Select Committee on European Scrutiny Tenth Report


8 Protection of critical infrastructure

(a) (28183) 16932/06 COM(06)786: Commission Communication on a European Programme for Critical Infrastructure Protection

(b) (28184) 16933/06 + ADDs 1-2 COM(06)787: Draft Council Directive on the identification and designation of European Critical Infrastructure and the assessment of the need to improve their protection

Legal base: (a) —; (b) Article 308 EC; consultation; unanimity
Document originated: (a) and (b) 12 December 2006
Deposited in Parliament: (a) and (b) 4 January 2007
Department: Home Office
Basis of consideration: EM of 19 February 2007
Previous Committee Report: None; but see (26072) 13979/04 HC 38-v (2004-05), para 5 (26 January 2005), HC 34-xiv (2005-06) para 8 (10 February 2005) and (27052) 14910/05 HC 34-xviii (2005-06), para 12 (8 February 2006), HC 34-xxviii (2005-06) para 16 (10 May 2006)
To be discussed in Council: No date set
Committee's assessment: Legally and politically important
Committee's decision: Not cleared; further information requested

Background

8.1 The Commission communication and draft Directive follow the publication by the Commission of a Green Paper which the previous Committee considered on 10 February 2005 and which we considered on 6 February 2006 and again on 10 May 2006. The Green Paper followed the request from the European Council to the Commission and the High Representative in June 2004 to prepare an overall strategy for the protection of critical infrastructure from terrorist attack.

8.2 "Critical infrastructure" for these purposes consists of those facilities and networks, services and property the destruction of which would have a serious impact on the health, safety, security or economic well-being of citizens or the effective functioning of government in the Member States. Such infrastructure includes systems for electricity and gas production and distribution, telephone exchanges and other communications systems, sewage plants, food distribution and key government services.

8.3 The Green Paper suggested the creation of a common framework, (the European Programme for Critical Infrastructure Protection — EPCIP), supplemented by a critical infrastructure warning network — CWIN, with common principles and standards for the protection of critical infrastructure, and with common definitions of concepts such as critical infrastructure protection, European critical infrastructure and Operator Security Plans. The Green Paper also suggested the adoption of a common list of critical infrastructure sectors, which would include energy, information and communications technologies, water and food supply, health, financial services, "public and legal order and safety", civil administration, transport, chemical and nuclear industries and "space and research". Under the heading "civil administration", the list included government functions, emergency services, civil administration services and postal and courier services, but also included the armed forces. On this latter point, we sought and obtained from the Minister an assurance in her letter of 30 January 2006 that in no circumstances would the disposition and organisation of this country's armed forces form part of any "common framework" at Community level, as referred to in the Green Paper.

8.4 The Green Paper argued that it was in the interests of the Member States and the European Union as a whole that each Member State should protect its national critical infrastructure under a common framework, but in our view some of the issues raised in the Green Paper touched on the fundamental duty of a national government to ensure the security of its citizens.

8.5 The Government's reply emphasised that the management of national critical infrastructure must be left, in accordance with the principle of subsidiarity, to the Member State concerned. The Government also stated that the proposed activities of the European Programme for Critical Infrastructure Protection (EPCIP) needed to be clearly established. In its view, the aim of the EPCIP should be to share good practice and expertise and to share research into issues and solutions related to critical infrastructure protection, but should not include national critical infrastructure issues such as the justification by Member States of what they regard as critical, the national armed forces and associated infrastructures, vulnerability analyses or monitoring of protective security measures. The EPCIP should also exclude assessing the threat from terrorism. The protection of critical infrastructure being "first and foremost a national responsibility", the Commission's efforts would be most effective when working with Member States on the protection of critical infrastructure having an EU cross-border effect (i.e. when having an impact on at least three Member States), but any sharing of information on critical infrastructure would have to take place on a strict need-to-know basis. The Government also stated that it was not persuaded of the need for any additional warning network, and did not support a CWIN format which would involve the dissemination of information on specific threats, alerts or vulnerabilities.

8.6 We wholly supported the Government's reply to the Green Paper, and considered it was right to express caution about a number of the options suggested. We also noted that the legal base for action at EU level in this area would require the closest examination.

