Select Committee on European Union Fortieth Report


TERRORISM: CRITICAL INFRASTRUCTURE PROTECTION (14910/05)

Letter from the Chairman to Rt Hon Hazel Blears MP, Minister of State, Home Office

  Sub-Committee F (Home Affairs) of the European Union Select Committee considered this Green Paper at a meeting on 18 January.

  You say in the Explanatory Memorandum that this Green Paper has its origins in a previous Commission Communication, document 13979/04. The Sub-Committee took the opportunity to consider again this paper and other related papers which it considered on 2 February 2005. They were Communications from the Commission to the Council and the European Parliament on:

    —  Prevention, preparedness and response to terrorist attacks (Document 13978/04).

    —  Critical Infrastructure Protection in the fight against terrorism (Document 13979/04).

    —  Preparedness and consequence management in the fight against terrorism (Document 13980/04).

  There seems to be some confusion as to whether or not we are still holding these documents under scrutiny; for the avoidance of doubt, may I make it clear that we regard them as being cleared from scrutiny. However I wrote to Caroline Flint on 2 February 2005 raising a number of important questions. Over five months later I had not received a reply. When I wrote to you on 13 July about a further related document (to which I will shortly refer), I reminded you that a reply was outstanding. On 26 October I copied to you a letter to John Hutton voicing concern that a reply was still outstanding. On 14 November you wrote to me in reply to my letter of 13 July four months earlier—not to give me the information I had sought in February, but to assure me that a reply would follow "shortly". Now, two months further on, and so nearly a year after my original letter, I have yet to receive a reply.

  I have to say that, even making allowances for the workload imposed on officials by the UK Presidency, we find the handling of this dossier deeply unsatisfactory. In your letter of 14 November you wrote: "I would like to reassure you that I take seriously the commitment to proper Parliamentary scrutiny of EU business, particularly in this important area." I look forward to receiving evidence of this.

  The document the subject of my letter of 13 July, and of your reply of 14 November, was the Commission Communication establishing a framework programme on security and safeguarding liberties, and proposing two Council Decisions on Prevention, preparedness and consequence management of terrorism, and Prevention of and fight against crime (document 8205/05 + Add 1). I am grateful for your reply to my questions.

  The first of those issues was the legal base. You state, and I accept, that article 308 TEC can be justified as a legal base for that part of the draft dealing with "consequence management of terrorism". You seem however to share our doubts about the adequacy of article 308 for the other purposes. I note that you intend to report back to the Committee about this.

  I do not find your reply on subsidiarity convincing. No one doubts that terrorist attacks have cross-border implications, and that international terrorism demands an international response. That is not in issue. The question is whether what is proposed to be done at EU level adds anything to what the Member States might do bilaterally or multilaterally without involving the EU. As to this, you yourself expressed doubts in paragraph 16 of your explanatory memorandum of 7 June: "We would also welcome greater clarity in the instrument on how the activity would be carried out in such a way that respects the principles of subsidiarity". We too would welcome greater clarity on these issues.

  Pending receipt of the answer to my letter of 2 February 2005, and the report you have promised on the legal base, we will keep this document under scrutiny.

  I turn now to the Green Paper on the European Programme for Critical Infrastructure Protection. This is an important topic, and I am grateful for your full Explanatory Memorandum. This too, as the Commission acknowledges, is a topic with major subsidiarity implications. Like the JHA Council, we believe that Member States have ultimate responsibility for the protection of their critical infrastructure. Unlike the Council, we doubt whether action at EU level will add value in supporting and complementing Member States' activities.

  You state in paragraph 6 that you "consider it particularly important to clarify the added value that the Commission can bring to the area of European critical infrastructure protection". We fully share your doubts, and note that they seem to be shared by other Member States. We hope therefore that you will indeed proceed very cautiously.

  Paragraph 3.2 asks whether the EPCIP should deal with all hazards, or terrorism only, or all hazards with the emphasis on terrorism. It seems from paragraph 3 of the memorandum that although the JHA Council agreed that terrorism was the priority, an all hazards approach should be adopted to the protection of critical infrastructures. It would be useful to know the thinking behind this.

