Critical Infrastructure: Commission proposes a Blueprint to improve response to disruptive cross-border incidents

Today, the Commission is proposing a Council Recommendation for a Critical Infrastructure Blueprint that will enhance the EU’s coordination in response to attempts to disrupt our critical infrastructure.

The geopolitical context in which critical infrastructure operates is highly volatile and this not only in view of Russia’s war of aggression against Ukraine, increased hybrid attacks and the sabotage of the Nord Stream gas pipelines. Citizens, businesses and authorities in the EU rely on critical infrastructure because of the essential services that the entities operating such infrastructure provide. Such services are crucial for the maintenance of vital societal functions and must be provided in an unobstructed manner in the internal market.

The EU has already taken a number of measures to enhance the protection of critical infrastructure to avoid or mitigate the effects of disruptions in the essential services. Immediately after the sabotage of the Nord Stream gas pipelines, the Commission proposed a Council Recommendation to accelerate the work to protect critical infrastructure, proposing to enhance coordination in the response to incidents and crises with a Critical Infrastructure Blueprint. Moreover, the EU-NATO Task Force on resilience of critical infrastructure, launched in March 2023, presented on 29 June a final assessment report which maps out the current security challenges and presents targeted recommendations to strengthen critical infrastructure resilience.  Today’s proposal builds on these actions, and further complements existing EU-level crisis instruments.  It also complements the existing Blueprint in the area of cybersecurity and the EU Protocol for countering hybrid threats.

Scope and objective of the Critical Infrastructure Blueprint

In order to ensure a targeted, proportionate and effective approach, the Blueprint, provides a roadmap with measures that can be applied when Member States are faced with significant critical infrastructure incidents.

The Blueprint aims to achieve three main objectives in response to a significant critical infrastructure incident:

  1. Improve shared situational awareness, by better understanding the significant critical infrastructure incident in the Member States, its origin, and its potential consequences for all key stakeholders at operational and strategic/political level.
  2. Ensure coordinated public communication to minimise discrepancies in the messages conveyed to the public after a significant critical infrastructure incident. Clear public communication is also important to tackle disinformation.
  3. Provide effective response by strengthening the response of Member States and cooperation between Member States and with relevant Union institutions, bodies, offices, agencies, will mitigate the effects of a significant critical infrastructure incident and enable swift reestablishment of essential services.

The Blueprint can be applied when:

(i) the incident has a significant disruptive effect to or in six or more Member States;

(ii) the incident has a significant disruptive effect in two or more Member States, and timely policy coordination in the response at Union level is required, due to the incident’s wide-ranging and significant impact of technical or political relevance.

To respond to the significant critical infrastructure incident, the Blueprint sets out several actions that can be taken at EU level, such as the support of the affected Member States through information exchange, the organisation of expert meetings, the preparation of situational awareness reports, and the coordination of public communication lines and of the response. The coordinated response may also include technical support of other Member States or relevant EU institutions, bodies and agencies, if so requested by the affected Member States, and activation of EU crisis coordination mechanisms and use of EU instruments. Points of contact for matters relating to the Critical Infrastructure Blueprint are foreseen for all actors involved. Member States affected by the significant critical infrastructure incident will share with the rotating Presidency of the Council and the Commission relevant information on the incident. The Recommendation foresees that the Member States, the Council, the Commission and, where appropriate, the EEAS and relevant EU bodies, offices and agencies should apply the Blueprint without delay whenever a significant critical infrastructure incident occurs.

Next steps

This proposal will now be discussed by the Council.


The EU has had a legal and policy framework for the protection of critical infrastructure for almost 15 years. This has been updated with the Directive on Critical Entities Resilience (CER Directive), which entered into force in January 2023. In light of the current security context, a Council Recommendation on a Union-wide coordinated approach to strengthen the resilience of critical infrastructure was adopted on 8 December 2022 following a Commission proposal. In that Recommendation, the Council highlighted, among others, the need to ensure at Union level a coordinated and effective response to risks to the provision of essential services. It invited the Commission “to draft a Blueprint on a coordinated response to disruptions of critical infrastructure with significant cross-border relevance”.

On 25 July 2023, the Commission adopted Delegated Regulation establishing a list of essential services in those sectors. Based on this list, Member States must carry out risk assessments and then identify their critical entities.