Non-Binding Guidelines for the application of the Directive on the identification and designation of European Critical Infrastructures and the assessment of the need to improve their protection


COVER NOTE

From: General Secretariat of the Council

To: Delegations

Subject: Non-Binding Guidelines for the application of the Directive on the identification and designation of European Critical Infrastructures and the assessment of the need to improve their protection

  • 1. In line with Article 3 paragraph 2 of the Political agreement on the Directive on the identification and designation of European Critical Infrastructures and the assessment of the need to improve their protection (doc. 9403/08) [1], the foreseen non-binding guidelines have been developed by the Commission together with Member States.

[1] The text finalized by the lawyer-linguists is set out in doc. 10934/08.

  • 2. On 11 November 2008, the Working Party on Civil Protection confirmed the informal consensus on the guidelines including on the classified Sectoral Criteria [2] reached during a number of meetings and workshops, subject to the following modifications:

  • the procedure with a view to updating the guidelines has been clarified, i.e. an update will take place when deemed necessary and for the first time three years after the entry into force of the Directive;

  • the parts of the cross-cutting criteria specifying when an effect becomes significant in terms of fatalities, injuries, economic loss, physical suffering, disruption of daily life and loss of public confidence will be part of a classified document [3].

The above consensus will be noted by the Permanent Representatives Committee, at a forthcoming meeting.

[2] The most recent version of the Sectoral Criteria is in doc. 15613/08 RESTREINT UE.

[3] Doc 15615/08 ("RESTREINT UE"); the sectoral criteria in the energy and transport sectors are set out in document 15613/08 ("RESTREINT UE").

Non-Binding Guidelines

For application of the Council Directive on the identification and designation of European Critical Infrastructures and the assessment of the need to improve their protection

| Revision | Date | Description of change |
|---|---|---|
| 0 | 01/06/08 | Creation |
| 0.5 | 18/06/08 | First draft sent out |
| 0.6 | 23/06/08 | First draft corrected and reedited, distributed to first workshop |
| 0.7 | 16/07/08 | Second draft integrating comments from first workshop |
| 0.8 | 12/09/08 | Draft sent before 2nd workshop on guidelines |
| 0.8.5 | 23/09/08 | Prepared after the 2nd workshop on guidelines, awaiting the final text of the Directive |
| 0.9 | 02/10/08 | Prepared to reflect the changes of version CS/2008/10934 of the Directive |
| 1.0 | 11/11/08 | Final version integrating comments from CIP contact point meeting 6/10/08 and decisions of PROCIV meeting 11/11/08 |

Where these guidelines refer, implicitly or explicitly, to 'the Directive', the reference is to Council document CS/2008/10934 (also indicated as 10934/08).

Table of contents

1 Introduction
  1.1 Background
  1.2 Objective
  1.3 Structure
  1.4 Updating of the guidelines
2 Timeline
3 The procedures of Identification and Designation of European Critical Infrastructure (Articles 3 and 4)
  3.1 The identification procedure
  3.2 The Designation procedure
  3.3 Detailed explanation of the Identification and Designation procedures
  3.4 Aspects for scenario construction in the Identification and Designation procedures
4 Sectoral criteria
  4.1 Introduction
  4.2 Sectoral Criteria in the Energy Sector
  4.3 Sectoral Criteria in the Transport Sector
5 Cross-Cutting Criteria
  5.1 Introduction
  5.2 Casualties Criteria
  5.3 Economic Effects Criteria
  5.4 Public Effects Criteria
6 Commission support for European Critical Infrastructure (Article 8)
Annexes
  Annex 1: Flowchart
  Annex 2: Existing Community measures for SLO and OSP or equivalent

List of Figures

Figure 1 - Timeline of actions indicating deadlines for Member States
Figure 2 - Representation of the 4-step identification procedure
Figure 5 - Issues for the application of the casualties criteria
Figure 7 - Issues for the application of the economic criteria
Figure 11 - Severity as a function of impact duration

All the figures mentioned below can be found in the document 15615/08 (RESTREINT UE):

Figure 3 Casualties Criteria - Fatalities
Figure 4 Casualties Criteria - Injuries
Figure 6 Cross cutting criteria on economic effect
Figure 8 CCC on public effects (physical suffering)
Figure 9 CCC on public effects (disruption of daily life)
Figure 10 CCC on public effects (public confidence)

Glossary and Acronyms

Critical Infrastructure:

"means an asset, system or part thereof located in Member States which is essential for the maintenance of vital societal functions, health, safety, security, economic or social wellbeing of people, and the disruption or destruction of which would have a significant impact in a Member State as a result of the failure to maintain those functions."

European Critical Infrastructure or ECI:

"means critical infrastructure located in Member States the disruption or destruction of which would have a significant impact on at least two Member States. The significance of the impact shall be assessed in terms of cross-cutting criteria. This includes effects resulting from cross-sector dependencies on other types of infrastructure."

European Critical Infrastructure owners/operators:

"means those entities responsible for investments or day-to-day operation and investment in a particular asset, system or part thereof designated as a European Critical Infrastructure under this Directive."

Risk analysis:

"means consideration of relevant threat scenarios, in order to assess the vulnerability and the potential impact of disruption or destruction of critical infrastructure."

Sensitive Critical Infrastructure Protection related Information:

"means facts about a critical infrastructure, which if disclosed could be used to plan and act with a view to causing disruption or destruction of critical infrastructure installations."

Protection:

"means all activities aimed at ensuring the functionality, continuity and integrity of critical infrastructures in order to deter, mitigate and neutralise a threat, risk or vulnerability."

