This is a self-archived – parallel published version of this article in the 

publication archive of the University of Vaasa. It might differ from the original. 

Critical Infrastructure Resilience as a Shared Policy 

Response of NATO and the EU 

Author(s): Kytömaa, Eero; Niskanen, Ville-Pekka 

Title: Critical Infrastructure Resilience as a Shared Policy Response of NATO 

and the EU 

Year: 2024 

Version: Accepted Manuscript 

Copyright ©2024 Palgrave Macmillan. 

Please cite the original version: 

 Kytömaa, E., & Niskanen, V.-P. (2024). Critical Infrastructure 

Resilience as a Shared Policy Response of NATO and the EU. In P. 

Uusikylä, H, Jalonen, & A. Jokipii (Eds.), Information Resilience and 

Comprehensive Security: Challenges and Complexities in Wicked 

Environments (pp. 75-108). Information Technology and Global 

Governance. Palgrave Macmillan. https://doi.org/10.1007/978-3-031-

66196-9_5 

 



Critical Infrastructure resilience as a shared policy response of NATO and the EU 
 Eero Kytömaa a, b & Ville-Pekka Niskanen b 
 
a Ministry of the Interior, National Security Unit, Helsinki, Finland  b Public Policy and Governance Research Group, School of Management, University of Vaasa, Vaasa, Finland  e-mail: eero.kytomaa(at)gov.fi; ville-pekka.niskanen(at)uwasa.fi  
This is the pre-copy-edited version of the article submitted for publication. Thus, some corrections have been made to the final published version. 
Published version: Kytömaa, Eero & Niskanen, Ville-Pekka, Critical Infrastructure Resilience as a Shared Policy Response of NATO and the EU published in Information Resilience and Comprehensive Security: Challenges and Complexities in Wicked Environments, edited by Petri Uusikylä, Harri Jalonen & Annukka Jokipii, 2024, Palgrave Macmillan, reproduced with permission of Palgrave Macmillan. https://doi.org/10.1007/978-3-031-66196-9_5 
ABSTRACT 
 Information resilience depends on critical infrastructure, as both information availability and 
effective communication rely on it. Disruptions in critical infrastructure undermine decision-making 
and situational awareness of various actors. This chapter explores the evolution of critical 
infrastructure policy within the European Union (EU) and the North Atlantic Treaty Organization 
(NATO), focusing on relevant policies and documents from the early 2000s to 2023. We begin by 
identifying key characteristics of critical infrastructure that necessitate dedicated policies by 
reviewing earlier literature. Following this, critical infrastructure policies and relevant documents 
within the EU and NATO contexts are examined, along with NATO-EU cooperation on critical 
infrastructure. Policy development within both organizations is characterized by a reactive 
approach, driven by the proliferation of terrorism, hybrid threats, and hostile state actors. Recent 
attention to ICT supply chains highlights a continuing reactive stance, yet acknowledgement of 

https://doi.org/10.1007/978-3-031-66196-9_5


climate hazards indicates room for proactive strategies. The core characteristics of critical 
infrastructure have stayed the same, despite evolving risks and policies since the early 2000s. 

ARTICLE TEXT 
 
Critical infrastructure plays a pivotal role in modern societies, serving as a fundamental enabler for 
various essential functions. This article focuses on the strategic-level policy documents of NATO 
(North Atlantic Treaty Organization) and the EU (European Union) through the lens of critical 
infrastructure protection and resilience. It seeks to evaluate how the evolving security landscape has 
influenced policy-level strategies in both organisations. 
Critical infrastructure (CI) can be defined as the physical or cyber infrastructure that is indispensable 
to the normal day-to-day functioning of a society. Such infrastructures are usually interlinked and 
networked, meaning that they function as parts of a larger system and make the functioning of other 
services and infrastructures possible (Brown et al. 2006; Ghorbani & Bagheri 2007). Critical 
infrastructure acts as society’s arteries or life support systems (e.g. Collier & Lakoff 2008), feeding 

it with the resources and information required for it to function. Central to this definition is the 
potential effects of disruptions in the delivery of the services provided by critical infrastructure: an 
infrastructure is not critical if its disruption does not have a potentially significant effect on “the 

maintenance of vital societal functions, health, safety, security, economic or social well-being of 
people” (Directive 2008/114/EC, Article 2; see also Cabinet Office 2010). In the more recent EU 

legislation, specifically the Directive on Critical Entities Resilience ((EU) 2022/2557), CI is defined 
as an asset, a facility, equipment, a network or a system, or a part of an asset, a facility, equipment, a 
network or a system, which is necessary to safeguard essential services. 



