TERRORISM: CRITICAL INFRASTRUCTURE PROTECTION
Letter from the Chairman to Rt Hon Hazel
Blears MP, Minister of State, Home Office
Sub-Committee F (Home Affairs) of the European
Union Select Committee considered this Green Paper at a meeting
on 18 January.
You say in the Explanatory Memorandum that this
Green Paper has its origins in a previous Commission Communication,
document 13979/04. The Sub-Committee took the opportunity to consider
again this paper and other related papers which it considered
on 2 February 2005. They were Communications from the Commission
to the Council and the European Parliament on:
Prevention, preparedness and response
to terrorist attacks (Document 13978/04).
Critical Infrastructure Protection
in the fight against terrorism (Document 13979/04).
Preparedness and consequence management
in the fight against terrorism (Document 13980/04).
There seems to be some confusion as to whether
or not we are still holding these documents under scrutiny; for
the avoidance of doubt, may I make it clear that we regard them
as being cleared from scrutiny. However I wrote to Caroline Flint
on 2 February 2005 raising a number of important questions. Over
five months later I had not received a reply. When I wrote to
you on 13 July about a further related document (to which I will
shortly refer), I reminded you that a reply was outstanding. On
26 October I copied to you a letter to John Hutton voicing concern
that a reply was still outstanding. On 14 November you wrote to
me in reply to my letter of 13 July four months earliernot
to give me the information I had sought in February, but to assure
me that a reply would follow "shortly". Now, two months
further on, and so nearly a year after my original letter, I have
yet to receive a reply.
I have to say that, even making allowances for
the workload imposed on officials by the UK Presidency, we find
the handling of this dossier deeply unsatisfactory. In your letter
of 14 November you wrote: "I would like to reassure you that
I take seriously the commitment to proper Parliamentary scrutiny
of EU business, particularly in this important area." I look
forward to receiving evidence of this.
The document the subject of my letter of 13
July, and of your reply of 14 November, was the Commission
Communication establishing a framework programme on security and
safeguarding liberties, and proposing two Council Decisions
on Prevention, preparedness and consequence management of terrorism,
and Prevention of and fight against crime (document 8205/05
+ Add 1). I am grateful for your reply to my questions.
The first of those issues was the legal base.
You state, and I accept, that article 308 TEC can be justified
as a legal base for that part of the draft dealing with "consequence
management of terrorism". You seem however to share our doubts
about the adequacy of article 308 for the other purposes. I note
that you intend to report back to the Committee about this.
I do not find your reply on subsidiarity convincing.
No one doubts that terrorist attacks have cross-border implications,
and that international terrorism demands an international response.
That is not in issue. The question is whether what is proposed
to be done at EU level adds anything to what the Member States
might do bilaterally or multilaterally without involving the EU.
As to this, you yourself expressed doubts in paragraph 16 of your
explanatory memorandum of 7 June: "We would also welcome
greater clarity in the instrument on how the activity would be
carried out in such a way that respects the principles of subsidiarity".
We too would welcome greater clarity on these issues.
Pending receipt of the answer to my letter of
2 February 2005, and the report you have promised on the legal
base, we will keep this document under scrutiny.
I turn now to the Green Paper on the European
Programme for Critical Infrastructure Protection. This is
an important topic, and I am grateful for your full Explanatory
Memorandum. This too, as the Commission acknowledges, is a topic
with major subsidiarity implications. Like the JHA Council, we
believe that Member States have ultimate responsibility for the
protection of their critical infrastructure. Unlike the Council,
we doubt whether action at EU level will add value in supporting
and complementing Member States' activities.
You state in paragraph 6 that you "consider
it particularly important to clarify the added value that the
Commission can bring to the area of European critical infrastructure
protection". We fully share your doubts, and note that they
seem to be shared by other Member States. We hope therefore that
you will indeed proceed very cautiously.
