Safeguarding critical infrastructure – the regulatory framework for protection across the EU
April 2024 | SPECIAL REPORT: INFRASTRUCTURE & PROJECT FINANCE
Financier Worldwide Magazine
April 2024 Issue
From physical attacks on the Nordstream pipeline to cyber attacks on commercial enterprises, the security of critical infrastructure is becoming a target – in the truest sense of the word. Digitalisation, technological advances and increased interconnections are creating more and more target areas for attacks, while the vulnerability of critical infrastructure is growing.
In response to these developments, policymakers in the European Union (EU) are under pressure to act not only to protect economical resources, but also to ensure security of supply for the public. Therefore, back in 2020 the European Commission proposed two key pieces of legislation aimed at strengthening the resilience of Europe’s critical infrastructure. These obligations will be implemented across the EU in autumn 2024. From then on, any company operating in a ‘critical’ sector may have to comply with far-reaching obligations, with the threat of heavy fines and even directors’ liability in the event of non-compliance.
This article takes a closer look at how the regulatory framework across the EU will change, what obligations operators will have to comply with and, most importantly, who will have to act soon.
What is critical infrastructure?
First, what do we mean by critical infrastructure? According to the definition of the German Federal Office for Information Security, critical infrastructures are “organisations and facilities of major importance for the national community, the failure or impairment of which would result in lasting supply shortages, serious disruptions to public security or other dramatic consequences”.
According to the relevant EU legislation, this covers entities operating infrastructure in various fields, mainly in the energy, transport, banking, financial, healthcare, drinking water, wastewater, digital, public administration, space and food production sectors. Infrastructure and related facilities in each of these sectors are ‘critical’ if they exceed a certain size and therefore supply a specific amount of people. EU member states are free to determine the exact thresholds to be applied here. In Germany, the benchmark for a power plant is that it must supply at least 500,000 people to be considered critical infrastructure. This is the case if it has an installed net nominal capacity above 104GW.
It is important to note that the first obligation is for each operator to determine for itself whether it operates critical infrastructure based on the relevant legal thresholds. There is no automatic categorisation or notification by the competent authorities.
How is critical infrastructure regulated in the EU?
Once an operator has identified that it operates critical infrastructure, it must consider how critical infrastructure is regulated within the EU and therefore what obligations and challenges it faces in order to protect its systems.
Regulatory framework. For a long time, national laws laid the foundations for critical infrastructure regulation across the EU. As a result, the regulations varied considerably from one member state to another. Because of increasing interconnectedness, there was a growing need for a harmonised European set of rules to ensure cross-sectoral and cross-border protection for critical infrastructure. Back in 2016, the EU took its first steps in this regard by way of enacting Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union (NIS 1 Directive). The NIS 1 Directive was an important pillar of the European cyber security strategy, aiming to create a uniform legal framework and strengthen cyber resilience of critical infrastructure across all member states for the first time.
It is important to note that the entire regulatory framework concerning security of critical infrastructure within the EU is set out by way of directives. These acts are not directly applicable in member states but contain a deadline by which the directive must be transposed into national law by means of a transposition act. Each directive defines a basic level of protection and obligations that must be respected in the corresponding national transposition law. However, these minimum standards do not prevent national legislators from providing for a higher level of protection.
The NIS 1 Directive and the national transposition acts defined aims toward stronger cooperation between EU member states and set out minimum security requirements and reporting obligations for critical infrastructure.
It is these minimum requirements that are now facing a fundamental change: two new directives, the NIS 2 Directive and the Directive on the resilience of critical entities (CER Directive), must be implemented into the national law of all EU member states by October 2024. With this new legislation, the EU has significantly expanded the regulatory framework for critical infrastructure across the bloc, broadening both the scope of obligations as well as the addressees.
NIS2 Directive. Based on the framework of the NIS1 Directive, the new NIS2 Directive will regulate requirements for cyber security, addressing significantly more companies and extending their obligations.
The NIS2 Directive distinguishes between two types of operators: ‘essential entities’ and ‘important entities’. This not only encompasses companies previously recognised as critical infrastructure under the NIS1 Directive, but any company of a certain size operating in the energy, transport, banking and finance, healthcare, water, digital infrastructure, public administration and space sectors, with these sectors to be considered ‘highly critical’. This also includes companies of a certain size in other sectors defined as ‘critical’, for example the production, processing and distribution of food as well as manufacturing.
Size is determined by number of employees and turnover. Significantly more companies than before will therefore be included in the cyber security regime. Which companies will be specifically covered can only be conclusively determined after issuance of the national transposition acts, as well as supplementary regulation.
Both important and essential entities are required to implement certain cyber security measures to protect their IT systems and networks. These include establishing risk management procedures including safety measures and risk assessments, reporting obligations, registration, verification and information obligations, staff training and verifying risk management along their supply chain.
Failure to comply with these obligations can have dire consequences. Depending on the sector, fines can amount to up to €10m or 2 percent of a company’s turnover in the previous year. The new law also places greater responsibility on senior management. Directors are obliged to approve cyber security risk management measures and monitor their implementation. It is particularly important that this obligation cannot be delegated to a third party. In the event of a breach of duty, management is personally liable for the damage caused.
CER Directive. In addition to cyber security requirements, critical infrastructure operators will also be legally obliged by the CER Directive requirements to physically protect their critical facilities. This is the first time these requirements have been harmonised across the EU.
Specifically, the CER Directive requires operators to ensure their facilities are resilient to non-cyber threats by implementing resilience measures and resilience plans, registration, reporting and verification requirements, as well as staff training. This includes physical protection measures like perimeter surveillance tools, detection devices and access controls, as well as risk and crisis management procedures and protocols.
Non-compliance with these requirements can lead to penalties which will be detailed in the national transposition acts.
Assessment and outlook
The directives and their national implementing legislation set new standards in regulating critical infrastructure. Not only have the individual measures to be implemented been tightened, many more economic sectors and companies have been included as targets. As a result, the number of companies affected has multiplied. In Germany alone, experts estimate that up to 30,000 companies could be subject to regulation from 2024, compared with 2000 at present.
Due to the structure of the legislation as directives, it is also expected that member states will further increase the level of protection in their national legislation. Companies operating in affected sectors must familiarise themselves with the new legislation at an early stage and analyse whether and, if so, to what extent they are affected by the new regulations. In view of the consequences and the far-reaching nature of the new rules, it is highly advisable to seek comprehensive, timely advice to be prepared when the national acts come into effect in October 2024.
Pia Heckenberger is an associate at Hogan Lovells International LLP. She can be contacted on +49 699 62 360 or by email: pia.heckenberger@hoganlovells.com.
© Financier Worldwide
BY
Pia Heckenberger
Hogan Lovells International LLP
Infrastructure & project finance
Developments in US federal infrastructure policy and funding
Opportunities in Brazil’s free power market
Concessional financing to encourage small scale renewable power initiatives
An emerging tipping point for government incentives and private investment
Regulation of carbon dioxide transportation and storage infrastructure in the UK
Safeguarding critical infrastructure – the regulatory framework for protection across the EU
JETPs in Indonesia: reaction to the CIPP and the future under a Prabowo government
A new frontier for public-private partnerships in the Philippines
Update on Oman’s Public-Private Partnership Law