Loss of Service:

The expression 'loss of service' is used in this document to mean unacceptable degradation below the service level expected to be provided by the infrastructure.

| Acronym | Full name |
|---|---|
| AMS | Affected Member State: a Member State which is potentially affected by the loss of service originating from an infrastructure located in another Member State |
| CCC | Cross-Cutting Criteria |
| CI | Critical Infrastructure |
| CIP | Critical Infrastructure Protection |
| ECI | European Critical Infrastructure |
| EPCIP | European Programme on CIP |
| GDP | Gross Domestic Product |
| ICT | Information and Communication Technology |
| MS | Member State |
| OMS | Originating Member State: a Member State on whose territory the infrastructure is located. |
| OSP | Operator Security Plan |
| PE | Public Effect |
| SLO | Security Liaison Officer |

1. INTRODUCTION

1.1. Background

In June 2004, the European Council asked the European Commission to prepare an overall strategy to protect European critical infrastructures. In response, in October 2004, the Commission adopted a Communication on Critical Infrastructure Protection (CIP) in the Fight against Terrorism. The Communication put forward suggestions on what would enhance European prevention, preparedness and response to terrorist attacks involving Critical Infrastructures (CI). After a comprehensive preparatory phase, which included the organization of seminars, the publication of a Green Paper and discussions with both public and private stakeholders, these suggestions were transformed into a package of policy measures referred to as the European Programme for Critical Infrastructure Protection (EPCIP), that was adopted by the Commission in December 2006.

A key element of EPCIP is the proposal of a new Directive on the "identification and designation of European Critical Infrastructures and the assessment of the need to improve their protection". Under this Directive, such European Critical Infrastructures (ECIs) should be identified and designated by means of a common procedure and the evaluation of security requirements for such infrastructures should be done under a common minimum approach.

The Directive defines critical infrastructure as "an asset, system or part thereof ... which is essential for the maintenance of vital societal functions, health, safety, security, economic or social well-being of people, and the disruption or destruction of which would have a significant impact in a Member State as a result of the failure to maintain those functions."

In other words, critical infrastructure provides services which are essential for our society. Degradation or total loss of such services, because the physical underlying system is disrupted or destroyed, may result in a significant impact on society. Criticality is therefore directly connected to a notion of service, or more precisely, to the potential effects that a loss of such a service would create. This notion of service is important because it limits the infrastructures that will fall under the scope of the Directive.

The Directive also defines ECI as "critical infrastructure located in the Member States the disruption or destruction of which would have a significant impact on at least two Member States".

In other words, it is the transboundary nature of the impact of the loss of service of a CI that makes it an ECI. If the impact remains national, then the associated CI will never be designated as ECI.

For the purposes of implementing the Directive, only the Energy and Transport sectors are used. This will be reviewed after three years, to assess its impact and the possible need to include other sectors within its scope - inter alia the Information and Communication Technology (ICT) sector.

1.2. Objective

The objective of this document is to provide guidance to assist Member States with the application of the Directive on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection.

As stated in Article 3(2), "The use of such guidelines will be optional for the Member States".

This document contains sectoral criteria for the Energy and Transport sectors, Cross-Cutting Criteria (CCC) with indicative thresholds and examples of common methodological practices which may be of assistance in the application of the criteria. A timeline indicating key milestones in the implementation of the Directive is also given.

1.3. Structure

The document provides in Section 2 an overall description of the timeline as defined by the Directive. Section 3 describes the identification and designation procedures of ECI and a detailed flowchart for such activities. Section 4 contains the sectoral criteria and Section 5 the cross-cutting criteria. Annex 1 is a flowchart depicting the identification and designation procedure. Annex 2 provides a list of existing measures for SLO and OSP or equivalent.

The text of the Directive is quoted in italics within the document in order to make a clear distinction between the text of the Directive and those sections that form the guidelines.

1.4. Updating of the guidelines

These guidelines will be updated when deemed necessary and, for the first time, in conjunction with the review of the Directive as laid down in Article 11. The impetus to update these guidelines can be given by the Council or the Commission. The updating of the document will be done by the relevant Directorates General of the Commission (e.g. DG JLS, DG JRC) together with the Member States.

2. TIMELINE

Article 13 states that, "This Directive shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union." Therefore this date will be taken as the zero point on the timeline chart, see Figure 1.

Two years after this date, the measures necessary to implement the Directive must be completed, as per Article 12: "Member States shall take the necessary measures to comply with this Directive at the latest two years after its entry into force."

The identification and designation of ECI is covered under Article 4(6) and its footnote: "The process of identifying and designating ECI pursuant to Articles 3 and this Article shall be completed by ... § and reviewed on a regular basis." This means that the first identification and designation of ECI to be carried out by Member States must be completed within two years. This will be reviewed on a regular basis and other ECIs may be designated as a result.

§ OJ: Two years after the entry into force of this Directive.

From the moment of ECI designation, several actions need to be taken.

· A Security Liaison Officer (SLO) has to be designated if one does not already exist. Article 6(3): "If a Member State finds that a Security Liaison Officer or equivalent does not exist in relation to a designated ECI, it shall ensure by any measures deemed appropriate, that such a Security Liaison Officer or equivalent is designated." Although no timeframe for this appointment is given in the Directive, it is assumed that the designation of the SLO is carried out as quickly as possible. The SLO is considered a pre-requisite for discussions on the availability and creation of the Operator Security Plan (OSP), and an SLO should thus be established in time to deliver the OSP within its specified timeframe of one year.

· An OSP needs to be established, if one does not already exist for the designated infrastructure. Article 5(3): "If a Member State finds that such an OSP or equivalent has not been prepared, it shall ensure by any measures deemed appropriate, that the OSP or equivalent is prepared." The OSP has to be in place within one year of designation and reviewed on a regular basis.

· In parallel to the OSP, a threat assessment needs to be performed under Article 7(1): "Each Member State shall conduct a threat assessment in relation to ECI sub-sectors within one year following the designation of critical infrastructure on its territory as ECI within those sub-sectors."

The timeline chart indicates the maximum time allowed to perform these tasks.

Designation of an ECI can take place at any time within the first two years following the Directive's entry into force; the actual date to complete the OSP and threat assessment may vary, but will always be no more than one year following designation.

The Directive requires Member States to compile three types of report to submit to the Commission.

  • 1. Every 12 months the number of infrastructures per sector for which discussions were held concerning the CCC thresholds must be reported to the Commission. See Article 3(2), "The precise thresholds applicable to the cross-cutting criteria shall be determined on a case-by-case basis by the Member States concerned by a particular critical infrastructure. Each Member State shall inform the Commission on an annual basis of the number of infrastructures per sector for which discussions were held concerning the cross-cutting criteria thresholds."