Paragraph 3.2 asks whether the EPCIP should
deal with all hazards, or terrorism only, or all hazards with
the emphasis on terrorism. It seems from paragraph 3 of the memorandum
that although the JHA Council agreed that terrorism was the priority,
an all hazards approach should be adopted to the protection of
critical infrastructures. It would be useful to know the thinking
Annex 2 to the Green Paper has a very long "indicative
list" of critical infrastructure sectors. Tucked away in
the middle we find the armed forces. We share the concern of the
Commons Scrutiny Committee about this, and seek your categorical
assurance that the Government will not agree to the activities
of our armed forces being in any way controlled under a common
We will keep the Green Paper under scrutiny
pending receipt of your replies to these questions.
19 January 2006
Letter from Rt Hon Hazel Blears MP to
I am writing in response to your letter of 19
January. I am very sorry for not responding to your concerns as
effectively as we should have on the issues you raised.
For ease of reference, I thought it might be
useful to split this letter into two sections.
Section 1 deals with all the points you have
raised, both in your letter of 19 January and in earlier correspondence
of 2 February 2005
and 13 July 2005,
on Critical Infrastructure Protection, primarily relating to the
Green Paper on the European Programme for Critical Infrastructure
Protection (14910/05), but also linked to your earlier consideration
of three Commission Communications:
Communication from the Commission
to the Council and the European Parliament on prevention, preparedness
and response to terrorist attacks (93978/04).
Communication from the Commission
to the Council and the European Parliament on Critical Infrastructure
Protection in the Fight against Terrorism (13979/04).
Communication from the Commission
to the Council and the European Parliament on Preparedness and
Consequence Management in the Fight against Terrorism (13980/04).
Section 2 will deal with the points you have
raised in your letter of 19 January in relation to the Commission
Communication Establishing a Framework Programme on Security and
Safeguarding Liberties (8205/05 + ADD 1), which proposes two
Prevention, preparedness and consequence
management of terrorism; and
Prevention of and fight against
You have raised several issues on this over
the last year which have been very useful in helping the Government
to shape its response to the Commission's Green Paper and for
which I am grateful. I attach the Government's response with this
letter, which contains the answers to some of your questions,
but I thought that. It might be helpful to also address them specifically
in this letter.
General Comments on Subsidiarity
We agree with your advice to remain alert to
the subsidiarity implications in these areas, and have particularly
impressed upon the Commission the principle that subsidiarity
must be at the heart of EPCIP with the protection of critical
infrastructure being first and foremost a national responsibility.
This is a view shared by most Member States.
Added Value of EPCIP
In relation to what added value EPCIP will provide,
in our Government Response to the Green Paper we have made the
point that the overall goal for EPCIP should be kept as simple
as possible. We see the added value of the programme in raising
critical infrastructure protection capability in Europe through
the sharing of good practices, methodologies and expertise between
all EU Member States, the private sector and other relevant parties.
We also see added value in shared research into critical infrastructure
protection related issues and solutions. We have also made the
point in our response that we do not consider that EPCIP should
include consideration of national critical infrastructure issues
such as creating national inventories, monitoring of protective
security measures and national infrastructures, including the
Critical Infrastructure Warning Information Network
You have also queried the added value that the
proposed CIWIN will bring. On this our view is that a European
information network can be an important instrument for sharing
best practices, experiences and knowledge about how to analyse
threats and vulnerabilities. However, we are not persuaded that
a need for an additional warning network has been identified and
we do not therefore support a CIWIN involving dissemination of
specific threat, alert or vulnerability information. Early indications
from the Commission suggest that this is a view shared by other
In relation to security inspections, the Government
shares your scepticism about the assertion that security inspections
"are the only effective instrument to guarantee the correct
implementation of security requirements". In our response
to the Green Paper we have made the point that it is probably
too early to be prescriptive about monitoring and evaluation options
and that the European Programme on Critical Infrastructure Protection
will need to demonstrate that any activities it undertakes or
commissions in this area do actually have the desired additional
benefits over existing national and international inspection processes.