The Commission communication

8.7 The Commission communication (document (a)) sets out the principles, processes and instruments which the Commission proposes for the implementation of the EPCIP. The Commission also intends to produce further communications relating to specific sectors of critical infrastructure, such as energy and transport.

8.8 In the Commission's view, the objective of the EPCIP is to be achieved by the creation of an EU framework concerning the protection of critical infrastructures. The threats to be addressed include that from terrorism as a priority, but the EPCIP will be based on an "all-hazard" approach. The Commission considers that if the level of protective measures in a particular sector is found to be adequate "stakeholders should concentrate their efforts on threats to which they are vulnerable".

8.9 The Commission describes subsidiarity as a "key principle" to guide the implementation of the EPCIP, and states that it will focus its efforts on infrastructure which is critical from a European, rather than a national or regional, perspective. However, European critical infrastructure is evidently to be given an extended meaning. It is described in the communication as constituting "those designated critical infrastructures which are of the highest importance for the Community and which if disrupted or destroyed would affect two or more Member States, or a single Member State if the critical infrastructure is located in another Member State". The communication adds that the procedure for identifying and designating European critical infrastructure, together with a common approach to assessing the need to improve protection for such infrastructure, will be determined by a Directive (see document (b) below).

8.10 The other "key principles" include "complementarity" (i.e. that the Commission will avoid duplicating existing efforts at EU, national or regional level "where these have proven to be effective in protecting critical infrastructure"), "confidentiality" (i.e. that at EU and national level information will be classified appropriately with access granted on a "need to know", with information being shared "in an environment of trust and security"), "stakeholder cooperation" (i.e. that owners and operators of critical infrastructure should be involved as well as public authorities in the development of the EPCIP) and "proportionality" (that measures should be proposed only in case of need and proportionate to the risk involved). Finally, the EPCIP is to be developed using a sector-by-sector approach.

8.11 The Commission proposes a framework for the EPCIP consisting of a Directive to provide for a common approach to identifying and designating European critical infrastructures and assessing the need for improved protection, an EPCIP Action Plan, a Critical Infrastructure Warning Network (CWIN), together with support for Member States in relation to national critical infrastructure. The Commission also proposes that it should chair an EU level body to coordinate work on the EPCIP.

8.12 The draft Directive (document (b)) is considered below, and the Critical Infrastructure Warning Network (CWIN) is to be the subject of a separate proposal. The EPCIP Action Plan envisages a range of activities in which the Commission would take a leading role. For example, it would be for the Commission to identify sectors where action should be taken as a priority, and the Commission with the Member States to elaborate criteria for identifying European critical infrastructure and to create an inventory of national bilateral and EU critical infrastructure protection programmes.

8.13 The Action Plan also provides for the Commission to assist the Member States in the development of national critical infrastructure programmes. The communication notes that the responsibility for protecting national critical infrastructure falls on the Member States, but with "due regard for existing Community competence".[27] However, the communication also encourages each Member State to establish a national programme for the protection of critical infrastructure and sets out a list of issues which such programmes should address as a "minimum". Such issues include identifying critical infrastructure according to "predefined national criteria" which, again "as a minimum", would take into account the geographical area affected by disruption or destruction of the infrastructure, the severity of the effects assessed on the basis of the effect on the public, the economy, the environment, as well as political and "psychological" effects and consequences for public health. The communication argues that the introduction of similar approaches to the protection of national infrastructure will "contribute to ensuring that CI stakeholders throughout Europe benefit from not being subjected to varying frameworks resulting in additional costs and that the internal market is not distorted".

The draft Directive

8.14 Document (b) is a proposal for a Directive, to be adopted under Article 308 EC, for the identification by the Member States of relevant infrastructures and for their designation by the Commission as "European critical infrastructure". In its explanation of the proposal, the Commission argues that "only a common framework can provide the necessary basis for a coherent and uniform implementation of measures to enhance the protection of ECI" and that "non-binding voluntary measures, while flexible, would not provide the necessary stable foundation as they would not provide enough clarity on who does what, nor would they clarify the rights and obligations for ECI stakeholders involved".

