The context of the war in Ukraine has created new risks, both physical attacks and cyber attacks, which can lead to hybrid threats. The sabotage of the Nord Stream gas pipelines and other recent incidents have clearly shown that the resilience of the EU’s critical infrastructure is at risk. Urgent action is therefore needed to strengthen the EU’s ability to protect itself from attacks on its critical infrastructure. This is particularly true as European infrastructures are more interconnected and interdependent, making them both more powerful and efficient, but also more vulnerable in the event of an incident.
European legislation was strengthened in the summer of 2022. The co-legislators agreed to deepen the policy framework to strengthen the resilience of entities operating critical infrastructure. Agreements were reached on the Critical Infrastructure Resilience Directive (“CER Directive”) and the revised Network and Information Systems Security Directive (“NIS 2 Directive”).
The new ERC Directive proposes a new framework for cooperation, as well as obligations for states to strengthen physical resilience outside cyberspace. Eleven sectors are now covered: energy, transport, digital infrastructure, banking, financial market infrastructure, health, drinking water, waste water, public administration, space and food.
The NSI 2 Directive will give rise to cybersecurity obligations in many sectors.
Following the Nordstream 2 sabotage, Commission President Ursula von der Leyen presented a plan to the European Parliament on 5 October, based on five points:
- enhancing preparedness
- working with Member States with a view to stress test their critical infrastructure, starting with energy sector and then followed by other high-risk sectors
- increasing the response capacity in particular, through the Union Civil Protection Mechanism
- making good use of satellite capacity to detect potentiel threats
- strenghthening cooperation with NATO and key partners on the resilience of critical infrastructure