Time Frames to Complete CISA Efforts Would Help Sector Risk Management Agencies Implement Statutory Responsibilities

Protecting critical infrastructure that helps provide necessities like water, electricity, and food is a national priority. Events like natural disasters or cyberattacks can disrupt services Americans need for daily life.

We testified that many federal agencies work to protect the nation's critical infrastructure and look to the Cybersecurity and Infrastructure Security Agency for leadership on how to do it.

A 2021 law expanded these agencies' responsibilities and added some new ones. CISA is working on guidance and more to help agencies implement these responsibilities. We've recommended that CISA set timelines for completing this work.

The William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 expanded and added responsibilities for Sector Risk Management Agencies (SRMAs). These agencies engage with their public and private sector partners to promote security and resilience within their designated critical infrastructure sectors. Some officials from these agencies described to GAO new activities to address the responsibilities set forth in the act, and many reported having already conducted related activities. For example, the act added risk assessment and emergency preparedness as responsibilities not previously included in a key directive for SRMAs. New activities officials described to address these responsibilities included developing a communications risk register and developing emergency preparedness exercises.

The Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA) has identified and undertaken efforts to help SRMAs implement their statutory responsibilities. For example, CISA officials stated they are updating key guidance documents, including the 2013 National Infrastructure Protection Plan and templates for revising sector-specific guidance documents. CISA officials also described efforts underway to improve coordination with sector partners, such as reconvening a leadership council. SRMA officials for a majority of critical infrastructure sectors reported that additional guidance and improved coordination from CISA would help them implement their statutory responsibilities. However, CISA has not developed milestones and timelines to complete its efforts. Establishing milestones and timelines would help ensure CISA does so in a timely manner.

Why GAO Did This Study

Critical infrastructure provides essential functions, such as supplying water, generating energy, and producing food, that underpin American society. Disruption or destruction of the nation's critical infrastructure could have debilitating effects. CISA is the national coordinator for infrastructure protection.

The William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 includes a provision for GAO to report on the effectiveness of SRMAs in carrying out responsibilities set forth in the act. This statement addresses (1) how the act changed agencies' responsibilities, and the actions agencies have reported taking to address them; and (2) the extent to which CISA identified and undertook efforts to help agencies implement their responsibilities set forth in the act.

This statement is based on GAO's February 2023 report on SRMA efforts to carry out critical infrastructure protection responsibilities and CISA's efforts to help SRMAs implement those responsibilities. For that report, GAO analyzed the act and relevant policy directives, collected written responses from all 16 sectors using a standardized information collection tool, reviewed other DHS documents, and interviewed CISA officials.

In its February 2023 report, GAO recommended that CISA establish milestones and timelines to complete its efforts to help sector risk management agencies carry out their responsibilities. DHS concurred with the recommendation. Additionally, GAO has made over 80 recommendations which, when fully implemented, could help agencies address their statutory responsibilities.

The impact of cybersecurity in the energy industry

Cyber resilience is a challenge for organizations globally and for the electricity industry in particular. Power systems are among the most complex and critical of all infrastructure types and act as the backbone of economic activity.

Large-scale incidents such as blackouts can have socio-economic ramifications for households, businesses and vital institutions. For example, a six-hour winter blackout in mainland France could result in damages totalling over €1.5 billion ($1.7 billion).

In 2018, the World Economic Forum Centre for Cybersecurity and the Platform for Shaping the Future of Energy, Materials and Infrastructure launched the Cyber Resilience in the Electricity Industry initiative to improve the cyber resilience of global electricity infrastructure. This initiative brought together leaders from more than 50 businesses, governments, civil society and academia to collaborate and develop a clear and coherent cybersecurity vision for protecting the power infrastructure.

Building on the first phase of the initiative, the Forum is now developing a unique exchange platform for cybersecurity leaders across the electricity industry in collaboration with Dragos, EDP, Enel, Hitachi Energy, Iberdrola, Naturgy, Ørsted, Schneider Electric, Siemens Energy, Southern and Vestas. This new platform serves as a central hub where industry experts can exchange knowledge, ideas and best practices to improve cyber resilience as a whole.

By bringing together the leading minds in cybersecurity worldwide, the initiative is fostering collaboration and innovation in this critical field, with the ultimate goal of enhancing the security and reliability of the electricity infrastructure that powers the modern world.

