European Programme for Critical Infrastructure Protection
The European Commission sets out the principles and instruments needed to implement the European Programme for Critical Infrastructure Protection (EPCIP), aimed at both European and national infrastructure.
Communication from the Commission of 12 December 2006 on a European Programme for Critical Infrastructure Protection [COM(2006) 786 final – Official Journal C 126 of 7.6.2007].
In December 2005, the Justice and Home Affairs Council called on the Commission to make a proposal for a European Programme for Critical Infrastructure Protection * (EPCIP). In response, the Commission adopted this communication and a proposal for a directive on the identification and designation of European critical infrastructure with a view to improving the protection of the latter.
The communication sets out the principles, processes and instruments proposed to implement EPCIP. The threats to which the programme aims to respond are not confined to terrorism, but also include criminal activities, natural hazards and other causes of accidents, using an all-hazards approach.
The general objective of EPCIP is to improve the protection of critical infrastructure in the European Union (EU). This will be achieved by implementing the European legislation set out in this communication.
The legislative framework for the EPCIP consists of the following:
- a procedure for identifying and designating European critical infrastructure and a common approach to assessing the need to improve the protection of such infrastructure. This will be implemented by means of a directive;
- measures designed to facilitate the implementation of EPCIP, including an EPCIP action plan, the Critical Infrastructure Warning Information Network (CIWIN), the setting up of Critical Infrastructure Protection (CIP) expert groups at EU level, CIP information sharing processes, and the identification and analysis of interdependencies;
- support for EU countries regarding National Critical Infrastructures (NCIs) that may optionally be used by a particular EU country, and contingency planning;
- an external dimension;
- accompanying financial measures, and in particular the Specific EU Programme on "Prevention, Preparedness and Consequence Management of Terrorism and other Security Related Risks" for the period 2007-13, which will provide funding opportunities for CIP related measures.
EPCIP action plan
The ECPIP action plan has three main work streams:
- the first relates to the strategic aspects of EPCIP and the development of measures horizontally applicable to all CIP work;
- the second concerns the protection of European critical infrastructures and aims to reduce their vulnerability;
- the third is a national framework to assist EU countries in the protection of their NCIs.
The action plan is an ongoing process and regular reviews will be carried out.
Critical Infrastructure Warning Information Network (CIWIN)
A warning network (the CIWIN) will be set up by a specific Commission proposal for the purposes of exchanging best practices and providing an optional platform for the exchange of rapid alerts linked to the Commission's ARGUS system.
Where specific expertise is needed, the Commission may set up CIP expert groups at EU level to address clearly defined issues. Depending on the sector of critical infrastructure, the functions of experts may include:
- assistance in identifying vulnerabilities, interdependencies and sectoral best practices;
- development of measures to reduce vulnerabilities and of performance metrics;
- formulation of case studies.
Information sharing on Critical Infrastructure Protection (CIP)
Stakeholders must share information on CIP, particularly on measures concerning the security of critical infrastructure and protected systems, interdependency studies and CIP related vulnerability, threat and risk assessments. At the same time, there must be assurance that shared information of a proprietary, sensitive or personal nature is not publicly disclosed and that any personnel handling classified information will have an appropriate level of security vetting by their EU country.
Identification of interdependencies
To make a better assessment of the weak points, threats or risks relating to critical infrastructures, interdependencies of a geographic or sectoral nature must be identified and analysed.
CIP Contact Group
The Commission plans to set up a contact group for the protection of critical infrastructure. The contact points will be designated by each EU country and will be responsible for coordinating national CIP issues with other EU countries, the Council and the Commission.
Protection of National Critical Infrastructures (NCIs)
While recognising that the protection of NCIs is the responsibility of owners, operators and of EU countries themselves, the Commission does provide support in this area at the request of EU countries. Each EU country is encouraged to draw up a national protection programme including:
- classification of NCIs, taking account of the effects of disruption or destruction of a particular infrastructure (geographic extent of the damage and seriousness of the consequences);
- identification of geographic and sectoral interdependencies;
- contingency planning.
An important aspect of EPCIP is the external dimension of CIP. The interconnected and interdependent nature of modern economies means that disruption to or destruction of a particular infrastructure may have consequences for countries outside the Union and vice versa. It is therefore essential to strengthen international cooperation in this area through sectoral agreements.
Accompanying financial measures
The EPCIP will be co-financed by the Community Programme "Prevention, Preparedness and Consequence Management of Terrorism and other Security Related Risks" for the period 2007-13.
On 17 and 18 June 2004, the European Council asked the Commission to prepare an overall strategy to enhance the protection of critical infrastructure. In response, on 20 October 2004, the Commission published the communication "Critical infrastructure protection in the fight against terrorism".
The Commission's intention to propose a European Programme for Critical Infrastructure Protection (EPCIP) and a Critical Infrastructure Warning Information Network (CIWIN) was accepted by the European Council of 16 and 17 December 2004, both in its conclusions on prevention, preparedness and response to terrorist attacks and in the Solidarity Programme adopted by the Council on 2 December 2004.
Throughout 2005, intensive work was carried out on EPCIP. On 17 November 2005, the Commission adopted a Green Paper on a European Programme for Critical Infrastructure Protection.
On 15 September 2005, a decision on the financing of a pilot project containing a set of preparatory actions with a view to strengthening the fight against terrorism was adopted. This was followed by a second decision on 26 October 2006 on financing the EPCIP pilot project.
On 12 December 2006, the Commission presented a proposal for a directive on the identification and designation of European critical infrastructures and a common approach to assess the need to improve their protection. On the same day, the Commission also adopted this communication. These documents give a clear idea of how the Commission proposes to address the issue of critical infrastructure protection in the EU.
Finally, the proposed EU Programme on "Prevention, Preparedness and Consequence Management of Terrorism and other Security Related Risks" was adopted on 12 February 2007.