A pan-European plan to safeguard critical infrastructure against terrorist attacks in areas including energy, health, communication and transport was backed on 10 July 2007 by the European Parliament. However, MEPs also declared that responsibility for protecting critical infrastructure still rests primarily with national governments and private stakeholders.
The report, by centre party Alliance of Liberal Democrats for Europe (ALDE) Rapporteur Jeanine Hennis-Plasschaert MEP, concerned an EU-wide strategy to protect critical infrastructure against terrorist attacks.
The Parliament agreed that the primary responsibility for protecting critical infrastructure lies with the member states and the owners or operators. A draft Directive, tabled by the Commission in 2006, would oblige member states to identify and designate existing infrastructure as European Critical Infrastructure (ECI), according to sector-specific criteria established by national governments, the Commission and stakeholders. Once the list is ready, the directive would oblige owners and operators of the ECIs to establish an “operator security plan”, with permanent and graduated security measures in the event of a terrorist attack.
Parliament’s consultation report agrees on the need to identify what national facilities can be designated ECI and to assess their protection needs. However, a Community approach, MEPs stated, can be justified only if at least three member states agree.
This, MEPs argue, is to avoid the EU duplicating the work of member states and adding unnecessary costs and administrative burdens for owners and operators. Future common-risk assessments should always take into account existing methodologies in each country. Even when a given facility is designated as ECI, its compliance with existing protection measures might be enough to satisfy the requirement to establish and update an “operator security plan”.
Finally, the European Parliament agrees with the Commission that appropriate measures must be taken to protect sensitive and confidential information revealing the vulnerability of each piece of infrastructure. According to MEPs, the recent SWIFT case showed that critical data needs to be protected against illegal use by foreign authorities or private actors as well; therefore, all sensitive data “shall be carried out within the EU and any mirroring data shall not be allowed in third countries for reasons of security”.
Jeanine Hennis-Plasschaert said: “The protection of critical infrastructures requires communication, coordination and cooperation on a national and European level. But we should not try to manage everything on a European level. The member states and operators have the main responsibility for the protection of critical infrastructure. It is in no one’s interest to duplicate the work of member states and add unnecessary costs for owners and operators.”