LEN (European Law Enforcement Network)
The Government remains to be convinced that
establishing a LEN represents added value to existing arrangements
such as the Bureau de Liaison network (BdL) and has shared these
views with the Commission and other Member States. Official level
discussions at a meeting chaired by the Commission on 27 February
demonstrated clear support from other Member States for our position.
The Commission has tendered for a research project to examine
further the ways in which the exchange of law enforcement information
of the nature covered by the LEN proposal might be improved. The
Government will carefully scrutinise the results of this research.
Progress Update on ARGUS
ARGUS is a proposal for a Commission IT system
to provide a central co-ordination point for the alerts generated
by the existing independent Commission alert systems. Discussions
are ongoing but, as long as it remains a matter of internal Commission
organisation and does not impact on our national operations, the
Government is not opposed to its creation.
The All-Hazards Approach to EPCIP, with Terrorism
We have talked to the Commission about the approach
that EPCIP should take and we concluded as part of our Presidency
conclusions that, while recognising the threat from terrorism
as a priority, the protection of European critical infrastructure
should be based on an all hazards approach. This, we feel, will
allow a pragmatic and flexible link that ensures a consistent
approach with other types of hazards such as the threat from other
types of intentional attack and natural disasters.
Armed Forces (Annex 2 of the Green Paper)
We agree that the activities of our armed forces
will NOT be controlled under the EPCIP framework, and have clarified
to the Commission that Armed Forces, while part of Critical National
Infrastructure, are out of scope of EPCIP.
& SAFEGUARDING LIBERTIES"
On the Communication establishing a framework
programme on "Security & Safeguarding Liberties"
for the period 2007-13 (8205/05 + ADD 1) you raised the following
points in your letter of 19 January.
In my reply of 14 November I expressed a commitment
to report back to the Committee on our concerns over using Article
308 for purposes other than consequence management. In terms of
the prevention of terrorist attacks on critical infrastructure,
we have raised in the Council the concerns previously mentioned,
but there has been only limited support for this position. We
accept that there is an argument that civil protection could cover
aspects of critical infrastructure protection as well as consequence
management. However, as we and others have made clear in the negotiations,
competence for law and order and internal security rests with
the Member States, not the Community. We will therefore work to
amend the draft so that this fundamental position is recognised
The Government agrees with the Committee that
combating terrorism should remain the primary responsibility of
Member States and has consistently made this point in EU discussions.
This is the view of the majority of Member States. Bi-lateral
and multi-lateral co-operation outside the EU is valuable and
ongoing but the Government believes that the EU also can play
a role in adding value to Member States' efforts. We are committed
to ensuring that EU involvement does not extend beyond what is
necessary or can in any way threaten our national security prerogative.
But we believe the EU can add value in ways such as facilitating
information sharing, supporting relevant research and encouraging
Member States to reach a common level of preparedness. The area
that we believe EPCIP will add most value is in multilateral Member
State issues, involving three or more Member States.
25 April 2006
UK RESPONSE TO THE EC GREEN PAPER ON "EUROPEAN
PROGRAMME FOR CRITICAL INFRASTRUCTURE PROTECTION"
The UK is grateful to the Commission for this
opportunity to express our views on how the EP should proceed
with improving the protection of European critical infrastructure.
These views are provided in response to the EC Green Paper on
the European Programme for Critical Infrastructure Protection
(EPCIP), issued by the Commission on 17 November 2005.
Our response is formed of two parts:
An overall summary of the UK's views
on the activities that will best help to improve the protection
of European Critical Infrastructure. This provides the context
for the detailed responses to the questions raised in the Green
An Annex which contains the detailed
responses to all the specific questions raised by the Commission.
The fundamental principles that underpin our
Management of National Critical Infrastructure
(NCI) must be left to the Member State concerned, in line with
the Principle of Subsidiarity, as articulated in the Green Paper.
