Differences

This shows you the differences between two versions of the page.

--- topics:infrastructure [2026/03/14 12:34] – ↷ Page moved from infrastructure to topics:infrastructure admin
+++ topics:infrastructure [2026/04/20 13:09] (current) – vso_vso
@@ Line 1: / Line 1: @@
-[[critical_infrastructure|]]
+<WRAP catbadge slate>Technology and Infrastructure</WRAP>
-====== Infrastructure ======
+====== Critical infrastructure ======
+<WRAP meta>
+lead-authors: Vitaliy Soloviy
+contributors: Klaus Kubeczko
+reviewers:
+version: 1.0
+updated: 17 March 2026
+sensitivity: low
+ai-use: Claude Sonnet 4.6 (Anthropic) was used for topic structuring, writing, reference verification, and formatting; reviewed by Vitaliy Soloviy, 17 March 2026
+status: draft
+</WRAP>
+<WRAP intro>
+Critical infrastructure refers to systems and assets whose disruption would significantly affect public safety, security, or economic continuity. Electricity grids sit at the core of this category — most other critical systems depend on them, and their growing complexity under smart grid transitions introduces new vulnerabilities alongside new capabilities.
+</WRAP>
+===== Why this matters =====
+Electricity is the infrastructure that underlies most other critical infrastructure. Hospitals, water treatment, communications, and transport all depend on reliable power. As grids become more digitalised and distributed, the attack surface expands — cyberattacks, extreme weather events, and cascading failures across interconnected systems all pose risks that conventional grid design did not anticipate. Protecting electricity infrastructure is therefore not just a technical challenge but a governance one, requiring coordination across regulatory, operational, and security domains.
+<WRAP callout>
+Digitalisation makes new forms of grid coordination possible but also introduces new vulnerabilities that did not exist in analogue systems.
+</WRAP>
+===== Shared definitions =====
+The EU Directive on the Resilience of Critical Entities (CER, 2022/2557) defines critical infrastructure as infrastructure essential to the maintenance of vital societal functions, economic activity, public health, safety, or security, whose disruption would have significant cross-sectoral effects. Energy — including electricity generation, transmission, and distribution — is explicitly listed as a critical sector.((European Parliament and Council of the European Union. (2022). Directive (EU) 2022/2557 on the resilience of critical entities. //Official Journal of the European Union//, L 333, 164–198. https://eur-lex.europa.eu/eli/dir/2022/2557/oj))
+Within that framework, electricity grids carry additional specificities: they are highly interconnected, failures can cascade across large geographic areas, and increasing digitalisation ties grid reliability to cybersecurity in ways that earlier regulatory frameworks did not address. The EU NIS2 Directive (2022/2555) responds to this by establishing binding cybersecurity obligations for energy operators as essential entities.((European Parliament and Council of the European Union. (2022). Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (NIS2 Directive). //Official Journal of the European Union//, L 333, 80–152. https://eur-lex.europa.eu/eli/dir/2022/2555/oj))
+===== Perspectives =====
+Critical infrastructure protection involves different roles and responsibilities depending on who is responsible, what systems are at stake, and what governance frameworks apply.