What are the challenges of cybersecurity in the energy industry?

The unprecedented pace of technological change driven by the Fourth Industrial Revolution means that health, transport, communication, production and distribution systems will demand rapidly increasing energy resources to support global digitalization and the advancement of interconnected devices.

Digitalization is driving growth and innovation in the electricity industry and has tremendous potential to deliver shareholder, customer and environmental value. However, new technologies and business models affecting operating assets present both opportunities and risks.

In the past, managing these risks meant dealing only with issues such as component failure or weather damage, while today’s resilience plans must consider cybersecurity-related threats.

Our approach to strengthening cybersecurity in the energy industry

The Cyber Resilience in the Electricity Industry programme focuses on three main pillars:

- Developing scenarios and use cases that industry executives and boards can use to create a culture of cyber resilience and good governance in the electricity sector.
- Improving the implementation of cyber resilience regulations by fostering dialogue between policy-makers and businesses.
- Improving supply chain resilience by establishing standards for cybersecurity roles and responsibilities across all stakeholders involved to ensure that every entity is taking appropriate steps to protect against cyberthreats.

The initiative has published a series of reports to guide chief executives and board members in meeting the unique challenges of managing cyber risks:

- Cyber Resilience in the Electricity Ecosystem: Principles and Guidance for Boards
- Cyber Resilience in the Electricity Ecosystem: Playbook for Boards and Cybersecurity Officers
- Cyber Resilience in the Electricity Ecosystem: Securing the Value Chain

In 2021, following a request from the European Commission (EC) Energy Directorate, the initiative also developed a collection of 15 lessons learned and recommendations for improvement on the new EC Cybersecurity Directive considering the implications of supply chain attacks and other systemic risks for cybersecurity in the energy industry.

Study uses AI to predict fragility of power grid networks - double trouble when 2 disasters strike electrical transmission infrastructure

One disaster can knock out electric service to millions. A new study suggests that back-to-back disasters could cause catastrophic damage, but the research also identifies new ways to monitor and maintain power grids.

Researchers at The Ohio State University have developed a machine learning model for predicting how susceptible overhead transmission lines are to damage when natural hazards like hurricanes or earthquakes happen in quick succession.

An essential facet of modern infrastructure, steel transmission towers help send electricity across long distances by keeping overhead power lines far off the ground. After severe damage, failures in these systems can disrupt networks across affected communities, taking anywhere from a few weeks to months to fix.

The study, published in the journal Earthquake Engineering and Structural Dynamics, uses simulations to analyze what effect prior damage has on the performance of these towers once a second hazard strikes. Their findings suggest that previous damage has a considerable impact on the fragility and reliability of these networks if it can’t be repaired before the second hazard hits, said Abdollah Shafieezadeh, co-author of the study and an associate professor of civil, environmental and geodetic engineering.

“Our work aims to answer if it’s possible to design and manage systems in a way that not only minimizes their initial damage but enables them to recover faster,” said Shafieezadeh.

The machine learning model not only found that a combination of an earthquake and hurricane could be particularly devastating to the electrical grid, but that the order of the disasters may make a difference. The researchers found that the probability of a tower collapse is much higher in the event of an earthquake followed by a hurricane than the probability of failure when the hurricane comes first and is followed by an earthquake.

That means while communities would certainly suffer some setbacks in the event that a hurricane precedes an earthquake, a situation wherein an earthquake precedes a hurricane could devastate a region’s power grid. Such conclusions are why Shafieezadeh’s research has large implications for disaster recovery efforts.

“When large-scale power grid systems are spread over large geographic areas, it’s not possible to carefully inspect every inch of them very carefully,” said Shafieezadeh. “Predictive models can help engineers or organizations see which towers have the greatest probability of failure and quickly move to improve those issues in the field.”

After training the model for numerous scenarios, the team created “fragility models” that tested how the structures would hold up under different characteristics and intensities of natural threats. With the help of these simulations, researchers concluded that tower failures due to a single hazardous event were vastly different from the pattern of failures caused by multi-hazard events. The study noted that many of these failings occurred in the leg elements of the structure, a segment of the tower that helps bolt the structure to the ground and prevents collapse.

Overall, Shafieezadeh said his research shows a need to focus on re-evaluating the entire design philosophy of these networks. Yet to accomplish such a task, much more support from utilities and government agencies is needed.

