EUROPEAN PARLIAMENT

   2004   2009   

Session document

FINAL A6-0270/2007

2.7.2007

* REPORT

on the proposal for a Council directive on the identification and designation of European Critical Infrastructure and the assessment of the need to improve their protection (COM(2006)0787 – C6-0053/2007 – 2006/0276(CNS))

Committee on Civil Liberties, Justice and Home Affairs

Rapporteur: Jeanine Hennis-Plasschaert

RR\674990EN.doc PE 384.638v03-00 EN EN PR_CNS_art51am

Symbols for procedures

* Consultation procedure: majority of the votes cast

**I Cooperation procedure (first reading): majority of the votes cast

**II Cooperation procedure (second reading): majority of the votes cast, to approve the common position; majority of Parliament’s component Members, to reject or amend the common position

*** Assent procedure: majority of Parliament’s component Members except in cases covered by Articles 105, 107, 161 and 300 of the EC Treaty and Article 7 of the EU Treaty

***I Codecision procedure (first reading): majority of the votes cast

***II Codecision procedure (second reading): majority of the votes cast, to approve the common position; majority of Parliament’s component Members, to reject or amend the common position

***III Codecision procedure (third reading): majority of the votes cast, to approve the joint text

(The type of procedure depends on the legal basis proposed by the Commission.)

Amendments to a legislative text

In amendments by Parliament, amended text is highlighted in bold italics. Highlighting in normal italics is an indication for the relevant departments showing parts of the legislative text for which a correction is proposed, to assist preparation of the final text (for instance, obvious errors or omissions in a given language version). These suggested corrections are subject to the agreement of the departments concerned.

CONTENTS

DRAFT EUROPEAN PARLIAMENT LEGISLATIVE RESOLUTION

EXPLANATORY STATEMENT

OPINION OF THE COMMITTEE ON ECONOMIC AND MONETARY AFFAIRS

OPINION OF THE COMMITTEE ON INDUSTRY, RESEARCH AND ENERGY

OPINION OF THE COMMITTEE ON TRANSPORT AND TOURISM

PROCEDURE

DRAFT EUROPEAN PARLIAMENT LEGISLATIVE RESOLUTION

on the proposal for a Council directive on the identification and designation of European Critical Infrastructure and the assessment of the need to improve their protection (COM(2006)0787 – C6-0053/2007 – 2006/0276(CNS))

(Consultation procedure)

The European Parliament,

– having regard to the Commission proposal to the Council (COM(2006)0787),

– having regard to Article 308 of the EC Treaty, pursuant to which the Council consulted Parliament (C6-0053/2007),

– having regard to the Council Conclusions of 1-2 December 2005 on the principles for a European Programme on Critical Infrastructures,

– having regard to its recommendation of 7 June 2005 to the European Council and to the Council on the protection of critical infrastructure in the framework of the fight against terrorism¹,

– having regard to Rule 51 of its Rules of Procedure,

– having regard to the report of the Committee on Civil Liberties, Justice and Home Affairs and the opinions of the Committee on Economic and Monetary Affairs, the Committee on Industry, Research and Energy and the Committee on Transport and Tourism (A6-0270/2007),

1. Approves the Commission proposal as amended;

2. Calls on the Commission to alter its proposal accordingly, pursuant to Article 250(2) of the EC Treaty;

3. Calls on the Council to notify Parliament if it intends to depart from the text approved by Parliament;

4. Calls for initiation of the conciliation procedure under the Joint Declaration of 4 March 1975 if the Council intends to depart from the text approved by Parliament;

5. Asks the Council to consult Parliament again if it intends to amend the Commission proposal substantially;

6. Instructs its President to forward its position to the Council and Commission.

¹ OJ C 124 E, 25.5.2006, p. 250.

Text proposed by the Commission / Amendments by Parliament

Amendment 1 Title

Text proposed by the Commission:

Proposal for a directive of the Council on the identification and designation of European Critical Infrastructure and the assessment of the need to improve their protection

Amendment by Parliament:

Proposal for a directive of the Council on the identification and designation of priority sectors with European Critical Infrastructure and the assessment of the need to improve their protection

Justification

Member States should not be required to notify their specific critical infrastructure to the Commission since this would run counter to national security interests. A European list of critical infrastructure should not be produced in this aggregated form.

Amendment 2 Recital 2

Text proposed by the Commission:

(2) On 17 November 2005 the Commission adopted a Green Paper on a European Programme for Critical Infrastructure Protection which provided policy options on the establishment of the programme and the Critical Infrastructure Warning Information Network (CIWIN). The responses received to the Green Paper clearly showed the need to set up a Community framework concerning critical infrastructure protection. The need to increase the critical infrastructure protection capability in Europe and to help reduce vulnerabilities concerning critical infrastructures was acknowledged. The importance of the principle of subsidiarity and of stakeholder dialogue was emphasised.

Amendment by Parliament:

(2) On 17 November 2005 the Commission adopted a Green Paper on a European Programme for Critical Infrastructure Protection which provided policy options on the establishment of the programme and the Critical Infrastructure Warning Information Network (CIWIN). The responses received to the Green Paper underlined the possible added value of a Community framework concerning critical infrastructure protection. The need to increase the critical infrastructure protection capability in Europe and to help reduce vulnerabilities concerning critical infrastructures was acknowledged. The importance of the key principles of subsidiarity, proportionality and complementarity as well as of stakeholder dialogue was emphasised.

Justification

More in line with reality.

Amendment 3 Recital 3

Text proposed by the Commission:

(3) In December 2005 the Justice and Home Affairs Council called upon the Commission to make a proposal for a European Programme for Critical Infrastructure Protection (EPCIP) and decided that it should be based on an all-hazards approach while countering threats from terrorism as a priority. Under this approach, manmade, technological threats and natural disasters should be taken into account in the critical infrastructure protection process, but the threat of terrorism should be given priority. If the level of protection measures against a particular high level threat is found to be adequate in a critical infrastructure sector, stakeholders should concentrate on other threats to which they are still vulnerable.

Amendment by Parliament:

(3) In December 2005 the Justice and Home Affairs Council called upon the Commission to make a proposal for a European Programme for Critical Infrastructure Protection (EPCIP) and decided that it should be based on an all-hazards approach while countering threats from terrorism as a priority. Under this approach, manmade, technological threats and natural disasters should be taken into account in the critical infrastructure protection process, while structurally determined threats must also be recorded. The threat of terrorism should, however, be given priority.

Amendment 4 Recital 4

Text proposed by the Commission:

(4) The primary responsibility for protecting critical infrastructures currently falls on the Member States and the owners/operators of critical infrastructures. This should not change.

Amendment by Parliament:

(4) The primary and ultimate responsibility for protecting critical infrastructures falls on the Member States and the owners/operators of critical infrastructures. Bearing in mind that national services know best what is happening in their countries, a bottom-up approach towards European Critical Infrastructure (ECI) should therefore be taken.

Justification

It must be clear that the primary and ultimate responsibility falls on the MS. The Community approach should not duplicate the work of the Member States.

Amendment 5 Recital 4 a (new)

(4a) The protection of critical infrastructure is of vital significance for internal security in the EU and for the well-being of its citizens. In the final analysis, destroying or disrupting certain infrastructure can wreck human lives, the environment and economic assets as well as cause lasting damage to public confidence in State protection and care.

Justification

The effects of destroying or disrupting certain infrastructure must be emphasised. In the final analysis, it is only the possible consequences and/or the avoidance of these consequences that justify the measures contained in the draft directive.

Amendment 6 Recital 5

Text proposed by the Commission:

There are a certain number of critical infrastructures in the Community, the disruption or destruction of which would affect two or more Member States or a Member State other than that in which the critical infrastructure is located. This may include transboundary cross-sector effects resulting from interdependencies between interconnected infrastructure. Such European critical infrastructures should be identified and designated by means of a common procedure. The need to improve the protection of such critical infrastructures should be assessed under a common framework. Bilateral schemes for cooperation between Member States in the field of critical infrastructure protection constitute a well established and efficient means of dealing with transboundary critical infrastructure. EPCIP should build on such cooperation.

Amendment by Parliament:

(5) There are a number of critical infrastructures in the Community, the disruption of which would affect three or more Member States or at least two other Member States other than that in which the critical infrastructure is located. This may include transboundary cross-sector effects resulting from interdependencies between interconnected infrastructure. Such European critical infrastructure should be identified by means of a common procedure. On the basis of common criteria a list of priority sectors with European critical infrastructure should be drawn up. A common action framework should be laid down for the protection of such European critical infrastructures that puts Member States in a position to reduce the potential danger to critical infrastructure on their territory by taking appropriate measures. Bilateral schemes for cooperation between Member States in the field of critical infrastructure protection constitute a well established and efficient means of dealing with transboundary critical infrastructure. EPCIP should build on such cooperation.

Amendment 7 Recital 5 a (new)

(5a) A series of measures governing the identification, designation and protection of critical infrastructures already exists for some sectors. Any future Community-wide regulation should not result in duplicate regulation in these sectors in the absence of added security.

Amendment 8 Recital 6

Text proposed by the Commission:

(6) Since various sectors have particular experience, expertise and requirements concerning critical infrastructure protection, a Community approach to critical infrastructure protection should be developed and implemented taking into account sector specificities and existing sector based measures including those already existing at EU, national or regional level, and where relevant cross-border mutual aid agreements between owners/operators of critical infrastructure already in place. Given the very significant private sector involvement in overseeing and managing risks, business continuity planning and post-disaster recovery, a Community approach will need to encourage full private sector involvement. The establishment of a common list of critical infrastructure sectors is necessary in order to facilitate the implementation of the sector-by-sector approach to critical infrastructure protection.

Amendment by Parliament:

(6) Since various sectors have particular experience, expertise and requirements concerning critical infrastructure protection, a Community approach to critical infrastructure protection should be developed and implemented taking into account sector specificities and existing sector based measures including those already existing at EU, national or regional level, and where relevant cross-border mutual aid agreements between owners/operators of critical infrastructure already in place. Given the very significant private sector involvement in overseeing and managing risks, business continuity planning and post-disaster recovery, a Community approach should ensure full private sector involvement. The establishment of a common list of critical infrastructure sectors is necessary in order to facilitate the implementation of the sector-by-sector approach to European critical infrastructure protection.

Justification

As most critical infrastructure is privately owned and operated, the EU approach should fully involve the private sector and be built on existing sector-based protection measures, taking into account sector characteristics.

Amendment 9 Recital 6 a (new)

(6a) Critical infrastructure should be designed in a way that minimises any links with and localisation in third countries. The localisation of elements of critical infrastructures outside the European Union increases the risk of terrorist attacks with spill-over effects on the whole infrastructure, access by terrorists to data stored outside the European Union, as well as risks of non-compliance with Community legislation, thus rendering the entire infrastructure more vulnerable.

Justification

The recent SWIFT case showed that critical data needs to be protected against illegal use by foreign authorities or private actors.

Amendment 10 Recital 7

Text proposed by the Commission:

(7) Each owner/operator of European critical infrastructure should establish an Operator Security Plan identifying critical assets and laying down relevant security solutions for their protection. The Operator Security Plan should take into account vulnerability, threat and risk assessments, as well as other relevant information provided by Member State authorities.