+<WRAP perspectives>
+==== Actors and stakeholders ====
+Responsibility for critical infrastructure protection is distributed across multiple actors — grid operators, national regulators, cybersecurity agencies, emergency services, and government ministries — who rarely share a single chain of command. Coordination among them before, during, and after disruptions is as important as the technical measures each actor takes individually. In practice, information sharing across these groups remains uneven, and the boundary between operator responsibility and state responsibility is often contested.((European Parliament and Council of the European Union. (2022). Directive (EU) 2022/2557 on the resilience of critical entities. //Official Journal of the European Union//, L 333, 164–198. https://eur-lex.europa.eu/eli/dir/2022/2557/oj))
+<WRAP case>
+**European Union -- CER Directive implementation** \\
+Member states are required to identify critical entities, assess their risks, and ensure they have resilience plans in place. Implementation pace has varied considerably across the EU, with most member states missing the October 2024 transposition deadline.((European Parliament and Council of the European Union. (2022). Directive (EU) 2022/2557 on the resilience of critical entities. //Official Journal of the European Union//, L 333, 164–198. https://eur-lex.europa.eu/eli/dir/2022/2557/oj))
+</WRAP>
+==== Technologies and infrastructure ====
+The interdependence of electricity grids with telecommunications, water, transport, and digital systems means that a failure in one can propagate across others. Smart grid technologies improve situational awareness and operational flexibility, but also expand the digital attack surface. Cybersecurity measures for operational technology — SCADA systems, distribution management platforms, smart meters — are increasingly treated as integral to grid design rather than as an add-on.((European Commission / ISGAN WG6 and ETIP-SNET. (2022). //Flexibility for resilience: How can flexibility support power grids resilience?// Publications Office of the European Union. https://op.europa.eu/en/publication-detail/-/publication/54d9c702-dc9c-11ec-a534-01aa75ed71a1))
+<WRAP case>
+**European Union -- NIS2 and energy operators** \\
+Under NIS2, electricity generators, transmission and distribution operators above defined size thresholds must implement risk management measures, report significant incidents within 24 to 72 hours, and demonstrate supply chain security.((European Parliament and Council of the European Union. (2022). Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union. //Official Journal of the European Union//, L 333, 80–152. https://eur-lex.europa.eu/eli/dir/2022/2555/oj))
+</WRAP>
+==== Institutional structures ====
+Regulatory frameworks for critical infrastructure protection have traditionally focused on physical security. The growing digital dimension has prompted a shift toward integrated cyber-physical governance, but the institutional architecture varies significantly across jurisdictions. Cross-border interdependencies add a further layer, as a disruption in one country's grid can affect neighbours sharing the same synchronous zone.((European Commission / ISGAN WG6 and ETIP-SNET. (2022). //Flexibility for resilience: How can flexibility support power grids resilience?// Publications Office of the European Union. https://op.europa.eu/en/publication-detail/-/publication/54d9c702-dc9c-11ec-a534-01aa75ed71a1))
+<WRAP case>
+**European Union -- NIS2 and CER as parallel frameworks** \\
+NIS2 governs cybersecurity obligations while the CER Directive addresses physical resilience of critical entities. Together they form a dual-track framework, though coordination between the two remains a work in progress at both EU and national levels.((European Parliament and Council of the European Union. (2022). Directive (EU) 2022/2557. https://eur-lex.europa.eu/eli/dir/2022/2557/oj))
+</WRAP>
+</WRAP>
+===== Distinctions and overlaps =====
+<WRAP distinction>
+**Critical infrastructure vs resilience**\\
+Resilience describes a system's capacity to absorb, adapt to, and recover from disruptions; critical infrastructure protection is the governance and technical effort to maintain that capacity in systems whose failure would have cascading societal effects. The two concepts are closely related — resilience is the goal, critical infrastructure protection is the practice — but they belong to different analytical frames. See the [[topics:resilience|Resilience]] topic.
+</WRAP>
+<WRAP distinction>
+**Physical security vs cybersecurity**\\
+Conventional critical infrastructure protection focused on physical threats — natural disasters, sabotage, physical attack. Digitalisation adds a distinct attack vector: cyber intrusions targeting operational technology can cause physical effects without any physical access. Current frameworks (NIS2, CER) treat these as complementary rather than separate, but operational integration across the two domains remains uneven.
+</WRAP>
+===== Related topics =====
+[[topics:resilience|Resilience]] · [[topics:grid|Grid]] · [[topics:digitalisation|Digitalisation]] · [[topics:operator|Operator]] · [[topics:grid_edge|Grid edge]]
+===== Topic notes =====
+Formatting pass 26 March 2026. Changes: catbadge corrected; duplicate status lines removed from catbadge; status field added to meta; AI statement moved from bottom of page to ai-use field in meta; superscript footnote references converted to inline DokuWiki footnotes; case examples wrapped in WRAP case blocks; insight block added (152 chars); section heading corrected to Shared definitions; Distinctions section added; tag-based Related topics converted to direct links; References heading removed.
+Should be integrated into broader infrastructure topic.
+@@GAP@@ Non-EU institutional case needed.
+@@GAP@@ Technical case needed: add a case illustrating a specific cyber-physical vulnerability or resilience measure at the grid level, with technical specificity.
+@@GAP@@ Non-EU case needed: add a case showing how critical infrastructure governance is structured in a non-European context (e.g. US NERC CIP standards, or a national framework in Asia or Latin America).
+@@GAP@@ Both non-EU case gaps noted in Perspectives need filling before in-review status.
+~~DISCUSSION|Discussion — logged-in users only~~