8.15 The legal base chosen for the proposal by the Commission is Article 308 EC, but the reasons for this choice are not explained. In particular, it is not explained how the proposal, which relates essentially to national security, is nevertheless necessary to attain, in the course of the operation of the common market, one of the objectives of the Community.

8.16 The Commission argues that the proposal complies with the principle of subsidiarity by stating that, although it is the responsibility of each Member State to protect the critical infrastructure under its jurisdiction, "it is crucial for the security of the European Union[28] to make sure that infrastructure having an impact on two or more Member States or a single Member State if the critical infrastructure is located in another Member State are sufficiently protected and that one or more Member States are not made vulnerable by weaknesses or lower security standards in other Member States". It is also argued that "similar rules concerning security would also help to make sure that the rules of competition within the internal market are not distorted". The Commission states that as the Member States have "varying approaches to critical infrastructure protection and different legal systems" a Directive is "best suited" for creating a common procedure for identifying and designating European critical infrastructure.

8.17 The detailed provisions of the draft Directive may be summarised as follows. Articles 1 and 2 are concerned with the purpose of the proposal and with definitions. Article 2 defines critical infrastructure as "those assets or part thereof which are essential for the maintenance of critical societal functions". "European critical infrastructure" is defined as critical infrastructure "the disruption or destruction of which would significantly affect two or more Member States, or a single Member State if the critical infrastructure is located in another Member State".

8.18 Articles 3 and 4 provide for the identification and designation of European critical infrastructure. Member States are required by Article 3(3) to identify such infrastructure in accordance with criteria ("cross-cutting" and "sectoral" criteria) to be adopted by the Commission following a comitology[29] procedure under Article 11(3). Member States are required to notify the Commission of the critical infrastructure they have identified, following which the Commission is to draw up a list of infrastructures to be designated by the Commission under the Article 11(3) procedure as "European Critical Infrastructures" (Article 4).

8.19 Article 5 requires each Member State to cause the owners or operators of European Critical Infrastructure situated on its territory to establish and update an "Operator Security Plan". Such a Plan must include a risk assessment and "relevant security solutions" in accordance with the provisions of Annex II to the draft Directive. Annex II requires important assets to be identified, the preparation of a risk analysis and the "identification, selection and prioritisation" of counter-measures and procedures, distinguishing between "permanent security measures" (i.e. those which cannot be introduced by the owner/operator at short notice) and "graduated security measures" (i.e. those which are activated according to varying risk and threat levels).

8.20 Article 6 requires each Member State to cause the owner/operator of any European critical infrastructure on its territory to designate a "Security Liaison Officer" as the point of contact between the Member State and the owner/operator. Member States are also required to communicate relevant information concerning identified risks and threats to the Security Liaison Officer.

8.21 Article 7(1) requires each Member State to carry out a risk and threat assessment in relation to European critical infrastructure situated within its territory. Article 7(2) requires Member States to report to the Commission on the types of vulnerabilities, threats and risks encountered in each of the sectors referred to in Annex I to the Directive (i.e. energy, nuclear industry, information and communications technologies, water, food, health, financial, transport, chemical industry, space and research facilities). Provision is made for the format for such reports, and for the development of "common methodologies" for risk and threat assessments to be determined by the Commission using the comitology procedure under Article 11(3).

8.22 Article 8 requires the Commission[30] to support the owners/operators of European critical infrastructure by providing access to best practice and "methodologies" related to critical infrastructure protection. Article 9 requires each Member State to appoint a "critical infrastructure protection Contact Point" and provides for such a Contact Point to coordinate critical infrastructure protection issues[31] with the relevant Member State and with other Member States and the Commission.

8.23 Article 10 makes provision for the protection of information. Article 10(1) imposes a duty on the Commission to take "appropriate measures" under Commission Decision 2001/844/EC, ECSC, Euratom[32] to protect information subject to a requirement of confidentiality to which it has access or which has been communicated by Member States. Member States are required to take equivalent measures in accordance with the relevant national law. Article 10(1) also provides that "due account shall be given to the gravity of the potential prejudice to the essential interests of the Community or of one or more of its Member States", but the effect of this provision is far from clear.

