Critical Infrastructure Security and Resilience of the Republic of Croatia

Posted: August 18, 2016 at 10:34 am

Print Friendly, PDF & Email
by Robert Mikac, PhD, and Ivana Cesarec

 

The Republic of Croatia is the latest country to accede to the European Union,[1] and as such, has the obligation to normatively arrange and regulate issues of identification, determination and protection of European critical infrastructure. Specified obligations emerge from  Council Directive 2008/114/EC on the Identification and Designation of European Critical Infrastructures and the Assessment of the Need to Improve their Protection (Council Directive 2008/114/EC).[2] Council Directive 2008/114/EC defines European critical infrastructure as ”critical infrastructure located in Member States the disruption or destruction of which would have a significant impact on at least two Member States. The significance of the impact shall be assessed in terms of cross-cutting criteria. This includes effects resulting from cross-sector dependencies on other types of infrastructure.”[3]

It should be noted that while Council Directive 2008/114/EC imposes an obligation on the identification, determination and protection of European critical infrastructure in energy and transport sectors, it does not regulate national critical infrastructure (CI). Although the European Union is striving to become a generator of success in developing CI protection, each Member State approaches and refers to CI in accordance with their current technological capabilities. Consequently, when we discuss this issue, we have within the European Union several levels of technological sophistication in the field of CI security and resilience. For example, some Member States, such as the Republic of Italy, have decided to regulate only issues pertaining to European critical infrastructure, while national issues are left open.

The Republic of Croatia has implemented Council Directive 2008/114/EC into national law by drafting and adopting the Critical infrastructure act, which provides for a process of regulation for national and European CI.[4] Under this act, National CI is defined as “the systems, networks and objects of national importance whose disruption in operation or interruption in the delivery of the goods can have serious consequences for national security, health and lives of people, property or environment, security and economic stability and continuous functioning of the government.”[5] European CI is defined as “Critical infrastructure that is of interest to at least two Member States or one Member State and is located on the territory of another Member State.”[6] Notwithstanding the adoption of the Critical infrastructure act, the Republic of Croatia has yet to implement this dual approach, although methodologically it has experience with identifying, determining and protecting buildings of special importance in the defence of the country.

Currently, the normative framework for CI protection in the Republic of Croatia is comprised of a critical infrastructure security and resilience system (hereafter, CISR system) and the Critical infrastructure act. This framework has led to two important documents, pursuant to the Critical infrastructure act. The first document issued under the Critical infrastructure act is the Decision on designation the sectors from which the central state administrative bodies identify national critical infrastructure and lists of the order of the sectors of critical infrastructures (Decision on Designation).[7] In the Decision on Designation, a total of eleven sectors have been determined from which ministries (the central administrative bodies) can identify the national CI. Those sectors are:

  1. Energy,
  2. Communications and IT technology,
  3. Transport,
  4. Public health,
  5. Water management,
  6. Food,
  7. Finances,
  8. Production, storage and transport of hazardous materials,
  9. Public sector,
  10. National monuments and valuables, and
  11. Science and education.[8]

The second document, entitled the Rules on the methodology for drafting business risk analysis of critical infrastructure, determines the guidelines, criteria and measurements for CI identification and risk analysis management.[9]

The architecture for future CISR systems is established through these documents, which provide foundational guidelines for the development of key processes and functionalities within any CISR system. The Critical infrastructure act has determined the rights, authorities and obligations of both the Government of the Republic of Croatia and state administrative bodies (i.e. CI administrators) necessary for identifying, determining and protecting national CI and securing their uninterrupted functionality. In the same way, the Act determines national CI sectors, CI management and Risk Analysis creation. Furthermore, the Act provides for owner/administrator Security plans, a CI security coordinator, procedures for handling of sensitive information, data classification processes, and the supervision of implementing the act’s provisions.

This regulatory framework has determined the processes for identifying and defining national CI within the Decision on Designation’s eleven sectors. In these sectors are nine competent ministries, along with a state administrative body named the National Protection and Rescue Directorate (NPRD), which functions at a lower governmental level than the nine ministries.[10] The NPRD serves as the coordinator of the CISR system and is the national contact point for cooperation with other countries and the European Commission. With the architecture structured in this way, implementation of necessary actions, as well as cooperation and coordination have certainly proved to be very challenging. Inefficiencies in administering CI resilience and protection may possibly provide one indication for why three years after the adoption of this normative framework (which provided clear deadlines), the Croatian government has yet to identify or determine a single national CI sector.

An important feature of establishing and creating a CISR system is defining the proper level of CI identification analysis and determination. When we analyzed several different Member State practices and solutions to determine whether these States defined CI either only at the state level or on a dual regional-local level (which certainly complicates the process much more, as seen in a number of participants), we came to the conclusion that countries with greater power and territory use a system that identified and specified CI on number of levels, while smaller countries did so only at the national level. According to these observations, the Republic of Croatia has decided to use a CI identification and determination approach only at the national level. This system is considered to be a pragmatic and appropriate solution for a country of the size, strength, population and economy for a country like the Republic of Croatia.

Regarding the issues of identification and determination of European CI within the territory of the Republic of Croatia or territory of neighbouring EU countries like Slovenia and Hungary (which are important to the Republic of Croatia), the Republic of Croatia has taken the initiative of holding bilateral meetings. In the bilateral talks with representatives from the Republic of Slovenia, we have established that there is no CI in Slovenian and Croatian territory that would be significant for both countries. Therefore, Slovenia is not included in the context of determining European CI, as defined by the Critical infrastructure act. As for the Republic of Hungary, Hungarian representatives stated their first priority to be carrying out the processes of identification and determination of their national CI prior to discussing cross-border impacts. Upon doing so, the Hungarians will in turn inform the Republic of Croatia of these impacts.

