Beyond Compliance: Conceptual and Implementation Cycles in Critical Infrastructure Protection
By Michael Kolatchev, Principal, Rossnova Solutions & Lina Kolesnikova, Senior consultant, Rossnova Solutions, Belgium
Protection of critical infrastructure (CI) is a core national security responsibility that cannot be ensured by any single actor and therefore requires sustained national-level coordination. As a result, it has become a strategic public policy priority in many states. Although CI protection involves multiple public and private stakeholders, international practice confirms the central role of the state in providing strategic direction, ensuring policy coherence, and integrating security considerations, particularly in response to hybrid threats and malicious activities.
Given the systemic and cross-sectoral nature of CI-related risks, the state typically acts as the principal coordinator by establishing governance structures, adopting national strategies, defining mandatory security and resilience requirements, and overseeing their implementation. Effective CI protection enhances resilience, deterrence, and strategic stability by reducing vulnerabilities to disruption and coercion, while avoiding unnecessary centralisation of operational functions.
CI protection cannot be achieved through a single decision or strategy. Resource, expertise, and time constraints, combined with evolving infrastructures, societal needs, and threat landscapes, render one-off approaches insufficient. CI protection should therefore be understood as an iterative and adaptive process rather than a fixed objective. National CI frameworks usually require several years to develop and should allow for periodic updates, for example every three to five years, enabling continuity within a coherent framework.
Such an approach requires continuous coordination, information sharing, and education of stakeholders and society. Static measures, including legislation or information websites alone, are insufficient. Information on requirements and planned changes must remain accessible, current, and actively communicated. Ultimately, effective CI protection depends on the feasibility of objectives and strategies relative to national preparedness and, critically, on people. Responsible behaviour and long-term cultural change among key stakeholders and society are essential to sustainable CI protection.
Cycles in the Development of CIP
Experience across jurisdictions suggests that the development of critical infrastructure protection (CIP) can be structured around two interrelated cycles: a strategic conceptualization cycle and a practical implementation cycle. Their iterative interaction enables continuous adaptation of CIP systems and alignment between strategic objectives and operational outcomes.
The conceptualization cycle covers the formulation, review, and adjustment of CIP strategy. Over time, strategies typically become more refined and aligned with implementation capacities. Maintaining consistency between strategic ambitions and available resources is essential, as persistent misalignment may undermine institutional credibility and stakeholder trust.
A key output of conceptualization is an effective legal and regulatory framework. Legislation should be treated as an integral component of CIP strategy and a tool for its enforcement. The choice of legislative model — umbrella or sector-specific — should reflect institutional maturity and stakeholder compliance capacity. Given the dynamic threat environment, legal frameworks must allow regular adaptation without requiring comprehensive redesign, balancing stability with flexibility.
Conceptualization of the CIP Strategy
The conceptualization of a critical infrastructure protection (CIP) strategy can be understood as an iterative process in which each cycle produces answers to a set of core strategic questions. Where necessary, these answers are formalised through legal and regulatory instruments in order to ensure implementation and accountability. Together, these questions define the key dimensions of CIP strategy development:
• What?
• Who?
• How?
• When?
These dimensions structure strategic decision-making and link policy objectives with governance, operational capabilities, and timelines.
| Dimension | Key Question | Strategic Focus |
| --- | --- | --- |
| C.1.1 | What? | Definition of what constitutes critical infrastructure, including sectors, assets, functions, and services. Identification of protection objectives and priorities, including the balance between protection and resilience. Determination of system boundaries, external dependencies, and relevant threat categories. |
| C.1.2 | Who? | Allocation of roles and responsibilities among state authorities, regulators, operators, and other stakeholders, including responsibility for strategy development, implementation, coordination, oversight, and effectiveness assessment. |
| C.1.3 | How? | Selection of protection approaches and instruments, including risk assessment methods, security and resilience measures, operational readiness requirements, coordination mechanisms, and capacity-building. Assessment of the ability of the state and operators to implement these measures. |
| C.1.4 | When? | Establishment of timelines for strategic decisions, implementation phases, entry into force of requirements, evaluation cycles, and periodic review and adjustment of the strategy and regulatory framework. |
Taken together, these dimensions ensure that CIP strategies are not limited to declarative objectives, but are grounded in governance structures, operational feasibility, and temporal discipline — factors that are essential for managing systemic security risks and maintaining strategic stability.
One of the key techniques useful both in formulating the concept and in verifying its coherence and feasibility is backward planning combined with dependency analysis. It starts from the end state: assume the objective has been achieved, and analyse what that future looks like, how it must function, and who does what. The analysis then works backwards, identifying which components of that future must be in place, and by when, for the end state to be reachable.
Outcomes of Conceptualization and Link to Implementation
The outcome of conceptualization is typically formalised in a roadmap defining strategic objectives, timelines, and means. Each conceptualization cycle may encompass multiple implementation cycles aimed at building and sustaining CIP capabilities. This approach enables anticipation of future requirements while ensuring alignment between near-term actions and long-term objectives.