Amendment by Parliament:

(7) Each owner/operator of European critical infrastructure should establish an Operator Security Plan identifying critical assets and laying down relevant security solutions for their protection. The Operator Security Plan should take into account vulnerability, threat and risk assessments, as well as other relevant information provided by Member State authorities. These Operator Security Plans should be forwarded to the CIP Contact Point in the Member States. Compliance with existing sector-based protection measures could satisfy the requirement to establish and update an Operator Security Plan.

Amendment 11 Recital 8

Text proposed by the Commission:

(8) Each owner/operator of European critical infrastructure should designate a Security Liaison Officer in order to facilitate cooperation and communication with relevant national critical infrastructure protection authorities.

Amendment by Parliament:

(8) Each owner/operator of European critical infrastructure should designate a Security Liaison Officer in order to facilitate cooperation and communication with relevant national critical infrastructure protection authorities. Compliance with existing sector-based protection measures could satisfy the requirement to designate a Security Liaison Officer.

Justification

The Community approach should be built on existing sector-based protection measures, taking into account sector characteristics. Contradictions or duplications should be avoided at all costs.

Amendment 12 Recital 10

Text proposed by the Commission:

(10) In order to facilitate improvements in the protection of European critical infrastructures, common methodologies should be developed for the identification and classification of vulnerabilities, threats and risks to infrastructure assets.

Amendment by Parliament:

(10) In order to facilitate improvements in the protection of European critical infrastructures, common methodologies should be developed and implemented for the identification and classification of threats and risks to, and structural vulnerabilities affecting infrastructure assets.

Justification

Need to be more specific.

Amendment 13 Recital 11

Text proposed by the Commission:

(11) Only a common framework can provide the necessary basis for a coherent implementation of measures to protect European critical infrastructure and clearly define the respective responsibilities of all relevant stakeholders. Owners/operators of European critical infrastructure should be given access to best practices and methodologies concerning critical infrastructure protection.

Amendment by Parliament:

(11) By defining the respective responsibilities of all relevant stakeholders a common framework can provide the necessary basis for a coherent implementation of measures to protect European critical infrastructure. Member States and Owners/operators of European critical infrastructure should be given access to best practices and methodologies concerning critical infrastructure protection.

Justification

Wording of original recital is too strong.

Amendment 14 Recital 12

Text proposed by the Commission:

(12) Effective protection of critical infrastructure requires communication, coordination, and cooperation at national and Community levels. This is best achieved through the nomination of CIP Contact Points in each Member State, which should coordinate CIP issues internally, as well as with other Member States and the Commission.

Amendment by Parliament:

(12) Effective protection of European critical infrastructure requires communication, coordination, and cooperation at national and Community levels. This is best achieved through the nomination of ECIP Contact Points in each Member State, which should coordinate CIP issues internally, as well as with other Member States and the Commission.

Amendment 15 Recital 13

Text proposed by the Commission:

(13) In order to develop Critical Infrastructure Protection activities in areas which require a degree of confidentiality, it is appropriate to ensure a coherent and secure information exchange in the framework of this Directive. Certain Critical Infrastructure Protection information is of such nature that its disclosure would undermine the protection of the public interest as regards public security. Specific facts about a critical infrastructure asset, which could be used to plan and act with a view to causing unacceptable consequences for critical infrastructure installations should be classified and access granted only on a need-to-know basis, both at Community level and at Member State level.

Amendment by Parliament:

(13) In order to develop European Critical Infrastructure Protection activities in areas which require a degree of confidentiality, it is appropriate to ensure a coherent and secure information exchange in the framework of this Directive. Certain European Critical Infrastructure Protection information is of such nature that its disclosure would undermine the protection of the public interest as regards public security. Specific facts about a critical infrastructure asset, which could be used to plan and act with a view to causing unacceptable consequences for critical infrastructure installations should be classified and access granted only on a need-to-know basis, both at Community level and at Member State level.

Amendment 16 Recital 14

Text proposed by the Commission:

(14) Information sharing regarding Critical Infrastructure should take place in an environment of trust and security. The sharing of information requires a relationship of trust such that companies and organisations know that their sensitive data will be sufficiently protected. To encourage information sharing, it should be clear for the industry that the benefits of providing Critical Infrastructure related information outweigh the costs for the industry and society in general. Critical Infrastructure Protection information exchange should therefore be encouraged.

Amendment by Parliament:

(14) Information sharing regarding European Critical Infrastructure should take place in an environment of trust and security. The sharing of information requires a relationship of trust such that companies and organisations know that their sensitive data will be sufficiently protected.

Justification

Not appropriate.

Amendment 17 Recital 15

Text proposed by the Commission:

(15) This Directive complements existing sectoral measures at Community level and in the Member States. Where Community mechanisms are already in place, they should continue to be used and will contribute to the overall implementation of this Directive.

Amendment by Parliament:

(15) This Directive complements existing sectoral measures at Community level and in the Member States. Where Community mechanisms and legislation are already in place, they should be implemented and applied so as to contribute to the improvement of public safety. In so doing, overlaps and contradictions with this Directive and the imposition of additional costs without an additional gain in security are to be avoided.

Justification

This is not just about implementation of the directive. Rather, the aim must be to make a contribution to public safety. The additional passage about avoiding overlapping and contradictions is intended to ensure that the rules have the desired effect. A consistent and efficient system that is not at cross-purposes with itself is therefore essential. Furthermore, needless bureaucratic burdens with no gain in security are to be avoided.

Amendment 18 Recital 17

Text proposed by the Commission:

(17) Since the objectives of this Directive, namely the creation of a procedure for the identification and designation of European Critical Infrastructures, and a common approach to the assessment of the needs to improve the protection of such infrastructures, cannot be sufficiently achieved by the Member States and can therefore, by reason of the scale of the action, be better achieved at Community level, the Community may adopt measures in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty. In accordance with the principle of proportionality, as set out in that Article, this Directive does not go beyond what is necessary in order to achieve those objectives.

Amendment by Parliament:

(17) Since the objectives of this Directive, namely the creation of a procedure for the identification and designation of priority sectors with European Critical Infrastructures, and a common approach to the assessment of the needs to improve the protection of such infrastructures, cannot in all cases be sufficiently achieved by the Member States and can therefore, by reason of the scale of the action, be better achieved at Community level, the Community may adopt measures in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty. In accordance with the principle of proportionality, as set out in that Article, this Directive does not go beyond what is necessary in order to achieve those objectives. As regards proportionality, particular attention should be paid to financial acceptability for owners or operators and for the Member States.

Amendment 19 Article 1

Text proposed by the Commission:

This directive establishes a procedure for the identification and designation of European Critical Infrastructures, and a common approach to the assessment of the needs to improve the protection of such infrastructures.

Amendment by Parliament:

This directive establishes a procedure for the identification and designation of priority sectors with European Critical Infrastructures, and a common approach to the assessment of the needs to improve the protection of such infrastructures.

Justification

Member States should not be required to notify their specific critical infrastructure to the Commission since this would run counter to national security interests. A European list of critical infrastructure should not be produced in this aggregated form.

Amendment 20 Article 2, point (b)

Text proposed by the Commission:

b) “European Critical Infrastructure” means critical infrastructures the disruption or destruction of which would significantly affect two or more Member States, or a single Member State if the critical infrastructure is located in another Member State. This includes effects resulting from cross-sector dependencies on other types of infrastructure;

Amendment by Parliament:

b) “European Critical Infrastructure” means critical infrastructures the disruption or destruction of which would significantly affect three or more Member States, or at least two Member States if the critical infrastructure is located in another Member State. This includes effects resulting from cross-sector dependencies on other types of infrastructure;

Justification

A European approach is justified if at least three Member States would be affected or at least two Member States other than that in which the critical infrastructure is located.

Amendment 21 Article 2, point (d)

Text proposed by the Commission:

d) “vulnerability” means a characteristic of an element of the critical infrastructure's design, implementation, or operation that renders it susceptible to disruption or destruction by a threat and includes dependencies on other types of infrastructure;

Amendment by Parliament:

d) “structural vulnerability” means a characteristic of an element of the critical infrastructure's design, implementation, or operation that renders it susceptible to disruption or destruction by a threat and includes dependencies on other types of infrastructure;

(This amendment applies throughout the legislative text and its adoption would necessitate technical adjustments throughout the entire text.)

Justification

Necessary clarification.

Amendment 22 Article 3, paragraph 1

Text proposed by the Commission:

1. The cross-cutting and sectoral criteria to be used to identify European Critical Infrastructures shall be adopted in accordance with the procedure referred to in Article 11(3). They may be amended in accordance with the procedure referred to in Article 11(3).

The cross-cutting criteria having a horizontal application to all critical infrastructure sectors shall be developed taking into account the severity of the effect of the disruption or destruction of a particular infrastructure. They shall be adopted by [one year after the entry into force of this Directive] at the latest.

The sectoral criteria shall be developed for priority sectors while taking into account the characteristics of individual critical infrastructure sectors and involving, as appropriate, relevant stakeholders. They shall be adopted for each priority sector at the latest one year following the designation as a priority sector.

Amendment by Parliament:

1. The cross-cutting and sectoral criteria to be used to identify European Critical Infrastructures shall be built on existing protection criteria and be adopted and amended in accordance with Article 308 of the EC Treaty and Article 203 of the Euratom Treaty.

The cross-cutting criteria having a horizontal application to all European Critical Infrastructure sectors shall be developed taking into account the severity of the effect of the disruption or destruction of a particular infrastructure. They shall be adopted by [one year after the entry into force of this Directive] at the latest.

The sectoral criteria shall be developed for priority sectors and be built on existing sector-based protection measures taking into account the characteristics of individual critical infrastructure sectors, and involving all relevant stakeholders as sectors possess particular experience, expertise and requirements concerning the protection of their critical infrastructure. They shall be adopted for each priority sector at the latest one year following the designation as a priority sector.

Where Community mechanisms are already in place, they shall continue to be used. Duplications of, or contradictions between, different acts or provisions shall be avoided at all costs.

Amendment 23 Article 3 paragraph 2

Text proposed by the Commission:

2. The priority sectors to be used for the purposes of developing the criteria provided for in paragraph 1 shall be identified by the Commission on an annual basis from among those listed in Annex I.

Annex I may be amended in accordance with the procedure referred to in Article 11(3) in so far as this does not broaden the scope of this Directive.

Amendment by Parliament:

deleted

Justification

The Commission proposal makes no provision for Member States to influence the selection of the priority sectors. However, since Member States bear ultimate responsibility for the protection of critical infrastructure they should be the ones to select the priority sectors. They are the better judges of which sectors are of significance for their countries.

Amendment 24 Article 3, paragraph 3

Text proposed by the Commission:

3. Each Member State shall identify the critical infrastructures located within its territory as well as critical infrastructures outside its territory that may have an impact on it, which satisfy the criteria adopted pursuant to paragraphs 1 and 2.

Each Member State shall notify the Commission of the critical infrastructures thus identified at the latest one year after the adoption of the relevant criteria and thereafter on an ongoing basis.

Amendment by Parliament:

3. Each Member State shall identify the possible European Critical Infrastructures located within its territory as well as possible European Critical Infrastructures outside its territory that may have an impact on it, which satisfy the criteria adopted pursuant to paragraphs 1 and 2, at the latest one year after the adoption of relevant criteria and thereafter on an ongoing basis.

Amendment 25 Article 4, Title

Text proposed by the Commission:

Designation of European Critical Infrastructure

Amendment by Parliament:

Identification and designation of priority sectors

Justification

Member States should not be required to notify their specific critical infrastructure to the Commission since this would run counter to national security interests. Since Member States bear the ultimate responsibility for the protection of critical infrastructure, they should decide the priority sectors themselves and simply be required to advise the Commission of the priority sectors.