  • 2. Member States shall inform the Commission as to the number of designated ECI per sector and of the number of Member States dependent on each designated ECI. See Article 4(4), "The Member State on whose territory a designated ECI is located shall inform the Commission on an annual basis of the number of designated ECIs per sector and of the number of Member States dependent on each designated ECI." If no ECI is designated, then no report is to be provided to the Commission.

  • 3. The final report required under Article 7(2) states that, "Each Member State shall report every two years to the Commission generic data on a summary basis on the types of risks, threats and vulnerabilities encountered per ECI sector in which an ECI has been designated pursuant to Article 4 and is located on its territory."

Figure 1 - Timeline of actions indicating deadlines for Member States

3. THE PROCEDURES OF IDENTIFICATION AND DESIGNATION OF EUROPEAN CRITICAL INFRASTRUCTURE (ARTICLES 3 AND 4)

3.1. The identification procedure

The Directive sets out the procedure to be followed for the identification of ECI. This procedure is described in Article 3 and Annex III to the Directive:

As stated in Article 3(1), "each Member State shall identify the potential ECI which both satisfy the cross-cutting and sectoral criteria and meet the definitions set out in Article 2(a) and 2(b)."

Article 3 of the Directive should be read together with Annex III to Annex I (of the same Directive) which sets out the procedure to be followed in the identification of ECI:

"Article 3 requires each Member State to identify the critical infrastructures which may be designated as an ECI. This procedure shall be implemented by each Member State through the following series of consecutive steps.

A potential ECI which does not satisfy the requirements of one of the following sequential steps is considered to be "non-ECI" and is excluded from the procedure. A potential ECI which does satisfy the requirements shall be subjected to the next steps of this procedure."

The procedure set out by the Directive comprises four consecutive steps.

Step 1: "Each Member State shall apply the sectoral criteria in order to make a first selection of critical infrastructures within a sector." Are the Sectoral Criteria met?

Step 2: "Each Member State shall apply the definition of critical infrastructure pursuant to Article 2(a)" Is the Infrastructure Critical according to Article 2(a)?

Step 3: "Each Member State shall apply the transboundary element of the definition of ECI pursuant to Article 2(b)" Does the infrastructure have a significant transboundary impact on other Member States?

Step 4: "Each Member State shall apply the cross-cutting criteria to the remaining potential ECIs." Are the Cross-Cutting criteria met?

Figure 2 - Representation of the 4-step identification procedure

The procedure may be entered at any point, as long as all steps are completed.

The steps are the following (see Annex III of the Directive):

Step 1:

"Each Member State shall apply the sectoral criteria in order to make a first selection of critical infrastructures within a sector."

For the purposes of implementing the Directive, these sectoral criteria will relate only to Energy and Transport sectors. The sectoral criteria can be found in section 4 of these guidelines.

As a result of this step only infrastructures providing essential services are considered.

Step 2:

"Each Member State shall apply the definition of critical infrastructure pursuant to Article 2(a) to the potential ECI identified under step 1.

The significance of the impact will be determined either by using national methods for identifying critical infrastructures or with reference to the cross-cutting criteria, at an appropriate national level. For infrastructure providing an essential service, the availability of alternatives, and the duration of disruption/recovery will be taken into account."

This step provides a check to see if the infrastructure satisfies the definition of critical infrastructure, as defined by the Directive and whether the loss of service from that infrastructure would have a significant impact.

As a result of this step, only infrastructures which are perceived by the Originating Member State (OMS) as critical are considered.

For the purpose of the Directive:

" `critical infrastructure' means an asset, system or part thereof located in Member States which is essential for the maintenance of vital societal functions, health, safety, security, economic or social well-being of people, and the disruption or destruction of which would have a significant impact in a Member State as a result of the failure to maintain those functions."

A flexible approach is used in terms of determining whether or not an impact is significant, as either national thresholds or the Cross-Cutting Criteria may be used in this respect.

Step 3:

"Each Member State shall apply the transboundary element of the definition of ECI pursuant to Article 2(b) to the potential ECI that has passed the first two steps of this procedure. A potential ECI which does satisfy the definition will follow the next step of the procedure.

For infrastructure providing an essential service, the availability of alternatives, and the duration of disruption/recovery will be taken into account."

This step provides a check to see if the disruption or destruction of the infrastructure would have a significant transboundary impact on other Member States.

Step 4:

"Each Member State shall apply the cross-cutting criteria to the remaining potential ECIs. The cross-cutting criteria shall take into account: the severity of impact; and, for infrastructure providing an essential service, the availability of alternatives; and the duration of disruption/recovery. A potential ECI which does not satisfy the cross-cutting criteria will not be considered to be potential ECI."

Section 5 gives indicative thresholds for the cross-cutting criteria, although the precise thresholds to be used shall be established on a case-by-case basis between the involved Member States.

With this step, only infrastructures which are perceived jointly by the OMS and Affected Member State (AMS) as critical will be considered.

CCC provides a check that ensures that only infrastructures with similar associated potential transboundary impacts, or in other words, with similar criticality, are considered for ECI designation. Three types of effect are considered by the Directive, namely casualty, economic and public. These are further explained in section 5.

3.2. The Designation procedure

Article 4 states a number of rights and obligations of an OMS.

Obligations:

· It shall inform the other Member States which may be significantly affected by a potential ECI, about its identity and the reasons for designating it as a potential ECI (Article 4(1)).

· It shall engage in discussions with Member States that may be affected by this potential ECI (Article 4(2)).

· It shall designate this infrastructure following agreement with Member States that may be affected by this potential ECI (Article 4(3)). The acceptance of the Member States on whose territory the ECI is located shall be required.

· It shall inform the Commission annually about the number of infrastructures that are designated as ECI (Article 4(4)).

· It shall inform the owner/operator regarding this designation (Article 4(5)).

· It shall complete the identification procedure within two years of the entry into force of this Directive.

· It shall review the designation on a regular basis.

Rights:

· Its agreement is required for designation.

The article also gives rights to potentially affected Member States (MS).