“Our work would be greatly beneficial in creating new infrastructure regulations in the field,” Shafieezadeh said. “This along with our other research shows that we can substantially improve the entire system’s performance with the same amount of resources that we spend today, just by optimizing their allocation.”

This work was supported by the Korea Institute of Energy Technology Evaluation and Planning (KETEP) and the Ministry of Trade, Industry & Energy of the Republic of Korea (MOTIE).

Burying short sections of power lines could drastically reduce hurricanes' impact on coastal residents

Princeton researchers funded by the U.S. National Science Foundation investigated the risk of this compound hazard occurring in the future under a business-as-usual climate scenario, using Harris County, Texas, as one example. They estimated that the risk of a hurricane-blackout-heat wave lasting more than five days in a 20-year span would increase 23 times by the end of the century.

But there is good news: Strategically burying just 5% of power lines — specifically those near main distribution points — would almost halve the number of affected residents.

"The results of this work, part of NSF's Coastlines and People Megalopolitan Coastal Transformation Hub, show the value of convergence science approaches for developing actionable solutions to society's major challenges, such as the increasing frequency of storm events," says Rita Teutonico, director of NSF's CoPe program.

Heat waves are among the deadliest types of weather events and can become even more dangerous when regions that rely on air conditioning lose power. Historically, a heat wave following a hurricane has been rare because the risk of extreme heat usually passes before the peak of the Atlantic hurricane season in late summer. As global temperatures rise, however, heat waves are expected to occur more often and hurricanes are likely to become more common and more severe, increasing the odds of hurricane-blackout-heat wave events.

"Hurricane Laura in 2020 and Hurricane Ida in 2021 both had heat waves following them after they destroyed the power distribution network," said Ning Lin, a civil and environmental engineer who led the study. "For this compound hazard, the risk has been increasing, and it is now happening."

In a new study, published in Nature Communications, Lin and co-authors looked at the risks associated with the compound hazard and how infrastructure changes could mitigate the potentially deadly effects. They combined projections of how often and when hurricanes and heat waves would strike in the future with estimates of how quickly power could be restored in areas with outages after a major storm.

The team chose Harris County — the home of Houston — as their model county because it has the highest population density of any city on the Gulf Coast. Hurricanes Harvey and Ike both walloped Houston, causing an estimated 10% of residents to lose power.

The team also considered power grid improvements that would reduce the impact of a hurricane-blackout-heat wave for residents. Burying 5% of wires near the roots of the distribution network would reduce the expected percentage of residents without power from 18.2% to 11.3%.

"Mostly, our current practice is randomly burying lines," Lin said. "By burying lines more strategically, we can be more efficient and more effective at reducing the risk."

New IAEA Safety Guide on Emergency Preparedness and Response for the Transport of Radioactive Material

Historically, emergencies during the transport of radioactive material have had no or very limited radiological consequences and have been resolved quickly. However, no matter how safe packages for the transport of radioactive material are, emergencies can still occur during transit, and prompt action is then required to ensure that the public and the environment are protected effectively. A newly released IAEA Safety Guide — Specific Safety Guide on Preparedness and Response for a Nuclear or Radiological Emergency Involving the Transport of Radioactive Material — addresses a wide range of possible emergencies, including those associated with very low probability events which might have significant radiological consequences.

“The field of transportation of radioactive material is one where radioactive material is intentionally moved across the public domain. Hence, transport activities involving radioactive material should be carried out in accordance with safety requirements and security guidance,” said Farid Abdelmounim, Senior Engineer at the Centre National de Radioprotection, Ministry of Health, Morocco. “This new guide addresses important emergency preparedness and response (EPR) concepts such as the protection strategy, the concept of operations and the interface with nuclear security.”

This publication, co-sponsored with the International Civil Aviation Organization and the International Maritime Organization, provides recommendations on preparedness and response for a nuclear or radiological emergency involving the transport of radioactive material.

Preparedness and response for transport emergencies

The recommendations in this guide are aimed at countries; “consignors”, who prepare shipments for transport; “carriers”, who transport them; “consignees”, who receive them; regulatory bodies; and response organizations.