Amendment 26 Article 4 paragraph -1 (new)

-1. Each Member State shall identify the priority sectors within its territory, as well as those outside its territory that may have an impact on it, which are to be used for the purposes of developing the criteria adopted pursuant to Article 3(1) and (2).

Each Member State shall notify the Commission of the priority sectors thus identified at the latest one year after the adoption of the relevant criteria and thereafter on an on-going basis.

Justification

The Commission proposal makes no provision for Member States to influence the selection of the priority sectors. However, since Member States bear ultimate responsibility for the protection of critical infrastructure they should be the ones to select the priority sectors. They are the better judges of which sectors are of significance for their countries.

Amendment 27 Article 4, paragraph 1

Text proposed by the Commission:

1. On the basis of the notifications made pursuant to the second paragraph of Article 3(3) and any other information at its disposal, the Commission shall propose a list of critical infrastructures to be designated as European Critical Infrastructures

Amendment by Parliament:

1. On the basis of the notifications made pursuant to paragraph -1 and any other information at its disposal, the Commission shall propose a list of priority sectors with critical infrastructure.

Amendment 28 Article 4, paragraph 1 a (new)

1a. European Critical Infrastructures shall be designed so as to minimise any links with and localisation in third countries.

Justification

The recent SWIFT case showed that critical data needs to be protected against illegal use by foreign authorities or private actors.

Amendment 29 Article 4, paragraph 2

Text proposed by the Commission:

2. The list of critical infrastructures designated as European Critical Infrastructure shall be adopted in accordance with the procedure referred to in Article 11(3).

The list may be amended in accordance with the procedure referred to in Article 11(3).

Amendment by Parliament:

2. The list of priority sectors with critical infrastructure shall be adopted and amended by the Council.

Amendment 30 Article 4, paragraph 2 a (new)

2a. The processing of personal data carried out directly or through an intermediary by, and necessary for the activities of, European Critical Infrastructures shall be carried out in accordance with the provisions of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [1] and of the applicable principles with regard to data protection. The data processing shall be carried out within the EU and any mirroring of data shall not be allowed in third countries for reasons of security.

[1] OJ L 281, 23.11.1995, p. 31

Justification

The recent SWIFT case showed that critical data needs to be protected against illegal use by foreign authorities or private actors.

Amendment 31 Article 5, paragraphs 1 and 2

Text proposed by the Commission:

1. Each Member State shall require the owners/operators of each European Critical Infrastructure located on its territory to establish and update an Operator Security Plan and to review it at least every two years.

2. The Operator Security Plan shall identify the assets of the European Critical Infrastructure and establish relevant security solutions for their protection in accordance with Annex II. Sector specific requirements concerning the Operator Security Plan taking into account existing Community measures may be adopted in accordance with the procedure referred to in Article 11(3). Acting in accordance with the procedure referred to in Article 11(2), the Commission may decide that compliance with measures applicable to specific sectors listed in Annex I satisfies the requirement to establish and update an Operator Security Plan.

Amendment by Parliament:

1. Each Member State shall require the owners/operators of each European Critical Infrastructure located on its territory to establish and update an Operator Security Plan and to review it at least every two years. The Commission and the Council shall adopt a list of existing protection measures applicable to specific sectors listed in Annex I. Compliance with one or more of the listed protection measures satisfies the requirement to establish and update an Operator Security Plan.

2. The Operator Security Plan shall identify the assets of the European Critical Infrastructure and establish relevant security solutions for their protection in accordance with Annex II. Sector specific requirements concerning the Operator Security Plan taking into account existing Community measures may be adopted by the Council.

Amendment 32 Article 5, paragraph 3

Text proposed by the Commission:

3. The owner/operator of a European Critical Infrastructure shall submit the Operator Security Plan to the relevant Member State authority within one year following designation of the critical infrastructure as a European Critical Infrastructure. Where sector specific requirements concerning the Operator Security Plan are adopted based on paragraph 2, the operator security plan shall only be submitted to the relevant Member State authority within 1 year following the adoption of the sector specific requirements.

Amendment by Parliament:

3. The owner/operator of a European Critical Infrastructure shall submit the Operator Security Plan to the relevant CIP Contact Point within one year following designation of the critical infrastructure as a European Critical Infrastructure. Where sector specific requirements concerning the Operator Security Plan are adopted based on paragraph 2, the operator security plan shall only be submitted to the relevant CIP Contact Point within 1 year following the adoption of the sector specific requirements.

Justification

One-stop-shop principle.

Amendment 33 Article 5, paragraph 5

Text proposed by the Commission:

5. Compliance with Directive 2005/65/EC of the European Parliament and of the Council of 26 October 2005 on enhancing port security satisfies the requirement to establish an Operator Security Plan.

Amendment by Parliament:

deleted

Justification

By listing one, you exclude others. See the proposed addition to paragraph 1.

Amendment 34 Article 6, paragraph 1

Text proposed by the Commission:

1. Each Member State shall require the owners/operators of European Critical Infrastructures on their territory to designate a Security Liaison Officer as the point of contact for security related issues between the owner/operator of the infrastructure and the relevant critical infrastructure protection authorities in the Member State. The Security Liaison Officer shall be designated within one year following the designation of the critical infrastructure as a European Critical Infrastructure

Amendment by Parliament:

1. Each Member State shall require the owners/operators of European Critical Infrastructures on their territory to designate a Security Liaison Officer as the point of contact for security related issues between the owner/operator of the infrastructure and the CIP Contact Point in the Member State. The Security Liaison Officer shall be designated within one year following the designation of the critical infrastructure as a European Critical Infrastructure. The Commission and the Council shall adopt a list of existing protection measures applicable to specific sectors listed in Annex I. Compliance with one or more of the listed protection measures satisfies the requirement to designate a Security Liaison Officer.

Amendment 35 Article 6, paragraph 2

Text proposed by the Commission:

2. Each Member State shall communicate relevant information concerning identified risks and threats to the Security Liaison Officers of the European Critical Infrastructure concerned.

Amendment by Parliament:

2. Each Member State shall communicate relevant information concerning identified risks and threats to the Security Liaison Officers of the European Critical Infrastructure concerned through the national CIP Contact Point.

Justification

One-stop-shop principle. The administrative burden should be as limited as possible.

Amendment 36 Article 7, paragraph 2

Text proposed by the Commission:

2. Each Member State shall report to the Commission on a summary basis on the types of vulnerabilities, threats and risks encountered in each sector referred to in Annex I within 18 months following the adoption of the list provided for in Article 4(2) and thereafter on an ongoing basis every two years.

A common template for these reports shall be developed in accordance with the procedure referred to in Article 11(3).

Amendment by Parliament:

2. Each Member State shall report to the Commission on a summary basis on the types of structural vulnerabilities, threats and risks encountered in European Critical Infrastructures within 12 months following the adoption of the list provided for in Article 4(2) and thereafter on an ongoing basis every two years.

A common template for these reports shall be developed by the Commission and approved by the Council.

Amendment 37 Article 7, Paragraph 3

Text proposed by the Commission:

3. The Commission shall assess, on a sectoral basis, whether specific protection measures are required for European Critical Infrastructures.

Amendment by Parliament:

3. The Commission and the Member States shall assess, on a sectoral basis, whether specific protection measures are required for European Critical Infrastructures. Account shall be taken in this context of existing good practice and methodologies.

Justification

The Member States should be involved in the assessment of the critical sectors.

Amendment 38 Article 7, paragraph 4

Text proposed by the Commission:

4. Common methodologies for carrying out vulnerability, threat and risk assessments in respect of European Critical Infrastructures may be developed on a sectoral basis in accordance with the procedure referred to in Article 11(3).

Amendment by Parliament:

4. If deemed to be necessary, common methodologies carrying out structural vulnerability, threat and risk assessments in respect of European Critical Infrastructures may be developed on a sectoral basis. Such common methodologies shall take into account existing methodologies.

Amendment 39 Article 8

Text proposed by the Commission:

The Commission shall support the owners/operators of designated European Critical Infrastructures by providing access to available best practices and methodologies related to critical infrastructure protection.

Amendment by Parliament:

The Commission and the Member States shall support the owners/operators of designated European Critical infrastructures providing access to available best practices and methodologies related to critical infrastructure protection.

Amendment 40 Article 10, paragraph 2

Text proposed by the Commission:

2. Any person handling confidential information pursuant to this Directive on behalf of a Member State shall have an appropriate level of security vetting by the Member State concerned.

Amendment by Parliament:

2. Any person handling confidential information pursuant to this Directive on behalf of a Member State shall have an optimum level of security vetting by the Member State concerned.

Amendment 41 Article 10, paragraph 3

Text proposed by the Commission:

3. Member States shall ensure that Critical Infrastructure Protection Information submitted to the Member States or to the Commission, is not used for any purpose other than the protection of critical infrastructures.

Amendment by Parliament:

3. Member States and the Commission shall ensure that European Critical Infrastructure Protection Information submitted to them is not used for any purpose other than the protection of European Critical Infrastructures, and that due account is taken of the principle of proportionality from a material point of view and of fundamental rights and institutions which should be protected.

Amendment 42 Article 11

Text proposed by the Commission:

1. The Commission shall be assisted by a Committee composed of a representative of each CIP Contact Point.

2. Where reference is made to this paragraph, Articles 3 and 7 of Decision 1999/468/EC shall apply having regard to the provisions of Article 8 thereof.

3. Where reference is made to this paragraph, Articles 5 and 7 of Decision 1999/468/EC shall apply, having regard to the provisions of Article 8 thereof.

The period laid down in Article 5(6) of Decision 1999/468/EC shall be set at one month.

4. The Committee shall adopt its Rules of Procedure.

Amendment by Parliament:

deleted

Justification

When issuing implementing measures or exchanging best practice, resort should be had to structures that already exist in the disaster prevention sector (workshops, etc.). The establishment of a new committee is unnecessary.

Amendment 43 Article 12, Paragraph 1, subparagraph 1

Text proposed by the Commission:

1. Member States shall bring into force the laws, regulations and administrative provisions necessary to comply with this Directive by 31 December 2007 at the latest. They shall forthwith communicate to the Commission the text of those provisions and a correlation table between those provisions and this Directive.

Amendment by Parliament:

1. Member States shall bring into force the laws, regulations and administrative provisions necessary to comply with this Directive by 31 December 2008 at the latest. They shall forthwith communicate to the Commission the text of those provisions and a correlation table between those provisions and this Directive.

Justification

Extension of the transposition deadline is essential since transposition by the end of 2007 is unrealistic.

Amendment 44 Annex I, Title

Text proposed by the Commission:

List of critical infrastructure sectors

Amendment by Parliament:

List of possible critical infrastructure sectors

Justification

Clarification.

Amendment 45 Annex I, Sector III, Sub-sector 9

Text proposed by the Commission:

Radio communication and navigation

Amendment by Parliament:

Radio communication, navigation and radio-frequency identification (RFID) spectres

Amendment 46 Annex I, Sector VII, Sub-sector 19

Text proposed by the Commission:

Payment and securities clearing and settlement infrastructures and systems

Amendment by Parliament:

Payment and securities clearing and settlement infrastructures and systems and their service providers

Amendment 47 Annex I, Sector VII, Sub-sector 19 a (new)

19a Banking and insurance

EXPLANATORY STATEMENT

GENERAL BACKGROUND:

The European Council of June 2004 asked the Commission to prepare an overall strategy to protect critical infrastructure.