· Article 4(2): "A Member State that has reason to believe that it may be significantly affected by the potential ECI, but has not been identified as such by the Member State on whose territory the potential ECI is located, may inform the Commission about its wish to be engaged in bilateral and/or multilateral discussions on this issue. The Commission shall without delay communicate this wish to the Member State on whose territory the potential ECI is located and endeavour to facilitate agreement between the parties."

· Article 4(2) thus also obliges the Commission to take action if a Member State considers it may be potentially affected.

· The agreement of the affected MS on designation is also required (Article 4(3)).

3.3. Detailed explanation of the Identification and Designation procedures

This section introduces a flowchart that describes and explains the identification and designation procedures of a single infrastructure as well as all post designation activities. See annex 1 for a reproduction of the flowchart. The flowchart follows the Directive as closely as possible. It describes all steps and processes explicitly mentioned in the Directive, as well as those which are implicit, but required in practice.

The flowchart depicts a common procedure; a MS can enter the flowchart at any point, as long as Annex III to the Directive is met.

The actual workflow to be undertaken by Member States is more complex than described here. For instance no assumptions are made about actors or processes beyond the level of the Member States and the Commission. Several iterations may be required to complete some parts of the procedure.

Three actors are considered:

· OMS (Originating Member State).

· AMS (Affected Member State).

· The European Commission.

In the flowchart the role and responsibility of the actors are indicated by colour coding:

· light blue boxes for the OMS,

· green boxes for the AMS,

· dark blue boxes for the Commission,

· purple for joint activities by the Commission and Member States,

· orange boxes indicate that the OMS and AMS have shared responsibility and collaborate, possibly facilitated by the Commission.

There are two types of connecting arrows:

· red arrows indicate flows which are directly connecting all processes described in the Directive and are therefore required by the Directive;

· blue arrows connect processes that are not explicit in the Directive, but which are required to make the explicit processes possible.

The flowchart uses common symbols:

· ovals for start and end points,

· rectangles for processing steps,

· diamonds for decisions, and

· rectangles with a wavy bottom for a document. Documents can be either real documents such as this guidelines document, or may be simple data records. The documents shall have an appropriate level of classification.

There exist three possible points to initiate the identification and designation procedures; these are at the top of the flowchart, identified as IP1, IP2 and IP3.

Initiation Point 1: Initiation by the OMS as set out by the Directive in Articles 3 and 4. The common initiator is the Member State on whose territory the infrastructure is located.

The sectoral criteria would normally have been consulted, enabling a pre-selection of infrastructures to undergo the procedure. In some (sub-)sectors, the sectoral criteria indicate directly for which infrastructures the identification procedure should be initiated. A further explanation regarding the different kinds of sectoral criteria is given in section 4.1.

Initiation Point 2: The second route corresponds to Article 3(1) of the Directive which gives the Commission the possibility to initiate the procedure:

"The Commission may draw the attention of the relevant Member States to the existence of potential critical infrastructures which may be deemed to satisfy the requirements for designation as an ECI."

Initiation Point 3: The third route is initiated by a Member State on whose territory the infrastructure is not located, but which has reason to believe that it may be significantly affected by a loss of service, as set out by Article 4(2).

The second and third initiation points are further explained at the end of this section. The identification and designation procedure is however the same in all subsequent steps.

Entry into procedure: Though an infrastructure may enter the procedure via any of the three initiation points, the normal route will be initiation by the OMS.

Optionally, the OMS can assess whether the infrastructure has been considered before and whether there is a need to reconsider its status by repeating the identification procedure. This situation may occur when the designation (or non-designation) of an infrastructure is reviewed after a number of years, or when the procedure is started by the Commission or a potential AMS.

Step 1: The assessment against the sectoral criteria is the first official identification step. The applicable criteria given in section 4 of this document are applied by the OMS. If the OMS considers that these are met, the assessment proceeds to step 2. Otherwise the infrastructure is regarded as non-ECI.

Step 2: When the infrastructure has passed the first step, the OMS shall assess whether it is critical infrastructure pursuant to the definition as given in article 2(a) of the Directive:

"'critical infrastructure' means an asset, system or part thereof located in the EU Member States which is essential for the maintenance of vital societal functions, health, safety, security, economic or social well-being of people, and the disruption or destruction of which would have a significant impact in a Member State as a result of the failure to maintain those functions"

The infrastructure is considered to be critical according to the national criteria used internally by the OMS. Alternatively, the OMS may assess criticality using a version of the CCC adapted in such a way that they become appropriate for use at national level. This is described as follows by the Directive in Annex III:

"The significance of the impact will be determined either by using national methods for identifying critical infrastructures or with reference to the cross-cutting criteria, at an appropriate national level. For infrastructure providing an essential service, the availability of alternatives, and the duration of disruption/recovery will be taken into account."

If the infrastructure is found to be critical, by using one of these approaches, the OMS proceeds to the third step. Otherwise it is not considered ECI.

Step 3: The third step considers whether the infrastructure has a transboundary nature. The assessment should be done pursuant to the definition in Article 2(b):

"'European Critical Infrastructure' or 'ECI' means critical infrastructure located in the EU Member States the disruption or destruction of which would have a significant impact on at least two Member States of the EU;"

The third step is intended as a check on whether the infrastructure can actually affect one or more Member States outside of the territory of the OMS significantly, and which Member States they are. This step does not require contact with the AMS but may benefit from it. Determining the significance of the impact using the CCC is done as part of the fourth step, since fully evaluating these requires contact with the AMS. To produce a first estimate of the potential significance, the OMS may apply the CCC, or use another means of estimation, for instance when assessment appears not possible without contact. In this step, determining the possibility of transboundary consequences is more important than determining the significance of these.

Following confirmation of the potential European Criticality of this infrastructure, the OMS shall proceed to step 4. If loss of service of this infrastructure cannot cause transboundary consequences, the infrastructure will again not be considered ECI.