Each of these roles is vital in emergency preparedness and response, and their responsibilities include the following:

- Governments, for example, should ensure that the responsibilities of national and local government for a transport emergency are clearly defined, and that the national coordinating mechanism for nuclear and radiological emergencies includes the authorities responsible for transport safety and security.
- Consignors and carriers have the primary responsibility to ensure that adequate emergency arrangements are in place for a given shipment, and that those arrangements follow the national emergency arrangements of all the States relevant to the shipment.
- Carriers should ensure that emergency instructions and information applicable to the consignment are carried with the consignment on the conveyance (road vehicle, train, aircraft or sea vessel) at all times, and that this information is readily available to response organizations in the event of an emergency.

“The main objectives of the publication, and the associated training, are to bring together the emergency preparedness and response community and the transport community, to exchange ideas and experiences including on how best to coordinate and integrate emergency arrangements with safety and security measures in protecting the public and the environment from harmful effects of exposure to ionizing radiation,” said Svetlana Nestoroska Madjunarova, Emergency Preparedness Coordinator at the IAEA’s Incident and Emergency Centre.

Bridging the transport and emergency preparedness and response (EPR) communities

Radioactive material has a wide range of applications, and as a result, millions of packages containing radioactive material are transported every year by rail, road, sea, air or inland waterway. This includes the movement of containers (casks) carrying spent nuclear fuel from operating and decommissioning nuclear reactors and sealed radioactive sources, which are used widely in medicine, industry, and agriculture.

Effective preparedness and response for transport emergencies involving radioactive material is thus a topic that has broad relevance for all countries, irrespective of whether they have a nuclear power programme.

To heighten awareness of this topic, two trainings on the new guide were carried out last year, with at least two more planned for 2022.

“A transport emergency is different than an emergency in a fixed facility. A transport emergency can take place anywhere, in the middle of a busy city, or in a remote location where first responders may be hours away,” said Luis Portugal, Head of the Emergency Preparedness and Response Unit of the Portuguese Environment Agency, who contributed to the development of the training in conjunction with the IAEA. “When we designed the training, we wanted to raise awareness in the emergency preparedness and response community, and the transport safety community, of the particularities of an emergency occurring during the transport of radioactive materials and how these can impact the planning for, and response to, any event,” he added.

“The transport safety regulatory requirements set out in the IAEA Safety Standard Series — SSR-6 (Rev.1) — have benefitted from continuous review and development since they were first introduced in 1961. Complemented by the IAEA safety requirements in the IAEA General Safety Requirements Part 7, they help in effective regulation of transport safety and establishment of effective emergency arrangements during the transport of radioactive material,” said Stephen Whittingham, former Head of the Transport Safety Unit in the Division of Radiation, Transport and Waste Safety. “With this Safety Guide and associated training material supporting the implementation of these two sets of safety requirements, we contribute further to their practical implementation in countries to protect the public and the environment effectively from the harmful effects of ionizing radiation.”

China loses hydropower as drought dries up Yangtze River

No rain and a 70-day heat wave spur crop failures, power cuts, and dangerously low reservoirs across parts of China.

A historic drought in the southwest of China is drying up rivers, intensifying forest fires, damaging crops, and severely curtailing electricity in a region highly dependent on hydropower.

The Yangtze River, the third largest in the world, has dropped to half its average water levels, affecting shipping routes, limiting drinking water supplies, causing rolling blackouts, and even exposing long-submerged Buddhist statues. Some 66 rivers across 34 counties in Chongqing have dried up. The province of Sichuan, which gets more than 80 percent of its energy from hydropower, cut or limited electricity to thousands of factories in an effort to “leave power for the people.” Poyang Lake, the largest freshwater lake in China, is just a quarter of its normal size for this time of year.

China issued its first national drought alert in nine years. Rainfall in the Yangtze River Basin is down 45 percent from last July, the lowest it has been since 1961.

Sichuan is a major manufacturing hub and the curbing of electricity to factories has had global impacts, affecting suppliers of Toyota, Volkswagen, Tesla, Intel and Apple, as well as pesticide and solar panel manufacturers. Companies have been asked to continue rationing electricity. Toyota has slowly resumed operations using a generator; Tesla asked the government of Shanghai to ensure that its suppliers received enough power, saying it faced shortages of components as plants scaled back production. Other areas that source power from Sichuan have also made cuts, including Shanghai, China’s largest city, which turned off decorative lighting as a symbolic gesture.