The Commission adopted on 20 October 2004 a Communication on Critical Infrastructure Protection in the Fight against Terrorism which put forward suggestions on what would enhance European prevention, preparedness and response to terrorist attacks involving Critical Infrastructures (CI).

The Council conclusions on “Prevention, Preparedness and Response to Terrorist Attacks” and the “EU Solidarity Programme on the Consequences of Terrorist Threats and Attacks” adopted by the Council in December 2004 endorsed the intention of the Commission to propose a European Programme for Critical Infrastructure Protection (EPCIP) and agreed to the set-up by the Commission of a Critical Infrastructure Warning Information Network (CIWIN).

In November 2005, the Commission adopted a Green Paper on a European Programme for Critical Infrastructure Protection (EPCIP) which provided policy options on how the Commission could establish EPCIP and CIWIN.

In December 2005 the Justice and Home Affairs (JHA) Council called upon the Commission to make a proposal on EPCIP by June 2006.

This proposal for a Directive presents the measures that the Commission is proposing on the identification and designation of European Critical Infrastructures (ECI) and the assessment of the need to improve their protection.

The legal basis for the proposal is Article 308 of the Treaty establishing the European Community. Information was collected from all relevant stakeholders.

As currently no horizontal provisions on critical infrastructure protection exist at EU level, the Commission's proposal intends to create a horizontal framework for the identification and designation of European Critical Infrastructures and for the assessment of needs to improve their protection.

Following the Commission's proposal only a common framework, by way of a directive, can provide the necessary basis for a coherent and uniform implementation of measures to enhance the protection of ECI, as well as defining clearly the respective responsibilities of ECI stakeholders. Non-binding voluntary measures, while flexible, would not provide the necessary stable foundation as they would not provide enough clarity on who does what, nor would they clarify the rights and obligations for ECI stakeholders involved.

RAPPORTEUR'S POSITION:

The rapporteur supports the idea of a common framework. Indeed, the damage or loss of a piece of infrastructure in one MS may have negative effects on several others and on the European economy as a whole. New technologies (e.g. the internet) and market liberalisation (e.g. in electricity and gas supply) mean that much infrastructure is part of a larger network. In such a situation protection measures are only as strong as their weakest link.

The vulnerability of critical infrastructures and the ensuing vulnerability of the services they provide, require action. And effective protection of vulnerable critical infrastructures and services requires communication, coordination and cooperation - nationally and at EU level, involving all relevant stakeholders.

Furthermore, experiences from the past do tell us that if a terrorist attack occurs, the EU Heads of State will be calling for new security proposals within forty-eight hours, thereby weakening the quality of possible proposals. Or even worse, they come up with measures that are disproportionate and lack transparency, like for example the measures restricting liquids aboard aircraft.

The establishment of horizontal provisions at EU-level, whereby the complex processes and interfaces of critical infrastructures with a trans-national dimension are taken into account, is therefore a legitimate concern.

At the same time, however, it should be recognised that the EU should support and not duplicate the work of the Member States. A bottom-up approach should be taken, bearing in mind that national services know best what is happening in their countries.

Having said that, the rapporteur is of the opinion that a Community approach can only be justified if at least three Member States would be affected or at least two Member States other than that in which the critical infrastructure is located.

It is important for her to recall that the primary and ultimate responsibility for protecting critical infrastructures falls on the Member States and the owners/operators of critical infrastructures. And as the private sector possesses particular experience, expertise and requirements concerning the protection of their critical infrastructures, it is of utmost importance to fully involve the private sector.

Moreover, the rapporteur would like to stress that duplication of, or contradiction between, different acts or provisions should be avoided at all costs. Possible future common assessment methodologies, if deemed to be necessary, should thus take into account existing methodologies. Cross-cutting and sectorial criteria should thus be built on existing sector-based protection measures, taking into account the characteristics of individual critical infrastructure sectors. Where Community mechanisms are already in place, they should continue to be used. And compliance with one or more of the existing protection measures could satisfy the requirement to establish and update an Operator Security Plan and/or the requirement to designate a Security Liaison Officer.

Finally, the rapporteur believes that the administrative burden should be as limited as possible, respecting inter alia the "One-stop-shop" principle.

6.6.2007

OPINION OF THE COMMITTEE ON ECONOMIC AND MONETARY AFFAIRS

for the Committee on Civil Liberties, Justice and Home Affairs

on the proposal for a Council directive on the identification and designation of European Critical Infrastructure and the assessment of the need to improve their protection (COM(2006)0787 – C6-0053/2007 – 2006/0276(CNS))

Draftsman: Harald Ettl

SHORT JUSTIFICATION

The Commission submitted a proposal on measures to improve European crisis management based on the Hague Programme of 5 November 2005, which covers both the efficient management of crises affecting two or more Member States, improved civil protection in the event of disasters and critical infrastructure protection (CIP) in the fight against terrorism, and on the preparatory work of the Commission in connection with the Green Paper of 17 November 2005.

Critical infrastructures consist of those physical and information technology facilities, networks, services and assets which, if disrupted or destroyed, would have a serious impact on the health, safety, security or economic well-being of citizens or the effective functioning of governments in the Member States. Critical infrastructures extend across many sectors of the economy, including banking and finance, transport and distribution, energy, utilities, health, food supply and communications, as well as key government services.

Together with internal security, CIP in the EU constitutes a central issue for the European social system. The destruction of critical infrastructure could, from a psychological standpoint, lead to a total loss of public confidence in the EU. At the moment, the provisions made for crisis management in the individual EU Member States vary greatly. For this reason in particular, the Commission proposal provides for critical infrastructure in Europe to be identified and designated according to a common procedure.

A precondition for active crisis management is the preservation of all necessary IT and telecommunication systems. These sectors have a transversal infrastructure and at the same time constitute a critical infrastructure for other critical infrastructures such as the monetary, financial and insurance sectors. A targeted attack on the computer network of the ECB, of a major bank or of the Frankfurt stock exchange must be rapidly countered both on a technical and an institutional level.

Major corporations have no choice but to work on an international level. A European survey in the year 2000 indicated that more than half of all undertakings concerned did not carry out security audits. The potential abuse of web servers facilitates actions by radical groupings and constitutes an essential element in the use of information technology by terrorist groups.

Infrastructures of an international nature and those for which scant alternatives exist are particularly vulnerable in the event of a disaster. The power cut of 4 November 2006 affecting the European transmission grid threw this weakness into sharp relief. Despite the existence of national water supply systems, problems not confined to one country may also arise with the supply of water from aquifers, springs and rivers.

Similarly, international rail transport links and airport and air traffic control installations must be able to rely on European logistics and countermeasures in the event of a crisis.

In view of the very nature of their business, insurance and reinsurance companies have for many years had to deal with the issue of risk management. Previous directives such as that on the "Solvency I" package have already had to consider risk management issues for insurance companies, both as regards data and material cover, and these provisions will have to be brought up to date to take account of the increased risk for the "Solvency II" package. As far as insurance is concerned, the need for proportionality notwithstanding, consideration should also be given to the possibility of an additional liability risk, possibly to be borne by the state.

The draftsman welcomes and supports the Commission's intention to coordinate CIP measures at European level. However, care must be taken to avoid double regulation of existing sectoral measures, for instance with regard to the recommendations for securities settlement systems, standards for securities clearing and settlement in the EU and standards for the use of EU securities settlement systems in ESCB credit operations.

A combination of binding and non-binding measures must result in a realistic cost-benefit ratio for European added value.

AMENDMENTS

The Committee on Economic and Monetary Affairs calls on the Committee on Civil Liberties, Justice and Home Affairs, as the committee responsible, to incorporate the following amendments in its report:

Text proposed by the Commission Amendments by Parliament

Amendment 1 Recital 3

Text proposed by the Commission:

(3) In December 2005 the Justice and Home Affairs Council called upon the Commission to make a proposal for a European Programme for Critical Infrastructure Protection (EPCIP) and decided that it should be based on an all-hazards approach while countering threats from terrorism as a priority. Under this approach, manmade, technological threats and natural disasters should be taken into account in the critical infrastructure protection process, but the threat of terrorism should be given priority. If the level of protection measures against a particular high level threat is found to be adequate in a critical infrastructure sector, stakeholders should concentrate on other threats to which they are still vulnerable.

Amendment by Parliament:

(3) In December 2005 the Justice and Home Affairs Council called upon the Commission to make a proposal for a European Programme for Critical Infrastructure Protection (EPCIP) and decided that it should be based on an all-hazards approach while countering threats from terrorism as a priority. Under this approach, manmade, technological threats and natural disasters should be taken into account in the critical infrastructure protection process. Structurally conditioned threats should also be identified, but the threat of terrorism should be given priority. If the level of protection measures against a particular high level threat is found to be adequate in a critical infrastructure sector, stakeholders should concentrate on other threats to which they are still vulnerable.

Justification

Necessary addition.

Amendment 2 Recital 4

Text proposed by the Commission:

(4) The primary responsibility for protecting critical infrastructures currently falls on the Member States and the owners/operators of critical infrastructures. This should not change.

Amendment by Parliament:

(4) The primary responsibility for protecting critical infrastructures falls on the Member States and the owners/operators of critical infrastructures. This must not change in the future.

Justification

Clarification of national responsibility.

Amendment 3 Recital 5

Text proposed by the Commission:

(5) There are a certain number of critical infrastructures in the Community, the disruption or destruction of which would affect two or more Member States or a Member State other than that in which the critical infrastructure is located. This may include transboundary cross-sector effects resulting from interdependencies between interconnected infrastructure. Such European critical infrastructures should be identified and designated by means of a common procedure. The need to improve the protection of such critical infrastructures should be assessed under a common framework. Bilateral schemes for cooperation between Member States in the field of critical infrastructure protection constitute a well established and efficient means of dealing with transboundary critical infrastructure. EPCIP should build on such cooperation.

Amendment by Parliament:

(5) There are a certain number of critical infrastructures in the Community, the disruption or destruction of which would affect three or more Member States or two Member States other than that in which the critical infrastructure is located. This may include transboundary cross-sector effects resulting from interdependencies between interconnected infrastructure. Such European critical infrastructures should be identified and designated by means of a common procedure. The need to improve the protection of such critical infrastructures should be assessed under a common framework. Bilateral schemes for cooperation between Member States in the field of critical infrastructure protection constitute a well established and efficient means of dealing with transboundary critical infrastructure. EPCIP should build on such cooperation.

Justification

Subsidiarity principle.

Amendment 4 Recital 5 a (new)

(5a) A series of measures governing the identification, designation and protection of critical infrastructures already exists for some sectors. Any future Community-wide regulation should not result in duplicate regulation in these sectors in the absence of added security.

Amendment 5 Recital 6 a (new)

(6a) Critical infrastructure should be designed in such a way so as to minimise any links with and localisation in third countries. The localisation of elements of critical infrastructures outside the European Union increases the risk of terrorist attacks with spill-over effects on the whole infrastructure, access by terrorists to data stored outside the European Union, as well as risks of non-compliance with Community legislation, thus rendering the entire infrastructure more vulnerable.

Justification

The recent SWIFT case showed that critical data needs to be protected against illegal use by foreign authorities or private actors.

