Executive Order on European Critical Infrastructure in the Rail Sector (EPCIP)

Original Language Title: Bekendtgørelse om europæisk kritisk infrastruktur på jernbaneområdet (EPCIP-direktivet)

Notice on European critical infrastructure in the rail sector (EPCIP) 1)

Pursuant to § 8 (d) (5) and § 26 (1), 1st sentence, of the law on rail, cf. Consolidated Act (lovbekendtgørelse) No. 1249 of 11 November 2010, the following is laid down in accordance with the authorisation granted pursuant to § 24 (h) (1):

§ 1. This Executive Order implements Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructure and the assessment of the need to protect it better (i.e. the provisions of the directive relating to European critical infrastructure in the rail sector).

(2). The directive is attached as annex 1 to the Decree.

§ 2. Member States' competences in the rail sector under Directive 2008/114/EC are exercised by public transport.

§ 3. The notice shall enter into force on 10 June. January 2011.

The Traffic Agency, 14 December 2010

Carley H/L k



Annex 1

COUNCIL DIRECTIVE 2008/114/EC

of 8 December 2008

on the identification and designation of European critical infrastructure and the assessment of the need to protect it better

(Text with EEA relevance)

THE COUNCIL OF THE EUROPEAN UNION —

having regard to the Treaty establishing the European Community, and in particular Article 308,

having regard to the proposal from the Commission,

having regard to the opinion of the European Parliament 1),

having regard to the opinion of the European Central Bank 2), and

on the basis of the following considerations:

(1) In June 2004 the European Council asked for the formulation of an overall strategy for the protection of critical infrastructure. In response, the Commission adopted on 20 October 2004 a communication on critical infrastructure protection in the fight against terrorism, which contains proposals for how the EU can improve the prevention of, preparedness for and response to terrorist attacks that affect critical infrastructures.

(2) On 17 November 2005 the Commission adopted a green paper on a European programme for critical infrastructure protection, setting out policy options for establishing the programme and a critical infrastructure warning information network. The responses to the Green Paper stressed the added value of a Community framework for the protection of critical infrastructure. It was confirmed that there is a need to increase the capability to protect critical infrastructure in the EU and to reduce the vulnerability of critical infrastructure. The importance of the fundamental principles of subsidiarity, proportionality and complementarity, as well as dialogue with those affected, was highlighted.

(3) In December 2005 the Justice and Home Affairs (JHA) Council invited the Commission to propose a European Programme for Critical Infrastructure Protection (EPCIP) and decided that it should cover all kinds of dangers, but should pay particular attention to terrorist threats. Man-made and technological threats and natural disasters should be taken into account in the protection of critical infrastructure, but the threat of terrorism should be given first priority.

(4) In April 2007 the Council adopted conclusions on the EPCIP in which it reiterated that Member States have the ultimate responsibility for managing arrangements for the protection of critical infrastructures within their national borders, while at the same time welcoming the Commission's efforts to develop a European procedure for the identification and designation of European critical infrastructure and the assessment of the need to protect it better.

(5) This directive is the first step in a step-by-step approach to identifying and designating ECIs and assessing the need to protect them better. As such, the directive concentrates on the transport and energy sectors and will be reviewed in order to assess its impact and the need to expand its scope to include other sectors, inter alia the information and communication technology (ICT) sector.

(6) The primary and ultimate responsibility for protecting European critical infrastructure lies with the Member States and the owners/operators of the infrastructure concerned.

(7) There are a certain number of critical infrastructures in the Community, the disruption or destruction of which would have a significant impact across borders. This may, for example, take the form of consequences across borders and sectors resulting from the interdependence of interconnected infrastructures. These European critical infrastructures should be identified and designated by means of a common procedure. The evaluation of security requirements for such infrastructures should be governed by a common minimum approach. Bilateral cooperation schemes between Member States in the field of critical infrastructure protection constitute a well-established and effective means of addressing the problems of critical infrastructures that cross borders. EPCIP should build on such cooperation. Information relating to the designation of a particular infrastructure as an ECI should be classified at an appropriate level of security in accordance with the existing legislation in the Community and in the Member States.

(8) Since various sectors have particular experience, expertise and specific requirements with regard to critical infrastructure protection, a Community approach to the protection of critical infrastructure should be developed and implemented taking into account sector characteristics and existing sector-based measures, including those already existing at Community, national or regional level, and, where relevant, agreements already concluded between owners/operators of critical infrastructure on mutual assistance across borders. Since the private sector plays a very significant role in supervision and risk management, business continuity planning and post-disaster recovery, the Community strategy should promote the full involvement of the private sector.