Given evolving threats and constraints, both conceptual and implementation frameworks must adapt over time. Legal and regulatory instruments should therefore support adjustment without undermining legal certainty—an essential requirement in a national security context.
Implementation Cycles
Implementation cycles translate strategic intent into operational reality and provide the feedback necessary for subsequent refinement of the CIP strategy. Multiple implementation cycles may be executed within a single conceptualization cycle, allowing strategic priorities to be pursued through phased, resource-constrained actions.
Each implementation cycle can be structured around four core processes:
• Planning – identification of priority sectors, assets, functions, risks, and acceptable disruption thresholds; development of policies, procedures, response plans, performance indicators, and resource allocation mechanisms.
• Implementation – execution of technical, organisational, and administrative measures, including security enhancements, monitoring, training, redundancy development, exercises, and testing.
• Verification and Evaluation – assessment of effectiveness and compliance through audits, monitoring, testing, exercises, and incident analysis; identification of gaps, deficiencies, and deviations from planned outcomes.
• Improvement and Adaptation – implementation of corrective and preventive actions, adjustment of plans and architectures, scaling of effective solutions, and incorporation of lessons learned into subsequent cycles.
Each implementation cycle is time-bound, reflecting budgetary and resource constraints, while the operation of the protection system itself remains continuous. The use of multiple, iterative cycles enables earlier learning, timely scaling of successful measures, and adjustment of strategy in response to evolving threats.
At the same time, the adaptive capacity of implementation cycles is fundamentally shaped by the objectives, priorities, and boundaries defined during conceptualization. In this sense, conceptualization serves as a strategic constraint and enabler for operational flexibility, directly influencing the effectiveness of CIP as an instrument of national security and resilience.
Wrapping up and drawing from experience
The conceptualization cycle plays a decisive role in defining the objectives, principles, architecture, and core mechanisms of critical infrastructure (CI) protection. Each cycle results in an agreed set of strategic objectives and a corresponding strategy for their achievement, while establishing the parameters that guide subsequent implementation cycles.
Within this process, the definition of objectives — the “what” dimension (C.1.1) — is of central importance. Objectives are rarely fixed at the outset and may be revised multiple times within a single cycle based on analysis across the remaining dimensions: “who” (C.1.2), “how” (C.1.3), and “when” (C.1.4), which reflect governance structures, available instruments, and temporal constraints. As a result, conceptualization typically proceeds through iterative adjustments that align strategic intent with feasibility and capacity.
This iterative logic enhances strategic coherence and realism, reducing the risk of setting objectives that are unattainable or disproportionate to available resources—a common source of failure in national security policy design.
Drawing on international practice, several core recommendations can be identified for the development of CI protection systems:
Conceptualization cycle
• Clearly define the scope of protection, prioritising critical functions and services and accounting for cascading and cross-border dependencies.
• Establish a clear allocation of roles and responsibilities among state authorities, operators, and other stakeholders, supported by central coordination.
• Develop a realistic strategy aligned with national capabilities, resources, and an adaptive legal and regulatory framework.
Implementation cycles
• Apply phased, time-bound implementation with achievable objectives and measurable outcomes.
• Ensure coordination mechanisms capable of operating in both routine and crisis conditions.
• Institutionalise regular testing and exercises as a core element of resilience and readiness.
Cross-cutting principles
• Embed continuous feedback and improvement through the integration of implementation results into governance and strategic review.
• Maintain transparency and predictability of requirements while avoiding excessive or purely formal regulation.
• Prioritise resilient and reliable operation over formal compliance, treating day-to-day system performance as the primary measure of effectiveness.
While international experience provides valuable guidance, its effectiveness depends on careful adaptation to national legal frameworks, institutional arrangements, infrastructure maturity, and resource constraints. In a security context, successful CI protection is achieved not through replication of external models, but through the disciplined translation of international best practices into nationally viable strategies.
Policy Implications and Initial Steps
As initial steps toward the development of a national concept and legal framework for critical infrastructure (CI) protection, states should adopt a risk-governance–driven approach grounded in an explicit understanding of the evolving threat environment. Priority actions include:
• conducting a systematic inventory of infrastructures, functions, and services based on their criticality, interdependencies, and potential national-level impact under diverse threat scenarios;
• assessing maturity and readiness of key operators and public authorities to manage risks arising from cyber, physical, hybrid, and systemic disruptions;
• defining core principles and strategic priorities for CI protection that reflect national risk tolerance, security objectives, and available capabilities and resources;
• defining (estimating) the pace of continuous CIP build-up that the country and its society can realistically afford, for example in 3- or 5-year iterations;
• developing a framework concept and roadmap that enable phased implementation and adaptive responses to changing threat dynamics;
• initiating preparation or adaptation of legal and regulatory instruments designed to support continuous risk assessment, feedback, and periodic revision of requirements.
Together, these steps provide the institutional and analytical foundation for integrating CI protection into broader national security risk governance and resilience planning, while remaining realistic and appropriate to each country's individual situation, balancing the “would” with the “could”.