The introduction of options relating to NCI in some sections of
the Green Paper is therefore very confusing. We seek greater clarity,
and separation, of what the Commission is proposing for European
Critical Infrastructure (ECI), and what the Commission is proposing
Clear establishment of the proposed
activities and outcomes of the Programme is essential. This needs:
Agreement on the goal, scope
and approach of EPCIP.
Positioning the Programme against
the newly agreed medium/long-term EU strategy for counter terrorism.
Clear identification of all other
EC activities that are related to EPCIP, (eg Research projects;
Agreement of the Financial Programme for Prevention, Preparedness
and Consequence Management of Terrorism).
Establishment of a risk-based
methodology to assess ECI based on impact of disruption.
OF EPCIP (AIMS)
The goal for EPCIP is to raise critical infrastructure
protection (CIP) capability in Europe, including:
Sharing of good practices, methodologies,
and CIP expertise between all EU Member States, the private sector
and other agreed relevant parties.
Shared research into CIP-related
issues and solutions.
2.1.2 Out of Scope
For the sake of clarity, it is helpful to identify
those activities that the UK believes should NOT form part of
National critical infrastructure
issues, including inter-alia:
Creating national inventories.
Member State justification of
what it identifies as critical.
National Armed Forces and associated
Monitoring of protective security
Assessing the threat from terrorism.
2.1.3 Specific Objectives
It is important that clarity on the fundamental
purpose of EPCIP is achieved at the very outset, and that this
clarity is retained for the duration of the Programme. We believe
that it is therefore critical that the Goal of EPCIP is
articulated in simple language, and at the most strategic level
that is possible.
Any specific or detailed requirements to be
addressed by EPCIP should therefore be identified as objectives,
aligned to, but distinct from the Goal of EPCIP.
Specific and measurable objectives must be identified
for all the activities of EPCIP. For the initial phases of the
Programme, we would expect these objectives to be concerned with
identification of the sectors and the infrastructures within scope,
and with the sharing of good practices across the EU.
Later phases of EPCIP will include objectives
on specific protection improvement measures, and the associated
3.1 Principles for Protection of EU Critical
Subsidiarity is at the heart of EPCIP,
with the protection of critical infrastructure being first and
foremost a national responsibility.
The prime responsibility for protecting
critical infrastructure falls on the Member States and the owners/operators.
The Commission's efforts will be most effective when working with
the Member States on the protection of critical infrastructures
having an EU cross-border effect (defined as impacting at least
three Member States)
Information sharing on CIP must take
place in an environment of trust and confidentiality. Access to
sensitive information will be granted on a strict need-to-know
Effective protection requires communication,
coordination, and cooperation nationally and at EU level (where
relevant) among all stakeholdersthe owners and operators
of infrastructure, regulators, professional bodies and industry
associations in cooperation with all levels of government, and
the public. Such efforts must be undertaken with due regard for
the security of information and applicable law concerning mutual
legal assistance and data protection.
Member State authorities must provide
leadership and coordination in developing and implementing a nationally
consistent approach to the protection of critical infrastructure
within their jurisdictions.
The private sector must be actively
involved at both the national and EU level.
Not all infrastructures can be protected
from all threats. Dealing effectively with threats requires risk
assessments and risk management. By applying appropriate risk
management techniques, attention should be focused on areas of
The degree and complexity of interdependencies
is increasing as the EU becomes more dependent on shared information
technology systems and communication technologies, transportation
systems, electricity networks etc. The Commission, the MS and
the owners/operators of critical infrastructures need to work
together to identify these interdependencies and apply appropriate
strategies to reduce risk where possible.
4. APPROACH TO
The EPCIP delivery framework needs to be established
such that the aims of EPCIP can be best met while conforming to
the EPCIP Principles, outlined above. Accordingly, given the ongoing
discussions on scope of EPCIP, and the lack of clarity as to what
European CI designation will mean, the UK considers it premature
to define a Common Framework at this time.
4.1 Organisation of EPCIP
We suggest that expert groups/networks form
the core of EPCIP, by facilitating the exchange of good practices,
experience and knowledge between all EU Member States, the private
sector and other agreed relevant parties.
