Synergies between Directives: the Critical Entities Resilience Directive (CER), GDPR, NIS2 and DORA
By Michael Kolatchev, Principal for Rossnova Solutions (Belgium) & Lina Kolesnikova, Senior Consultant for Rossnova Solutions (Belgium)
Major incidents – floods, forest fires and terrorist attacks – do not respect national borders, and cooperation within the EU is a prerequisite for effective risk, security and crisis management.
Before 2008, the situation regarding critical infrastructure protection (CIP) at the national level varied greatly: for example, eleven countries did not even have a national definition of critical infrastructure. While some Member States were only beginning to recognise the need for action, others had national CIP programmes that were more advanced than the proposed European initiatives. There were also differences in leadership: in some countries critical infrastructure protection was overseen by the defence ministries, in others by the interior ministries or by civil protection departments, etc.
Regulations and Directives
The European Union is based on the rule of law. Every action taken by the EU is based on the treaties - the binding agreements between EU member states, which set out the objectives of the EU, the rules for EU institutions, the way decisions are taken, and the relations between the EU and its members. The Treaties are the starting point for EU law and are known in the EU as primary law. The body of law that follows from the principles and objectives of the Treaties is known as secondary law and it includes regulations, directives, decisions, recommendations, and opinions.
Regulations are binding legislative acts. They must be applied in their entirety across the EU. Directives, in turn, require EU countries to achieve certain results, and sometimes introduce certain frameworks, but leave members free to choose how precisely to do that. EU countries must take measures to incorporate (transpose) directives into national law in order to achieve the objectives set out in the directive. National authorities must notify these measures to the European Commission.
Directive 2008/114/EC on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection
The terrorist attacks in Madrid (2004) and in London (2005) drew attention to the risk of terrorist attacks on European critical infrastructure. To counter potential vulnerabilities, the European Council asked the European Commission to prepare a common strategy and action plan to improve the protection of European Critical Infrastructure (ECI). As a result of this request, the Commission proposed the establishment of the European Critical Infrastructure Protection Programme (EPCIP), which consisted of three main parts:
• the Directive on the identification and marking of ECI,
• the financial programme, and
• the Information Alert Network (CIWIN).
While the Directive formed the core of the programme, the other two components represented key measures designed to facilitate the implementation of the Directive.
First of all, the Directive introduced the concept of European Critical Infrastructure and was based on an ‘all-hazards approach’, with terrorism being given priority. The scope of EPCIP was limited to the energy and transport sectors, as these two sectors had horizontal implications and were also the most advanced in terms of developing sectoral criteria.
If we consider the conceptual basis for understanding the EU crisis management cycle for critical infrastructure protection in 2008, then EPCIP fell under the stages of prevention and preparedness.
The primary responsibility for protecting critical infrastructure at the member-state level lay with the Member States, their national authorities and the owners/operators of such infrastructure. This was also recognised by the Directive. The principle of subsidiarity, and the fact that CIP is closely interlinked with national defence issues, were among the explanations for the partial reluctance of Member States to share information and for their wish to keep national primacy in this area. (MK&LK: Subsidiarity is a principle that allows individual members of a larger organisation to make decisions on issues that concern them, rather than leaving these decisions to the group as a whole).
Reasons to change the approach to CIP
The years following the 2008 Directive were marked by significant events and challenges for the EU. Among the most important were terrorist attacks, the COVID-19 pandemic, floods and acts of sabotage on CI.
The COVID-19 pandemic revealed a more insidious risk picture, with increased spillover risks (those that usually trigger different types of crises), greater interconnectedness of sectors and the need for more coordinated response mechanisms in the EU. For example, the pandemic demonstrated how disrupted supply chains can negatively impact societies and economies across sectors and borders.
New and developing trends, at first thought to be primarily positive, further challenged the existing situation with CIP. Among such trends were across-the-board digitalisation, the emergence of smart city systems, and the growing interdependence of critical infrastructure.
CIs in Europe often use old software and hardware. This situation creates a problem of “bad legacy” when these old technologies, with their large technical debt, get integrated into new “smart” systems, a system of systems.