Amendment 6 Recital 10

Text proposed by the Commission:

(10) In order to facilitate improvements in the protection of European critical infrastructures, common methodologies should be developed for the identification and classification of vulnerabilities, threats and risks to infrastructure assets.

Amendment by Parliament:

(10) In order to facilitate improvements in the protection of European critical infrastructures, common methodologies should be developed for the identification and classification of threats and risks to, and structural vulnerabilities of, infrastructure assets.

Justification

Need to be more specific.

Amendment 7 Recital 14

Text proposed by the Commission:

(14) Information sharing regarding Critical Infrastructure should take place in an environment of trust and security. The sharing of information requires a relationship of trust such that companies and organisations know that their sensitive data will be sufficiently protected. To encourage information sharing, it should be clear for the industry that the benefits of providing Critical Infrastructure related information outweigh the costs for the industry and society in general. Critical Infrastructure Protection information exchange should therefore be encouraged.

Amendment by Parliament:

(14) Information sharing regarding Critical Infrastructure should take place in an environment of trust and security. The sharing of information requires a relationship of trust such that companies and organisations know that their sensitive data will be sufficiently protected.

Justification

Subsidiarity principle.

Amendment 8 Recital 15

Text proposed by the Commission:

(15) This Directive complements existing sectoral measures at Community level and in the Member States. Where Community mechanisms are already in place, they should continue to be used and will contribute to the overall implementation of this Directive.

Amendment by Parliament:

(15) This Directive complements existing sectoral measures at Community level and in the Member States. Where Community mechanisms are already in place, they should continue to be used and will contribute to the overall implementation of this Directive, without additional costs arising due to the duplication of requirements that carry no added security.

Justification

Avoiding unnecessary bureaucratic burdens without any security benefit.

Amendment 9 Recital 15 a (new)

(15a) This Directive does not address the particular significance of the external dimension of critical infrastructure that is a feature of, for example, the financial or energy sectors.

Justification

Clarification, pointing out that critical infrastructures outside the European Union can have a massive impact, particularly in the areas of finance and energy, and that action is needed to increase security.

Amendment 10 Article 1

Text proposed by the Commission:

This directive establishes a procedure for the identification and designation of European Critical Infrastructures, and a common approach to the assessment of the needs to improve the protection of such infrastructures.

Amendment by Parliament:

This directive establishes a procedure for the identification and designation of European Critical Infrastructures, and a common approach to the assessment of the needs to improve the protection of such infrastructures against all manner of risks.

Justification

The strategy should seek to cover all manner of risks which may result in lasting damage to the functioning and integrity of infrastructure, including those which are not the result of terrorism or natural disasters. Such risks include, inter alia, human error, inadequate training of staff, outsourcing of undertakings' essential infrastructures, epidemics, increasing dependency on IT, world-wide interconnection of IT systems, political unrest, etc.

Amendment 11 Article 2, point (b)

Text proposed by the Commission:

b) “European Critical Infrastructure” means critical infrastructures the disruption or destruction of which would significantly affect two or more Member States, or a single Member State if the critical infrastructure is located in another Member State. This includes effects resulting from cross-sector dependencies on other types of infrastructure;

Amendment by Parliament:

b) “European Critical Infrastructure” means critical infrastructures the disruption or destruction of which would significantly affect three or more Member States, or at least two Member States if the critical infrastructure is located in another Member State. This includes effects resulting from cross-sector dependencies on other types of infrastructure;

Amendment 12 Article 2, point (c), indent 1

Text proposed by the Commission

• public effect (number of members of the population affected);

Amendments by Parliament

• effect on members of the population;

Justification

Need to be more specific.

Amendment 13 Article 2, point (c), indent 2

Text proposed by the Commission

• economic effect (significance of economic loss and/or degradation of products or services);

Amendments by Parliament

• effect on the internal market (significance of economic loss and/or degradation of products or services);

Justification

Need to be more specific.

Amendment 14 Article 2, point (d)

Text proposed by the Commission

(d) “vulnerability” means a characteristic of an element of the critical infrastructure's design, implementation, or operation that renders it susceptible to disruption or destruction by a threat and includes dependencies on other types of infrastructure;

Amendments by Parliament

(d) “structural vulnerability” means a characteristic of an element of the critical infrastructure's design, implementation, or operation that renders it susceptible to disruption or destruction by a threat and includes dependencies on other types of infrastructure;

Justification

Need to be more specific.

Amendment 15 Article 3, paragraph 1, subparagraph 1

Text proposed by the Commission

1. The cross-cutting and sectoral criteria to be used to identify European Critical Infrastructures shall be adopted in accordance with the procedure referred to in Article 11(3). They may be amended in accordance with the procedure referred to in Article 11(3).

Amendments by Parliament

1. The cross-cutting and sectoral criteria to be used to identify European Critical Infrastructures shall be built on existing protection criteria and adopted in accordance with the procedure referred to in Article 11(3). They may be amended in accordance with the procedure referred to in Article 11(3).

Amendment 16 Article 3, paragraph 1, subparagraph 2

Text proposed by the Commission

The cross-cutting criteria having a horizontal application to all critical infrastructure sectors shall be developed taking into account the severity of the effect of the disruption or destruction of a particular infrastructure. They shall be adopted by [one year after the entry into force of this Directive] at the latest.

Amendments by Parliament

The cross-cutting criteria having a horizontal application to all European critical infrastructure sectors shall be developed taking into account the severity of the effect of the disruption or destruction of a particular infrastructure. They shall be adopted by [six months after the entry into force of this Directive] at the latest.

Justification

Shorter procedure.

Amendment 17 Article 3, paragraph 1, subparagraph 3

Text proposed by the Commission

The sectoral criteria shall be developed for priority sectors while taking into account the characteristics of individual critical infrastructure sectors and involving, as appropriate, relevant stakeholders. They shall be adopted for each priority sector at the latest one year following the designation as a priority sector.

Amendments by Parliament

The sectoral criteria shall be developed for priority sectors and built on existing sector-based protection measures, taking into account the characteristics of individual critical infrastructure sectors, and involving relevant stakeholders as sectors possess particular experience, expertise and requirements concerning the protection of their critical infrastructure. They shall be adopted for each priority sector at the latest one year following the designation as a priority sector.

Amendment 18 Article 3, paragraph 1, subparagraph 3 a (new)

Where Community mechanisms are already in place, they shall continue to be used. Duplication of and conflicts between different acts or provisions shall be avoided at all costs.

Amendment 19 Article 3, paragraph 3, subparagraph 1

Text proposed by the Commission

3. Each Member State shall identify the critical infrastructures located within its territory as well as critical infrastructures outside its territory that may have an impact on it, which satisfy the criteria adopted pursuant to paragraphs 1 and 2.

Amendments by Parliament

3. Each Member State shall identify the critical infrastructures located within its territory as well as critical infrastructures outside its territory that may have an impact on its territory, which satisfy the criteria adopted pursuant to paragraphs 1 and 2.

Justification

Need to be more specific.

Amendment 20 Article 4, paragraph 1 a (new)

1a. European Critical Infrastructures shall be designed so as to minimise any links with and localisation in third countries.

Justification

The recent SWIFT case showed that critical data needs to be protected against illegal use by foreign authorities or private actors

Amendment 21 Article 4, paragraph 2 a (new)

2a. The processing of personal data carried out directly or through an intermediary by, and necessary for the activities of, European Critical Infrastructures is carried out in accordance with the provisions of Directive 95/46/EC and of the applicable principles with regard to data protection. The data processing shall be carried out within the European Union and any mirroring of data is not allowed in third countries for reasons of security.

Justification

The recent SWIFT case showed that critical data needs to be protected against illegal use by foreign authorities or private actors

Amendment 22 Article 5, paragraph 2, subparagraph 1

Text proposed by the Commission

2. The Operator Security Plan shall identify the assets of the European Critical Infrastructure and establish relevant security solutions for their protection in accordance with Annex II. Sector specific requirements concerning the Operator Security Plan taking into account existing Community measures may be adopted in accordance with the procedure referred to in Article 11(3).

Amendments by Parliament

2. The Operator Security Plan shall identify the assets of the European Critical Infrastructure and establish relevant security solutions for their protection in accordance with Annex II. Sector specific requirements concerning the Operator Security Plan taking into account existing Community measures may be fully taken into account in accordance with the procedure referred to in Article 11(3).

Justification

Insurance companies and banks belong to some of the sectors which continually invest large sums of money in security measures such as access control or the securing of information systems. State measures must not duplicate existing sectoral measures. For this reason, any future regulation should take full account of existing security plans.

Amendment 23 Article 7, paragraph 2, subparagraph 1

Text proposed by the Commission

2. Each Member State shall report to the Commission on a summary basis on the types of vulnerabilities, threats and risks encountered in each sector referred to in Annex I within 18 months following the adoption of the list provided for in Article 4(2) and thereafter on an ongoing basis every two years.

Amendments by Parliament

2. Each Member State shall report to the Commission on a summary basis on the types of vulnerabilities, threats and risks encountered in each sector referred to in Annex I within 12 months following the adoption of the list provided for in Article 4(2) and thereafter on an ongoing basis every two years.

Justification

Shorter procedure.

Amendment 24 Article 7, paragraph 4

Text proposed by the Commission

4. Common methodologies for carrying out vulnerability, threat and risk assessments in respect of European Critical Infrastructures may be developed on a sectoral basis in accordance with the procedure referred to in Article 11(3).

Amendments by Parliament

4. Common methodologies for carrying out vulnerability, threat and risk assessments in respect of European Critical Infrastructures may be developed on a sectoral basis in accordance with the procedure referred to in Article 11(3). Such common methodologies shall take into account existing methodologies.

Amendment 25 Article 8

Text proposed by the Commission

The Commission shall support the owners/operators of designated European Critical Infrastructures by providing access to available best practices and methodologies related to critical infrastructure protection.

Amendments by Parliament

At the request of the Member States, the Commission shall support the owners/operators of designated European Critical Infrastructures by providing access to available best practices and methodologies related to critical infrastructure protection.

Justification

Ensuring Member States’ involvement.

Amendment 26 Article 10, paragraph 2

Text proposed by the Commission

2. Any person handling confidential information pursuant to this Directive on behalf of a Member State shall have an appropriate level of security vetting by the Member State concerned.

Amendments by Parliament

2. Any person handling confidential information pursuant to this Directive on behalf of a Member State shall have a best possible level of security vetting by the Member State concerned.

Amendment 27 Article 10, paragraph 3

Text proposed by the Commission

3. Member States shall ensure that Critical Infrastructure Protection Information submitted to the Member States or to the Commission, is not used for any purpose other than the protection of critical infrastructures.

Amendments by Parliament

3. Member States shall ensure that Critical Infrastructure Protection Information submitted to the Member States or to the Commission, is not used for any purpose other than the protection of critical infrastructures and that due account is taken of the principle of proportionality from a material point of view and of fundamental rights and institutions which should be protected.

Justification

Fundamental rights and institutions which should be protected include inter alia data protection and telecommunications secrecy.

Amendment 28 Article 11, paragraph 1

Text proposed by the Commission

1. The Commission shall be assisted by a Committee composed of a representative of each CIP Contact Point.

Amendments by Parliament

1. The Commission shall be assisted by a Committee composed of a responsible representative of each Member State.

Justification

Subsidiarity principle.