Drought’s impact on the agriculture sector has also been severe, with thousands of acres of crops damaged in Sichuan and the neighboring Hubei province. In response, the Chinese government discharged water from several large upstream reservoirs, and the Ministry of Agriculture said it will try to artificially increase rainfall through cloud seeding, as well as spray crops with a water-retaining agent.

[Source: UNDRR]

Cyber Attack on Greece’s Gas Operator

A group of cyber extortionists called Ragnar Locker claimed responsibility for the recent cyber-attack against the National Gas System Operator (DESFA) in Greece.

DESFA announced that it had suffered a cyber-attack on part of its IT infrastructure, which resulted in a “confirmed impact on the availability of certain systems and the possible leakage of a number of files and data.”

DESFA is responsible for the operation, management, exploitation, and development of the National Natural Gas System and its interconnections.

The statement said that IT services were proactively deactivated to limit any potential spillage and to investigate the incident while ensuring the adequate operation of the national gas supply system at all entry and exit points of the country without any complications.

The FBI has linked the Ragnar Locker group to attacks on at least fifty-two organizations and companies related to critical infrastructure in the US over the last two years.

DOE Announces $45 Million for Power Grid Cyber Resilience

The U.S. Department of Energy (DOE) has announced $45 million to create, accelerate, and test technology that will protect the electric grid from cyber attacks.

Cyber threats to American energy systems can shut down critical energy infrastructure and disrupt energy supply, the economy, and the health of American consumers. Cybersecurity remains a priority as clean energy technologies deployed on the grid become highly automated.

Earlier this year, Supervisory Special Agent Ted P. Delacourt, a federal civilian working in the Mission Critical Engagement Unit of the Cyber Division at the Federal Bureau of Investigation, wrote that a cyber attack on one critical infrastructure sector may initiate a failure in another or cascade to the entire interconnected critical infrastructure network.

“The ubiquitous nature of these critical infrastructure sectors and the distribution of their physical and networked assets across a wide geographical area, often spanning the entire country, make them attractive targets,” Delacourt wrote for HSToday. “State, non-state, and criminal actors continually seek victims of opportunity across all critical infrastructure sectors for monetary and strategic gain.”

Delacourt warned that cyber attacks on critical infrastructure will continue to grow in number and frequency and continue to escalate in severity.

Combined with the additional grid upgrades funded in the Bipartisan Infrastructure Law and the Inflation Reduction Act, the latest DOE announcement means the United States will have an opportunity to build greater cyber defenses into its energy sector. The $45 million funding announced on August 17 will support up to 15 research, development, and demonstration (RD&D) projects that will focus on developing new cybersecurity tools and technologies designed to reduce cyber risks for energy delivery infrastructure. Building strong and secure energy infrastructure across the country is a key component of reaching President Biden’s goal of a net-zero carbon economy by 2050.

“As DOE builds out America’s clean energy infrastructure, this funding will provide the tools for a strong, resilient, and secure electricity grid that can withstand modern cyberthreats and deliver energy to every pocket of America,” said U.S. Secretary of Energy Jennifer M. Granholm. “DOE will use this investment to continue delivering on the Biden Administration’s commitment to making energy cheaper, cleaner, and more reliable.”

DOE’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) will fund up to 15 research projects that will establish or strengthen existing research partnerships with energy sector utilities, vendors, universities, national laboratories, and service providers working toward resilient energy delivery systems. The effort will lead to the creation of next-generation tools and technologies designed to reduce cyber incident disruption to energy delivery. Researchers will aim to develop tools and technologies that enable energy systems to autonomously recognize a cyber attack, attempt to prevent it, and automatically isolate and eradicate it with no disruption to energy delivery.

There are six proposed topic areas for the projects, which include:

- Automated Cyber Attack Prevention and Mitigation: This topic area will focus on tools and technologies that enable energy systems to autonomously recognize and prevent cyber attacks from disrupting energy.
- Security and Resiliency by Design: This topic area will focus on tools and technologies that build cybersecurity and resilience features into technologies through a cybersecurity-by-design approach.
- Authentication Mechanisms for Energy Delivery Systems: This topic area will focus on tools and technologies that strengthen energy sector authentication.
- Automated Methods to Discover and Mitigate Vulnerabilities: This topic area will focus on tools and technologies that address vulnerabilities in energy delivery control system applications.
- Cybersecurity through Advanced Software Solutions: This topic area will focus on developing software tools and technologies that can be tested in a holistic testing environment that includes a development feedback cycle.
- Integration of New Concepts and Technologies with Existing Infrastructure: This topic area will require applicants to partner with energy asset owners and operators to validate and demonstrate cutting-edge cybersecurity technology that can be retrofitted into existing infrastructure.

