|
|
EUROPEAN COMMISSION DIRECTORATE-GENERAL JUSTICE, FREEDOM AND SECURITY
Directorate D : Internal security and criminal justice Unit D1 : Fight against terrorism, trafficking and exploitation of human beings, and law enforcement cooperation
|
Brussels, 03/14/2006
JLS/D1/PR/vdb D(2006) 4675
Report
Results of the EPCIP Green Paper consultation
Responses of the Member States
Twenty-two Member States provided official responses to the EPCIP Green Paper consultation process by the end of February 2006. Official responses were not received from: EL, IT and MT.
The Member States welcomed the Commission's initiative and work on the development of the European Programme for Critical Infrastructure Protection. The national responses to the EPCIP Green Paper supported the fundamental approach of addressing the issue of critical infrastructure protection (CIP) from a European perspective and of developing a European Programme for Critical Infrastructure Protection (EPCIP). The need for increasing the critical infrastructure protection capability in Europe and helping reduce vulnerabilities concerning critical infrastructures was acknowledged. The importance of the principle of subsidiarity was repeatedly stressed in the responses of the Member States.
A number of Member States mentioned that the EPCIP Green Paper was a useful instrument in terms of aiding the launch of national discussions concerning critical infrastructure protection. In this respect, the importance of the EPCIP Green Paper as an awareness raising tool was acknowledged.
Goal of EPCIP (question 3.1)
The EPCIP Green Paper stated that “the goal of EPCIP would be to ensure that there are adequate and equal levels of protective security on critical infrastructure, minimal single points of failure and rapid, tested recovery arrangements throughout the Unionâ€. Ten Member States (AT, BE, CZ, DK, FR, LU, NL, PT, SE, UK) felt that this goal was incorrectly formulated as it is the responsibility of each Member State, and not of a European programme, to guarantee the security of critical infrastructures. Nine (CY, DE, ES, FI, LT, LV, PL, SI, SK) Member States found this goal appropriate. Three Member States (EE, HU, IE) did not offer a specific opinion on this issue.
Several Member States made reference to the different legal traditions and organizational systems present in each Member State and underlined that EPCIP should take into account these differences.
In general, most Member States felt that EPCIP’s broad goal should be to raise CIP capability in Europe. EPCIP should support and facilitate work on CIP and should, in particular, provide the tools necessary to improve the protection of critical infrastructures.
It was highlighted, that the attainment of equal and adequate levels of security across the entire EU and at all times would be an impossible task and should therefore not be the goal of EPCIP. Moreover, the level of protection of particular critical infrastructures cannot be equal as they should depend on the level of risk involved and on the effect the destruction of a critical infrastructure would have.  The goal of EPCIP should be more to bring together the expertise and provide the necessary framework to allow the Member States to improve their capacities to protect critical infrastructures.
It was acknowledged however, that the creation of certain harmonized minimum levels of protection may be needed in certain sectors, which could otherwise be prone to a distortion of competition. The Member States supported the idea that EPCIP should be concerned with the potential negative effects of CIP measures on the competitiveness of particular industries. A number of Member States were of the opinion however that EPCIP’s impact on European competitiveness should not be a goal in itself, but rather a principle.
|
|
AT |
BE |
CY |
CZ |
DE |
DK |
EE |
EL |
ES |
FI |
FR |
HU |
IE |
IT |
LT |
LU |
LV |
|
Is this an appropriate goal for EPCIP? |
- |
- |
+ |
- |
+ |
- |
? |
x |
+ |
+ |
- |
? |
? |
x |
+ |
- |
+ |
|
|
MT |
NL |
PL |
PT |
SI |
SK |
SE |
UK |
Total |
|
Is this an appropriate goal for EPCIP? |
x |
- |
+ |
- |
+ |
+ |
- |
- |
+ (9) - (10) ? (3) |
Scope of EPCIP (question 3.2)
The EPCIP Green Paper posed the question whether EPCIP should be based on an all hazards approach, an all-hazards approach with a terrorism priority or a terrorism hazards approach. A vast majority of Member States (twenty) expressed their support for the adoption of an all-hazards approach for EPCIP. Out of these Member States fifteen recognized that terrorism should be the priority (with two Member States emphasizing that the Council in its conclusions concerning critical infrastructure protection adopted in December 2005, already decided to support the all-hazards approach with a terrorism priority). Two Member States did not offer specific comments on this issue (HU, IE).
A number of Member States also stressed that their support for the all-hazards approach does not mean that critical infrastructures can be protected from all hazards, but rather that, all threats need to be taken into account in the risk management process in order to determine what measures need to be taken and how to mitigate the consequences. Emphasis was made on the need to be able to prioritize certain threats.
Several Member States mentioned that EPCIP must make clear how other types of threat, beside terrorism, can be included in the Programme.
|
|
AT |
BE |
CY |
CZ |
DE |
DK |
EE |
EL |
ES |
FI |
FR |
HU |
IE |
IT |
LT |
LU |
LV |
|
Option A |
|
+ |
|
+ |
|
|
|
x |
|
+ |
|
? |
? |
x |
|
|
+ |
|
Option B |
+ |
|
+ |
|
+ |
+ |
+ |
x |
+ |
|
+ |
? |
? |
x |
+ |
+ |
|
|
Option C |
|
|
|
|
|
|
|
x |
|
|
|
? |
? |
x |
|
|
|
|
|
MT |
NL |
PL |
PT |
SI |
SK |
SE |
UK |
Total |
|
Option A |
x |
|
|
|
|
|
+ |
|
a (5) b (15) c (0) ? (2) |
|
Option B |
x |
+ |
+ |
+ |
+ |
+ |
|
+ |
|
|
Option C |
x |
|
|
|
|
|
|
|
|
Option A |
 an all hazards approach |
|
Option B |
 an all hazards approach with a terrorism priority |
|
Option C |
 a terrorism hazards approach |
Key principles (question 4)
The EPCIP Green Paper listed five key principles: subsidiarity, complementarity, confidentiality, stakeholder cooperation and proportionality.