Amendment 29 Annex I, Sector III, Sub-sector 9

Text proposed by the Commission

Radio communication and navigation

Amendments by Parliament

Radio communication, navigation and radio-frequency identification (RFID) spectres

Amendment 30 Annex I, Sector VII, Sub-sector 19

Text proposed by the Commission

Payment and securities clearing and settlement infrastructures and systems

Amendments by Parliament

Payment and securities clearing and settlement infrastructures and systems and their service providers

Amendment 31 Annex I, Sector VII, Sub-sector 9 a (new)

19a Banking and insurance

PROCEDURE

Title: Identification, designation and protection of European Critical Infrastructure
References: COM(2006)0787 - C6-0053/2007 - 2006/0276(CNS)
Committee responsible: LIBE
Opinion by: ECON
Date announced in plenary: 1.2.2007
Drafts(wo)man: Harald Ettl
Date appointed: 24.1.2007
Discussed in committee: 10.4.2007, 8.5.2007
Date adopted: 5.6.2007
Result of final vote: +: 37; –: 0; 0: 3
Members present for the final vote: Gabriele Albertini, Zsolt László Becsey, Pervenche Berès, Sharon Bowles, Udo Bullmann, David Casa, Manuel António dos Santos, Christian Ehler, Jonathan Evans, José Manuel García-Margallo y Marfil, Jean-Paul Gauzès, Robert Goebbels, Donata Gottardi, Dariusz Maciej Grabowski, Karsten Friedrich Hoppenstedt, Sophia in ‘t Veld, Piia-Noora Kauppi, Guntars Krasts, Andrea Losco, Astrid Lulling, Cristobal Montoro Romero, Joseph Muscat, Joop Post, John Purvis, Alexander Radwan, Dariusz Rosati, Heide Rühle, Eoin Ryan, Antolín Sánchez Presedo, Cristian Stănescu, Margarita Starkevičiūtė, Ivo Strejček, , Sahra Wagenknecht
Substitute(s) present for the final vote: Harald Ettl, Ján Hudacký, Werner Langen, Maria Petre, Andreas Schwab
Substitute(s) under Rule 178(2) present for the final vote: Anne Ferreira

12.6.2007

OPINION OF THE COMMITTEE ON INDUSTRY, RESEARCH AND ENERGY

for the Committee on Civil Liberties, Justice and Home Affairs on the proposal for a Council directive on the identification and designation of European Critical Infrastructure and the assessment of the need to improve their protection (COM(2006)0787 – C6-0053/2007 – 2006/0276(CNS))

Draftsman: Norbert Glante

SHORT JUSTIFICATION

Critical infrastructures are physical and IT installations, networks, services and assets whose disruption or destruction would have serious implications for the health, safety or economic well-being of citizens and for efficient governance in the Member States.

Critical infrastructures in the EU are closely linked with one another and there is a high degree of reciprocal dependence in this area, which is why they are more vulnerable to disruption and destruction.

The Treaty on a Constitution for Europe puts it like this (in Article I-43): ‘The Union and its Member States shall act jointly in a spirit of solidarity if a Member State is the object of a terrorist attack or the victim of a natural or man-made disaster’.

There is a need to protect EU citizens as part of an integrated European strategy not just from terrorist attacks but also from natural disasters or accidents. These events often have cross-border consequences, making it necessary for the Member States to help one another and set up a crisis response system at Community level.

An effective strategy should set a high value on both prevention and measures to repair the consequences of attacks and disasters.

A European early-warning system for critical infrastructure can only be successful if it encourages the exchange of information on common sources of danger and devises appropriate measures and strategies for minimising their risk and providing more effective critical infrastructure protection.

Competences

As many parts of the infrastructure do not belong to the State, both public and private bodies must be involved in safety and control measures. At EU level the protection of infrastructure is the exclusive responsibility of the Member States. But the EU should take on a coordinating role in this area, because in many cases national measures depend on cross-border cooperation to be effective.

Cooperation and coordination

To protect critical infrastructures, there is a need for ongoing and cooperative partnership between the owners and operators of the infrastructures concerned and the appropriate authorities in the Member States.

At European level a risk analysis system should be set up to ensure interoperability. It is vitally important that standards, rules and their implementation in practice should be the same everywhere. But this does not mean that every system need be identical. Rather it is important that systems should be more compatible and effective. In cases for which there are no sector-specific standards or as yet no international norms, the European Committee for Standardisation (CEN) and other standards bodies should put forward uniform, sector-specific and adapted safety standards for all the sectors concerned. Such standards should also be proposed at international level by the ISO so as to create the same conditions in this regard.

The relevant information should be treated carefully, reliably and if need be confidentially irrespective of its source, even if parliamentary scrutiny must always be guaranteed.

IT

Communications networks and information systems have become an essential aspect of economic and social life. Hence the security of networks and systems, and especially their availability, are acquiring increasing importance.

There is evidence – particularly in the area of organised crime – of attacks on information systems, and growing concern about the possibility of terrorist attacks on systems that are part of the Member States’ critical infrastructure. The aim of expanding a safe information society and an area of freedom, security and law is jeopardised by this, calling for countermeasures at EU level. The cross-regional and cross-border nature of modern information systems means that attacks on such systems often take on a cross-border dimension, underlining the urgent need for further measures to approximate the relevant provisions of criminal law.

Research

In view of the increasing significance of security research the Commission has proposed substantially raising the annual budget from 2007 onward from €15 million to around €250 million a year.

In preparation for the new financial period from 2007, a European Security Research Advisory Board, composed of representatives of private and public interest groups in the security area, was set up in April 2005 to advise the Commission on the content and implementation of security research under the Seventh Framework Programme.

AMENDMENTS

The Committee on Industry, Research and Energy calls on the Committee on Civil Liberties, Justice and Home Affairs, as the committee responsible, to incorporate the following amendments in its report:

Text proposed by the Commission1 Amendments by Parliament

Amendment 1 Recital 2

Text proposed by the Commission

(2) On 17 November 2005 the Commission adopted a Green Paper on a European Programme for Critical Infrastructure Protection which provided policy options on the establishment of the programme and the Critical Infrastructure Warning Information Network (CIWIN). The responses received to the Green Paper clearly showed the need to set up a Community framework concerning critical infrastructure protection. The need to increase the critical infrastructure protection capability in Europe and to help reduce vulnerabilities concerning critical infrastructures was acknowledged. The importance of the principle of subsidiarity and of stakeholder dialogue was emphasised.

Amendments by Parliament

(2) On 17 November 2005 the Commission adopted a Green Paper on a European Programme for Critical Infrastructure Protection which provided policy options on the establishment of the programme and the Critical Infrastructure Warning Information Network (CIWIN). The responses received to the Green Paper made clear the potential added value of a Community framework concerning critical infrastructure protection. The need to increase the critical infrastructure protection capability in Europe and to help reduce vulnerabilities concerning critical infrastructures was acknowledged. The importance of the key principles of subsidiarity, proportionality and complementarity as well as of stakeholder dialogue was emphasised.

Amendment 2 Recital 3

(3) In December 2005 the Justice and Home (3) In December 2005 the Justice and Home Affairs Council called upon the Commission Affairs Council called upon the Commission to make a proposal for a European to make a proposal for a European Programme for Critical Infrastructure Programme for Critical Infrastructure Protection (EPCIP) and decided that it Protection (EPCIP) and decided that it should be based on an all-hazards approach should be based on an all-hazards approach while countering threats from terrorism as a while countering threats from terrorism as a priority. Under this approach, manmade, priority. Under this approach, manmade, technological threats and natural disasters technological threats and natural disasters should be taken into account in the critical should be taken into account in the critical infrastructure protection process, but the infrastructure protection process. threat of terrorism should be given priority. If the level of protection measures against a particular high level threat is found to be

1 Not yet published in OJ.

adequate in a critical infrastructure sector, stakeholders should concentrate on other threats to which they are still vulnerable.

Amendment 3 Recital 4

Text proposed by the Commission

(4) The primary responsibility for protecting critical infrastructures currently falls on the Member States and the owners/operators of critical infrastructures. This should not change.

Amendments by Parliament

(4) The primary responsibility for protecting critical infrastructures currently falls on the Member States and the owners/operators of critical infrastructures. The EU should, however, take on a coordinating role in this area given that the effectiveness of national measures depends in many cases on cross-border cooperation.

Amendment 4 Recital 5

Text proposed by the Commission

(5) There are a certain number of critical infrastructures in the Community, the disruption or destruction of which would affect two or more Member States or a Member State other than that in which the critical infrastructure is located. This may include transboundary cross-sector effects resulting from interdependencies between interconnected infrastructure. Such European critical infrastructures should be identified and designated by means of a common procedure. The need to improve the protection of such critical infrastructures should be assessed under a common framework. Bilateral schemes for cooperation between Member States in the field of critical infrastructure protection constitute a well established and efficient means of dealing with transboundary critical infrastructure. EPCIP should build on such cooperation.

Amendments by Parliament

(5) There are a certain number of critical infrastructures in the Community, the disruption or destruction of which would affect three or more Member States or at least two Member States other than that in which the critical infrastructure is located. This may include transboundary cross-sector effects resulting from interdependencies between interconnected infrastructure. Such European critical infrastructures should be identified and designated by means of a common procedure. The need to improve the protection of such European critical infrastructures should be assessed under a common framework. Bilateral schemes for cooperation between Member States in the field of critical infrastructure protection constitute a well established and efficient means of dealing with transboundary critical infrastructure. EPCIP should build on such cooperation.

Justification

A European approach is justified if at least three Member States would be affected or at least two Member States other than that in which the critical infrastructure is located.

Amendment 5 Recital 6

Text proposed by the Commission

(6) Since various sectors have particular experience, expertise and requirements concerning critical infrastructure protection, a Community approach to critical infrastructure protection should be developed and implemented taking into account sector specificities and existing sector based measures including those already existing at EU, national or regional level, and where relevant cross-border mutual aid agreements between owners/operators of critical infrastructure already in place. Given the very significant private sector involvement in overseeing and managing risks, business continuity planning and post-disaster recovery, a Community approach will need to encourage full private sector involvement. The establishment of a common list of critical infrastructure sectors is necessary in order to facilitate the implementation of the sector-by-sector approach to critical infrastructure protection.

Amendments by Parliament

(6) Since various sectors have particular experience, expertise and requirements concerning critical infrastructure protection, a Community approach to critical infrastructure protection should be developed and implemented taking into account sector specificities and existing sector based measures including those already existing at EU, national or regional level, and where relevant cross-border mutual aid agreements between owners/operators of critical infrastructure already in place. Given the very significant private sector involvement in overseeing and managing risks, business continuity planning and post-disaster recovery, a Community approach should ensure full private sector involvement. The establishment of sector-specific criteria to ascertain and identify critical infrastructure and a common list of critical infrastructure sectors is necessary in order to facilitate the implementation of the sector-by-sector approach to European critical infrastructure protection.

Amendment 6 Recital 7

Text proposed by the Commission

(7) Each owner/operator of European critical infrastructure should establish an Operator Security Plan identifying critical assets and laying down relevant security solutions for their protection. The Operator Security Plan should take into account vulnerability, threat and risk assessments, as well as other relevant information provided by Member State authorities.

Amendments by Parliament

(7) Each owner/operator of European critical infrastructure should establish an Operator Security Plan identifying critical assets and laying down relevant security solutions for their protection. The Operator Security Plan should take into account vulnerability, threat and risk assessments, as well as other relevant information provided by Member State authorities. Compliance with existing sector-based protection measures should be regarded as satisfying the requirement to establish and update an Operator Security Plan.