[source: HS Today]

Revised Regulation for Trans-European Energy Infrastructure

The Union’s energy infrastructure should be upgraded in order to prevent technical failure and to increase its resilience against such failure, natural or man-made disasters, adverse effects of climate change and threats to its security.

The Union’s energy infrastructure should be resilient to the unavoidable impacts that climate change is expected to create in Europe in spite of the mitigation efforts. Hence, strengthening the efforts on climate adaptation and mitigation, resilience building, disaster prevention and preparedness is crucial.

The development of trans-European energy infrastructure should take into account, where technically possible and most efficient, the possibility of repurposing existing infrastructure and equipment.

The nine priority corridors cover different geographic regions in the field of electricity, gas and oil infrastructure. EU support for development in these corridors will connect regions currently isolated from European energy markets, strengthen existing cross-border interconnections, and help integrate renewable energy.

The EU Strategy for Energy System Integration also underlined the need for integrated energy infrastructure planning across energy carriers, infrastructures, and consumption sectors. Such system integration starts from applying the “energy efficiency first” principle and taking a holistic approach in policy and beyond individual sectors.

Political agreement on new rules to enhance the resilience of critical entities

As a key part of the EU's work to build a Security Union, the new rules will strengthen the resilience of critical infrastructure to a range of threats, including natural hazards, terrorist attacks, insider threats, or sabotage, as well as public health emergencies like the recent COVID-19 pandemic.

Against an ever more complex risk landscape, the new Directive replaces the European Critical Infrastructure Directive of 2008. A wider sectoral scope will allow Member States and critical entities to better address interdependencies and potential cascading effects of an incident. Eleven sectors will be covered: energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, public administration, space, and food.

Vice-President for Promoting our European Way of Life, Margaritis Schinas, said: “It is essential to shield our economy and our society against physical threats that could disrupt services that are vital for people's daily lives and for the functioning of our internal market. With today's agreement, we are delivering on our commitment to enhance the resilience of critical infrastructure in the EU, complementing the recently strengthened cybersecurity legislation. Together, these new rules form a coherent and robust system to protect our infrastructure online and off”.

Commissioner for Home Affairs, Ylva Johansson, said: “In the light of the current geopolitical situation in Europe, enhancing our resilience is of key importance. The CER Directive will make us better prepared against disruptions that impact the security of our citizens and the prosperity of the internal market, following the lessons learnt from the pandemic and long-term challenges like climate change. The new Directive will ensure the provision of essential services such as energy, transport, water and healthcare while minimising the impact of natural and man-made incidents”.

The proposal introduces new rules to strengthen the resilience of critical entities:

- Member States will need to adopt a national strategy and carry out regular risk assessments to identify entities that are considered critical or vital for the society and the economy.
- Critical entities will need to carry out risk assessments of their own, take technical and organisational measures to enhance their resilience and notify incidents. They will also be able to request background checks on personnel holding sensitive roles.
- Critical entities in the EU, from the sectors covered, providing essential services in six Member States or more, will benefit from extra advice on how best to meet their obligations to assess risks and take resilience-enhancing measures.
- A Critical Entities Resilience Group will facilitate cooperation among Member States and the exchange of information and good practices.
- An enforcement mechanism will help ensure that the rules are followed: Member States will need to ensure that national authorities have the powers and means to conduct on-site inspections of critical entities. Member States will also introduce penalties in case of non-compliance.
- Member States will need to provide support to critical entities in enhancing their resilience with, for instance, guidance material. The Commission will provide complementary support to Member States and critical entities, by developing a Union-level overview of cross-border and cross-sectoral risks, best practices, methodologies, cross-border training activities and exercises to test the resilience of critical entities, among others.

Next steps

The political agreement reached by the European Parliament and the Council is now subject to formal approval by the co-legislators. Once published in the Official Journal, the Directive will enter into force 20 days after publication. Member States will then need to transpose the elements of the Directive into national law within 21 months.