The term critical infrastructure began to appear in policy discussions and documents in the United 
States in the late 1990s and early 2000s (e.g. Lipschutz 2008; Moteff et al. 2003), which, to a large 
extent, can be attributed to terrorist attacks, especially that on September 11, 2001, that raised 
concerns about the vulnerability of infrastructure (Aradau 2010).1 Additionally, the period is 
characterised by the proliferation of information and communications technologies, the awareness of 
the interconnectedness of critical services, along with the recognition of the importance of protecting 
and enhancing the resilience of these systems. While the term may have appeared earlier in various 
contexts, it was during this period that it became a well-defined and widely used term in security 
policy. Since then, many countries and international organisations have adopted the concept and 
developed policies and strategies for the protection of critical infrastructure (Aradau 2023). 
Historically, efforts to safeguard CI have focused on devising mitigation plans and enhancing the 
protection of individual systems. However, this approach has proven inadequate in the face of 
evolving security threats, including man made and natural hazards.  As a result, the security policy 
narrative of both the EU and NATO has shifted towards addressing systemic vulnerabilities inherent 
in CI. One key transformation has been the recognition of the need to move beyond protection against 
conventional threats and towards a more nuanced understanding of adversarial clandestine operations, 
often referred to as hybrid threats. These hybrid threats encompass a wide range of tactics, including 
cyberattacks, sabotage, and subversion, all of which can target CI systems. CI-related threats stem 
from traditional state-based actors, emerging challenges from technological development, non-state 
actors and asymmetric warfare in which one side of the conflict employs unconventional tactics and 
methods. Recent events, such as disruptions to energy and telecommunications infrastructure in 

 
1 The 2001 World Trade Center (WTC) attacks in New York City and the subsequent collapse of twin towers caused 
physical damage to various CIs. Some critical services depended indirectly on connections at the WTC site, and its 
destruction caused a cascading effect within CI systems. (e.g. Mendonça et al. 2004; Mendonça & Wallace 2006). 



Europe, coupled with the use of military force by Russia against Ukraine, underscore the increasing 
vulnerability of critical infrastructure to state-sponsored threats. 
CI is crucial to information resilience, the overarching theme of this volume. Ensuring the timely 
supply of correct information for decision-making and situational awareness (e.g. Jokipii et al. 2021) 
depends on communication infrastructures (like cables and servers), which, in turn, depend on both 
energy and the availability and manufacture of ICT apparatus. Any disruptions in CI present threats 
to global flows of information crucial for communication, the economy, decision-making, and the 
delivery of essential services, even more so as cloud-based computing and storage rest on locations 
physically distant from the location of their usage. Much of time-critical information relevant for 
decision-making cannot be stored in libraries, but needs to be up-to-date and be accessible (e.g. 
Jalonen & Huhtinen 2021). These flows of information and accessing it are made possible by CIs. 
This article examines how the security policies of the EU and NATO have evolved in response to the 
landscape of CI threats. The article scrutinises the CI resilience priorities and taskings in key policy 
documents from the early 2000s until 2023. We begin this chapter by introducing some characteristics 
driving the emergence of CI, a special policy focus since the early 2000s. We next investigate the 
policy-setting priorities within the EU and NATO’s adaptation to the evolving CI threat environment. 

Lastly, we examine the potential complementarities as set out in joint EU–NATO declarations. We 
aim to provide a comprehensive picture of how policies have shifted from a focus on protection to 
addressing systemic vulnerabilities and the imperative of countering hybrid threats. 

Critical infrastructure as a distinct type of infrastructure 
 
Not all infrastructure qualifies as critical infrastructure. The determination of criticality is typically 
rooted in risk analysis or national strategic considerations that identify the national critical functions 



or essential services necessary for a country or society to function effectively (e.g. