Re: New directive EU) 2022/2557 of the European Parlament may completely change the aim of protecting Critical Infrastructures

[Rex Brooks <rexb@starbourne.com>]

Greetings Dario,

I am including the OASIS Admin and the EM CAP Subcommittee on this so that we can get more eyes and brains looking at this, especially those with operational knowledge and use of CAP under various categories.

To the extent that Critical Entities are defined and the various and possibly different geographical locations/areas are likewise defined and can be included in the CAP message yes, it is possible and has been foreseen. However, I think it is probably wiser to have the Critical Entities define their systems and subsystems in a way that makes it easier to group them logically for separate specific CAP Alerts that can be issued for all subsystems and populations affected in an effective way.

However, keeping track of all the resources and expertises required for the situation should use EDXL-Resource Messaging and EDXL-SitRep in addition to EDXL-CAP.

The more we can think our way through these expanded requirements, the better we can meet those requirements.

As I have suggested both to you about this project and to the OASIS EMTC and EM Member Section Steering Committee--where we can get our limited funding proposed and approved--I think the most important consideration is to get the definitions of Critical Entities agreed to so that we're all working from the same page.

Thanks for informing me of this, Dario.

Cheers,

Rex Brooks

On 2/13/2023 12:21 PM, Dario Ruiz Lopez wrote:

Dear Rex,

 

The European Parlament issued a new directive on the resilience of Critical Entities that is meant to replace directive Directive 2008/114/EC. It is a dramatic change, because it changes very much the scope of a critical infrastructure and now aims to the protection not only of the facilities but the entity run them. And what is much more ambitious, now the infrastructure are not only the facilities, but any system used to run the service, or even any part of the system. As an example, in the directive 2008 one of the critical infrastructures was the railroad network, but now the trains and even the engines of the trains would be critical infrastructures as parts of the system that are needed to run the service. Actually, probably even the computers needed to monitor the network would be a critical infrastructure on its own.

 

The point in all of this is that possibly it will now not be enough to report on the facility affected, but to report on the whole asset affected. I wonder if EDXL-CAP has something already foreseen for that.

 

Best regards

 

	DarÃo Ruiz LÃpez Project Director Secure Societies and Societal Transformation T: +34 91 038 9924 Calle de AlbarracÃn, 25 â 28037 Madrid â Spain atos.net

 

 

 

This e-mail and the documents attached are confidential and intended solely for the addressee; it may also be privileged. If you receive this e-mail in error, please notify the sender immediately and destroy it.
As its integrity cannot be secured on the Internet, the Atos group liability cannot be triggered for the message content. Although the sender endeavors to maintain a computer virus-free network, the sender does not warrant that this transmission is virus-free and will not be liable for any damages resulting from any virus transmitted.

Este mensaje y los ficheros adjuntos pueden contener informaciÃn confidencial destinada solamente a la(s) persona(s) mencionadas anteriormente y pueden estar protegidos por secreto profesional.
Si usted recibe este correo electrÃnico por error, gracias por informar inmediatamente al remitente y destruir el mensaje.
Al no estar asegurada la integridad de este mensaje sobre la red, Atos no se hace responsable por su contenido. Su contenido no constituye ningÃn compromiso para el grupo Atos, salvo ratificaciÃn escrita por ambas partes.
Aunque se esfuerza al mÃximo por mantener su red libre de virus, el emisor no puede garantizar nada al respecto y no serà responsable de cualesquiera daÃos que puedan resultar de una transmisiÃn de virus.