Engagement with AMS: Though a first estimate can be made of whether the consequences of

service loss of an infrastructure meet the CCC, the nature of the CCC does not allow a complete

evaluation by the OMS. Involvement of the AMS is required. The Directive does not define a

procedure for this; a possible route is via the CIP contact points of the potential AMS. The legal

basis for informing the AMS is described in article 4(1):

"Each Member State shall inform the other Member States which may be significantly affected by a potential ECI about its identity and the reasons for designating it as a potential ECI."

Whilst the infrastructure has not yet been strictly identified as critical at this stage, the potential

AMS are known as a result of step 3, which has been completed before engagement. The AMS

would normally be expected to accept this engagement. If it does not accept engagement however,

it would be left out from the possible bilateral or multilateral discussion process concerning the

potential ECI.

Step 4: The fourth step involves collaboration between the AMS and OMS, though how this should

occur is left to the MS involved. It will use the CCC as given in this document to finally identify

ECI.

In order to minimize the level of work required, the most relevant of the three CCC, i.e. the one

expected to be the most likely to be met, is selected first. Subsequently the MS will determine the precise

thresholds for these criteria, based on the actual nature of this infrastructure and of the

consequences that would occur following its loss of service. The OMS shall inform the

Commission on an annual basis of the number of infrastructures per sector for which discussions

were held concerning the CCC (Article 3(2)).

The procedure continues by drawing up the 'reasonable worst case scenario' (see section 3.4). When

the predicted outcome meets the selected CCC, it is identified, but not yet designated as ECI, and

the procedure proceeds to the next step. If it is not identified as such, the remaining CCC may be

applied as well, if relevant. As in all previous steps, if none of the CCC are met, the infrastructure is

considered non-ECI.

Identification: If one of the CCC is met, then the infrastructure is identified as potential ECI. The

parties involved proceed to the final bi- or multi- lateral discussions on the actual designation. The

Commission may participate in these discussions, following invitation from the concerned Member

States, without being informed about the specific nature of the infrastructure (Article 4(2)). These

discussions provide the participating MS with the opportunity to reach agreement on designation,

but also to verify the need for designation. Furthermore there is opportunity to re-evaluate previous

work on the criteria with different actors or at different national levels. Then, if all parties agree

they proceed to designation.

Designation: Designation can only occur if the OMS agrees. If the OMS does not agree, the

infrastructure is considered non-ECI even though it has been identified as such (Article 4(3)). In

other words the OMS has the right to veto designation.

Post designation activities: When the infrastructure is designated as ECI, the OMS shall inform

the AMS (Article 4(4)). The OMS shall also communicate the designation to the operator of the

infrastructure (Article 4(5)) for further implementation of articles 5 and 6. Additionally, the OMS

shall have some mechanism in place to communicate the number of designated infrastructures

annually to the Commission.

The OMS has to assess whether an OSP or equivalent exists for the ECI. If an OSP or equivalent

exists then no further action needs to take place, except a regular review of it. If an OSP or

equivalent does not exist, then the following actions need to be carried out, in line with Annex II of

the Directive describing the OSP procedure. The important assets of the infrastructure need to be

identified and a risk analysis based on major threat scenarios needs to be performed. Once

completed, then the potential counter measures against such threats need to be identified.

A non-exhaustive list of measures, principles and guidelines applicable in some sectors, compliance

with which may satisfy the OSP requirements of this Directive is given in Annex 2.

Entry via initiation points 2 and 3: The entry of an infrastructure into the procedure can also

occur following suggestion by the Commission (initiation point 2) or an AMS (initiation point 3).

Regarding initiation point 3, a potential AMS that has reason to believe that it may be significantly

affected by a loss of service, supplied from another Member State, can request that the

infrastructure that provides the service undergoes the procedure to identify and subsequently

designate the infrastructure. If this has not yet been identified as such by the OMS, the AMS has

two possibilities to enter it into the procedure. It may approach the Member State concerned directly

or may inform the Commission regarding its wish. The Commission shall communicate this wish

without delay to the OMS. Only the route via the Commission is set out by the Directive, but there

would be nothing hindering the AMS from contacting the OMS directly. Article 4(2):

"A Member State that has reason to believe that it may be significantly affected by the potential ECI, but has not been identified as such by the Member State on whose territory the potential ECI is located, may inform the Commission about its wish to be engaged in bilateral and/or multilateral discussions on this issue. The Commission shall without delay communicate this wish to the Member State on whose territory the potential ECI is located and endeavour to facilitate agreement between the parties."

It is expected that the AMS has already checked whether the loss of the service concerned would

indeed be likely to meet the CCC on its territory. The Directive however does not require this. The

OMS may be required to identify the infrastructure or infrastructures that provide this service. If

more than one infrastructure is identified then each of these will have to undergo the procedure. As

before, designation can only occur if the OMS agrees.

3.4. Aspects for scenario construction in the Identification and Designation procedures

This section describes key aspects that should be considered in building scenarios for applying

criteria for the identification and designation of ECIs. No attempt is made to prescribe the use of a

certain method. The Member States themselves are responsible for implementing a methodology

that works within their national context. The scenario building process is essential for the evaluation

of CCC.

1. Loss of Service. Central to the objectives of the Directive is the need to protect European Society against the disruption or destruction of critical infrastructure. More precisely, it strives to protect an infrastructure "which is essential for the maintenance of vital societal functions, health, safety, security, economic or social well-being, and the disruption or destruction of which would have a significant impact in a MS as a result of the failure to maintain those functions". In other words, if an infrastructure provides a service that maintains vital societal functions, it may merit protection, depending on the significance of the potential loss or degradation of the service that the infrastructure is expected to provide. The expression 'loss of service' is used in this document to mean unacceptable degradation below the service level expected to be provided by the infrastructure.

2. Ex-ante analysis. The evaluation of the criteria requires ex-ante analysis, or before the event, as opposed to ex-post or after the event. During ex-ante analysis an all hazards approach as prescribed by the Directive shall be followed. In other words the consequences of all relevant natural hazards, terrorist acts, deliberate or non-deliberate man made accidents that could possibly lead to a loss of service should be considered during the ex-ante analysis.

