|Title:||Proposal for a Directive of the Council on the identification and designation of European Critical Infrastructure and the assessment of the need to improve their protection
Note: the present overview describes a norm in draft stage, which is susceptible to significant change in the course of finalisation!
|Topic:||Identification and protection of European Critical Infrastructures|
|Direct / indirect relevance||Direct. The text directly prescribes an obligation to identify European Critical Infrastructures and to draft adequate plans for their continuity.|
|Scope:||Applicable to Member States and to the operators of European Critical Infrastructure (defined by the draft directive as ‘critical infrastructures the disruption or destruction of which would significantly affect two or more Member States, or a single Member State if the critical infrastructure is located in another Member State. This includes effects resulting from cross-sector dependencies on other types of infrastructure’).|
|Legal force:||None; the norm is currently only in draft stage. Upon finalisation: an EU Directive, requires transposition into national law.|
|Affected sectors:||Member States and to the operators of European Critical Infrastructure|
|Relevant provision(s):||Article 3 - Identification of European Critical Infrastructure
3. Each Member State shall identify the critical infrastructures located within its territory as well as critical infrastructures outside its territory that may have an impact on it, which satisfy the criteria adopted pursuant to paragraphs 1 and 2.
Each Member State shall notify the Commission of the critical infrastructures thus identified at the latest one year after the adoption of the relevant criteria and thereafter on an ongoing basis.
Article 4 - Designation of European Critical Infrastructure
1. On the basis of the notifications made pursuant to the second paragraph of Article 3(3) and any other information at its disposal, the Commission shall propose a list of critical infrastructures to be designated as European Critical Infrastructures.
Article 5 - Operator Security Plans
1. Each Member State shall require the owners/operators of each European Critical Infrastructure located on its territory to establish and update an Operator Security Plan and to review it at least every two years.
2. The Operator Security Plan shall identify the assets of the European Critical Infrastructure and establish relevant security solutions for their protection in accordance with Annex II. Sector specific requirements concerning the Operator Security Plan taking into account existing Community measures may be adopted in accordance with the procedure referred to in Article 11(3).
Acting in accordance with the procedure referred to in Article 11(2), the Commission may decide that compliance with measures applicable to specific sectors listed in Annex I satisfies the requirement to establish and update an Operator Security Plan.
3. The owner/operator of a European Critical Infrastructure shall submit the Operator Security Plan to the relevant Member State authority within one year following designation of the critical infrastructure as a European Critical Infrastructure.
Where sector specific requirements concerning the Operator Security Plan are adopted based on paragraph 2, the operator security plan shall only be submitted to the relevant Member State authority within 1 year following the adoption of the sector specific requirements.
4. Each Member State shall set up a system ensuring adequate and regular supervision of the Operator Security Plans and their implementation based on the risk and threat assessments conducted pursuant to Article 7(1).
5. Compliance with Directive 2005/65/EC of the European Parliament and of the Council of 26 October 2005 on enhancing port security satisfies the requirement to establish an Operator Security Plan.
Article 6 Security Liaison Officers
1. Each Member State shall require the owners/operators of European Critical Infrastructures on their territory to designate a Security Liaison Officer as the point of contact for security related issues between the owner/operator of the infrastructure and the relevant critical infrastructure protection authorities in the Member State. The Security Liaison Officer shall be designated within one year following the designation of the critical infrastructure as a European Critical Infrastructure.
2. Each Member State shall communicate relevant information concerning identified risks and threats to the Security Liaison Officers of the European Critical Infrastructure concerned.
Article 7 Reporting
1. Each Member State shall conduct a risk and threat assessment in relation to ECI situated on their territory within one year following the designation of the critical infrastructure as an ECI.
|Relevance to RM/RA:||The cited articles require Member States to identify critical infrastructures on their territories, and to designate them as ECIs. Following this designation, the owners/operators of ECIs are required to create Operator Security Plans (OSPs), which should establish relevant security solutions for their protection.|