Is the European Union protecting us against cyber-attacks against critical infrastructure?

September 6, 2023

Published in

The Conversation

Andrea Cocchini

Professor of International Law at the University of Navarra

A cyber-attack on the transport network, the financial system, the healthcare network or the energy supply infrastructure can have fatal economic and social consequences for a country. Are we protected?

The proper functioning of these infrastructures, and therefore the regular supply of their essential services, is increasingly dependent on digital technologies. This growing digitization, while improving the efficiency of organizations and facilitating the provision of their services, exposes them to new cyber threats, as demonstrated by the numerous cyber-attacks on critical infrastructures (in particular hospitals and medical research centres) during the pandemic and now in the context of the war in Ukraine.

Recall the cyber-attack against the KA-SAT satellite network, launched on the same day the Russian military aggression began, which disrupted communications between Ukrainian government agencies and also affected tens of thousands of customers in Ukraine and throughout Europe.

It is not surprising, therefore, that the EU has made cybersecurity and the development of strong critical entities one of its priorities. Thus, in January this year, Directive 2022/2555 on measures for a high common level of cybersecurity in the EU (the SRI 2 Directive, known in English as NIS 2) and Directive 2022/2557 on the resilience of critical entities (the CER Directive) entered into force.

The goal is that their joint application will strengthen the cyber and physical security of the critical entities or infrastructures of the Member States. These are all those facilities that provide essential services for the maintenance of vital social functions, economic activities, public health and safety or the environment, and therefore require special physical and cyber protection. Think, for example, of entities in the energy sector (such as gas utilities), transport (airlines), healthcare (hospitals) or digital infrastructure (search engines).

The SRI 2 and CER Directives thus respond to the need to bring the physical and cyber dimensions of critical infrastructure security closer together. The former repeals the 2016 SRI Directive (on measures to increase the security of European networks and information systems) and establishes a common cybersecurity regulatory framework. To this end, it expands the protected sectors from seven to eleven: to energy, transport, banking, financial market infrastructures, healthcare, drinking water supply and digital infrastructure are now added wastewater treatment, ICT service management, public administration entities (except parliaments, central banks and the judiciary) and space. It also removes the distinction between operators of essential services and digital service providers, as this differentiation no longer reflects the importance of digital services for the EU internal market.

In the new directive, entities are classified according to their importance and divided into "essential" entities in "high criticality" sectors (those in Annex I, such as energy, transport or banking) and "important" entities in "other critical sectors" (those in Annex II, such as postal and courier services, waste management services or digital services), and are subject to different supervisory regimes by the competent authorities of the Member States.

Member States are to introduce a series of measures to manage the cybersecurity risks of companies, including the adoption of national cybersecurity strategies for critical sectors that include policies on vulnerability management, training and raising public awareness of cybersecurity.

The CER Directive, which replaces Directive 2008/114/EC (on the identification and designation of European critical infrastructures), also establishes a European legal framework to improve the ability of critical entities to prevent, respond to and recover from incidents caused by, among other things, natural disasters such as public health emergencies or man-made threats such as terrorism, sabotage or hybrid threats.

It aims, therefore, to reduce vulnerabilities and strengthen the physical resilience of the EU's critical infrastructures in order to ensure the uninterrupted provision of essential services for the European internal market. To this end, it extends its scope of regulation to nine additional sectors, so that they coincide with the "high criticality" sectors of the SRI 2 Directive.

In general terms, the CER Directive provides for rules for the identification and monitoring of critical entities, the carrying out of risk assessments, the creation of common cooperation and reporting procedures and the development of response plans by operators of critical entities.

Member States now have until October 17, 2024 to transpose both Directives into their national legislation. Let us hope that the measures they adopt to comply with them will serve to more effectively prevent the spread of digital pandemics that can cause social, political and economic consequences as serious as natural pandemics.