  Annex 2 to the Green Paper has a very long "indicative list" of critical infrastructure sectors. Tucked away in the middle we find the armed forces. We share the concern of the Commons Scrutiny Committee about this, and seek your categorical assurance that the Government will not agree to the activities of our armed forces being in any way controlled under a common EPCIP framework.

  We will keep the Green Paper under scrutiny pending receipt of your replies to these questions.

19 January 2006

Letter from Rt Hon Hazel Blears MP to the Chairman

  I am writing in response to your letter of 19 January. I am very sorry for not responding to your concerns as effectively as we should have on the issues you raised.

  For ease of reference, I thought it might be useful to split this letter into two sections.

  Section 1 deals with all the points you have raised, both in your letter of 19 January and in earlier correspondence of 2 February 2005[191] and 13 July 2005,[192] on Critical Infrastructure Protection, primarily relating to the Green Paper on the European Programme for Critical Infrastructure Protection (14910/05), but also linked to your earlier consideration of three Commission Communications:

    —  Communication from the Commission to the Council and the European Parliament on prevention, preparedness and response to terrorist attacks (93978/04).

    —  Communication from the Commission to the Council and the European Parliament on Critical Infrastructure Protection in the Fight against Terrorism (13979/04).

    —  Communication from the Commission to the Council and the European Parliament on Preparedness and Consequence Management in the Fight against Terrorism (13980/04).

  Section 2 will deal with the points you have raised in your letter of 19 January in relation to the Commission Communication Establishing a Framework Programme on Security and Safeguarding Liberties (8205/05 + ADD 1), which proposes two Council Decisions:

    —  Prevention, preparedness and consequence management of terrorism; and

    —  Prevention of and fight against crime.

(I)  POINTS RAISED ON COMMISSION COMMUNICATIONS, INCLUDING CRITICAL INFRASTRUCTURE PROTECTION

  You have raised several issues on this over the last year which have been very useful in helping the Government to shape its response to the Commission's Green Paper and for which I am grateful. I attach the Government's response with this letter, which contains the answers to some of your questions, but I thought that it might be helpful to also address them specifically in this letter.

General Comments on Subsidiarity

  We agree with your advice to remain alert to the subsidiarity implications in these areas, and have particularly impressed upon the Commission the principle that subsidiarity must be at the heart of EPCIP with the protection of critical infrastructure being first and foremost a national responsibility. This is a view shared by most Member States.

Added Value of EPCIP

  In relation to what added value EPCIP will provide, in our Government Response to the Green Paper we have made the point that the overall goal for EPCIP should be kept as simple as possible. We see the added value of the programme in raising critical infrastructure protection capability in Europe through the sharing of good practices, methodologies and expertise between all EU Member States, the private sector and other relevant parties. We also see added value in shared research into critical infrastructure protection related issues and solutions. We have also made the point in our response that we do not consider that EPCIP should include consideration of national critical infrastructure issues such as creating national inventories, monitoring of protective security measures and national infrastructures, including the Armed Forces.

Critical Infrastructure Warning Information Network (CIWIN)

  You have also queried the added value that the proposed CIWIN will bring. On this our view is that a European information network can be an important instrument for sharing best practices, experiences and knowledge about how to analyse threats and vulnerabilities. However, we are not persuaded that a need for an additional warning network has been identified and we do not therefore support a CIWIN involving dissemination of specific threat, alert or vulnerability information. Early indications from the Commission suggest that this is a view shared by other Member States.

Security Inspections

  In relation to security inspections, the Government shares your scepticism about the assertion that security inspections "are the only effective instrument to guarantee the correct implementation of security requirements". In our response to the Green Paper we have made the point that it is probably too early to be prescriptive about monitoring and evaluation options and that the European Programme on Critical Infrastructure Protection will need to demonstrate that any activities it undertakes or commissions in this area do actually have the desired additional benefits over existing national and international inspection processes.

LEN (European Law Enforcement Network)

  The Government remains to be convinced that establishing a LEN represents added value to existing arrangements such as the Bureau de Liaison network (BdL) and has shared these views with the Commission and other Member States. Official level discussions at a meeting chaired by the Commission on 27 February demonstrated clear support from other Member States for our position. The Commission has tendered for a research project to examine further the ways in which the exchange of law enforcement information of the nature covered by the LEN proposal might be improved. The Government will carefully scrutinise the results of this research.

