Crisis management is one of NATO's fundamental security tasks. It can involve military and non-military measures to address the full spectrum of crises – before, during and after conflicts. It is one of NATO’s strengths based on experience, tried and tested crisis management procedures, and an integrated military command structure.

Crisis management is one of NATO’s core tasks for which it employs an appropriate mix of political and military tools to manage crises in an increasingly complex security environment. NATO is one of few international organisations that have the experience as well as the tools to conduct crisis prevention and management operations.

NATO’s robust crisis management capabilities allow it to deal with a wide range of crises, which could pose a threat to the security of the Alliance’s territory and populations. These crises can be political, military humanitarian, and can also arise from a natural disaster or as a consequence of technological disruptions.

NATO provides the framework within which members can work and train together in order to plan and conduct multinational crisis management operations, often at short notice It can also train and operate with other actors where appropriate, for combined crisis management operations and missions.

Allies decide whether to engage in a crisis management operation on a case-by-case basis and by consensus.

NATO recognises that the military alone cannot resolve a crisis or conflict, and lessons learned from previous operations make it clear that a comprehensive political, civilian and military approach is necessary for effective crisis management.

The European Council of June 2004 invited the Commission to prepare a common strategy for the protection of critical infrastructure. On 20 October 2004, the Commission adopted the Communication "Protecting Critical Infrastructure in the Fight against Terrorism" with clear proposals for the measures needed to improve Europe's prevention, preparedness and response to terrorist attacks affecting critical infrastructure. In its conclusions on Preventing, Preparedness and Response to Terrorist Attacks and the EU Solidarity Program in the Consequences of Terrorist Threats and Attacks, adopted in December 2004, the Council supported the Commission's plan to propose a European Program for the Protection of Critical infrastructure (EPSIR) and approved the Commission's creation of the Critical Infrastructure Warning Information Network (CIWIN). In December 2006, the Commission submitted a proposal for a directive on the identification and designation of European critical infrastructures and an assessment of the need to improve their protection. At the same time, the Commission issued a communication on the European program for the protection of critical infrastructure. Taken together, these two documents define the framework for EU infrastructure protection. The Communication sets out the horizontal framework for the protection of the EU's critical infrastructure, explaining how the ERCIP can be put into action. The CIWIN initiative is part of the ERCIP, and it focuses more specifically on the process of information sharing between EU Member States and deals with the IT system that underpins this process.

General context

The security and economy of the European Union, as well as the well-being of its citizens, depend on certain important infrastructures and the services they provide. For example, telecommunications and energy networks, financial services and transport systems, health care, as well as the provision of safe drinking water and food are crucial for the EU and its member states. Any destruction or disruption of critical service delivery infrastructure, on the one hand, and inadequate response to an event of this type, on the other hand, could lead to loss of life, loss of property and disruption of public confidence in the EU. Complex interdependence means that an event can have a domino effect on other sectors and areas that at first sight are not immediately and clearly related. This type of interconnectivity is not sufficiently explored, and this may lead to insufficient protection and security for EU citizens in relation to critical infrastructure. The European Union's critical infrastructure is currently covered by a changing puzzle of safeguards and obligations, with no minimum standards being applied at a horizontal level. Some Member States are well ahead in the process of identifying their national critical infrastructure, have strong safeguards in place and have a set of practices and structures in place to ensure its protection. Others are just at the beginning of this process and can greatly benefit from access to best practices such as risk assessment methodology. The problem can be considered from a geographical perspective (ie between Member States) as well as from a sectoral perspective (ie between different critical infrastructure protection sectors). The exchange of information between Member States is a very complex matter that requires a well thought out approach. It is important to avoid duplication of activities as a result of insufficient information on similar situations in other Member States: for example, if there is information on best practice in one Member State, the costs of developing similar practice in others can be avoided member states. In addition, there is a fear of sharing sensitive information between participants. In order to exchange information effectively, an environment of trust and flexibility must be established.