Nineteen Member States (all responses except EE, HU, IE) generally supported the five key principles identified in the EPCIP Green Paper although nine of these Member States (AT, BE, CZ, DE, DK, NL, PL, SE, UK) proposed to make slight revisions to the text. Several Member States underlined the importance of the confidentiality principle especially vis-Ã -vis the private sector. Three Member States (EE, HU, IE) did not offer any specific comments on the list of principles.
A number of Member States identified additional key principles, which could also form the basis of EPCIP. These could include:
- Sector-by-sector approach - To assure complementarity to existing measures and respect for the differences between the CI sectors, the development of EPCIP and initiatives under EPCIP should to the largest extent possible be anchored in the relevant CI sectors.
- Industry competitiveness - EPCIP should minimise as much as possible any negative impact that increased security requirements for EU critical infrastructure might have on the competitiveness of a particular industry. However considerations of industry competitiveness must not lead to lowering of CIP standards.
- Added value - Each initiative must contribute to an increased level of protection without making the protective efforts more complex for MS, owners/operators and users. In each case it should be carefully considered how the desired outcome is best achieved, e.g. through structured exchange of lessons-learned, voluntary standards, regulations, etc. Successful CIP requires tailor-made solutions.
- Effectivity
- Solidarity – scarce EU resources would be used in proportion to the needs of various countries.
- Coordination – the European Commission will play a coordinating role in EPCIP
- Responsibility - It is the responsibility of actors within each sector to ensure an adequate level of security. EPCIP will guide and support sectors in exercising this responsibility.
- Interdependencies - The degree and complexity of interdependencies are increasing as the EU becomes more dependent on shared information technology systems and communication technologies, transportation systems, electricity networks etc. The Commission, the Member States and the owners/operators of critical infrastructures need to work together to identify these interdependencies and apply appropriate strategies to reduce risk where possible.
- Risk-based methodology - Identification of European critical infrastructure must be through a risk-based methodology which will assess EU critical infrastructure based on impact of disruption. We understand that, as part of PASR, work is being undertaken on this by the VITA consortium. This needs to be aligned to EPCIP.
- Sectoral differences - Different approaches may be justified across the various sectors of ECI.
- Industry competitiveness - EPCIP should minimise as much as possible any negative impact that increased security requirements for European critical infrastructure might have on the competitiveness of a particular industry. In calculating the proportionality of the cost, one must not lose sight of the need to maintain stability of markets that is crucial for long-term investment, the influence security has on the evolution of stock markets and on the macro-economic dimension.
- Bottom-up approach – the support of owners and primary users of critical infrastructure must be obtained for the development of EPCIP.
|
|
AT |
BE |
CY |
CZ |
DE |
DK |
EE |
EL |
ES |
FI |
FR |
HU |
IE |
IT |
LT |
LU |
LV |
|
Are the key principles acceptable |
+? |
+? |
+ |
+? |
+? |
+? |
? |
x |
+ |
+ |
+ |
? |
? |
x |
+ |
+ |
+ |
|
Should protection levels be proportional to the risk involved |
+ |
? |
+ |
+ |
? |
+ |
? |
x |
+ |
+ |
+ |
? |
? |
x |
+ |
+ |
+ |
|
|
MT |
NL |
PL |
PT |
SI |
SK |
SE |
UK |
Total |
|
Are the key principles acceptable |
x |
+? |
+? |
+ |
+ |
+ |
+? |
+? |
+ (10) +? (9) ? (3) |
|
Should protection levels be proportional to the risk involved |
x |
+ |
+ |
+ |
+ |
+ |
? |
+ |
+ (16) ? (6) |
Common EPCIP framework (question 5)
The EPCIP Green Paper raised several issues concerning the need and format of a potential EPCIP framework in the EU.
Would a common framework be effective in strengthening CIP?
Fifteen Member States clearly stated that a common framework would be effective in strengthening CIP (AT, BE, CY, ES, FI, FR, LT, LU, LV, NL, PL, PT, SI, SK, SE). A further five Member States (CZ, DE, DK, EE, UK) presented a more cautious approach to the idea of a common EPCIP framework, underlining especially the need for further clarification concerning content and for a step-by-step approach. Two Member States (HU, IE) did not offer clear views on this issue.
A strong emphasis was put on the key role of the Member States in the protection of critical infrastructure and that the subsidiarity principle must be observed at all times. Several Member States underlined that this role cannot be limited by the common framework. No Member State expressed disagreement with the need for a common framework. Four Member States underlined however, that the creation of a common framework will only be possible following the definition of what is European Critical Infrastructure. One Member State was of the opinion that the EPCIP framework should be called a “joint approach†rather than a “common frameworkâ€. One Member State was of the opinion that the proposed broad scope of EPCIP would make it very difficult to create any common framework, which would be effective across such a vast range of activity.
|
|
AT |
BE |
CY |
CZ |
DE |
DK |
EE |
EL |
ES |
FI |
FR |
HU |
IE |
IT |
LT |
LU |
LV |
|
Would a common framework strengthen CIP |
+ |
+ |
+ |
+/- |
+/- |
+/- |
+/- |
x |
+ |
+ |
+ |
? |
? |
x |
+ |
+ |
+ |
|
|
MT |
NL |
PL |
PT |
SI |
SK |
SE |
UK |
Total |
|
Are the key principles acceptable |
x |
+ |
+ |
+ |
+ |
+ |
+ |
+/- |
+ (15) +/- (5) ? (2) |
If a legislative framework is required, what elements should it contain?