Progress Update on ARGUS

  ARGUS is a proposal for a Commission IT system to provide a central co-ordination point for the alerts generated by the existing independent Commission alert systems. Discussions are ongoing but, as long as it remains a matter of internal Commission organisation and does not impact on our national operations, the Government is not opposed to its creation.

The All-Hazards Approach to EPCIP, with Terrorism Priority

  We have talked to the Commission about the approach that EPCIP should take and we concluded as part of our Presidency conclusions that, while recognising the threat from terrorism as a priority, the protection of European critical infrastructure should be based on an all hazards approach. This, we feel, will allow a pragmatic and flexible link that ensures a consistent approach with other types of hazards such as the threat from other types of intentional attack and natural disasters.

Armed Forces (Annex 2 of the Green Paper)

  We agree that the activities of our armed forces will NOT be controlled under the EPCIP framework, and have clarified to the Commission that Armed Forces, while part of Critical National Infrastructure, are out of scope of EPCIP.

(II)  POINTS RAISED ON COMMISSION COMMUNICATION ESTABLISHING A FRAMEWORK PROGRAMME ON "SECURITY & SAFEGUARDING LIBERTIES"

  On the Communication establishing a framework programme on "Security & Safeguarding Liberties" for the period 2007-13 (8205/05 + ADD 1) you raised the following points in your letter of 19 January.

Article 308

  In my reply of 14 November I expressed a commitment to report back to the Committee on our concerns over using Article 308 for purposes other than consequence management. In terms of the prevention of terrorist attacks on critical infrastructure, we have raised in the Council the concerns previously mentioned, but there has been only limited support for this position. We accept that there is an argument that civil protection could cover aspects of critical infrastructure protection as well as consequence management. However, as we and others have made clear in the negotiations, competence for law and order and internal security rests with the Member States, not the Community. We will therefore work to amend the draft so that this fundamental position is recognised and safeguarded.

Subsidiarity

  The Government agrees with the Committee that combating terrorism should remain the primary responsibility of Member States and has consistently made this point in EU discussions. This is the view of the majority of Member States. Bi-lateral and multi-lateral co-operation outside the EU is valuable and ongoing but the Government believes that the EU also can play a role in adding value to Member States' efforts. We are committed to ensuring that EU involvement does not extend beyond what is necessary or can in any way threaten our national security prerogative. But we believe the EU can add value in ways such as facilitating information sharing, supporting relevant research and encouraging Member States to reach a common level of preparedness. The area that we believe EPCIP will add most value is in multilateral Member State issues, involving three or more Member States.

25 April 2006

Annex A

UK RESPONSE TO THE EC GREEN PAPER ON "EUROPEAN PROGRAMME FOR CRITICAL INFRASTRUCTURE PROTECTION"

1.  INTRODUCTION

  The UK is grateful to the Commission for this opportunity to express our views on how the EP should proceed with improving the protection of European critical infrastructure. These views are provided in response to the EC Green Paper on the European Programme for Critical Infrastructure Protection (EPCIP), issued by the Commission on 17 November 2005.

  Our response is formed of two parts:

    —  An overall summary of the UK's views on the activities that will best help to improve the protection of European Critical Infrastructure. This provides the context for the detailed responses to the questions raised in the Green Paper.

    —  An Annex which contains the detailed responses to all the specific questions raised by the Commission.

  The fundamental principles that underpin our response are:

    —  Management of National Critical Infrastructure (NCI) must be left to the Member State concerned, in line with the Principle of Subsidiarity, as articulated in the Green Paper. The introduction of options relating to NCI in some sections of the Green Paper is therefore very confusing. We seek greater clarity, and separation, of what the Commission is proposing for European Critical Infrastructure (ECI), and what the Commission is proposing for NCI.

    —  Clear establishment of the proposed activities and outcomes of the Programme is essential. This needs:

      —  Agreement on the goal, scope and approach of EPCIP.