8.24 Article 10(2) requires that any person handling confidential information pursuant to the Directive "shall have an appropriate level of security vetting by the Member State concerned". Article 10(3) requires Member States to ensure that "Critical Infrastructure Protection Information" (i.e. specific facts about an item of critical infrastructure, whether national or European) which is submitted to the Member States or the Commission is not used for any purpose other than the protection of critical infrastructures.

8.25 Article 11 provides for a 'comitology' committee to assist the Commission. In relation to decisions by the Commission under Article 5 on whether the requirements of the Directive on Operator Security Plans are satisfied in particular sectors, the role of the committee is advisory only.[33] For all other decisions, including criteria for identifying European critical infrastructure, amending the list of priority sectors, imposing requirements for Operator Security Plans in particular sectors, and devising templates and methodologies for reports by Member States, the Commission is to be assisted by a regulatory committee.[34]

The Government's view

8.26 In his Explanatory Memoranda of 19 February 2007 the Minister of State at the Home Office (Tony McNulty) deals separately with the communication (document (a)) and with the draft Directive (document (b)).

8.27 The Minister begins his assessment of the policy implications of the communication by considering the question of subsidiarity. The Minister finds it clear from the communication that the Commission's efforts will focus on infrastructure that is critical from a European, rather than a national or regional, perspective. The Minister notes that the communication indicates that, "where requested to do so and taking due account of existing Community competences and resources", the Commission may support Member States' efforts to protect critical infrastructures within their territory by providing relevant information. The Minister explains that the UK supports this approach but that the Government is clear on two points, first, that responsibility for national critical infrastructure is a national responsibility and, secondly, that protection of European Critical Infrastructure is the responsibility of the Member State within which the infrastructure is located.

8.28 On the more general policy implications of the communication, the Minister comments that critical infrastructure protection is an issue of high priority in the UK and that the Government considers it important that it "engages fully in the development of EPCIP and clarify the added value that the Commission can bring to the area of European critical infrastructure protection". The Minister considers it "very encouraging" that the Commission "has listened to the views of the Member States and is now proposing a series of voluntary measures to improve CNI capabilities across the EU". The Minister concludes that "consequently there are few concerns for the UK in this Communication".

8.29 The Minister notes that the communication recognises that the threat from terrorism is a priority, but that the EPCIP will be based on an "all hazards" approach. The Minister explains that UK support for the change in scope from terrorism to the "all hazards" approach is based on the consideration that "plans for infrastructure resilience tend not to be terrorist specific". The Minister adds that the extension to the "all hazards" approach "could dilute the effectiveness of the security measures against terrorist attacks which EPCIP was originally expected to develop" and that therefore the Government is keen to ensure that the threat from terrorism "is maintained as the key focus for EPCIP".

8.30 The Minister also explains the Government's concerns over the definition of "European Critical Infrastructure" used in the communication and the draft Directive, and emphasises the Government's view that designation as European Critical Infrastructure should be limited to those items of infrastructure the disruption or destruction of which would affect at least three Member States significantly.

8.31 The Minister explains that the Government challenges the Commission's claim that the introduction of similar approaches to critical national infrastructure (CNI) protection across the Member States would "benefit critical infrastructure stakeholders throughout Europe by reducing the additional costs that result from varying frameworks and ensuring that the internal market is not distorted". The Minister points out in this context that the threat to critical national infrastructure is not equal in all Member States and that it is therefore not appropriate to apply the same standard of protection measures in all Member States.

8.32 In relation to the proposal for a Critical Infrastructure Warning Information Network (CIWIN), the Minister explains that the Government remains to be convinced that new systems need to be developed in order to exchange best practices, experience and knowledge between Member States. The Minister states that the Government does not agree with the Commission's intention to implement a new warning system to share specific threat and vulnerability information, and welcomes the fact that the communication presents this as being only a possibility. Nevertheless, the Minister notes that a prototype for CIWIN is being developed and is expected to be produced by the end of 2007, and that this gives the Government some cause for concern.