3. Reasonable Worst-Case scenarios. A reasonable worst case scenario is the basis on which the consequences are calculated for evaluating the criteria. In the context of the Directive the assessment should concentrate on national and transboundary effects. Worst case scenarios are the most unfavourable ones, leading to the worst expected outcome out of all possible scenarios. Reasonable worst case scenarios are those scenarios that can possibly happen and are feasible on the basis of existing knowledge.

4. Duration of event and escalation. A failure that occurs during the day and is restored the next morning may have few consequences. It may take more than a week for certain industries to run out of stock following disruption of supply. Based on the events that can occur following the loss of service, a reasonable escalation scenario should be established as part of the worst case estimation, taking time into account. The duration of the loss of service and development of escalating events need to be evaluated.

5. Availability of alternatives. Closely related to event duration are potentially existing redundancies, storage capacity and other means that would mitigate or delay the impact. These shall be taken into account. For example, if a pipe-line fails and can be repaired in three days whilst end-user storage lasts for four days, the adverse consequences of the pipe-line failure will not be considered critical. Similarly, fuel for emergency power generation might only last for a day, causing escalation (e.g. hospitals without power) when a black-out could reasonably last longer than a day.

6. Cascading effects. It is important and requested by the Directive to take into consideration cross-sector dependencies and possible cascading effects upon other infrastructures leading to more severe impacts. To be effective, the ex-ante evaluation of the effects of an initial loss of service will have to balance the efforts put into the modelling of the consequences and the uncertainties that this modelling brings. In other words, the Member State should only take into account those events that can reasonably be expected to follow from a loss of service, and of which the magnitude in that case can be reasonably forecasted.

7. Misuse and "weaponisation". For the Energy and Transport sectors misuse and weaponisation shall not be considered.

8. System granularity and designation of critical components. The Directive does not fully define what an infrastructure actually is. It says: "an asset, system, or part thereof". An infrastructure can be analyzed as a system at a high level, for instance the national or even European transportation system, which includes among other modalities railway transport. At the lowest system level the individual pieces of metal, plastic, nuts and bolts that make up a railway are found. At some intermediate level, which should be defined in the scope of the assessment by the concerned Member State, the analysis of criticality must take place; at a possibly lower level the components are identified that shall be designated as ECI.

   The sectoral criteria provide the first guidance on defining the scope, though experts may need to clarify this. The following additional guidance can be given: The criticality of infrastructure should be determined at a level at which potentially significant consequences may be suffered by the end users of the infrastructure and at a level that the operators concerned can be identified.

9. Existing protection measures. The existence of protection measures that harden an infrastructure should not preclude it as a potential CI during the identification procedure. Typical examples of such measures include fencing, security gates, computer firewalls, fire protection, flood barriers, and other forms of hardening the infrastructure against disruption or destruction by attacks or natural events. In other words, an infrastructure should not be excluded as CI solely on the grounds that it is adequately hardened; the existence of such measures is irrelevant during the procedure. It should be noted however that in case the infrastructure is designated as ECI, such measures shall be considered in the context of the OSP.

4. SECTORAL CRITERIA

4.1. Introduction

Sectoral criteria are technical or functional criteria that should help identify at the start of the

identification procedure the infrastructures that could potentially become critical. These criteria

however do not consider the potential impact of disruption or destruction of the infrastructure on

society, but just its nature.

As stated in Article 3(3), "the sectors to be used for the purposes of implementing this Directive

shall be the energy and transport sectors. The sub-sectors are identified in Annex I." Furthermore,

article 3(3) of the Directive states:

"If deemed appropriate and in conjunction with the review of this Directive as laid down in Article 11, subsequent sectors to be used for the purpose of implementing this Directive may be identified. Priority shall be given to the ICT sector."

Thus far four different kinds of sectoral criteria are used. The distinction between these determines

how an infrastructure is firstly identified, and this affects the start of the identification procedure

discussed in section 3.3.

Sectoral criteria either:

1. Prescribe specific properties. For example dimensions, capacities, and distances which an infrastructure should have in order for the criteria to be met; this is the most traditional form of a criterion.

   Thresholds for the specific properties may be decided by the concerned Member States.

   For instance the criteria may set out a minimum capacity and minimum distance it should have from similar infrastructures. Or it might specify a pipeline diameter as could be the case in oil and gas transmission.

   In general a Member State will work within the sectors to identify all infrastructures that meet the properties set out by the criteria. In some cases a list of such infrastructures may already exist, and therefore the first step of the identification procedure has essentially been completed. Otherwise, it should be carried out as indicated in the flowchart in Annex 2.

2. Identify networks of which the 'key elements' must be determined. Identification of these key elements needs to take place by analysing the system as a whole and identifying those elements that can potentially cause large disruptions of the system, which could lead to significant losses in Member States. If these losses are indeed significant within the context of the Directive, the element (more precisely its parts) shall enter the designation procedure.

3. Name a specific infrastructure asset directly. In this case the identification procedure immediately proceeds to step 2.

4. Allow an MS to identify an asset directly. There may be cases where no sectoral criteria exist, but nevertheless a potential ECI may be identified taking into account particular situations. The identification procedure will follow the flowchart from step 2.

4.2. Sectoral Criteria in the Energy Sector

This section of the guidelines is classified and is omitted in the present version of the document.

4.3. Sectoral Criteria in the Transport Sector

This section of the guidelines is classified and is omitted in the present version of the document.

5. CROSS-CUTTING CRITERIA

5.1. Introduction

Cross-cutting criteria consist of three families of criteria, namely casualties criteria, economic

effects criteria and public effects criteria (Article 3(2)):

"(a) casualties criterion (assessed in terms of the potential number of fatalities or injuries);

(b) economic effects criterion (assessed in terms of the significance of economic loss and/or degradation of products or services; including potential environmental effects);

(c) public effects criterion (assessed in terms of the impact on public confidence, physical suffering and disruption of daily life; including the loss of essential services)."

As stated in Article 3(2), "the cross-cutting criteria thresholds shall be based on the severity of the

impact of the disruption or destruction of a particular infrastructure. The precise thresholds

applicable to the cross-cutting criteria shall be determined on a case-by-case basis by the Member

States concerned by a particular critical infrastructure."