The Member States were divided concerning the need for the development of the EPCIP framework in the form of a legislative package. Seven Member States (CY, ES, LT, LU, LV, PT, SK) expressed their support for some sort of legislative approach, seven were against (DE, DK, FI, FR, NL, SE, UK) and eight did not offer a clear opinion. Among those Member States which felt that a legislative framework was not needed at this time one (FR) nevertheless supported the idea of adopting a framework decision concerning EPCIP. The idea of having a legislative framework in the future was not expressly ruled out.Â
A number of Member States seemed to be of the opinion that there is no need for a legislative package at this point, as there will be no new redistribution of competences concerning the protection of critical infrastructure. CIP would remain the responsibility of the Member States so there would be no need for EU level legislation on the subject.
A majority of Member States were of the opinion that at least in the early stages of development of EPCIP, a legislative framework would not be required. One Member State expressed the view that a general legislative framework would not be needed, but that sector-specific solutions could be envisaged.
A number of Member States saw the potential for added value of basing EPCIP on a framework decision, rather than on stronger legislative instruments. Such a framework decision could contain the basic ideas behind EPCIP including the objectives, principles, strategies, structures, plans and evaluation methods.
Regardless of the approach used, some Member States attempted to define the potential contents of a common EPCIP framework. The possible contents of such a framework could include:
- Common CIP principles;
- Common CIP definitions, on the basis of which sector specific definitions could be agreed;
- Commonly agreed codes/standards, with due regard to the different needs of the sectors, and the need to ensure proportionality
- CI criteria, that can then be adapted to fit each sector;
- List of CI sectors;
- A description of responsibilities of EPCIP compared with national public bodies and EU sectoral bodies.
- CIP priority areas;
- CIP related methodologies
|
|
AT |
BE |
CY |
CZ |
DE |
DK |
EE |
EL |
ES |
FI |
FR |
HU |
IE |
IT |
LT |
LU |
LV |
|
Some sort of legislative framework? |
? |
? |
+ |
? |
- |
- |
? |
x |
+ |
- |
- |
? |
? |
x |
+ |
+ |
+ |
|
|
MT |
NL |
PL |
PT |
SI |
SK |
SE |
UK |
Total |
|
Some sort of legislative framework? |
x |
- |
? |
+ |
? |
+ |
- |
- |
+ (7) - (7) ? (8) |
To what extent should such a common framework be obligatory and to what extent voluntary?
The Member States were divided concerning the issue of whether EPCIP should be of a voluntary or obligatory nature. Seven Member States (CY, CZ, ES, LT, LU, PL, PT) were of the opinion that parts of the common framework could be obligatory. Views varied however concerning exactly which parts of the framework could be obligatory (some Member States underlined that those parts referring to ECI, others that those parts having a strategic importance). A further two Member States (AT, NL) were of the opinion that the framework could be voluntary at first and become obligatory once it is tested and well established. Five Member States (BE, DK, EE, SE, UK) supported a voluntary approach for the common framework. Eight Member States did not present clear views on this issue.
|
|
AT |
BE |
CY |
CZ |
DE |
DK |
EE |
EL |
ES |
FI |
FR |
HU |
IE |
IT |
LT |
LU |
LV |
|
Obligatory vs voluntary? |
-/+ |
- |
+/- |
+/- |
? |
- |
- |
x |
+/- |
? |
? |
? |
? |
x |
+/- |
+/- |
? |
|
|
MT |
NL |
PL |
PT |
SI |
SK |
SE |
UK |
Total |
|
Obligatory vs voluntary? |
x |
-/+ |
+/- |
+/- |
? |
? |
- |
- |
-/+ (2) - (5) +/- (7) ? (8) |
|
KEY |
|
|
-/+ |
1st voluntary, then obligatory |
|
- |
voluntary |
|
+/- |
parts obligatory |
Would a common framework be helpful in clarifying the responsibilities of the stakeholders concerned?
A vast majority of the responses received were positive or neutral concerning the usefulness of the common framework in clarifying the responsibilities of the stakeholders concerned. One Member State (UK) underlined however that EPCIP could not define the responsibilities of all stakeholders involved in the CIP process, and especially not in relation to NCI.
What should be the scope of the common framework?
A majority of Member States did not present clear views on this issue. At least two Member States (DK, NL) expressed the view that the framework should only deal with ECI. One Member State (ES) explicitly stated that the common framework should encompass all types of CI.
Do you agree that the criteria for identifying different types of ECI, and the protection measures considered necessary, should be identified sector-by-sector?
Fifteen Member States (AT, BE, CZ, DK, ES, FI, FR, LT, LU, LV, NL, PL, PT, SK, UK) agreed that the criteria for identifying different types of ECI, and the protection measures considered necessary, should be identified sector-by-sector. Seven Member States did not present a clear view on this issue.
|
|
AT |
BE |
CY |
CZ |
DE |
DK |
EE |
EL |
ES |
FI |
FR |
HU |
IE |
IT |
LT |
LU |
LV |
|
Sector-by sector? |
+ |
+ |
? |
+ |
? |
+ |
? |
x |
+ |
+ |
+ |
? |
? |
x |
+ |
+ |
+ |
|
|
MT |
NL |
PL |
PT |
SI |
SK |
SE |
UK |
Total |
|
Sector-by sector? |
x |
+ |
+ |
+ |
? |
+ |
? |
+ |
+ (15) ? (7) |
Do you agree with the list of indicative terms and definitions in annex I on the basis of which, sector specific definitions (where relevant) can be created? Do you agree with the list of indicative CI sectors in annex II?
In relation to the indicative list of CIP sectors, a majority of Member States considered the indicative list as a good basis for discussion. Nevertheless, a number of detailed amendments were proposed. At least one Member State (UK) explicitly stated that the armed forces, although correctly identified as part of the national critical infrastructure, will not fall under the EPCIP framework. At least two Member States (NL, UK) found that the “research and space†sector should not be included in the indicative list.
