Critical or not critical? That is the question.

A few weeks ago, a question was raised as to why the cover image of our website reads “ENERGY CRITICAL INFRASTRUCTURE BENEFITS”. The question was triggered by the adjective “CRITICAL”. The critical infrastructure under national practice is not necessarily the same as European practice.

The issue had almost been forgotten when an article on The Wall Street Journal entitled “European Energy Sector Prepares for New Cybersecurity Rules” appeared.

According to one of its sentences:

„Cyprus designated 10 organizations as critical infrastructure while Finland counts more than 10,000, according to a 2019 report from the European Commission, the EU’s executive arm.”

Searching for the referenced report, the only publicly available Council publications (this, this and this) do not contain the Finnish and Cypriot data referred to. The WSJ is therefore presumably basing these claims on a non-public source.

If we accept the validity of the data, we can conclude that

there is plenty of work to be done at EU level to identify critical infrastructure, including energy infrastructure.

Looking at the European situation, it is perhaps not unreasonable to ask

whether the significantly different designation practices across countries could pose an EU-wide cybersecurity risk?

A recent article (15 June) shows that

the problem is also present in the US.

Among other things, the article sets out the foundations of a remarkable liability-support system.

We welcome messages either agreeing or disagreeing with the above. For example, by responding to them in a new post, a substantive professional exchange of views could be initiated.