Expert groups/networks within each
of the critical infrastructure sectors/sub sectors identified
as being potentially vulnerable to incidents with cross-border
Cross-cutting, issue-specific expert
groups/networks with focus on best practices and experiences in
relation to eg:
Management of Public-Private
Methodology (risk and vulnerability
analysis methods, guidelines/handbooks, definitions, CIP-related
horizon scanning, etc).
Use of CIP regulation/legislation,
CIP minimum standards, certification programmes and inspections,
working within the EU Better Regulations principles.
CIP programme design at Member
CIP research and training.
4.2 Collection/Sharing of information
The UK is concerned that EC research initiatives
being are being started that attempt to collect sensitive data
from all Member States on national critical infrastructure (eg
Energy; Transport), in advance of Member State agreement as to
what actually forms part of the European critical infrastructure.
The direct approaches that have been made to UK companies are
jeopardising our working relationships with these companies.
The UK would therefore insist that clear guidelines
be agreed in advance of EPCIP-related research initiatives:
There must be clarity on the rationale
for the collection of data, the nature of that data, the process
by which it will be collected and held, and how it will be used.
The benefit from sharing such data
also needs to be clearly demonstrated, and agreed by the provider
of the data.
Access to CIP data owners will be
by prior agreement, and will be facilitated through the nominated
Member State Contact Point for EPCIP.
De-stabilisation of existing good
relationships with Private Sector operators will be avoided.
4.3 Way ahead: Next Steps
The key next step is the agreement of key definitions
and principles for EPCIP, which will hopefully result from the
Green Paper consultation process.
The UK priorities for EPCIP would then be:
Facilitating dissemination of advice
and good practice in CIP.
Defining what constitutes cross-border
infrastructure that is critical to Europe.
Defining the role and the competence
of the EU in cross-border CIP (eg Which EU Pillar? Relevance of
Clarifying the Council working group
(comitology) to be used for EPCIP.
Develop a working understanding of
the components that form the European critical infrastructure,
their interdependencies, and how EU-level priorities are to be
5. CRITICAL INFRASTRUCTURE
We believe that an EPCIP CI information network
can be an important instrument in term of strengthening the exchange
of best practices, experiences and knowledge about how to analyse
threats and vulnerabilities among the public and the private sector.
However, we are not persuaded that the need for any additional
warning network has been identified. We do not therefore support
a format of CIWIN involving dissemination of specific threat,
alert or vulnerability information. Member State agreement of
the requirements from CIWIN must precede any further advancement
of plans for design or implementation of technical solutions.
6. FINANCE AND
We would seek greater transparency of how the
options being considered for EPCIP effect the funding requirements
It is the UK's understanding that EPCIP will
be completely funded from the FP (2007-13) for Prevention, Preparedness
and Consequence Management of Terrorism. It is our understanding
that 137.4 million is proposed for this FP. The proposals
for EPCIP need to outline all the expected costs of the Programme,
including the funds earmarked for related research projects, the
costs for seminars and other information-sharing activities, and
the costs for any specific solution proposals, such as for CIWIN.
As an overall principle, the costs for implementation
of protective security measures will normally be the responsibility
of the owner/operator of the infrastructure concerned.
Working together, we are making progress on
preparing the way forward for the European Programme for CIP,
although we do feel that the Green Paper does not fully reflect
the progress that has been made by the Commission during 2005.
The June and September seminars have demonstrated
that there is considerable common ground across Member States
as to what the Programme should aim to achieve, how it is progressed,
and the areas of activity that would deliver most value across
the EU. It is important that this emerging consensus from the
Member States is now translated into value-adding EP CIP activities.
191 Correspondence with Ministers, 4th Report of
Session 2005-06, HL Paper 16, pp 329-330. Back
Correspondence with Ministers, 45th Report of Session 2005-06,
HL Paper 243, p 539. Back