A number of Member States (AT, DE) found the indicative list too detailed and expressed their preference for a more general list of sectors.
The indicative list of terms and definitions was generally seen as a good basis for discussion, although some Member States underlined the need to have these terms and definitions elaborated by experts. Three Member States (CZ, DE, PT) disagreed with the list of definitions.
Definition of EU critical infrastructure (question 6.1)
The Member States were divided concerning the question whether ECI should be infrastructure that has a potentially serious cross-border impact on two or more, or three or more Member States. Nine Member States (AT, CY, ES, FI, LT, LU, LV, PT, SK) expressed their support for the 2+ approach and another nine (BE, CZ, DK, EE, IE, NL, SI, SE, UK) for the 3+ approach. Three Member States did not offer an opinion on this subject. One Member State (DE) completely rejected the idea of classifying infrastructures as ECI and NCI, underlining that regardless of any such classifications, the Member State on whose territory the infrastructure is located will be responsible and interested in its protection.
A number of Member States underlined that the definition of ECI should not only be based on the number of Member States affected. Other issues should also be taken into account (e.g. “criticalityâ€). At least two Member State emphasized the need for flexibility and underlined that the establishment of criteria which are too strict may not be desirable and may be counterproductive (a number of infrastructures may be critical for Europe but may not fall into the strict criteria outlined by the 2+ or 3+ criteria).
A number of Member States emphasized the role of bilateral agreements in the protection of critical infrastructure and stressed that these cooperation mechanisms should not be circumvented or duplicated by EPCIP.
One Member State (PT) underlined the importance of the principle of co-existence under which a single Member State possessing vulnerable infrastructures whose destruction or disruption can have serious consequences in another Member State should consider that infrastructure as ECI under a common framework in the interest of protecting the common interest.
|
|
AT |
BE |
CY |
CZ |
DE |
DK |
EE |
EL |
ES |
FI |
FR |
HU |
IE |
IT |
LT |
LU |
LV |
|
Definition of ECI |
2+ |
3+ |
2+ |
3+ |
-? |
3+ |
3+ |
x |
2+ |
2+ |
? |
? |
3+ |
x |
2+ |
2+ |
2+ |
|
|
MT |
NL |
PL |
PT |
SI |
SK |
SE |
UK |
Total |
|
Definition of ECI |
x |
3+ |
? |
2+ |
3+ |
2+ |
3+ |
3+ |
2+ (9) 3+ (9) ? (3) -? (1) |
|
KEY |
|
|
2+ |
CI involving 2 or more MS |
|
3+ |
CI involving 3 or more MS |
|
-? |
Rejection of classifying CI as ECI and NCI |
|
? |
No clear opinion |
Interdependencies (question 6.2)
Most Member States underlined the importance of identifying interdependencies, but there were considerable differences of opinions concerning how exactly this can be done. One Member State (DE) underlined that the identification of interdependencies is a laborious task and yields little benefit (consequently EPCIP should consider interdependencies only briefly, if at all).
Ten Member States (CZ, DE, ES, FI, FR, LV, NL, PL, PT, SI) highlighted the need to analyze interdependencies both at the Member State and EU level (often specifying that this must first be done at national level and later at EU level). Two further Member State (BE, SE) explicitly stated that interdependencies must be analyzed at all levels. Six Member States (CY, DK, LT, LU, SK, UK) identified the EU level as the most appropriate for the analysis of interdependencies with two MS (DK, UK) specifying that this would be done only in relation to ECI. A single (AT) Member State declared that interdependencies should only be identified at MS level, but that common principles and methods could be developed to help this process. Three Member States (EE, HU, IE) did not offer a clear position on this issue.
Several Member States underlined that interdependencies should be taken into account in EPCIP through existing and future research both at Member State and EU level. A number of specific methodologies were suggested.
|
|
AT |
BE |
CY |
CZ |
DE |
DK |
EE |
EL |
ES |
FI |
FR |
HU |
IE |
IT |
LT |
LU |
LV |
|
At what level should interdependencies be identified? |
MS |
All |
EU |
MS + EU |
MS + EU |
EU for ECI |
? |
x |
MS + EU |
MS + EU |
MS + EU |
? |
? |
x |
EU |
EU |
MS + EU |
|
|
MT |
NL |
PL |
PT |
SI |
SK |
SE |
UK |
Total |
|
At what level should interdependencies be identified? |
x |
MS + EU |
MS + EU |
MS + EU |
MS + EU |
EU |
All |
EU for ECI |
MS + EU (10) All (2) EU for ECI (6) MS (1) ? (3) |
Implementing steps for ECI (question 6.3)
The Member States were divided concerning the usefulness of the implementing steps proposed in the Green Paper. Thirteen Member States (BE, CY, DK, ES, FI, LT, LU, LV, NL, PL, PT, SI, SK) found the proposed steps acceptable although a number of modifications were proposed. Three Member States (CZ, EE, UK) were of the opinion that it is currently too early to develop such steps when the principles and definitions have not yet been agreed. Three Member States (DE, FR, SE) disagreed with the proposed steps. Three Member States did not present a clear opinion on this subject (AT, HU, IE).
