commission’s efforts in developing a European procedure to identify and designate ECIs and in assessing them with a view to improving their protection.
|Act||Entry into force||Deadline for transposition in the Member States||Official Journal|
OJ L 345 of 23.12.2008