8.33 In relation to the draft Directive (document (b)), the Minister explains that the Government supports, in principle, the Commission's decision to implement the EPCIP through a combination of binding and non-binding measures. The Minister comments that the use of a Directive to implement the basic elements for the cross-border components of the EPCIP would "allow the Commission to make these requirements obligatory for Member States whilst still allowing the Member States to adapt the obligations to their particular legal systems and existing CIP procedures".

8.34 The Minister nevertheless points out that the Government does have concerns in relation to the Directive. The key concerns are the definition of "European Critical Infrastructure" (ECI) as being infrastructures which are critical to two or more Member States whereas the Government believes that the EPCIP should focus on infrastructures which are critical to at least three Member States, the omission of any provision allowing a Member State to challenge the designation of infrastructure located within its territory as ECI, and the imposition of legal obligations on infrastructure operators to produce Operator Security Plans and to provide Security Liaison Officers.

8.35 The Minister makes a number of detailed comments in relation to the draft Directive. First, the Minister develops the concern expressed over the definition of ECI as it appears in Article 2 of the proposal, emphasising that the Government remains firmly of the view that the EPCIP should focus on the areas best suited to EU cooperation, namely where there are many Member States involved. In the Minister's view, designation as ECI should be limited to those items of infrastructure, the disruption or destruction of which would affect at least three Member States significantly, and where only two Member States are affected bilateral rather than European level arrangements are appropriate. The Minister comments further that bilateral arrangements are the preferred solution for items of infrastructure which are shared by two Member States. The Minister adds that the Government believes that this approach works well without Commission intervention and that the introduction of the Commission into these bilateral arrangements "risks politicising the ECI designation process".

8.36 The Minister notes that Article 3(2) provides for the Commission to identify particular sectors as priorities for action, but that the Government prefers such priorities to be fixed through comitology, using the regulatory procedure.[35] In relation to Article 3(3) (which requires Member States to notify the Commission of critical infrastructures within their territory and in other Member States) the Minister explains that the Government is concerned that in some cases, for security reasons, the UK "may prefer not to identify a particular infrastructure in another Member State as being of critical importance to the UK", and that even if the Government were prepared to nominate an infrastructure in another Member State for designation as ECI, it would need to consider carefully the risks of sharing sensitive information relating to such infrastructure.

8.37 The Minister explains in relation to Article 5 that the Government does not support the imposition of a legal obligation on operators of infrastructure to produce an Operator Security Plan (OSP). The Government wishes the wording of the proposal to be modified so that it leaves to Member States the question of how reporting on vulnerabilities, threats and risks is achieved. Also in relation to Article 5 the Minister notes that the proposal requires OSPs to identify the "assets", which term the Minister considers unclear. More substantively, the Minister points out that "the location of assets that are deemed to be critical to a Member State is highly sensitive information which would be shared only on a need to know basis". The Minister also notes that the Commission may decide to exempt a particular sector from the requirement for OSPs, using only the advisory procedure. The Government considers that the regulatory procedure should apply.

8.38 In relation to Article 6, the Minister explains that the Government does not support the imposition of a legal obligation on operators of critical national infrastructure to appoint a Security Liaison Officer (SLO) as a result of the item of infrastructure being designated as ECI.

8.39 The Minister explains that the Government has a number of concerns with reporting requirements imposed on Member States by Article 7. First, the Government points to the risk of overlap and confusion between the assessments of risk made for the purposes of the ECI and those made for national purposes. Secondly, the Government has "significant concerns about the disclosure of detailed vulnerability, threat and risk information" and has made it clear to the Commission that "it will not disclose sensitive information regarding specific threats or vulnerabilities" and that it will provide only a generic overview of information comparable to that which is in the public domain. Finally, the Minister notes that Article 7(3) (which provides that the Commission "shall assess on a sectoral basis whether specific protection measures are required for European Critical Infrastructures") appears to enable the Commission to prescribe what kind of measures the Member States should adopt in order to protect ECI in their territory. The Government would be content for the Commission to be able to recommend such measures, but believes that the decision whether to adopt such measures should remain for the Member State concerned.