Two Member States (FR, LU) highlighted in their responses the need for a risk analysis process before any further implementing steps.
|
|
AT |
BE |
CY |
CZ |
DE |
DK |
EE |
EL |
ES |
FI |
FR |
HU |
IE |
IT |
LT |
LU |
LV |
|
Is the list of implementing steps acceptable? |
? |
+/- |
+ |
-/+ |
- |
+ |
-/+ |
x |
+ |
+ |
- |
? |
? |
x |
+ |
+ |
+ |
|
|
MT |
NL |
PL |
PT |
SI |
SK |
SE |
UK |
Total |
|
Is the list of implementing steps acceptable? |
x |
+ |
+ |
+/- |
+ |
+ |
- |
-/+ |
+ (11) +/- (2) - (3) -/+ (3) ? (3) |
|
KEY |
|
|
-/+ |
It is to early to decide on the implementing steps |
|
- |
The list is unacceptable |
|
+ |
The list is acceptable |
|
+/- |
The list is acceptable but certain modifications are proposed |
The role of the Commission was generally seen as that of a facilitator. In the eyes of the Member States, the Commission should actively contribute to the ECI designation process. Â Among the tools which could be used by the Commission is facilitating the exchange of best practices, providing experts, funding the necessary research work and participating in relevant meetings. The Commission could be seen, according to one response, as a driving force of the process.
In reference to the question on the legal status of the designation of ECI, six Member States (FI, FR, LT, PL, PT, SK) were of the opinion that a legal decision is needed in order to designate ECI, three were against (DK, NL, UK) and the rest did not provide a clear view.
|
|
AT |
BE |
CY |
CZ |
DE |
DK |
EE |
EL |
ES |
FI |
FR |
HU |
IE |
IT |
LT |
LU |
LV |
|
Should the designation of ECI be a legal decision |
? |
? |
? |
? |
? |
- |
? |
x |
? |
+ |
+ |
? |
? |
x |
+ |
? |
? |
|
|
MT |
NL |
PL |
PT |
SI |
SK |
SE |
UK |
Total |
|
Should the designation of ECI be a legal decision |
x |
- |
+ |
+ |
? |
+ |
? |
- |
+ (6) - (3) ? (13) |
In reference to the possibility of designating infrastructures as ECI by one Member State in other Member States, most Member States found the idea useful, but further work would be needed on the development of the details. A number of Member States were of the opinion that this process should involve deepened discussions. A majority of Member States underlined however, that whatever the procedure, the Member State on whose territory the infrastructure is located, must agree to the designation. Several Member States were of the opinion, that if EPCIP is prepared and implemented correctly, situations in which there would be disagreement among Member States concerning the designation of certain infrastructures as ECI would be very infrequent. A number of Member States mentioned that a dedicated arbitration mechanism may be required and that the Commission should play an active role in the arbitration mechanism at EU level.
The NCI role in EPCIP (question 7.1)
The EPCIP Green Paper raised the issue of what should be the relationship between EPCIP and National Critical Infrastructure. Twelve Member States seemed to be of the opinion that EPCIP should address all types of critical infrastructures, although Member States varied as to the exact extent to which this should happen. Out of these twelve Member States, at least two Member States underlined that EPCIP could deal with NCI but only by promoting the exchange of best practices and the building of generic knowledge. Four Member States (BE, DK, PT, UK) were against having EPCIP address NCI. Five Member States did not offer a clear opinion, while one Member State completely rejected the notion of classifying infrastructures as ECI and NCI.
Several Member States underlined that EPCIP would have to deal to a certain degree with NCI as it would be infrastructures already designated by a Member State as National Critical Infrastructures which would additionally be designated as European Critical Infrastructures. Consequently, EPCIP would also have to apply to certain National Critical Infrastructures.
In terms of the concrete options identified in the EPCIP Green Paper, eleven Member States (BE, CZ, EE, FI, FR, LT, LU, LV, PT, SK, SE) were of the opinion that the best relationship between EPCIP and NCI would be to allow the use of parts of EPCIP at their own volition in relation to NCI, but that they would be under no obligation to do so. Three Member States (DK, NL, UK) specifically stated the NCI should be outside the scope of EPCIP. One Member State (CY) found that NCI should be fully integrated. One Member State (DE) repeated its objection to classifying critical infrastructure as ECI and NCI. Six Member States did not offer a clear view on this issue.
|
|
AT |
BE |
CY |
CZ |
DE |
DK |
EE |
EL |
ES |
FI |
FR |
HU |
IE |
IT |
LT |
LU |
LV |
|
What should be the relationship between EPCIP and NCI? |
? |
c |
a |
c |
-? |
b |
c |
x |
? |
c |
c |
? |
? |
x |
c |
c |
c |
|
|
MT |
NL |
PL |
PT |
SI |
SK |
SE |
UK |
Total |
|
What should be the relationship between EPCIP and NCI? |
x |
b |
? |
c |
? |
c |
c |
b |
a (1) b (3) c (11) ? (6) -? (1) |
|
KEY |
|
|
a |
NCI is fully integrated within EPCIP |
|
b |
NCI is outside the scope of EPCIP |
|
c |
MS may use parts of EPCIP at their own volition in relation to NCI, but are under no obligation to do so |
|
-? |
Rejection of classifying CI as ECI and NCI |
National CIP programmes (question 7.2)
The EPCIP Green Paper proposed that each Member State develop a National CIP Programme for its NCI based on the common EPCIP framework. A clear majority of Member States (sixteen) saw added value in having each Member State develop some sort of National CIP Programme. Three Member States (DE, DK, UK) rejected this approach. Three Member States (EE, HU, IE) did not have an opinion on this issue.