Existing provisions in the area of the proposal

There are currently no provisions in the EU for information exchange and alerting in the field of critical infrastructure protection, although in 2006 the Commission proposed a directive on the designation and designation of European critical infrastructures (ECIs) and an assessment of the need to improve their protection (COM(2006) 787 final). At the same time, the Commission issued a communication on the European Critical Infrastructure Protection Program (COM (2006) 786 final). In June 2008, the Council reached a political agreement on the aforementioned Directive, with its adoption scheduled for the second half of 2008. In addition, there are a number of sectoral Rapid Alert Systems (RAS) in the EU. The main difference between CIWIN and existing rapid alert systems is the cross-sectoral nature. None of the existing rapid alert systems offer a horizontal and cross-sectoral function that can be accessed by a wide range of actors (relevant national agencies and ministries for critical infrastructure protection, etc.) and not just emergency services: - Council Decision on the establishment of a Community mechanism for civil protection (revised version) (2007/779/EC, Euratom); - Council Decision on Community arrangements for the early exchange of information in the event of a radiation hazard (87/600/Euratom), establishing a Community system for information in the event of a radiation hazard; - Council Directive 82/894/EEC of 21 December 1982 on the notification of animal diseases within the Community (82/894/EEC); - Council Directive on protective measures against the introduction into the Community of plant pests (2000/29/EC); - Decision of the European Parliament and the Council to establish a network for epidemiological surveillance and control of communicable diseases in the Community (2119/98/EC); - Directive of the European Parliament and of the Council on general product safety (2001/95/EC); - Regulation (EC) of the European Parliament and of the Council establishing the general principles and requirements of legislation in the field of food, establishing a European Food Safety Authority and defining procedures regarding food safety (178/2002); - Commission Decision on the development of an integrated computerized veterinary system called TRASES (2003/623/EC); - Decision of the Commission to amend its internal rules of procedure (2006/25/EC, Euratom).

Stakeholder consultation

Consultation methods, main target sectors and general profile of consultation participants Consultations have been held with all interested participants in the SGHUM through and within the framework of the European Program for the Protection of Critical Infrastructure (EPCIP). They were conducted through: - The Green Paper on the ETS, adopted on 17 November 2005, the consultation period of which expired on 15 January 2006. 22 Member States provided formal responses to the consultation. About 100 representatives of the private sector also provided their comments. In general, the reactions are supportive of the idea of creating CIWIN - The series of informal meetings held between Member States' JRI contact persons hosted by the Commission (December 2005; February 2006; December 2006; November 2007; February 2008; March 2008 .). - The Critical Infrastructure Warning Information Network (CIWIN) study completed in January 2008 and conducted by an external contractor: Unisys. As part of the study, the contractor conducted interviews for CIWIN in all 27 Member States. Informal meetings with representatives of the private sector. Numerous informal meetings were held with representatives of private business, as well as with industry associations. A summary of the responses and how they were taken into account Although the ERCIP Green Paper was broader in scope and consulted stakeholders on many aspects of ERCIP (e.g. purpose and key principles of ERCIP, implementation steps, etc.), part of it also focused on CIWIN Reactions to the ERCIR Green Paper and ongoing discussions with all stakeholders had a major impact on shaping the CIWIN proposal Initially, Member States did not have a unified view on the establishment of CIWIN Some supported it as a multi-level communication/alert system composed of two separate features: a rapid alert system (RAS) and an electronic forum for the exchange of ideas and best practices on RKI. However, some Member States prefer CIWIN to be limited to its role as a forum or simply as a RAS connecting Member States to the Commission. During the consultations, two Member States were against the CIWIN system. As opinions differed, the matter was discussed at regular meetings of the JRI contact persons with the Member States. The final concept of CIWIN is precisely the result of these discussions.

Collection and use of expert opinions

Scientific/expertise areas covered Expertise was gathered through numerous meetings and workshops held in 2006, 2007 and 2008, as well as during the consultation process of the Green Paper on the ERCIP. Information was collected from all interested participants. Methodology used In March 2006, the Commission awarded a contract which included a CIWIN feasibility study, the aim of which was to gather information on best practice for critical infrastructure protection and to conduct interviews with experts in Member States on CIWIN requirements and as an exchange network, and as a rapid alert system, taking into account the existing infrastructures and networks at national and international level. Another objective was to establish a common platform for the exchange of information on LCI. Main organizations/experts consulted All EU member states. Summary of opinions received and used No mention was made of the existence of potentially serious risks with irreversible consequences. Means used to publicize the expert opinions Through the annexes to the impact assessment.

