The Commission proposed on 16 December to ‘dust off’ its regulatory framework to protect critical infrastructure not only from cyberattacks, but also from other types of hazards, such as pandemics and other natural disasters.
Its framework dates back several years—or even as far back as the 11 September 2001 attacks in the United States—and covers only threats of a terrorist nature, so the Commission has also proposed extending the list of physical infrastructures to be protected. It has proposed adding areas such as hospitals, public administrations and the financial sector, rather than only the transport and energy sectors.
The Commission recorded 450 cybersecurity incidents involving the finance and energy sectors in 2019; last week it was the European Medicines Agency that was targeted by cyber attackers apparently looking for information on the authorisation of the Covid-19 vaccine.
Recently, a hospital in Düsseldorf was again the target of a cyberattack, explained Vice-President Margaritis Schinas, responsible for promoting the European Way of Life. Its services were paralysed for a while, and a woman who needed urgent care at the hospital died as a result of the attack, the Vice-President said.
The proposal for a Critical Entities Resilience (CER) Directive further extends the scope of the 2008 Directive on European Critical Infrastructure, which only deals with terrorist attacks.
Ten sectors would be covered by the new directive: energy, transport, banking services, financial market infrastructure, health, drinking water, waste water, digital infrastructure, public administration and space.
In concrete terms, each Member State will be required to put in place a national strategy to ensure the resilience of critical entities and will have to carry out regular risk assessments.
The critical entities concerned would also have to carry out their own risk assessments, report the problems identified to the public authorities, and adopt technical and organisational measures to address them, although the Directive does not specify what kind of measures.
A Critical Entity Resilience Group bringing together Member States and the Commission will then assess national strategies and facilitate cooperation and exchange of good practice.
Member States should also ensure that national authorities have the powers and means to carry out on-site inspections. They should also provide for sanctions in case of non-compliance with national strategies, but the Directive does not specify the type of sanctions.
Link to the directive: https://bit.ly/2Wk7SQx (Original version in French by Solenn Paulic)