      —  Positioning the Programme against the newly agreed medium/long-term EU strategy for counter terrorism.

      —  Clear identification of all other EC activities that are related to EPCIP, (eg Research projects; Agreement of the Financial Programme for Prevention, Preparedness and Consequence Management of Terrorism).

      —  Establishment of a risk-based methodology to assess ECI based on impact of disruption.

2.  DIRECTION OF EPCIP (AIMS)

2.1.1  Purpose/Goal

  The goal for EPCIP is to raise critical infrastructure protection (CIP) capability in Europe, including:

    —  Sharing of good practices, methodologies, and CIP expertise between all EU Member States, the private sector and other agreed relevant parties.

    —  Shared research into CIP-related issues and solutions.

2.1.2  Out of Scope

  For the sake of clarity, it is helpful to identify those activities that the UK believes should NOT form part of EPCIP:

    —  National critical infrastructure issues, including inter-alia:

      —  Creating national inventories.

      —  Member State justification of what it identifies as critical.

      —  National Armed Forces and associated infrastructures.

      —  Vulnerability analysis.

      —  Monitoring of protective security measures.

    —  Assessing the threat from terrorism.

2.1.3  Specific Objectives

  It is important that clarity on the fundamental purpose of EPCIP is achieved at the very outset, and that this clarity is retained for the duration of the Programme. We believe that it is therefore critical that the Goal of EPCIP is articulated in simple language, and at the most strategic level that is possible.

  Any specific or detailed requirements to be addressed by EPCIP should therefore be identified as objectives, aligned to, but distinct from the Goal of EPCIP.

  Specific and measurable objectives must be identified for all the activities of EPCIP. For the initial phases of the Programme, we would expect these objectives to be concerned with identification of the sectors and the infrastructures within scope, and with the sharing of good practices across the EU.

  Later phases of EPCIP will include objectives on specific protection improvement measures, and the associated research projects.

3.  PRINCIPLES FOR EPCIP

3.1  Principles for Protection of EU Critical Infrastructure

    —  Subsidiarity is at the heart of EPCIP, with the protection of critical infrastructure being first and foremost a national responsibility.

    —  The prime responsibility for protecting critical infrastructure falls on the Member States and the owners/operators. The Commission's efforts will be most effective when working with the Member States on the protection of critical infrastructures having an EU cross-border effect (defined as impacting at least three Member States).

    —  Information sharing on CIP must take place in an environment of trust and confidentiality. Access to sensitive information will be granted on a strict need-to-know basis only.

    —  Effective protection requires communication, coordination, and cooperation nationally and at EU level (where relevant) among all stakeholders—the owners and operators of infrastructure, regulators, professional bodies and industry associations in cooperation with all levels of government, and the public. Such efforts must be undertaken with due regard for the security of information and applicable law concerning mutual legal assistance and data protection.

    —  Member State authorities must provide leadership and coordination in developing and implementing a nationally consistent approach to the protection of critical infrastructure within their jurisdictions.

    —  The private sector must be actively involved at both the national and EU level.

    —  Not all infrastructures can be protected from all threats. Dealing effectively with threats requires risk assessments and risk management. By applying appropriate risk management techniques, attention should be focused on areas of greatest risk.

    —  The degree and complexity of interdependencies is increasing as the EU becomes more dependent on shared information technology systems and communication technologies, transportation systems, electricity networks etc. The Commission, the MS and the owners/operators of critical infrastructures need to work together to identify these interdependencies and apply appropriate strategies to reduce risk where possible.

4.  APPROACH TO SOLUTIONS (FRAMEWORK)

  The EPCIP delivery framework needs to be established such that the aims of EPCIP can be best met while conforming to the EPCIP Principles, outlined above. Accordingly, given the ongoing discussions on scope of EPCIP, and the lack of clarity as to what European CI designation will mean, the UK considers it premature to define a Common Framework at this time.

4.1  Organisation of EPCIP

  We suggest that expert groups/networks form the core of EPCIP, by facilitating the exchange of good practices, experience and knowledge between all EU Member States, the private sector and other agreed relevant parties.