In the group of sixteen Member States who saw a need for National CIP Programmes, opinions were very much varied as to the relationship with EPCIP. Eleven Member States seemed to support the idea of basing National CIP Programmes on EPCIP (AT, CY, ES, FI, FR, LT, LU, LV, PL, SI, SK). Three Member States (BE, NL, SE) were of the opinion that the National CIP Programmes could be inspired by EPCIP (BE), that EPCIP could be complementary to the National CIP Programmes (NL) or that EPCIP could be a tool to support national efforts (SE). Two Member States saw the need for National CIP Programmes, but underlined that it would be up to the Member State in question to decide on its relationship to EPCIP (CZ, PT).
|
|
AT |
BE |
CY |
CZ |
DE |
DK |
EE |
EL |
ES |
FI |
FR |
HU |
IE |
IT |
LT |
LU |
LV |
|
Should each Member State develop a National CIP Programme based on EPCIP? |
+ |
+/- |
+ |
+/- |
- |
- |
? |
x |
+ |
+ |
+ |
? |
? |
x |
+ |
+ |
+ |
|
|
MT |
NL |
PL |
PT |
SI |
SK |
SE |
UK |
Total |
|
Should each Member State develop a National CIP Programme based on EPCIP? |
x |
+/- |
+ |
+/- |
+ |
+ |
+/- |
- |
+ (11) +/- (5) - (3) ? (3) |
|
KEY |
|
|
+ |
National CIP Programmes should be based on EPCIP |
|
- |
National CIP Programmes should not be based on EPCIP |
|
+/- |
National CIP Programmes may be based on EPCIP if the MS so decide. |
Single overseeing body (question 7.3)
All Member States agreed that it is the responsibility of each Member States to designate and manage CI under its jurisdiction. At least seven Member States (DE, DK, LU, NL, PT, SE, UK) rejected the notion of linking this competence to the common EPCIP framework.
The EPCIP Green Paper asked the Member States to comment on the idea of creating a single body in each Member State responsible for CIP measures. Nineteen Member States saw added value in the creation of either a single overseeing body or a single contact point for CIP matters although at least two out of these stipulated that such an obligation should not be part of the EPCIP framework. Three Member States (EE, HU, IE) did not present a clear view on this issue.
Out of the nineteen Member States who commented on the issue:
- Thirteen (AT, CY, CZ, ES, FI, FR, LT, LU, LV, PL, PT, SI, SK) were in favour of creating a single overseeing/coordination body in each Member State . Several Member States indicated that such bodies have already been set up. Out of the thirteen Member States in favour of having a single overseeing/coordination body, eleven found the possible competences specified in the Green Paper as adequate. Two Member States found these competences inadequate or emphasised that the specific competences should be left to the Member State to decide.
- The remaining six Member States (BE, DE, DK, NL, SE, UK) were in favour of having a single contact point for CIP matters. These Member States were of the opinion that each Member State should organize itself and that therefore there is no need to develop a list of competences. One Member State (SE) mentioned that it would be prepared to discuss the specific competences as part of a process of exchanging best practices.
|
|
AT |
BE |
CY |
CZ |
DE |
DK |
EE |
EL |
ES |
FI |
FR |
HU |
IE |
IT |
LT |
LU |
LV |
|
Should each MS have a single coordination body or contact point? |
a |
b |
a |
a |
b |
b |
? |
x |
a |
a |
a |
? |
? |
x |
a |
a |
a |
|
|
MT |
NL |
PL |
PT |
SI |
SK |
SE |
UK |
Total |
|
Should each MS have a single coordination body or contact point? |
x |
b |
a |
a |
a |
a |
b |
b |
a (13) b (6) ? (3) |
|
KEY |
|
|
a |
Single coordination body |
|
b |
Contact point |
Implementing steps for NCI (question 7.4)
The Member States were generally supportive (14 Member States) of the list of implementing steps concerning National Critical Infrastructure proposed in the Green Paper. Out of these fourteen Member States:
· Eight found the list of steps appropriate (AT, CY, ES, FI, LT, PL, SI, SK)
· Four saw the list as a good basis for discussion (CZ, FR, LU, PT)
· Two considered the list as guidelines for what Member States could do (BE, LV).
Four Member States (DK, NL, SE, UK) explicitly stated that the list of implementing steps for NCI should not be part of the EPCIP framework as NCI should fall outside of the scope of the Programme. Two of these Member States nevertheless declared that they would be ready to discuss a list of implementing steps for the protection of NCI as part of the exchange of best practices.
One Member State (DE) repeated its objection to the idea of classifying infrastructures as ECI and NCI. Three Member States did not offer specific comments on the issue.
|
|
AT |
BE |
CY |
CZ |
DE |
DK |
EE |
EL |
ES |
FI |
FR |
HU |
IE |
IT |
LT |
LU |
LV |
|
Is the list of implementing steps for NCI appropriate? |
+ |
+/? |
+ |
+/- |
-/? |
n.a. |
? |
x |
+ |
+ |
+/- |
? |
? |
x |
+ |
+/- |
+/? |
|
|
MT |
NL |
PL |
PT |
SI |
SK |
SE |
UK |
Total |
|
Is the list of implementing steps for NCI appropriate? |
x |
n.a. |
+ |
+/- |
+ |
+ |
n.a. |
n.a. |
+ (8) +/- (4) +/? (2) -/? (1) n.a. (4) ? (3) |
|
KEY |
|
|
+ |
Indicative list is appropriate |
|
+/- |
Indicative list forms a good basis for discussions and should be modified |
|
+/? |
Indicative list can serve as an indication (guidelines) for MS |
|
-/? |
Rejection of classifying CI as ECI and NCI |
|
n.a. |
NCI is outside the scope of EPCIP so the implementing steps are not needed |
Responsibilities of CI owners, operators and users (question 8.1)
In general, a majority of Member States (at least fourteen – BE, CY, CZ, DK, ES, FI, FR, LT, LU, LV, PL, PT, SI, SK) found the list of potential responsibilities for CI owners/operators as acceptable. At least two of these Member States (BE, DK) underlined however, that this was only the case in relation to ECI. One Member State (SE) was of the opinion that this issue falls outside of EPCIP. Seven Member States (AT, DE, EE, HU, IE, NL, UK) did not present a clear opinion on this issue.
|
|
AT |
BE |
CY |
CZ |
DE |
DK |
EE |
EL |
ES |
FI |
FR |
HU |
IE |
IT |
LT |
LU |
LV |
|
Are the responsibilities for CI owners/operators acceptable? |
? |
+ ECI |
+ |
+ |
? |
+ ECI |
? |
x |
+ |
+ |
+ |
? |
? |
x |
+ |
+ |
+ |
                      Â
|
|
MT |
NL |
PL |
PT |
SI |
SK |
SE |
UK |
Total |
|
Are the responsibilities for CI owners/operators acceptable? |
x |
? |
+ |
+ |
+ |
+ |
- |
? |
+ (14) - (1) ? (7) |
A number of Member States emphasised the need to separate the rights/obligations of ECI and NCI, with NCI often falling outside the scope of EPCIP.