8.40 The Minister notes, in relation to Article 9, that each Member State is to be obliged to appoint a critical infrastructure point (CIP) to coordinate critical infrastructure issues with other Member States and with the Commission, and comments that this should be amended to make clear that the CIP coordinates European critical infrastructure issues. The Minister adds that the way in which each Member State decides to organise the coordination of its national critical infrastructure is a matter for that Member State alone.

Conclusion

8.41 We thank the Minister for his thorough and helpful Explanatory Memorandum. We agree with the general observations the Minister has made on subsidiarity and the scope of the policy for critical infrastructure protection at EU level. In particular, we see no reason for Commission involvement in bilateral cooperation between two Member States in relation to critical infrastructure which is of concern to those Member States. We therefore agree that the Minister is right to insist that "European Critical Infrastructure" should be defined in the narrow sense he has suggested, namely that its disruption or destruction should affect at least three Member States.

8.42 We note that the communication envisages an extensive role for the Commission, but does not even mention the role of the European Union Counter-Terrorism Coordinator (Mr Gijs de Vries). As, in the Government's view, the key focus of the policy should remain on the threat from terrorism, we ask the Minister to explain if the Counter-Terrorism Coordinator has been consulted and what role is envisaged he should play in the development of the EPCIP policy.

8.43 We have considerable misgivings over the adoption of an EC Directive in this area, believing it to be of doubtful legality and questionable in principle. We note that the proposal is made under Article 308 EC, but it does not appear to us that a measure which is concerned essentially with the national security of Member States is a matter falling within the EC Treaty at all, and still less under Article 308 EC. We agree with the Minister's comment that the threat to national critical infrastructure is not equal in all Member States and we doubt the need to address any supposed distortion of the internal market, as argued by the Commission. In our view, this is a makeweight argument seeking to justify the improper use of Article 308 EC to extend the Community's competence into matters of national security. We therefore ask the Minister to reconsider if this proposal is properly made under Article 308 EC.

8.44 Apart from the question of the legal base, the adoption of a Directive in this sensitive area seems to us to be inappropriate. We note, and agree with, the comments the Minister has made about Articles 3, 5, 6 and 7. We remind the Minister that such issues can become the subject of legal proceedings before the ECJ, either by way of preliminary reference or, more likely, by infraction proceedings by the Commission, which may lead to unexpected results. We question whether policy in this area of such sensitivity to the Member States is really appropriate for a binding legal instrument and for judicial determination at EC level. We should be grateful for the Minister's comments.

8.45 We also ask the Minister if any assessment has been made of the effect on external competence of the European Community if the Directive were to be adopted. We note that the UK has made bilateral agreements in this field, one of these being an agreement made with the United States on cooperation in science and technology for critical infrastructure protection. We ask the Minister to explain what effect adoption of the proposed Directive might have on the ability of the United Kingdom to conclude agreements in this field with countries outside the European Community.

8.46 We shall hold the documents under scrutiny pending the Minister's reply.





[27] The communication does not explain what these competences are.

[28] The 'security of the European Union' is not referred to in Article 2 or 3 of the EC Treaty as an objective or activity of the European Community.

[29] A method for the adoption of delegated legislation by the Commission, and provided for by Council Decision 1999/468/EC. The relevant procedure is the 'regulatory' procedure under which the Commission is assisted by a committee of Member States' representatives.

[30] As the Directive is addressed to the Member States, not the Commission, it is hard to see how this effectively imposes any obligation.

[31] Such issues do not appear to be confined to those concerned with 'European Critical Infrastructure'.

[32] OJ No L 317 of 3.12.01, p.1. The rules on security form part of the Commission's internal rules of procedure.

[33] The Commission is required (by Article 3 of Council Decision 1999/468/EC) to 'take the utmost account' of the committee's opinion, but is not bound by the opinion.

[34] Under this procedure, the Commission may adopt the measure only if the committee gives a favourable opinion. Otherwise the matter is referred to the Council. If the Council has neither adopted nor opposed the measure within the required time, the Commission may adopt the measure.

[35] This procedure would involve the Member State giving their opinion, which the Commission either would have to follow, or submit a proposal to the Council for adoption by QMV.


 

© Parliamentary copyright 2007
Prepared 6 March 2007