Justification

The Community approach should be built on existing sector-based protection measures, taking into account sector characteristics. Contradictions or duplications should be avoided at all costs.

Amendment 7 Recital 8

Text proposed by the Commission

(8) Each owner/operator of European critical infrastructure should designate a Security Liaison Officer in order to facilitate cooperation and communication with relevant national critical infrastructure protection authorities.

Amendments by Parliament

(8) Each owner/operator of European critical infrastructure should designate a Security Liaison Officer in order to facilitate cooperation and communication with relevant national and Community critical infrastructure protection authorities. Compliance with existing sector-based protection measures should be regarded as satisfying the requirement to designate a Security Liaison Officer.

Amendment 8 Recital 10

Text proposed by the Commission

(10) In order to facilitate improvements in the protection of European critical infrastructures, common methodologies should be developed for the identification and classification of vulnerabilities, threats and risks to infrastructure assets.

Amendments by Parliament

(10) In order to facilitate improvements in the protection of European critical infrastructures, common methodologies should be developed and implemented for the identification and classification of threats and risks and structural vulnerabilities affecting infrastructure assets.

Amendment 9 Recital 11

Text proposed by the Commission

(11) Only a common framework can provide the necessary basis for a coherent implementation of measures to protect European critical infrastructure and clearly define the respective responsibilities of all relevant stakeholders. Owners/operators of European critical infrastructure should be given access to best practices and methodologies concerning critical infrastructure protection.

Amendments by Parliament

(11) By defining the respective responsibilities of all relevant stakeholders a common framework can provide the necessary basis for a coherent implementation of measures to protect European critical infrastructure and clearly define the respective responsibilities of all relevant stakeholders. Owners/operators of European critical infrastructure should be given access to information and the exchanges of proven experience, practices and methodologies concerning critical infrastructure protection.

Amendment 10 Recital 12

Text proposed by the Commission

(12) Effective protection of critical infrastructure requires communication, coordination, and cooperation at national and Community level. This is best achieved through the nomination of CIP Contact Points in each Member State, who should coordinate CIP issues internally, as well as with other Member States and the Commission.

Amendments by Parliament

(12) Effective protection of European critical infrastructure requires communication, coordination, and cooperation at national and Community level. This is best achieved through the nomination of ECIP Contact Points at national and Community levels, who should coordinate ECIP issues internally, as well as with other Member States and the EU.

Amendment 11 Recital 13

Text proposed by the Commission

(13) In order to develop Critical Infrastructure Protection activities in areas which require a degree of confidentiality, it is appropriate to ensure a coherent and secure information exchange in the framework of this Directive. Certain Critical Infrastructure Protection information is of such nature that its disclosure would undermine the protection of the public interest as regards public security. Specific facts about a critical infrastructure asset, which could be used to plan and act with a view to causing unacceptable consequences for critical infrastructure installations should be classified and access granted only on a need-to-know basis, both at Community level and at Member State level.

Amendments by Parliament

(13) In order to develop European Critical Infrastructure Protection activities in areas which require a degree of confidentiality, it is appropriate to ensure a coherent and secure information exchange in the framework of this Directive. Certain European Critical Infrastructure Protection information is of such nature that its disclosure would undermine the protection of the public interest as regards public security. Specific facts about a critical infrastructure asset, which could be used to plan and act with a view to causing unacceptable consequences for critical infrastructure installations should be classified and access granted only on a need-to-know basis, both at Community level and at Member State level.

Amendment 12 Recital 14

Text proposed by the Commission

(14) Information sharing regarding Critical Infrastructure should take place in an environment of trust and security. The sharing of information requires a relationship of trust such that companies and organisations know that their sensitive data will be sufficiently protected. To encourage information sharing, it should be clear for the industry that the benefits of providing Critical Infrastructure related information outweigh the costs for the industry and society in general. Critical Infrastructure Protection information exchange should therefore be encouraged.

Amendments by Parliament

(14) Information sharing regarding Critical Infrastructure should take place in an environment of trust and security. The sharing of information requires a relationship of trust such that companies and organisations know that their sensitive data will be sufficiently protected.

Justification

Consideration of the principle of subsidiarity.

Amendment 13 Recital 15

Text proposed by the Commission

(15) This Directive complements existing sectoral measures at Community level and in the Member States. Where Community mechanisms are already in place, they should continue to be used and will contribute to the overall implementation of this Directive.

Amendments by Parliament

(15) This Directive complements existing sectoral measures at Community level and in the Member States. Where Community mechanisms are already in place, they should continue to be used and will contribute to the overall implementation of this Directive whilst ensuring that extra costs are not incurred as a result of multiple claims without an increase in security. Future sectoral measures should take account of this Directive in order to avoid possible duplication or contradiction.

Justification

The administrative burden should be as limited as possible.

Amendment 14 Recital 15 a (new)

(15a) This Directive does not take account of the special significance of the ‘external dimension’ of critical infrastructures, such as in the financial sector or the energy industry.

Justification

To make clear that critical infrastructures outside the European Union can also have enormous effects, particularly in the finance and energy sectors, and action is needed to increase security.

Amendment 15 Recital 17

Text proposed by the Commission

(17) Since the objectives of this Directive, namely the creation of a procedure for the identification and designation of European Critical Infrastructures, and a common approach to the assessment of the needs to improve the protection of such infrastructures, cannot be sufficiently achieved by the Member States and can therefore, by reason of the scale of the action, be better achieved at Community level, the Community may adopt measures in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty. In accordance with the principle of proportionality, as set out in that Article, this Directive does not go beyond what is necessary in order to achieve those objectives.

Amendments by Parliament

(17) Since the objectives of this Directive, namely the creation of a procedure for the identification and designation of European Critical Infrastructures, and a common approach to the assessment of the needs to improve the protection of such infrastructures, cannot in all cases be sufficiently achieved by the Member States and can therefore, by reason of the scale of the action, be better achieved at Community level, the Community may adopt measures in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty. In accordance with the principle of proportionality, as set out in that Article, this Directive does not go beyond what is necessary in order to achieve those objectives.

Justification

Wording of original paragraph is too strong.

Amendment 16 Article 2, point (b)

Text proposed by the Commission

b) “European Critical Infrastructure” means critical infrastructures the disruption or destruction of which would significantly affect two or more Member States, or a single Member State if the critical infrastructure is located in another Member State. This includes effects resulting from cross-sector dependencies on other types of infrastructure;

Amendments by Parliament

b) “European Critical Infrastructure” means critical infrastructures the disruption or destruction of which would significantly affect three or more Member States, or at least two Member States if the critical infrastructure is located in another Member State. This includes effects resulting from cross-sector dependencies on other types of infrastructure;

Justification

A European approach is justified if at least three Member States would be affected or at least two Member States other than that in which the critical infrastructure is located.

Amendment 17 Article 2, point (c), bullets 1 and 2

Text proposed by the Commission

• public effect (number of members of the population affected);
• economic effect (significance of economic loss and/or degradation of products or services);

Amendments by Parliament

• effect on the population;
• effect on the internal market (significance of economic loss and/or degradation of products or services);

Justification

Necessary clarification.

Amendment 18 Article 2, point (d)

Text proposed by the Commission

d) “vulnerability” means a characteristic of an element of the critical infrastructure's design, implementation, or operation that renders it susceptible to disruption or destruction by a threat and includes dependencies on other types of infrastructure;

Amendments by Parliament

d) “structural vulnerability” means a characteristic of an element of the critical infrastructure's design, implementation, or operation that renders it susceptible to disruption or destruction by a threat and includes dependencies on other types of infrastructure;

(This amendment applies throughout the text. Adopting it will necessitate corresponding changes throughout)

Justification

Necessary clarification.

Amendment 19 Article 3, paragraphs 1 and 2

Text proposed by the Commission

1. The cross-cutting and sectoral criteria to be used to identify European Critical Infrastructures shall be adopted in accordance with the procedure referred to in Article 11(3). They may be amended in accordance with the procedure referred to in Article 11(3).

The cross-cutting criteria having a horizontal application to all critical infrastructure sectors shall be developed taking into account the severity of the effect of the disruption or destruction of a particular infrastructure. They shall be adopted by [one year after the entry into force of this Directive] at the latest.

The sectoral criteria shall be developed for priority sectors while taking into account the characteristics of individual critical infrastructure sectors and involving, as appropriate, relevant stakeholders. They shall be adopted for each priority sector at the latest one year following the designation as a priority sector.

2. The priority sectors to be used for the purposes of developing the criteria provided for in paragraph 1 shall be identified by the Commission on an annual basis from among those listed in Annex I.

Amendments by Parliament

1. The cross-cutting and sectoral criteria to be used to identify European Critical Infrastructures shall be based on existing protection criteria and adopted in accordance with the procedure referred to in Article 11(3). They may be amended in accordance with the procedure referred to in Article 11(3). The European Parliament shall be fully informed without delay if the Commission submits measures, or proposals for measures to be taken, to the Council.

The cross-cutting criteria having a horizontal application to all European critical infrastructure sectors shall be developed taking into account the severity of the effect of the disruption or destruction of a particular infrastructure. They shall be adopted by [six months after the entry into force of this Directive] at the latest.

The sectoral criteria shall be developed for priority sectors and be based on existing sector-based protection measures, taking into account the characteristics of individual critical infrastructure sectors and involving all relevant stakeholders, given that each sector possesses particular experience and expertise and has different requirements concerning the protection of their critical infrastructure. They shall be adopted for each priority sector at the latest one year following the designation as a priority sector. Where Community mechanisms are already in place, they shall continue to be used. Future sectoral measures shall take account of this Directive in order to avoid possible duplication or contradiction.

2. The priority sectors to be used for the purposes of developing the criteria provided for in paragraph 1 shall be identified in accordance with the procedure referred to in Article 11(3) on an annual basis from among those listed in Annex I. Annex I may be amended in accordance with the procedure referred to in Article 11(3) in so far as this does not broaden the scope of this Directive.

Amendment 20 Article 4, paragraph 1

Text proposed by the Commission

1. On the basis of the notifications made pursuant to the second paragraph of Article 3(3) and any other information at its disposal, the Commission shall propose a list of critical infrastructures to be designated as European Critical Infrastructures.

Amendments by Parliament

1. On the basis of the notifications made pursuant to the second paragraph of Article 3(3) and any other information at its disposal, the Commission shall propose a list of critical infrastructures to be designated as European Critical Infrastructures. The Commission shall fully inform the European Parliament without delay of the details of this list.

Amendment 21 Article 7, paragraph 2, subparagraph 1

Text proposed by the Commission

Each Member State shall report to the Commission on a summary basis on the types of vulnerabilities, threats and risks encountered in each sector referred to in Annex I within 18 months following the adoption of the list provided for in Article 4(2) and thereafter on an ongoing basis every two years

Amendments by Parliament

Each Member State shall report to the Commission on a summary basis on the types of vulnerabilities, threats and risks encountered in each sector referred to in Annex I within 12 months following the adoption of the list provided for in Article 4(2) and thereafter on an ongoing basis every two years

Justification

Shortens the procedure.

Amendment 22 Article 7, paragraph 4

Text proposed by the Commission

4. Common methodologies for carrying out vulnerability, threat and risk assessments in respect of European Critical Infrastructures may be developed on a sectoral basis in accordance with the procedure referred to in Article 11(3).