None of the Member States offered any concrete figures concerning the likely costs for CI owners/operators.
On the issue of having CI owners/operators notify the fact that their infrastructure may be of a critical nature, twelve Member States (AT, BE, CZ, ES, FI, FR, LT, LU, LV, PL, PT, SK) found the concept useful. Two (AT, LU) of these Member States specifically underlined however, that CI owners/operators should be encouraged to notify the relevant authorities rather than be obliged to do so (a voluntary approach was preferred by these Member States). Three Member States (DK, NL, SE) were of the opinion that this issue should be left to the Member States. Two Member States (CY, DE) underlined that the conclusion that a certain infrastructure is critical should emerge from the security analysis conducted by the Member States in conjunction with operators. Five Member States did not present a clear view on this subject.
|
|
AT |
BE |
CY |
CZ |
DE |
DK |
EE |
EL |
ES |
FI |
FR |
HU |
IE |
IT |
LT |
LU |
LV |
|
Should there be a notification obligation? |
+/? |
+ |
-/?
|
+ |
-/? |
- MS |
? |
x |
+ |
+ |
+ |
? |
? |
x |
+ |
+/? |
+ |
                      Â
|
|
MT |
NL |
PL |
PT |
SI |
SK |
SE |
UK |
Total |
|
Should there be a notification obligation? |
x |
- MS |
+ |
+ |
? |
+ |
- MS |
? |
+ (10) +/? (2) - (3) -/? (2) ? (5) |
|
KEY |
|
|
+/? |
Owners/operators should have the possibility to notify |
|
-/? |
No obligation is needed. Information about criticality should emerge from joint analysis between MS and owners/operators. |
|
- MS |
Up to each Member State |
Concerning the concept of Operator Security Plans (OSP), fifteen Member States (BE, CY, CZ, DK, ES, FI, FR, LT, LU, LV, NL, PL, PT, SI, UK) found the idea useful. Out of these:
- Four Member States (CZ, DK, NL, UK) further specified that the OSP concept could be used as a best practice especially for those CI owners/operators who have little experience in dealing with similar issues.
- One (BE) Member State mentioned that the OSP concept could specifically be used for ECI.
Moreover, one Member State (AT) indicated that it has already adopted a different approach to the issue. Six Member States did not offer specific comments on this issue.
|
|
AT |
BE |
CY |
CZ |
DE |
DK |
EE |
EL |
ES |
FI |
FR |
HU |
IE |
IT |
LT |
LU |
LV |
|
Is the OSP concept useful? |
- |
+ ECI |
+ |
+ BP |
? |
+ BP |
? |
x |
+ |
+ |
+ |
? |
? |
x |
+ |
+ |
+ |
                      Â
|
|
MT |
NL |
PL |
PT |
SI |
SK |
SE |
UK |
Total |
|
Is the OSP concept useful? |
x |
+ BP |
+ |
+ |
+ |
? |
? |
+ BP |
+ (10) +/BP (4) +/ECI (1) - (1) ? (6) |
|
KEY |
|
|
+/BP |
OSP concept useful as a best practice |
|
+/ECI |
OSP concept useful for ECI |
In terms of the rights that could be given to CI owners/operators, several Member States presented potential rights which could be given. The following were mentioned:
- CI owners/operators could be informed of hazards that may be of relevance for the enterprise;
- CI owners/operators could have access to best practices and could be offered support by the relevant authorities (including training of security officers);
- EU could offer CI owners/operators some form of financial compensation in return for the implementation of preventive measures;
- CI owners/operators could be given priority to scarce resources during exceptional circumstances and crisis situations (personnel, vehicles, fuel, etc.);
- CI owners/operators could be invited to actively participate in the preparation of estimations of costs;
- CI owners/operators could be invited to actively cooperate on the harmonisation and regulation of certain measures at national level
- CI owners/operators could have an influence on the preparation of training programmes.
Two Member States indicated that this issue should be left to each Member State (DK, NL).
Dialogue with CI owners, operators and users (question 8.2)
The Member States generally agreed on the need to engage in a public-private dialogue concerning CIP. At least eight Member States differentiated between the various levels of discussions mostly by separating national discussions and EU-level discussions (DE, FR, NL, PL, PT, SI, SE, UK). Most Member States were of the opinion that such dialogue should at EU level be done on a sector-by-sector basis. One Member State specifically underlined the role of various Commission services in taking forward the sectoral dialogue at EU level.
In terms of the representation of the CI owners/operators, a majority of Member States felt that at the EU level, CI owners/operators should be represented by the relevant sectoral EU associations.
A number of Member States emphasised the importance of having a voluntary approach to the issue of public-private dialogue. Only through a voluntary partnership, will sufficient levels of trust be built.
The critical infrastructure warning information network (CIWIN) (question 9.1)
The Member States did not have a uniform view concerning the setting up of the CIWIN network. Out of the responses received:
- Nine Member States (AT, CY, ES, FI, LU, PL, PT, SI, SK) supported the setting up of CIWIN as a multi-level communication/alert system composed of two distinct functions: a rapid alert system and an electronic forum for the exchange of CIP ideas and best practices. A number of Member States underlined however the need to take a step-by-step approach to the process of setting up the network.