As the Directive states that the precise thresholds to be used in the identification and designation

shall be determined on a case-by-case basis by the concerned Member States, the thresholds that are

put forward in these guidelines are indicative only. They are meant to reflect when an impact could

start to become significant. Member States may use these indicative thresholds to determine the

threshold they will use for the assessment of the transboundary impact.

It is sufficient that one of the cross-cutting criteria is met to satisfy Step 4 of the identification procedure.

5.2. Casualties Criteria

Definitions

· A casualty is either a fatality or an injured person.

· An injured person is defined as a person requiring more than 24 hours of hospitalization.

There is no limit given on a maximum time following the event that causes the disruption or destruction of the infrastructure during which the fatalities should occur.

All fatalities or injured persons related to loss of service shall be counted.

This section of the guidelines is classified and is omitted in the present version of the document.

Guidelines for the application of the casualties criteria

In the assessment of casualties the precise number is not required, only an order of

magnitude.

Estimation of the exposed population

Estimations can be derived from statistics on the use of a service among a

population, on the number of customers provided by the operator, on the population

living in the area where the service is delivered, etc.

· How many people are using the service and are impacted by the loss of

service?

· How many people are using other services that are dependent on the service

that is lost?

· Are there sensitive structures where people could suffer more from the

service disruption (e.g. hospitals, retirement houses, schools, etc.)?

· Within these exposed populations, are there sensitive groups?

(Sensitive groups are typically people over 65, children, disabled people, etc. They

are considered as more vulnerable to the loss of service)

Evaluation of the vulnerability of the population exposed

This may be done for instance on the basis of lessons learnt taken from past events,

where relevant or using existing vulnerability functions when they exist on the basis

of expert judgment. This vulnerability assessment should take into account the

duration of the service's disruption.

· Is the service disruption more susceptible to causing fatalities or injuries?

· Are there similar events that in the past caused casualties? In which

proportion?

· Are there already existing vulnerability functions that are used at national

level to assess casualties in case of a service's disruption?

Assessment of the coping capacities and alternatives

· What is the level of coping capacities of the population (stocks of food,

water, alternative resources for heating, etc.)?

· Are the rescue services prepared to face this kind of service disruption?

Figure 5 - Issues for the application of the casualties criteria

5.3. Economic Effects Criteria

Definitions

· Economic losses are those losses related to the loss of service.

Main assumptions

· This calculation should take into account whether alternatives or temporary solutions may

be found, including the additional costs these incur.

· The environmental impact and related costs should be included in the calculation of the

economic impact.

· Cascading effects should be counted where it can be demonstrated that they can be

reasonably calculated.

· Restoration costs shall be considered on a sectoral basis. For the Energy and Transport

sectors, restoration costs shall not be considered.

This section of the guidelines is classified and is omitted in the present version of the document.

Economic losses due to loss of service

The starting point for the assessment is that a loss of service will lead to a loss of production of

services and goods. This loss and its effect incurred in the supply chain constitute the total size and

extent of economic damage.

The economic criterion is evaluated based on the impact of infrastructure failure on the dynamics of

national economies (macro perspective), rather than on individual actors (micro perspective). In

other words, a distinction is made between losses to private actors (often called private or financial

losses) and losses to society as a whole (often called social or economic losses). Within the context

of evaluating the economic criteria private losses shall not be taken into account, since these losses

do not necessarily affect the economy as a whole.

Private losses do not necessarily affect the GDP. For instance, suppose that a farm in a given year

loses its production due to a given cause (whether it be man-made, natural, etc.). The loss to the

farmer equals the value of that year's production. The (net) loss to the nation however depends on

the availability of alternatives. If other farmers do not lose their crop and can substitute the demand

the loss to the national economy would be negligible.

If however such alternatives do not exist within the Member State, crops must be imported; this

incurs a national loss, equal to the value of the imports, which does affect the GDP.

The assessment should consider the impact of the loss of service on the national economy of a

Member State taking into account possible alternatives and the substitution of goods and services as

well as taking into account the duration of the loss.

Environmental Impact

For the purpose of this Directive environmental impact is limited to the loss of land and

displacement of people.

· Loss of land

For the purposes of this Directive, the economic value of land is determined by the possible

contribution of the use of this land to the national income of a Member State.

· Displaced people

For the purpose of the Directive, the economic effect of the displacement of people has to be

assessed on the basis of the cost incurred by the Member State to relocate the displaced

persons (such as shelter, transport, food etc) and its impact on the national economy.

Possible assessment methods

A suitable calculation method is input-output analysis. This method has the advantages that it

automatically excludes private losses, includes cascading economic effects, and uses current data.

In short, an input-output model is a description of the dependencies that exist within an economy

amongst all its sectors of activities. An input-output model explains, for example, how the output of

the oil and gas sector is used within other sectors such as industry, agriculture, etc. What is

important to note is that there is a direct link between the input-output table and the national

accounts. This makes it possible to express the consequences of a disruption in one sector and its

rippling effect to the rest of the economy and eventually on the GDP. The required data for building

input-output models is available from Eurostat. Another source of information may be cost benefit

analysis prepared when the infrastructure was in its planning phase.

Issues for the application of the economic criteria

Economic losses include

· Loss of production which represents a real impact on the national economy.

· Environmental impact which represents a real impact on the national economy.

Key issues for assessing economic losses in a scenario

The impact of a disruption is assessed in terms of how business is interrupted for the

duration of the disruption. The following questions provide further guidance in the

assessment of the infrastructure.

Impact

· How is the infrastructure used in the production process?

· What would be the scale of the disruption if the infrastructure fails?

(local/regional/national)

· How long will it take before the service is restored, once it has been lost?

· What is the number of end users being affected in the category agriculture?

· What is the number of end users being affected in the category households?

· What is the number of end users being affected in the category industrial

producers?

· What is the number of end users being affected in the category service sector?

· What is the normal income received by the previously mentioned categories for a

period with a length equal to the duration of the loss of service?

Alternatives

Alternatives are a key issue in assessing the net effect of a disruption in infrastructure.

Currently no standard methods exist, however a few rules of thumb or key questions can

be identified:

· In the affected area, is there any specialized industry?