Amendments by Parliament

4. Common methodologies for carrying out vulnerability, threat and risk assessments in respect of European Critical Infrastructures may be developed on a sectoral basis in accordance with the procedure referred to in Article 11(3) and with the participation of those concerned.

Amendment 23 Article 8

Text proposed by the Commission

The Commission shall support the owners/operators of designated European Critical Infrastructures by providing access to available best practices and methodologies related to critical infrastructure protection.

Amendments by Parliament

The Commission shall, in coordination with the Member States, support the owners/operators of designated European Critical Infrastructures by providing access to information and exchanges of proven experience, practices and methodologies related to critical infrastructure protection.

Amendment 24 Article 10, paragraph 2

Text proposed by the Commission

2. Any person handling confidential information pursuant to this Directive on behalf of a Member State shall have an appropriate level of security vetting by the Member State concerned.

Amendments by Parliament

2. Any person handling confidential information pursuant to this Directive on behalf of a Member State shall have an optimum level of security vetting by the Member State concerned.

Amendment 25 Article 10, paragraph 3

Text proposed by the Commission

3. Member States shall ensure that Critical Infrastructure Protection Information submitted to the Member States or to the Commission, is not used for any purpose other than the protection of critical infrastructures.

Amendments by Parliament

3. Member States shall ensure that European Critical Infrastructure Protection Information submitted to the Member States or to the Commission, is not used for any purpose other than the protection of European critical infrastructures.

Amendment 26 Article 11, paragraph 1

Text proposed by the Commission

1. The Commission shall be assisted by a Committee composed of a representative of each CIP Contact Point.

Amendments by Parliament

1. The Commission shall be assisted by a Committee composed of a representative of each Member State.

Justification

Consideration of the subsidiarity principle.

Amendment 27 Article 12, paragraph 1, subparagraph 1

Text proposed by the Commission

Member States shall bring into force the laws, regulations and administrative provisions necessary to comply with this Directive by 31 December 2007 at the latest. They shall forthwith communicate to the Commission the text of those provisions and a correlation table between those provisions and this Directive.

Amendments by Parliament

Member States shall bring into force the laws, regulations and administrative provisions necessary to comply with this Directive by 1 July 2008 at the latest. They shall forthwith communicate to the Commission the text of those provisions and a correlation table between those provisions and this Directive.

Justification

More realistic timeframe.

PROCEDURE

Title: Identification, designation and protection of European Critical Infrastructure
References: COM(2006)0787 - C6-0053/2007 - 2006/0276(CNS)
Committee responsible: LIBE
Opinion by: ITRE
Date announced in plenary: 1.2.2007
Drafts(wo)man: Norbert Glante
Date appointed: 27.2.2007
Discussed in committee: 11.4.2007 2.5.2007 5.6.2007 7.6.2007
Date adopted: 27.6.2007
Result of final vote: +: 34 –: 0 0: 0
Members present for the final vote: Philippe Busquin, Jorgo Chatzimarkakis, Giles Chichester, Silvia Ciornei, Den Dover, Nicole Fontaine, Adam Gierek, Norbert Glante, András Gyürk, Fiona Hall, Rebecca Harms, Erna Hennicot-Schoepges, Romana Jordan Cizelj, Werner Langen, Romano Maria La Russa, Reino Paasilinna, Atanas Paparizov, Francisca Pleguezuelos Aguilar, Vladimír Remek, Teresa Riera Madurell, Paul Rübig, Andres Tarand, Britta Thomsen, Claude Turmes, Nikolaos Vakalis
Substitute(s) present for the final vote: Alexander Alvaro, Pilar Ayuso, Christian Ehler, Robert Goebbels, Edit Herczog, Erika Mann, John Purvis, Esko Seppänen, Silvia-Adriana Ţicău
Substitute(s) under Rule 178(2) present for the final vote: Albert Deß

7.6.2007

OPINION OF THE COMMITTEE ON TRANSPORT AND TOURISM

for the Committee on Civil Liberties, Justice and Home Affairs on the proposal for a Council directive on the identification and designation of European Critical Infrastructure and the assessment of the need to improve their protection (COM(2006)0787 – C6-0053/2007 – 2006/0276(CNS))

Draftswoman: Renate Sommer

SHORT JUSTIFICATION

Commission proposal

In June 2004, shortly after the train bombings in Madrid, the European Council instructed the Commission to prepare an overall strategy to protect critical infrastructure from acts of terrorism. This led in November 2005 to the Commission Green Paper on a European Programme for Critical Infrastructure Protection (EPCIP), setting out potential strategies for implementing EPCIP and for a Critical Infrastructure Warning Information Network (CIWIN). In December 2005 the Council of Ministers for Justice and Home Affairs instructed the Commission to submit a proposal on EPCIP no later than June 2006. The Commission’s December 2006 communication on EPCIP sets out a number of elements which the framework of such a programme might comprise, including this proposal for a directive containing a procedure for the identification and designation of European Critical Infrastructure in need of improved protection.

This directive is intended to complement existing national programmes on the protection of important infrastructures and to be built on existing Critical Infrastructure sector-based measures. The Commission proposes that an infrastructure should be designated as a European Critical Infrastructure if its disruption or destruction would affect two or more Member States, or a single Member State if the critical infrastructure is located in another Member State. Each Member State should identify European Critical Infrastructure (ECI) located within its territory as well as critical infrastructures outside its territory that may have an impact on it, and notify the Commission of such infrastructures. On this basis the Commission intends to draw up centrally, under the comitology procedure, a specific list of European Critical Infrastructures.

Alongside this proposal for a directive on the identification and designation of European Critical Infrastructure, existing sector-specific legislation will remain in force. In the transport sector, for example, security legislation already exists, e.g. for vessels and port facilities, airports, civil aviation and the transport of dangerous goods.

Rapporteur’s amendments

Your rapporteur believes that, with this proposal for a directive, the Commission is exceeding its powers, misunderstanding its instructions and seeking to achieve an objective which contravenes the subsidiarity principle. The initiative on the protection of critical infrastructure is intended to guarantee internal security. It is not an initiative to protect the stability of the Internal Market. Rather than complementing the measures of the Member States, which is its real task, the Commission clearly wishes to replace the Member States’ existing measures. The proposed system of reporting requirements creates additional and counter-productive bureaucratic structures. Furthermore, the proposal does not address the real task, but delegates it to a comitology committee, and indeed it is questionable whether there is any need for such a directive at all.

Your rapporteur considers that critical infrastructures should be identified and designated solely by the Member States. She opposes the requirement for the Member States to notify the Commission of specific critical infrastructures. This would be against national security interests, since a European list of critical infrastructures would be an interesting source of information to terrorists. In order to reduce the level of risk the only appropriate measure would seem to be devolved management of ECI in the Member States.

The only infrastructures which should be regarded as critical from a European point of view are those whose disruption or destruction would affect at least three Member States, or two Member States other than the one in which they are located. Furthermore, all that should be done centrally by the Commission is to define and list in general terms the European priority sectors at risk, and to draw up fundamental criteria based on the importance of the infrastructure to the security (of supply) of the population.

In deciding whether an infrastructure is critical, the “human factor” must therefore be taken into consideration. It needs to be made clear that this directive centres on the citizen and that the proposed rules are being adopted for his welfare, since the proposal for a directive is intended to contribute to better public security and thus improve quality of life for citizens.

Sectors with potential critical infrastructure are listed in Annex I. Your rapporteur proposes that the definition of the potential critical sectors in the transport field should be supplemented in the interest of clarity. This clarification should include tunnels, bridges, stations, locks, ports and airports.

*******

The Committee on Transport and Tourism calls on the Committee on Civil Liberties, Justice and Home Affairs, as the committee responsible, to propose rejection of the Commission proposal.

PROCEDURE

Title: Identification, designation and protection of European Critical Infrastructure
References: COM(2006)0787 - C6-0053/2007 - 2006/0276(CNS)
Committee responsible: LIBE
Opinion by: TRAN
Date announced in plenary: 1.2.2007
Drafts(wo)man: Renate Sommer
Date appointed: 31.1.2007
Discussed in committee: 8.5.2007 4.6.2007
Date adopted: 5.6.2007
Result of final vote: +: 23 –: 16 0: 1
Members present for the final vote: Robert Atkins, Inés Ayala Sender, Etelka Barsi-Pataky, Paolo Costa, Michael Cramer, Luis de Grandes Pascual, Arūnas Degutis, Christine De Veyrac, Petr Duchoň, Saïd El Khadraoui, Robert Evans, Emanuel Jardim Fernandes, Georg Jarzembowski, Timothy Kirkhope, Dieter-Lebrecht Koch, Jaromír Kohlíček, Sepp Kusstatscher, Bogusław Liberadzki, Eva Lichtenberger, Marian-Jean Marinescu, Robert Navarro, Seán Ó Neachtain, Josu Ortuondo Larrea, Willi Piecyk, Luís Queiró, Reinhard Rack, Luca Romagnoli, Gilles Savary, Brian Simpson, Renate Sommer, Dirk Sterckx, Ulrich Stockmann, Georgios Toussas, Yannick Vaugrenard, Roberts Zīle
Substitute(s) present for the final vote: Markus Ferber, Pedro Guerreiro, Elisabeth Jeggle, Anne E. Jensen, Corien Wortmann-Kool

PROCEDURE

Title: Identification, designation and protection of European Critical Infrastructure
References: COM(2006)0787 - C6-0053/2007 - 2006/0276(CNS)
Date of consulting Parliament: 22.1.2007
Committee responsible: LIBE
Date announced in plenary: 1.2.2007
Committee(s) asked for opinion(s): ECON, ENVI, ITRE, IMCO, TRAN
Date announced in plenary: 1.2.2007, 1.2.2007, 1.2.2007, 1.2.2007, 1.2.2007
Not delivering opinions: ENVI, IMCO
Date of decision: 27.2.2007, 1.3.2007
Rapporteur(s): Jeanine Hennis-Plasschaert
Date appointed: 25.1.2007
Discussed in committee: 8.5.2007
Date adopted: 27.6.2007
Result of final vote: +: 46 –: 3 0: 1
Members present for the final vote: Alexander Alvaro, Alfredo Antoniozzi, Kathalijne Maria Buitenweg, Giuseppe Castiglione, Giusto Catania, Carlos Coelho, Fausto Correia, Elly de Groen-Kouwenhoven, , Panayiotis Demetriou, Bárbara Dührkop Dührkop, Kinga Gál, Patrick Gaubert, Roland Gewalt, Lilli Gruber, Adeline Hazan, Jeanine Hennis-Plasschaert, Lívia Járóka, Ewa Klamt, Roger Knapman, Magda Kósáné Kovács, Wolfgang Kreissl-Dörfler, Barbara Kudrycka, Stavros Lambrinidis, Henrik Lax, , Dan Mihalache, Claude Moraes, Javier Moreno Sánchez, Athanasios Pafilis, Luciana Sbarbati, Inger Segelström, Károly Ferenc Szabó, Vladimir Andreev Urutchev, Ioannis Varvitsiotis, Manfred Weber, Tatjana Ždanoka
Substitute(s) present for the final vote: Adamos Adamou, Edit Bauer, Simon Busuttil, Gérard Deprez, Koenraad Dillen, Iratxe García Pérez, Ignasi Guardans Cambó, Sylvia-Yvonne Kaufmann, Metin Kazak, Jörg Leichtfried, Marianne Mikko, Herbert Reul, Rainer Wieland