Impact assessment

Within the framework of the ERCIP package, and in particular in the Commission Communication on ERCIP, it has already been agreed to adopt a separate proposal for CIWIN. The impact assessment envisages five policy options: Option 1: Maintain the status quo. Under this option, no horizontal action is taken at European level, leaving each Member State to deal with this issue on its own. Option 2: CIWIN as an advanced version of the existing RAS. Under this option (which requires both a functional overhaul of the existing IT architecture and changes to its legal basis), CIWIN's role would be to ensure connectivity between existing RASs and access to them by various EU departments and ministries in the Member States. As this will only cover the rapid alert function, any action to add a platform for the exchange of information and best practices requires a substantial revision of the existing RAS, which will be resource-intensive. Option 3: CIWIN as an open platform for (non-secure) exchange of information related to CPI. This option requires an IT tool open to the general public and operating as a standard Internet site. This will certainly contribute to a better awareness of the protection of critical infrastructures in Europe and increase the direct exchange of information between the participants. However, since the owner of any uploaded information will never know who the end user is, the amount of uploaded information will be strictly limited. Option 4: CIWIN as a secure and voluntary multi-level communication/alert system composed of two separate functions: a Rapid Alert System (RAS) and an electronic forum for the exchange of ideas and best practices on CIW. Under this option, CIWIN will be created as an IT tool that can store and forward sensitive information classified to the level of "UE RESTREINT". The system will have two main functions: 1) a secure forum for the exchange of information with an emphasis on the exchange of good practices, dialogue and confidence building at the EU level; 2) a rapid alert system for critical infrastructure. Member States will be free to use the whole system, some of the functions or none of them. Option 5: CIWIN as a mandatory multi-level communication/alert system composed of two separate functions: a Rapid Alert System (RAS) and an electronic forum for the exchange of ideas and best practices on CIW. Under this option, CIWIN will be a mandatory system, with each Member State having the obligation to regularly upload and update the relevant information. The Commission carried out an impact assessment described in the work programme. Option 4 — CIWIN as a secure and voluntary/pluggable multi-level communication/alert system composed of two distinct functions: a rapid alert system and an electronic forum for the exchange of ideas and best practices on CIW — clearly demonstrates the most - the favorable ratio between benefits and disadvantages. Under this option, CIWIN will provide a secure environment for information exchange, go a long way in building trust between participants and enable the exchange of alerts.

LEGAL ELEMENTS OF THE OFFER

Summary of proposed measures

The purpose of the proposed action is to assist Member States to exchange information on common threats, vulnerability and appropriate measures and strategies to support critical infrastructure to reduce risk. Plea The legal basis of the proposal is contained in Article 308 of the Treaty establishing the European Community and in Article 203 of the Treaty establishing the European Atomic Energy Community.

Principle of subsidiarity

The principle of subsidiarity applies insofar as the proposal does not affect an area of exclusive competence of the Community. The objectives of the proposal cannot be sufficiently achieved by the Member States for the following reasons: The principle of subsidiarity is respected, as the measures resulting from this proposal cannot be implemented by any Member State alone, therefore the matter must be decided at EU level. Although each Member State has the responsibility to protect the critical infrastructure falling under its jurisdiction, a pan-European and cross-border platform providing access to information to all Member States that would benefit from it can certainly only be realized at the level EU. Community action will better achieve the objectives of the proposal for the following reasons: No Member State can independently ensure a pan-European exchange of information or rapid alerts. It is therefore clear that working at EU level guarantees the added value of coordinating information units that may already be available but not shared with others. Only a pan-European approach can ensure that those Member States willing to share and receive information are treated equally, that cooperation does not discriminate against Member States on geographical grounds and that information really reaches those who want to they get it. There is a direct link between European interdisciplinary cooperation and national security and safety. In today's world of interdependence between cross-border sectors, both geographically and cross-sectorally, some Member States may offer services to other Member States or may have an impact on the provision of services in other Member States. There is a risk that one Member State will suffer because another has failed to adequately protect infrastructure on its territory. More and more infrastructures are of a European scale, which means that a purely national approach is not enough. There is a clear need to address the wide range of threats that can affect Europe's critical infrastructure. The proposal therefore complies with the principle of subsidiarity.