(9) With regard to the energy sector, and in particular the methods of production and transmission of electricity (for electricity supply), it is understood that electricity generation may, where appropriate, include the electricity transmission parts of nuclear power plants, without including the specifically nuclear elements covered by relevant nuclear legislation, including nuclear treaties and Community law.

(10) This directive complements existing sectoral measures at Community level and in the Member States. Where Community mechanisms are already in place, they should continue to be used, and they will help to ensure the overall implementation of this directive. Overlap or inconsistency between different acts or provisions should be avoided.

(11) Operator security plans (OSPs) or similar measures, which include the identification of important assets, a risk assessment and the identification, selection and prioritisation of counter-measures and procedures, should be in place for all designated ECIs. In order to avoid unnecessary work and duplication, each Member State should first assess whether the owners/operators of designated ECIs possess relevant OSPs or similar measures. If there are no such plans, each Member State should ensure the implementation of appropriate measures. Each Member State can decide for itself on the most appropriate approach to establishing OSPs.

(12) Measures, principles and guidelines, including Community measures, as well as bilateral and/or multilateral cooperation schemes, that provide for a plan similar or equivalent to an OSP or provide for a security liaison officer or equivalent should be deemed to meet the requirements of this directive concerning an OSP and a security liaison officer respectively.

(13) Security liaison officers should be appointed for all designated ECIs in order to facilitate cooperation and communication with the relevant national critical infrastructure protection authorities. In order to avoid unnecessary work and duplication, each Member State should first assess whether the owners/operators of designated ECIs already have a security liaison officer or equivalent. If such a security liaison officer does not exist, each Member State should ensure the implementation of appropriate measures. Each Member State can decide for itself on the most appropriate approach to the designation of security liaison officers.


(14) The efficient identification of risks, threats and vulnerabilities in the particular sectors requires communication both between owners/operators of European critical infrastructure and the Member States and between Member States and the Commission. Each Member State should collect information concerning European critical infrastructure located on its territory. The Commission should receive generic information from the Member States concerning risks, threats and vulnerabilities in the sectors where ECIs were identified, including relevant information on possible improvements in the ECIs and on cross-sector dependencies, which may form the basis for specific proposals to improve the protection of European critical infrastructure where necessary.

(15) In order to make it easier to improve the protection of European critical infrastructures, a common methodology may be developed for the identification and classification of risks, threats and vulnerabilities in the context of infrastructure.

(16) Owners/operators of European critical infrastructure should be given access, primarily through the relevant Member State authorities, to best practices and methodologies with regard to the protection of critical infrastructure.

(17) The effective protection of ECIs requires communication, coordination and cooperation at national and Community level. This is best accomplished by designating contact points for European critical infrastructure protection (CIP, Critical Infrastructure Protection) in each Member State, which should coordinate issues relating to the protection of European critical infrastructure internally, as well as with other Member States and the Commission.

(18) In order to develop activities related to the protection of European critical infrastructure in areas which require a degree of confidentiality, it is appropriate to ensure a coherent and secure exchange of information within the framework of this directive. It is important that the rules on confidentiality pursuant to the applicable national law or Regulation (EC) No 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public access to European Parliament, Council and Commission documents 3) are observed with regard to specific data on critical infrastructure which could be used to plan and act with a view to causing unacceptable consequences for infrastructure. Classified information should be protected in accordance with the relevant Community legislation and legislation in the Member States. Each Member State and the Commission should respect the security classification given to a document by its originator.

(19) information sharing in respect of European critical infrastructure should take place in an atmosphere of trust and security. Information sharing requires relationships built on trust, so that companies and organisations know that their sensitive and confidential information is protected adequately.

(20) Since the objectives of this directive, namely the introduction of a procedure for the identification and designation of European critical infrastructure and a common approach to the assessment of the need to improve the protection of such infrastructures, cannot be sufficiently achieved by the Member States and can therefore, by reason of the scale of the measures, be better achieved at Community level, the Community may adopt measures in accordance with the principle of subsidiarity, cf. Article 5 of the Treaty. In accordance with the principle of proportionality, cf. that Article, this directive does not go beyond what is necessary to achieve those objectives.

(21) This directive respects the fundamental rights and observes the principles recognised in particular by the Charter of Fundamental Rights of the European Union,

HAS ADOPTED THIS DIRECTIVE:

Article 1

Scope

This directive lays down a procedure for the identification and designation of European critical infrastructure and a common approach to the assessment of the need to protect this type of infrastructure in order to contribute to the protection of people.

