Friday, June 14, 2024

EU countries lay bare Europe’s limits in securing critical infrastructure

National governments have opposed several fundamental parts of the European Commission’s plan to strengthen the resilience of critical infrastructure, according to written feedback seen by EURACTIV.

The vulnerability of the EU’s critical infrastructure came under the spotlight at the end of September following the detected leakage of two Nord Stream pipelines in the Baltic Sea, an act of deliberate sabotage that Western security agencies attributed to Russia.

A few days later, sabotage of the cables underpinning the rail services disrupted traffic in several regions in Germany, episodes which prompted a sense of urgency for EU leaders, who have since been scrambling to secure gas pipelines, undersea cables and transport networks.

On 5 October, Commission President Ursula von der Leyen presented a five-point plan to secure critical European infrastructure, which included carrying out stress tests and early implementation of the Critical Entities Resilience directive (CER).

This proposal was put on paper as a recommendation to the EU countries. While most member states expressed support for the overall initiative, there was no shortage of critical voices raised against the Commission’s draft, according to the written comments.

Scope

The main criticism of the Commission’s text is that it goes significantly beyond what was already agreed upon in the CER directive, as raised by Germany, France, Sweden and Slovenia.

“Any obligation by the Council Recommendation that goes beyond the extent of the measures specified in the CER Directive is rejected. The recommendation should only focus on bringing forward the measures set out in the CER directive, not expanding them,” Germany commented.

Similarly, France and the Netherlands reiterated that the CER directive does not cover nuclear plants.

Paris pointed out that the question of common responses to incidents related to critical infrastructure should be voluntary. Similarly, the Hague stressed that the Commission should not prioritise cross-border infrastructure, as the Commission proposed, since the decision should be left to the countries.

France and Austria consider the early implementation of the revised Networks and Information Security directive (NIS2) challenging, since it will introduce obligations on private entities that cannot be enforced without a legal basis.

Capacity

In terms of early implementation of the CER and NIS2 directives, legally due to come into effect in 2024, the Netherlands and Germany highlighted that it might not be realistic and that national authorities do what is possible.

Hungary asked the Commission for a timely release and adoption of secondary legislation related to the NIS2 and CER directives. For Croatia, strengthening national and EU critical infrastructure should be financed under the EU budget, with a new financial mechanism to support smaller member states.

Underwater infrastructure

A notable criticism from France is that the CER directive covers only terrestrial infrastructure, not maritime, whereas internet cables and gas pipelines are submarine and lie outside national territories.

Finland emphasised relying on trusted vendors for subsea cable systems. Since many of these cables are at the end of their lifecycle, substantial investments should be considered to ensure global connections.

Two weeks ago, EURACTIV revealed that the Commission is considering financing an internet cable connecting Finland to Japan via the Arctic, a project pushed by the Finnish company Cinia.

Ireland highlighted the challenges it faces in monitoring underwater infrastructure, due to the large size of its territorial waters, the fact that cables are mostly privately owned and its geographical role as a bridge between the EU and the US in data transfers.

Added value

The Commission’s response to significant infrastructure should be coordinated within the Integrated Political Crisis Response (IPCR). For Germany, it is unclear whether the IPCR should provide a platform for constant coordination or just in case of significant disruptions.

Moreover, the Commission proposed the development of a new blueprint for critical infrastructure incidents and crises to define how the IPCR would coordinate its response. By contrast, Berlin deemed it unacceptable that the Commission could unilaterally determine the cooperation between member states, considering it a decision for the Council.

France, the Netherlands, Finland, Slovakia, Austria, and Poland all requested further clarity on the blueprint, notably its added value compared to existing initiatives such as the EU Hybrid Playbook.

Information sharing

Another sensitive topic for national governments was the sharing of sensitive information. Italy, the Netherlands, Poland, Sweden, Slovakia and France all share concerns about sharing details about critical infrastructure, as it could have disastrous consequences if they were intercepted.

Paris and Bratislava expressed reluctance towards sharing information on vulnerabilities and risks related to undersea cables. Moreover, France stressed that a distinction be made between the cutting of one or two cables, which only has minor consequences, and a massive cut with severe consequences.

Stress tests

Denmark, Ireland, Poland, and the Netherlands asked the Commission to clarify what these stress tests should entail. There appears to be a consensus among member states that these stress tests should be voluntary.

5G Toolbox

The draft recommendation urged member states to implement the 5G Toolbox, an initiative designed to hit suppliers of critical assets considered high-risk, such as Huawei.

Ireland and Sweden reiterated the optional nature of the toolbox, whereas Denmark stressed that strategic diversification is needed before full implementation.

[Edited by Nathalie Weatherald]
