International cooperation

Critical Information Infrastructure Protection (CIIP) is a field of interest for many international organizations, including the OECD, the EU, the UN and NATO.

In 2008, the OECD developed a recommendation on the protection of critical information infrastructures (CII), according to which the member countries should:

  1. Adopt policy objectives and identify agencies implementing such policy objectives.
  2. Take appropriate steps to increase the security level of CII.
  3. Conduct risk assessments on the CII.
  4. Periodically review the national risk management process and monitor the implementation of the risk management strategy and, among other activities:

     a) Develop an appropriate organizational structure to provide guidelines, promote good security practices and monitor progress, as well as a complete set of procedures to ensure preparedness, prevention, protection and recovery from threats.

     b) Develop a system of measurement to evaluate and appraise measures in place (including exercises and tests) and allow for feedback and continuous update.

  5. Consult the private sector and establish trusted partnerships with a focus on risk management, incident response and recovery. The partnership shall rely on the transparency of activities of the private sector.
  6. Continuously evaluate and monitor regulations on CIIP, including those that concern cross-border threats, and assess whether such regulations should be improved.

Most of the OECD recommendations are also present in the Cyber Security Strategy of Estonia.

In the EU, member states' policies and practices regarding the protection of critical information infrastructure vary, and the sector largely lacks common policies. In 2005, the Council adopted Framework Decision 2005/222/JHA on attacks against information systems. In 2009, the Commission presented a Communication on "Protecting Europe from large scale cyber attacks and disruptions: enhancing preparedness, security and resilience". This communication initiated the completion of a common CIIP policy at the EU level.

The communication presents a Five Pillar Action Plan to address the challenges of the CII defence policy:

  • Preparedness and prevention
  • Detection and response: provide adequate early warning mechanisms
  • Mitigation and recovery: reinforce EU defence mechanisms for CIIs
  • International cooperation: promote EU priorities internationally
  • Criteria for the ICT Sector: identification and designation of European critical infrastructures

The Council Directive of 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection concentrates mainly on the energy and transport sectors. However, over the next few years, the impact of the directive should be extended and more attention should be paid to the ICT sector.

Added 07.02.2011
Updated 29.12.2015