· In the affected area is there any unique installation, for which no alternatives

exist, that would be interrupted in its normal business in case of a disruption in one of the infrastructures?

· Do sufficient producers exist which can replace the lost production within the

geographic limits of the area of interest?

· Is there any cost associated with transferring production and/or using these

alternatives?

Net-impact

· When taking into account the issues mentioned under the section "alternatives"

above, how much of the lost production under the section "impact" can be made up for in un-affected areas?

Assessing cascading effects

Cascading effects may constitute a significant part of the loss incurred due to a disruption

in critical infrastructure. The following provides indications on when to pay special

attention to cascading effects.

· Long duration of disruption

· Event affecting significant proportion of the area (region, Member State) of

interest

· Impacts on highly concentrated and specialized industry or services

· Nodal points in networks (communications, transport, energy, information) are

affected.

Figure 7 - Issues for the application of the economic criteria

5.4. Public Effects Criteria

Main assumptions

For the purpose of the Directive public effects are characterized by:

o Number of people impacted

o Severity of the impact

o Duration of the impact

Public effect is expressed in three separate categories, on which the actual sub-criteria are based:

o Physical suffering

o Impact on public confidence

o Disruption of daily life

Only if the criteria Physical Suffering or Impact on Public Confidence are not met shall the

Disruption of Daily Life be considered.

· Public effect shall in each of these three effect categories be measured on a severity scale

using three categories that express the magnitude of the impact.

o Low

o Medium

o High

This section of the guidelines is classified and is omitted in the present version of the document.

Possible assessment methods

The ex-ante assessment relies mainly on expert judgement. With regards to the proposed criteria,

the following steps could be followed to assess public effects:

· Estimation of the number of people potentially affected

· Assessment of the severity of the impact

· Final assessment of the public effects on the basis of the number of people impacted and the

severity of the impact

Assessment of the severity of the impact

It must be kept in mind that the duration of the disruption contributes to the increase of

severity. The assessment must reflect the severity of impact for the entire period of

disruption, i.e. the effects that are assessed are the effects as they are when the service is

about to be restored.

Figure 11 - Severity as a function of impact duration

Assessment of physical suffering

· Number of people affected: the estimation of the number of people potentially affected

refers to the end-users using the service of the infrastructure under consideration.

· Characterizing the severity: the physical suffering refers to the effects that can threaten the

physical integrity of the population exposed.

Possible effects to consider (table columns: Low, Medium, High):

· Effects on health and sanitary conditions

· Lack of water

· Lack of food

· Lack of heating and energy

· Lack of housing and lodging

· Other deprivation and hardship

· Loss of personal security

· Severity levels

o Low: inconvenient or irritating effect on the individual, but short-term and not

leading to significant health consequences or loss of life

o Medium: significant effect on the individual leading to substantial health

consequence or loss of life

o High: strong effect on the individual leading to severe health consequences or loss of

life

Assessment of the Disruption of daily life

· Number of people affected: the estimation of the number of people potentially affected

refers to the end-users using the service of the infrastructure under consideration.

· Characterizing the severity: the disruption of daily life refers to significant changes in the

routine activities of the population characterized in the table below.

Possible effects to consider (table columns: Low, Medium, High):

· Infringement of freedom of travel

· Impossibility of leaving accommodation / attending school / going to work

· Inability to assemble

· Inability to communicate

· No access to information resources

· Separation from social network / family

· Loss of purchasing power / income / employment

· Unavailability of payment systems

· Severity levels

o Low (inconvenient): irritating for the individual but not disruptive for his/her daily

routine

o Medium (disruptive): for a limited period of time, the individual is not able to

continue his/her daily routine

o High (dysfunctional): the individual is no longer able to continue his/her daily

routine

Assessment of Public confidence:

· Number of people affected: the estimation of the number of people potentially affected

refers to the entire population of a Member State.

· Characterising the severity: this category refers to the impact a disruption of a service can

have on the confidence of the public in the capacities of their government to guarantee the delivery of essential services. The loss of confidence can be expressed through demonstrations, rioting, and changes in the behavioural patterns of a Member State.

Possible effects to consider (table columns: Low, Medium, High):

· Possibility of rioting

· Possibility of stocking up

· Possibility of change of behavioural patterns (e.g. fear, panic)

· Severity levels

o Low: inconvenient or irritating effect but short-term

o Medium: substantial effect but temporary in nature

o High: strong effect for an extended duration

6. COMMISSION SUPPORT FOR EUROPEAN CRITICAL INFRASTRUCTURE (ARTICLE 8)

As stated in Article 8, "The Commission shall support, through the relevant Member State

authority, the owners/operators of designated ECIs by providing access to available best practices

and methodologies as well as support training and the exchange of information on new technical

developments related to critical infrastructure protection".

ANNEXES

Annex 1: Flowchart

The flowchart is introduced in section 3.3 of this document and is reproduced on the next page in a

single A3 format.

Annex 2: Existing Community measures for SLO and OSP or equivalent

Indicative list of measures, principles or guidelines referred to in Article 5(5) and Article 6(5)

respectively include:

· Directive 2005/65/EC of the European Parliament and of the Council of 26 October 2005 on

enhancing port security

· Regulation (EC) No 725/2004 of the EP and of the Council of 31 March 2004 on enhancing

ship and port facility security

· Regulation (EC) No 2320/2002 of the European Parliament and the Council of 16 December

2002 establishing common rules in the field of civil aviation security; and its implementing regulations

· Regulation (EC) No 300/2008 of the EP and of the Council of 11 March 2008 on common

rules in the field of civil aviation security and repealing Regulation (EC) No 2320/2002

· Regulation (EC) No 2096/2005 of 20 December 2005 laying down common requirements

for the provision of air navigation services

· Regulation (EC) No 550/2004 of the EP and of the Council of 10 March 2004 on the

provision of air navigation services in the single European sky

· Regulation (EC) No 1315/2007 of 8 November 2007 on safety oversight in air traffic

management and amending Regulation (EC) No 2096/2005

These measures may be applicable specifically to OSP or to SLO or to both. This list may be

amended.

___________________________