Article 2

Definitions

For the purposes of this directive:

(a) 'critical infrastructure' means assets, systems or parts thereof which are located in the Member States and which are essential for the maintenance of vital societal functions and of human health, safety and economic or social welfare, and whose disruption or destruction would substantially affect a Member State because those functions could not be sustained;

(b) 'ECI' means critical infrastructure located in Member States whose disruption or destruction would have a significant impact on two or more Member States. The significance of the impact shall be assessed by means of the cross-cutting criteria. This also includes consequences resulting from cross-sector dependencies on other types of infrastructure;

(c) 'risk analysis' means consideration of relevant threat scenarios in order to assess the vulnerability and the potential consequences of disruption or destruction of critical infrastructure;

(d) 'sensitive information relating to the protection of critical infrastructure' means data about critical infrastructure which, if made public, could be used to plan and act with a view to causing disruption or destruction of critical infrastructure installations;

(e) 'protection' means all activities aimed at securing the functionality, continuity and integrity of critical infrastructure in order to deter, mitigate and neutralise a threat, risk or vulnerability;

(f) 'owners/operators of European critical infrastructure' means entities responsible for investments in, or the day-to-day operation of, a particular asset, system or part thereof designated as an ECI pursuant to this directive.

Article 3

Identification of European critical infrastructure

1. Each Member State shall, in accordance with the procedure set out in Annex III, identify the potential ECIs which both satisfy the cross-cutting and sectoral criteria and meet the definitions given in Article 2(a) and (b).

The Commission may, at the request of the Member States, assist them in identifying potential ECIs. The Commission may draw the attention of the relevant Member States to the existence of potential critical infrastructures which may be deemed to meet the requirements for designation as an ECI.

Each Member State and the Commission shall continue the process of identifying potential ECIs on an ongoing basis.

2. The cross-cutting criteria comprise the following:

(a) the criterion concerning casualties (an assessment of the potential number of fatalities or injuries);

(b) the criterion concerning the economic impact (an assessment of the size of the financial loss and/or degradation of products or services, including potential environmental consequences);

(c) the criterion concerning the general consequences (an assessment of the consequences in terms of public confidence, physical suffering and disruption of daily life, including the loss of essential services).

Threshold values for the cross-cutting criteria shall be based on the seriousness of the consequences of the disruption or destruction of a particular infrastructure. The precise thresholds applicable to the cross-cutting criteria shall be determined in each case by the Member States concerned by a particular critical infrastructure. Each Member State shall inform the Commission annually of the number of infrastructures per sector for which thresholds for the cross-cutting criteria have been discussed.

The sectoral criteria shall take account of the particular characteristics of the individual ECI sectors.

The Commission shall, together with the Member States, draw up guidelines on the application of the cross-cutting and sectoral criteria and approximate thresholds to be used for the identification of European critical infrastructure. The criteria shall be classified. Member States are free to choose whether to apply such guidelines.

3. The sectors in which this directive is to be implemented are the energy and transport sectors. The subsectors are specified in Annex I.

In the context of the review of this directive, cf. Article 11, further sectors in which this directive is to be implemented may be designated if deemed appropriate. The information and communication technology (ICT) sector shall be given first priority.

Article 4

Designation of European critical infrastructure

1. Each Member State shall inform the other Member States which may be significantly affected by a potential ECI about its identity and the reasons for designating it as a potential European critical infrastructure.

2. Each Member State on whose territory a potential ECI is located shall initiate bilateral and/or multilateral discussions with the other Member States which may be significantly affected by the potential ECI. The Commission may participate in these discussions, but shall not have access to detailed information which would allow for an unambiguous identification of a specific infrastructure.

A Member State which has reason to believe that it may be significantly affected by a potential ECI which has not, however, been identified as such by the Member State on whose territory the potential ECI is located may inform the Commission of its wish to enter into bilateral and/or multilateral discussions on this issue. The Commission shall immediately inform the Member State on whose territory the potential ECI is located of this wish and shall endeavour to facilitate an agreement between the parties.

3. The Member State on whose territory a potential ECI is located shall designate it as an ECI on the basis of an agreement between that Member State and those Member States that may be significantly affected.

The acceptance of the Member State on whose territory the infrastructure to be designated as an ECI is located shall be required.

4. The Member State on whose territory a designated ECI is located shall inform the Commission annually of the number of designated ECIs per sector and the number of Member States that are dependent on each designated ECI. Only those Member States which may be significantly affected by an ECI shall be made aware of its identity.