- Five Member States (DE, DK, EE, NL, SE) favoured limiting CIWIN to a forum for the exchange of CIP ideas and best practices;
- One Member State (LV) felt that CIWIN should be set up as a rapid alert system (RAS) linking MS with the Commission;
- Two Member States (CZ, UK) completely rejected the idea of setting up CIWIN in any shape;
- Five Member States did not offer a clear opinion on this issue.
|
|
AT |
BE |
CY |
CZ |
DE |
DK |
EE |
EL |
ES |
FI |
FR |
HU |
IE |
IT |
LT |
LU |
LV |
|
Which option is best for CIWIN? |
c |
? |
c |
- |
a |
a |
a |
x |
c |
c |
? |
? |
? |
x |
? |
c |
b |
                      Â
|
|
MT |
NL |
PL |
PT |
SI |
SK |
SE |
UK |
Total |
|
Which option is best for CIWIN? |
x |
a |
c |
c |
c |
c |
a |
- |
a (5) b (1) c (9) - (2) ? (5) |
|
KEY |
|
|
a |
CIWIN would a forum for the exchange of best practices |
|
b |
CIWIN would be a rapid alert system |
|
c |
CIWIN would be a multi-level communication system composed of two pillars |
In reference to the issue of connecting CI owners/operators to CIWIN, fourteen Member States favoured linking CI owners/operators to CIWIN. Out these responses, two Member States (DK, NL) underlined their support for connecting CI owners/operators to CIWIN only if CIWIN was limited to a forum for the exchange of best practices. Moreover, a number of Member States (CY, ES, LT) underlined that different access levels should be given to different types of organizations connected to the network. Five Member States (AT, CZ, FR, LV, UK) did not see a need to connect CI owners/operators to CIWIN. Three Member States did not offer comments concerning this issue.
|
|
AT |
BE |
CY |
CZ |
DE |
DK |
EE |
EL |
ES |
FI |
FR |
HU |
IE |
IT |
LT |
LU |
LV |
|
Should owners/operators be connected to CIWIN? |
- |
? |
+/? |
- |
+ |
+ a |
+ |
x |
+/? |
+ |
- |
? |
? |
x |
+/? |
+ |
- |
                      Â
|
|
MT |
NL |
PL |
PT |
SI |
SK |
SE |
UK |
Total |
|
Should owners/operators be connected to CIWIN? |
x |
+ a |
+ |
+ |
+/- |
+ |
+/- |
- |
+ (9) +/? (3) +/- (2) - (5) ? (3) |
|
KEY |
|
|
+/- |
Owners/operators should be connected to CIWIN through national contact points |
|
+/? |
Owners/operators should be connected to CIWIN with certain safeguards |
|
+ "x" |
Owners/operators should be connected to CIWIN if option "x" is chosen for CIWIN |
Common methodologies (question 9.2)
Eleven Member States (AT, CY, CZ, ES, FI, FR, LU, PL, PT, SI, UK) saw added value in the idea of harmonizing or calibrating alert levels. Such a process was seen as generally useful. Six Member States (BE, DE, DK, LV, NL, SE) were against the idea. Five Member States (EE, HU, IE, LT, SK) did not offer concrete comments on this issue.
|
|
AT |
BE |
CY |
CZ |
DE |
DK |
EE |
EL |
ES |
FI |
FR |
HU |
IE |
IT |
LT |
LU |
LV |
|
Is there a need to calibrate/harmonize alert levels? |
+ |
- |
+ |
+ |
- |
- |
? |
x |
+ |
+ |
+ cal |
? |
? |
x |
? |
+ |
- |
                      Â
|
|
MT |
NL |
PL |
PT |
SI |
SK |
SE |
UK |
Total |
|
Is there a need to calibrate/harmonize alert levels? |
x |
- |
+ |
+ |
+ |
? |
- |
+ |
+ (11) - (6) ? (5) |
Eleven Member States (AT, CY, CZ, ES, FI, LT, LU, LV, PL, PT, SK) thought it useful to develop a common methodology of identifying and classifying threats, capabilities, risks, and vulnerabilities and drawing conclusions about the possibility, probability, and degree of severity posed by a threat. Seven Member (BE, DE, DK, FR, NL, SE, UK) States did not support this view, although two (BE, SE) specifically mentioned that they would be prepared to exchange information on this subject as part of the exchange of best practices process. Four Member States did not offer concrete comments on this issue.
|
|
AT |
BE |
CY |
CZ |
DE |
DK |
EE |
EL |
ES |
FI |
FR |
HU |
IE |
IT |
LT |
LU |
LV |
|
Should common methodologies be developed? |
+ |
- bp |
+ |
+ |
- |
- |
? |
x |
+ |
+ |
- |
? |
? |
x |
+ |
+ |
+ |
                      Â
|
|
MT |
NL |
PL |
PT |
SI |
SK |
SE |
UK |
Total |
|
Is there a need to calibrate/harmonize alert levels? |
x |
- |
+ |
+ |
? |
+ |
- bp |
- |
+ (11) - (7) ? (4) |
Funding (question 9.3)
A vast majority of Member States indicated that it is impossible at present to assess the costs of implementing the proposals put forward in the Green Paper for a European Programme for Critical Infrastructure Protection. At least one Member State (NL) highlighted however, that thanks to the use of a phased approach under which a considerable degree of analysis is first required, the costs would be relatively low in the beginning.
Evaluation and monitoring (question 9.3)
A vast majority of Member States indicated their support for some form of evaluation mechanism. At least four Member States (BE, CY, DK, NL) explicitly supported the idea of having peer evaluations. Two Member States (CZ, FI) indicated that evaluations should be left to each particular Member State.
Piotr RYDZKOWSKI