If there were not enough risks… Organized Crime
Often, considerations of the risk of criminal activity to critical national infrastructure (CNI) assume that threats come only from outside the CNI. That assumption cannot hold anymore. In recent years, we have seen the rise of organised crime networks that see CNI as a means to use and abuse convenient, publicly accessible, legitimate infrastructures for their own gain.
In the past, criminal enterprises built their own infrastructures to be independent of the legitimate world. Today, providing adequate services is very expensive and time-consuming, and the infrastructure needed may be too large to hide. Consequently, criminals are no longer interested in building their own critical infrastructure. Instead, these legitimate critical (and non-critical) infrastructures that provide modern services, regardless of domain, will increasingly be used by criminals, leading to a need for criminals to participate in such infrastructure, have influence, create a specialized layer, and even a controlling position.
All these developments became a driver for a major overhaul of the CIP approach
CIP is becoming an area where protection and control over processes and data are key factors. In the context of evolving risks and emerging systems of systems, it is becoming increasingly difficult to trust (and to verify and control) existing security measures and governance. They (both measures and governance) require dialogue, consultation, participation, education and awareness; there is no substitute for good management. All parties involved must become comparable, compatible and speak the same language.
That is the context into which the new Directives fit: they are set to define a common approach to common problems, and to align Members around objectives, frameworks and methods of achieving them.
The modern landscape is more and more thought of as a complex system, whose components are themselves complex systems. As with any complex system, it is practically impossible to grasp it in full detail at once. Hence the step-by-step, piece-by-piece process of singling out one view of one or a few components of a complex system. Legislation follows the same pattern, putting one piece in place at a time, with us all hoping these pieces will come to work together.
Currently, the following Directives are the primary ones related to Critical Infrastructure Protection:
• Directive 2022/2557 (CER, Critical Entities Resilience Directive)
• Directive 2022/2555 (NIS2, on measures for a high common level of cybersecurity across the Union)
• DORA (Digital Operational Resilience Act)
• GDPR (General Data Protection Regulation)
The CER Directive highlights a shift of focus (from protection to resilience) while maintaining an all-hazards and all-risks approach, and identifies critical infrastructure across the EU in a uniform way. The CER Directive recognises that the effects of significant disruptions are felt well beyond the virtual realm and can impact facilities, roads, railways, electricity generation and other infrastructure on which essential services depend. The CER Directive aims at improving and harmonising the resilience strategies and plans of Member States and organisations. The Directive covers three priority areas: preparedness, response and international cooperation. It invites Member States to update their risk assessments to reflect current threats and calls on them to stress test undertakings operating critical infrastructure, with the energy sector being a priority. It also calls on Member States to develop, in cooperation with the Commission, a coordinated response plan for critical infrastructure disruptions of significant cross-border significance. The EU will support partner countries in strengthening their resilience.
While the CER Directive defines critical infrastructure and related industries and takes an all-hazards, cross-domain approach, the other directives provide more specific guidance: NIS2 focuses on cybersecurity, DORA addresses the financial sector, while the GDPR takes a holistic view of customer (personal) data protection.
Conclusion
In today’s world of conflicting cultural views, social interests, political agendas, individual career aspirations and risks, strong domestic, national, intra-national and geopolitical dependencies, finding common ground is a complex task. Reconciling interests and goals, values and visions requires long-term commitment and courage from those who usually work in short-term positions. Critical thinking is the key skill required to achieve this. It all starts with defining a goal (or set of goals with their interrelationships) that is equally clear and understandable. Goals and even core values such as free speech, security and prosperity must be honestly agreed upon.
It is very difficult, if not impossible, to create comprehensive, perfectly coordinated and non-controversial legislation that covers all relevant topics at the same time. Interested parties can legislate on one or more topics at the same time. Over time, these individual pieces will hopefully form a puzzle without holes and without unevenness in approach, breadth and depth of coverage. As they say in science, a clear definition of the problem already contains half the solution. Each of the above-mentioned directives addresses one aspect or part of a larger problem. These are the pieces of the future illustrated puzzle that we should all strive to complete.