It should be noted that in the Republic of Croatia there is no specific comprehensive program at any higher education institution through which all who are engaged in activities related to CI can educate themselves on basic knowledge needed for better performance of duties and tasks related to the identifying, determining, protecting and strengthening the resilience of CI. In pursuit of an ad hoc solution to provide a base level of understanding to Croatian experts (ranging from representatives of the NPRD to security coordinators and their deputies from the nine established ministries), and while harmonizing the expectations and knowledge of these experts, an initial seminar was created and conducted in 2014, entitled “Risk analysis of critical infrastructure operation.” Following this seminar was an advanced course named “Mastering risk assessment and optimal risk management according to ISO 31000 and IEC 31010” in 2015.[11] However, these are not systematic solutions, and we must strive for them in the future.

The Republic of Croatia has followed the processes and developments of the European Union and individual Member States for its own national CI security and resilience. We observed that there are certain areas in which the majority of Member States have not yet developed adequate solutions but are seeking to improve. The said areas of interest are: (1) Public-private partnership in the field of CI protection; (2) Establishment of mechanisms for classified information/data exchange in the CISR system; and (3) Setting of preconditions for the establishment of a National CI Centre. In focusing on these areas of interest, the European Commission co-financed a project for a dialogue between the Republic of Croatia, the Republic of Serbia and the Kingdom of Sweden. In this program, Croatia and Serbia received guidance primarily from Sweden and other EU Member States on CI issues.[12] It is very important to emphasize that project has been very successful and has resulted in a multitude of long-term high-quality solutions that determine the needed direction of development of the CISR system in Croatia. However, the biggest challenge after the project is to present these solutions to the highest political decision makers, and to convince them to take those concrete steps outlined in the project. Without the support and decisions from Croatia’s highest political leadership, further development of the CISR system cannot proceed.

Conclusion

The Republic of Croatia is the latest country that has acceded to the European Union, and is the latest Member State to implement Council Directive 2008/114/EC into its national legislation. It has established an initial regulatory framework that serves as the architecture of a CISR system, and has created certain fundamental tasks and relations within this system.

Although the Croatian government has initiated a number of activities and continues to work on internal processes and functionality on an almost daily basis, the current CISR system leaves the impression that the system is much slower than expected. There continue to be major challenges for inter-institutional cooperation as well as questions regarding whether the highest levels of authority will address these issues. To date, experts are currently unable to get their attention.

For the Republic of Croatia, the future of CI resilience and security is certainly promising and dynamic. But, in order to implement meaningful change, the Republic of Croatia must use its own efforts to be more open to cooperation with countries, institutions and the private sector. These potential partners are more developed in CI protection and hold a close relationship with the European Commission. From these partners, the Republic of Croatia can receive the necessary knowledge, and transfer of best practices as well as an additional impulse for continuing its development process.

Robert Mikac, PhD, Faculty of Political Science, University of Zagreb, at previous workplace in National Protection and Rescue Directorate was in charge of affairs related to critical infrastructure, and from 2012 to 2015 the national contact point for critical infrastructure.

Ivana Cesarec, professional specialist engineer of crisis management and logistics, National Protection and Rescue Directorate, Republic of Croatia, works as expert associate for prevention activities and is deeply involved in activities related to critical infrastructure.


References

[1] Croatia became a full member of the European Union on 1 July 2013.

[2] Council Directive 2008/114/EC on the Identification and Designation of European Critical Infrastructures and the Assessment of the Need to Improve their Protection, 2008 O.J. (L 345/75), http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32008L0114&from=NL (hereafter Council Directive 2008/114/EC).

[3] Ibid. at art. 2 (b).

[4] Zakon o kritičnim infrastrukturama (Critical infrastructure act), 2013, in Official Gazette, No 56/2013 (Croat.), http://www.zakon.hr/z/591/Zakon-o-kriti%C4%8Dnim-infrastrukturama.

[5] Ibid. at art. 3.

[6] Ibid. at art. 2.

[7] Odluka o određivanju sektora iz kojih središnja tijela državne uprave identificiraju nacionalne kritične infrastrukture te liste redoslijeda sektora kritičnih infrastruktura (Decision on Designation the Sectors from which the Central State Administrative Bodies Identify National Critical Infrastructure and Lists of the Order of the Sectors of Critical Infrastructures), in Official Gazette, No 108/2013 (Croat.), http://narodne-novine.nn.hr/clanci/sluzbeni/2013_08_108_2411.html.

[8] Ibid.

[9] Pravilnik o metodologiji za izradu analize rizika poslovanja kritičnih infrastruktura (Rules on the Methodology for Drafting Business Risk Analysis of Critical Infrastructure), in Official Gazette, No 128/2013, http://narodne-novine.nn.hr/clanci/sluzbeni/2013_10_128_2792.html [hereinafter Rules on Methodology]. During 2016, the Republic of Croatia enacted a revised version of the Rules. See Rules on Methodology, in Official Gazette, No 47/2016 (Croat.), http://www.poslovni-savjetnik.com/propisi/pravilnik-o-metodologiji-za-izradu-analize-rizika-poslovanja-kriticnih-infrastruktura-vazeci.

[10] These ministries are as follows:

[11] In 2015 and 2016, through successful bilateral cooperation between Republic of Croatia and the State of Minnesota, American CI experts visited Croatia and held lectures for security coordinators and members of the public on the principles and functions of CISR.

[12] You can learn more about the project on the official website: www.recipe2015.eu.

Write to the Editors at ciprpt@gmu.edu