Principle of proportionality

The proposal complies with the principle of proportionality for the following reasons: This proposal does not go beyond what is necessary to achieve the main objectives of cooperation between Member States in this field, especially in view of their willingness to participate. The proposed action provides an opportunity for those Member States that do not wish to participate in the ETS to do so. Compared to the benefits, CIWIN will not have a significant direct financial impact either on the Member States or on the EU budget. For example, the maintenance costs would amount to around 550,000 Euros per year, while the costs of overcoming incidents that CIWIN could potentially avoid or limit are far higher. Choice of tools Proposed instruments: Council Decision. Other means would not be suitable for the following reasons: A legal basis is needed for the CIWIN prototype to be fully operational and accessible to all member states. Since the subject matter addressed by this legal instrument is specific and not of a general nature, a Council decision is the most appropriate instrument to achieve this objective, while at the same time obliging the users of the system (the Member States and the Commission) to respect the potential confidentiality of the information exchanged.

Implication on the budget

An estimate of the impact on the budget can be found in the accompanying financial statement. The program "Prevention, preparedness and management of the consequences of terrorism and other security-related risks" for the period 2007-2013 will play its role in the implementation of this decision.

More information

Simulation, pilot phase and transition period There has been or will be a simulation or pilot stage for this proposal. Revision / Recast / Time Limit Clause The proposal includes a review clause. The proposal includes a reworking clause.

THE COUNCIL OF THE EUROPEAN UNION

• having regard to the Treaty establishing the European Community, and in particular Article 308 thereof,

• having regard to the Treaty establishing the European Atomic Energy Community, and in particular Article 203 thereof,

• having regard to the Commission's proposal,

• having regard to the opinion of the European Parliament2,

• considering that:

(1) In its conclusions on Preventing, Preparedness and Response to Terrorist Attacks and the EU Solidarity Program in the Consequences of Terrorist Threats and Attacks, adopted in December 2004, the Council supported the Commission's plan to propose a European program for Critical Infrastructure Protection (EPCIP) and endorsed the Commission's establishment of CIWIN.

(2) In November 2005, the Commission adopted a Green Paper on a European Critical Infrastructure Protection Program (EPCIP), which provided policy options on how the Commission could set up EPCIP and CIWIN. The results of the Green Paper consultations confirmed the interest of most of the Member States in the establishment of CIWIN.

(3) In December 2006, the Commission adopted a Communication on EPCIP announcing that CIWIN would be established by a separate Commission proposal and that it would provide a platform for the secure exchange of best practices. Several critical infrastructure incidents in Europe, such as the 2006 European blackout, have demonstrated the need for better and more efficient information sharing to limit the extent of damage.

(4) It is appropriate to establish an information system that will allow Member States and the Commission to exchange information and alerts in the field of critical infrastructure protection (CIP), deepen the dialogue on CPI and contribute to the integration and better coordination of the nationally dispersed and fragmented research programs for CRI.

(5) CIWIN should contribute to improving the protection of critical infrastructure in the EU by providing an information system that would facilitate the cooperation of Member States, as well as offering an efficient and fast alternative to time-consuming methods of searching for information on critical infrastructures in the Community.

(6) In particular, CIWIN should stimulate the development of appropriate measures aimed at facilitating the exchange of best practices, as well as becoming a tool for the secure transmission of immediate threat signals and alerts.

(7) C1S should avoid duplication and take into account the specific characteristics, expertise, arrangements and areas of competence of each of the existing RAS sectoral systems.

(8) Over the years, the Commission has developed the operational capability to assist in response to a wide range of emergencies through several RAS, which are sector-specific and target specialist services within the EU. However, existing KA8s do not have a critical infrastructure protection function available to a wider range of actors, not just sector authorities or emergency services.

(9) The interdependence of critical infrastructure in the Member States and the variable levels of CRI in them suggest that the establishment of a Community facility of a horizontal and cross-sectoral nature for the exchange of information and alerts on CRI would increase the security of citizens.