    —  Expert groups/networks within each of the critical infrastructure sectors/sub sectors identified as being potentially vulnerable to incidents with cross-border impact, eg:

      —  Energy.

      —  Transport.

      —  Communication and IT.

      —  Finance and banking.

      —  Health infrastructure.

    —  Cross-cutting, issue-specific expert groups/networks with focus on best practices and experiences in relation to eg:

      —  Management of Public-Private Partnership.

      —  Methodology (risk and vulnerability analysis methods, guidelines/handbooks, definitions, CIP-related horizon scanning, etc).

      —  Use of CIP regulation/legislation, CIP minimum standards, certification programmes and inspections, working within the EU Better Regulations principles.

      —  CIP programme design at Member State level.

      —  CIP research and training.

4.2  Collection/Sharing of information

  The UK is concerned that EC research initiatives are being started that attempt to collect sensitive data from all Member States on national critical infrastructure (eg Energy; Transport), in advance of Member State agreement as to what actually forms part of the European critical infrastructure. The direct approaches that have been made to UK companies are jeopardising our working relationships with these companies.

  The UK would therefore insist that clear guidelines be agreed in advance of EPCIP-related research initiatives:

    —  There must be clarity on the rationale for the collection of data, the nature of that data, the process by which it will be collected and held, and how it will be used.

    —  The benefit from sharing such data also needs to be clearly demonstrated, and agreed by the provider of the data.

    —  Access to CIP data owners will be by prior agreement, and will be facilitated through the nominated Member State Contact Point for EPCIP.

    —  De-stabilisation of existing good relationships with Private Sector operators will be avoided.

4.3  Way ahead: Next Steps

  The key next step is the agreement of key definitions and principles for EPCIP, which will hopefully result from the Green Paper consultation process.

  The UK priorities for EPCIP would then be:

    —  Facilitating dissemination of advice and good practice in CIP.

    —  Defining what constitutes cross-border infrastructure that is critical to Europe.

    —  Defining the role and the competence of the EU in cross-border CIP (eg Which EU Pillar? Relevance of Article 308?).

    —  Clarifying the Council working group (comitology) to be used for EPCIP.

    —  Develop a working understanding of the components that form the European critical infrastructure, their interdependencies, and how EU-level priorities are to be identified.

5.  CRITICAL INFRASTRUCTURE WARNING INFORMATION NETWORK (CIWIN)

  We believe that an EPCIP CI information network can be an important instrument in terms of strengthening the exchange of best practices, experiences and knowledge about how to analyse threats and vulnerabilities among the public and the private sector. However, we are not persuaded that the need for any additional warning network has been identified. We do not therefore support a format of CIWIN involving dissemination of specific threat, alert or vulnerability information. Member State agreement of the requirements from CIWIN must precede any further advancement of plans for design or implementation of technical solutions.

6.  FINANCE AND FUNDING

  We would seek greater transparency of how the options being considered for EPCIP affect the funding requirements of EPCIP.

  It is the UK's understanding that EPCIP will be completely funded from the FP (2007-13) for Prevention, Preparedness and Consequence Management of Terrorism. It is our understanding that €137.4 million is proposed for this FP. The proposals for EPCIP need to outline all the expected costs of the Programme, including the funds earmarked for related research projects, the costs for seminars and other information-sharing activities, and the costs for any specific solution proposals, such as for CIWIN.

  As an overall principle, the costs for implementation of protective security measures will normally be the responsibility of the owner/operator of the infrastructure concerned.

7.  CONCLUSION

  Working together, we are making progress on preparing the way forward for the European Programme for CIP, although we do feel that the Green Paper does not fully reflect the progress that has been made by the Commission during 2005.

  The June and September seminars have demonstrated that there is considerable common ground across Member States as to what the Programme should aim to achieve, how it is progressed, and the areas of activity that would deliver most value across the EU. It is important that this emerging consensus from the Member States is now translated into value-adding EPCIP activities.



191   Correspondence with Ministers, 4th Report of Session 2005-06, HL Paper 16, pp 329-330.

192   Correspondence with Ministers, 45th Report of Session 2005-06, HL Paper 243, p 539.


 

© Parliamentary copyright 2007