Facilitating strategic cooperation to ensure the provision of essential services -

Projects’ results are expected to contribute to all of the following outcomes:

• Tools for EU Member State authorities and operators for the assessment and anticipation of relevant risks to the provisions of essential services are identified;
• The cooperation between authorities of EU Member States is facilitated by providing solutions for data exchange and joint cross-border risk assessments;
• Simulation tools are developed for large-scale exercises to test the resilience of operators and of specific sectors, and related training courses are designed;
• Measures by Member State authorities to facilitate risk assessments by operators are identified, including the assessment of dependencies on different sectors and cross-border interdependencies;
• Provide common European guidance and support for the drafting of their resilience plans in order to meet all the provisions of the proposed CER-Directive: risk analysis, domino effects, cross-sector and cross-border analysis, standardised plans, educational and training tools;
• An all-hazards framework is created to support Member States in ensuring improved concepts and instruments for the anticipation of risks to entities that provide essential services, resulting in an improved preparedness and response against disruptions of key sectors in the EU and enhanced resilience of the EU internal market.

The EU Security Union Strategy for 2020-2025[1], Counter-Terrorism Agenda[2]. for the EU and the Cyber Security Strategy stress the importance of ensuring resilience in the face of various risks. The livelihoods of European citizens and the good functioning of the internal market depend on the reliable provision of services fundamental for societal or economic activities in many different sectors. Those services often are reliant upon one another, thus disruptions in one sector can generate severe and long-lasting effects on the provision of services in others.

Member States hold the primary responsibility in ensuring that operators who use critical infrastructures to deliver such services (hereafter: ‘operators’) comply with applicable rules and have the necessary support to ensure their own resilience and as part of a complex system of interdependencies. On EU-level, there has been a revision of certain legislation aiming at the minimum harmonisation of such rules, such as the directive on the resilience of critical entities (CER[3]) and the directive on measures for high common level of cybersecurity across the Union (NIS-2[4]). In combination with sectoral EU-legislation and policies on resilience (e.g. for a Network Code on sector-specific rules for cybersecurity aspects of cross-border electricity flows[5]), this provides a comprehensive framework that needs to be put in practice.

“Facilitating strategic cooperation” refers to the necessity for public authorities of the Member States to be able to exchange information, in a secure way, on the risk assessments of their critical entities as well as their resilience. “Critical entities” is the specific term used in the CER directive to designate those entities that will be identified by the Member States under the directive. Pursuant to the directive, in particular of its articles 1 and 5, the identity of the critical entities will be classified. In the performance of the project, project participants will interact directly with Member States authorities responsible for risk assessment and analysis of the vulnerabilities of their critical entities. Pursuant to the proposed directive, the confidentiality of the critical entities (and of their vulnerabilities) shall be ensured and protected.

Proposals under this topic should support the competent authorities of Member States to identify and develop the most suitable tools, solutions and strategies to ensure the resilience of key sectors and thus facilitate the implementation of [related/ future] EU legislation.

Applicants should focus on delivering solutions that can be used by the competent authorities of EU Member States, to support their task in overseeing the resilience of key sectors in line with relevant EU rules. Such solutions should enhance their ability for cooperation and communication, conducting large-scale risk assessments (including the cross-border dimension), developing best practices for exercises and dedicated complex training modules. The proposals should address the development of improved concepts and instruments for the anticipation and management of strategic risks, strengthening governance framework and enhancing coordination between different authorities.

It is recommended that proposals develop concrete tools to support all-hazard analysis by integrating domain specific risk assessment and allowing to manage interdependencies phenomena among different sectors and Member States. Possible examples are virtual reality tools, dashboards, complex training and serious gaming modules or other instruments to be used and that currently may not exist on such scale.

Proposals should aim to cover the largest possible number of sectors described in the respective Annexes of the directive on the resilience of critical entities (CER) and the directive on measures for high common level of cybersecurity across the Union (NIS-2). The inclusion of associations representing private or public operators in specific sectors, or across sectors on EU- or national level, is encouraged.

In this topic the integration of the gender dimension (sex and gender analysis) in research and innovation content should be addressed only if relevant in relation to the objectives of the research effort.

Projects are expected to outline how results are fed into the work of relevant Commission expert groups – [for example the Critical Entities Resilience Group (CERG) and the NIS-2 Cooperation Group] – and to explore synergies with the actions undertaken by relevant EU agencies.

[1] COM(2020) 605 final.

[2] COM(2020) 795 final

[3] Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 on the resilience of critical entities and repealing Council Directive 2008/114/EC.

[4] Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive)

[5] Revised Network Code on Cybersecurity (NCCS)_1.pdf.

News flashes