(10) Given the future availability of the Trans-European Telematics Services between Administrations (S-TESTA) communication network or any alternative secure network used by the Commission, the Commission should decide on the most appropriate technology platform for C1S and require the end users to meet the technical requirements established by the Commission.

(11) The process of exchange of information about LCI between the relevant participants requires a relationship of trust in a manner according to which confidential or sensitive information shared voluntarily is not made public and according to which this sensitive information is properly protected.

(12) CIWIN access should be limited to authorized users according to established conditions, procedures and security measures. While access by users in Member States should be limited to competent national authorities, access within is limited to competent services. The commission should be

(13) Any costs that may arise as a result of the functioning of CIWIN at Community level must be covered by Community resources and/or by relevant Community programmes.

(14) Any costs that may arise as a result of the functioning of CIWIN at national level should be financed by the Member States themselves, unless the Community arrangements provide otherwise.

(15) Given that the purpose of the envisaged action, namely the exchange of information at an increased level of security

Definitions

For the purposes of this decision, the following definitions are accepted: - "Critical infrastructure" means those assets, systems or parts thereof which are located in Member States and which are of fundamental importance for the maintenance of vital functions of society, the health, safety, security, economic or social well-being of the people and whose disruption or disruption would have a material impact on a Member State as a result of an inability to maintain these functions. -Participating Member State' means that Member State which has signed a Memorandum of Understanding with the Commission. -"CIWIN Administrator" means the contact person for CIWIN in the relevant Member State or the Commission, who ensures the appropriate use of CIWIN and compliance with the user guidelines within the relevant Member State or the Commission. -"Threat" is any information, circumstance or event that could destroy or disrupt the operation of a critical infrastructure or any of its elements. Participation Participation and use of CIWIN remains open to all member states. Participation in CIWIN is subject to the signing of a Memorandum of Understanding, which contains the technical and security requirements applicable to CIWIN, as well as information about the sites to be included in CIWIN. Functions (1) CIWIN consists of the following two functions: a) an electronic forum for the exchange of information related to LCI; b) a quick alert feature which will enable the the participating Member States and the Commission to send alerts for concern about immediate risks and threats to the critical infrastructure. (2) The electronic forum consists of established areas and dynamic areas. The established zones are permanently included in the system. While their content can be adjusted, the zones themselves cannot be removed, renamed, or new zones added. The list of designated areas is contained in Annex I. Dynamic zones are created on demand and serve a specific purpose. After fulfilling their original purpose, their existence ceases. The list of dynamic zones that will be created immediately after the implementation of CIWIN is contained in Annex II. Role of Member States Participating Member States shall designate a CIWIN Administrator by notifying the Commission thereof. The CIWIN administrator is responsible for granting or denying access to CIWIN within the respective Member State. Participating Member States shall provide access to CIWIN in accordance with guidelines adopted by the Commission. Participating Member States shall provide and regularly update relevant information on the LCI that is of common interest to the EU. Role of the Commission The Commission is responsible for: a) for the technical development and management of CIWIN, including the IT structure of the system and the information exchange elements; b) for the preparation of guidelines regarding the terms of use of the system, including confidentiality, transmission, storage, classification and deletion of information. The Commission also determines the conditions and procedures for granting full or limited access to CIWIN The Commission appoints a CIWIN administrator who is responsible for granting or denying access rights to CIWIN within the Commission. The Commission provides and regularly updates the relevant information on the LCI, which is of common interest to the EU. CIWIN is created as a secure and confidential system that can handle information up to "RESTREINT UE" level. The Commission decides on the most appropriate technology platform for CIWIN, and users must meet the technical requirements established by the Commission. The CIWIN security classification is updated when necessary. Users' right of access to documents is based on the "need to know" principle, always following the author's specific instructions regarding the protection and distribution of a document. Member States and the Commission shall take the necessary security measures so that: a) prevent any unauthorized person from accessing CIWIN; b) to ensure that authorized persons only have access to the data within their competence when they use CIWIN; c) to prevent reading, copying, modification or destruction of the data in the system by unauthorized persons. Uploading information to CIWIN does not affect ownership of the information. Authorized users are solely responsible for the data they provide and must ensure that their content fully complies with applicable national and Community legislation.