5. The Member State on whose territory the ECI is located shall inform the owner/operator of the infrastructure of its designation as an ECI. Information about the designation of an infrastructure as an ECI shall be classified at an appropriate level of security.

6. The process of identification and designation of European critical infrastructure, cf. Article 3 and this article, shall be completed no later than 12 January 2011 and shall be regularly reviewed.

Article 5

Operator security plans (OSPs)

1. The operator security plan (OSP) procedure shall identify the critical infrastructure assets of the European critical infrastructure and which security solutions exist or are being implemented in order to protect them. Annex II sets out what an OSP procedure should cover as a minimum.

2. Each Member State shall check that every designated European critical infrastructure located on its territory has an OSP or has implemented equivalent measures covering the points listed in Annex II. If a Member State finds that such an OSP or equivalent is in place and is regularly updated, no further implementation action is necessary.

3. If a Member State finds that such an OSP or equivalent has not been prepared, it shall ensure by means of appropriate measures that the OSP or equivalent is drawn up and covers the points set out in Annex II. Each Member State shall ensure that the OSP or equivalent is in place and regularly reviewed no later than one year after the critical infrastructure has been designated as an ECI. This period may be extended in exceptional circumstances, by agreement with the Member State's authority, and the Commission shall be informed accordingly.

4. If supervisory or monitoring arrangements already exist in respect of European critical infrastructures, those arrangements are not affected by this article, and the relevant Member State authority referred to in this article shall be the supervisor under those existing arrangements.

5. Compliance with measures, including Community measures, which in a particular sector require, or refer to a need to have, a plan similar or equivalent to an OSP, together with oversight of such a plan by the relevant authority, shall be deemed to satisfy all Member States' requirements in, or adopted pursuant to, this article. The guidelines for application referred to in Article 3(2) shall contain an indicative list of such measures.

Article 6

Security liaison officers

1. The security liaison officer serves as the point of contact for security-related issues between the owner/operator of the European critical infrastructure and the relevant Member State authority.

2. Each Member State shall check that every designated European critical infrastructure located on its territory has a security liaison officer or equivalent. If a Member State finds that such a security liaison officer or equivalent is in place, no further implementation action is necessary.

3. If a Member State finds that there is no such security liaison officer or equivalent in relation to a designated ECI, it shall ensure by means of appropriate measures that such a security liaison officer or equivalent is appointed.

4. Each Member State shall establish an appropriate communication mechanism between the relevant Member State authority and the security liaison officer or equivalent with a view to exchanging relevant information concerning identified risks and threats in relation to the European critical infrastructure concerned. This communication mechanism shall be without prejudice to national requirements concerning access to sensitive and classified information.

5. Compliance with measures, including Community measures, which in a particular sector require, or refer to a need to have, a security liaison officer or equivalent shall be deemed to satisfy all Member States' requirements in, or adopted pursuant to, this article. The guidelines for application referred to in Article 3(2) shall contain an indicative list of such measures.

Article 7

Reporting

1. Each Member State shall conduct a threat assessment in relation to the ECI subsectors within one year after the critical infrastructure on its territory has been designated as an ECI within those sub-sectors.

2. Each Member State shall report to the Commission every two years brief general information about the types of risks, threats and vulnerabilities found per ECI sector in which an ECI has been designated in accordance with Article 4 and is located on its territory. The Commission may, in cooperation with the Member States, design a common template for these reports. Each report shall be classified at the appropriate level deemed necessary by the originating Member State.

3. On the basis of the reports referred to in paragraph 2, the Commission and the Member States shall assess on a sectoral basis whether further protection measures should be considered at Community level for European critical infrastructure. This procedure shall be carried out in the context of the review of this directive, cf. Article 11.

4. The Commission may, in cooperation with the Member States, develop common methodological guidelines for carrying out risk analyses of European critical infrastructure. Member States are free to choose whether or not to use such guidelines.

Article 8

Support from the Commission to the European critical infrastructure

The Commission will support, through the relevant Member State authority, owners/operators of designated European critical infrastructures by giving them access to best practices and methodologies as well as through training and exchange of information on new technical developments related to critical infrastructure protection.

Article 9

Sensitive European critical infrastructure protection-related information

1. Any person who handles confidential information pursuant to this directive on behalf of a Member State or the Commission must be security cleared at an appropriate level. Member States, the Commission and the relevant regulatory authorities shall ensure that sensitive European critical infrastructure protection-related information provided to the Member States or the Commission is not used for any purpose other than the protection of critical infrastructures.

2. This article shall also apply to non-written information exchanged during meetings at which sensitive topics are discussed.

Article 10

Contact points for European critical infrastructure protection

1. Each Member State shall designate a contact point for the protection of European critical infrastructure.

2. The contact point shall coordinate European critical infrastructure protection-related issues within the Member State, with other Member States and with the Commission. The designation of a contact point for the protection of European critical infrastructure shall not preclude other authorities in a Member State from being involved in issues relating to the protection of European critical infrastructure.

Article 11

Revision

This directive shall be reviewed no later than 12 January 2012.

Article 12

Implementation

Member States shall take the necessary measures to comply with this directive not later than 12 January 2011. They shall forthwith inform the Commission thereof. When Member States adopt these measures, they shall contain a reference to this directive or shall be accompanied by such a reference on their publication. The detailed rules for the reference shall be determined by the Member States.

Article 13

Entry into force

This directive shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

Article 14

Addressees


This directive is addressed to all Member States.

Done at Brussels, 8 December 2008.

On behalf of the Council

B. KOUCHNER

President

Annex I

List of ECI sectors

| Sector | Sub-sector |
|---|---|
| I Energy | 1. Electricity: Infrastructure and installations for electricity production and transmission for the purpose of electricity supply |
| | 2. Oil: Production, refining, processing and storage of oil, including transport by pipeline |
| | 3. Gas: Production, refining, processing and storage of gas, including transport by pipeline; LNG terminals |
| II Transport | 4. Road transport |
| | 5. Rail transport |
| | 6. Air transport |
| | 7. Inland waterways |
| | 8. Maritime transport over long and short distances and harbours |

The identification by the Member States of critical infrastructures which may be designated as ECIs shall be carried out in accordance with Article 3.

The list of ECI sectors does not therefore in itself give rise to a general obligation to designate European critical infrastructure in each sector.



Annex II

OSP PROCEDURE

The operator security plan (OSP) identifies the critical infrastructure assets and specifies which security solutions have been implemented or are being implemented in order to protect them. The OSP procedure must cover at least the following:

1) identification of important assets;

2) a risk analysis based on serious threat scenarios, the vulnerability of each asset and the potential impact; and

3) identification, selection and prioritisation of counter-measures and procedures, with a distinction between:

- permanent security measures, which specify the security investments and means that are necessary and appropriate to use at all times. This heading includes information on general measures such as technical measures (including the installation of detectors, access control, protection and prevention means), organisational measures (including early warning procedures and crisis management), control and verification measures, communication, awareness-raising and training, as well as the security of information systems;

- graduated security measures, which can be activated depending on the risk and threat levels.



Annex III

Procedure for the identification by the Member States of critical infrastructures which may be designated as an ECI, cf. Article 3

Pursuant to Article 3, each Member State shall identify the critical infrastructures which may be designated as an ECI. This procedure shall be implemented by each Member State through the following sequential steps.

A potential ECI which does not satisfy the requirements of one of the following sequential steps is not regarded as an ECI and is excluded from the procedure. A potential ECI which complies with the definitions shall undergo the next steps in the procedure.

Step 1

Each Member State shall apply the sectoral criteria in order to make an initial selection of critical infrastructure within the sector.

Step 2

Each Member State shall apply the definition of critical infrastructure, cf. Article 2(a), to the potential European critical infrastructure identified in step 1.

The significance of the impact shall be determined either by using national methods for identifying critical infrastructure or by reference to the cross-cutting criteria at the appropriate national level. For infrastructure providing important services, account shall be taken of whether there are alternatives and of the duration of disruption/recovery.

Step 3

Each Member State shall apply the definition of ECI, cf. Article 2(b), to the potential ECI that has passed the first two steps of this procedure. A potential ECI which complies with the definition shall undergo the next step in the procedure. For infrastructure providing important services, account shall be taken of whether there are alternatives and of the duration of disruption/recovery.

Step 4

Each Member State shall apply the cross-cutting criteria to the remaining potential ECIs. The cross-cutting criteria take into account how serious the consequences are and, for infrastructure providing important services, the availability of alternatives and the duration of disruption/recovery. A potential ECI which does not satisfy the cross-cutting criteria shall not be considered an ECI.

A potential ECI which has undergone this procedure shall be communicated only to the Member States which may be significantly affected by the potential ECI.

Official notes

1) This notice implements parts of Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructure and the assessment of the need to protect it better (Official Journal L 345 of 23 December 2008, pp. 75-82).

1) Opinion of 10.7.2007 (not yet published in the Official Journal).

2) OJ C 116 of 26.5.2007, p. 1.

3) OJ L 145 of 31.5.2001, p. 43.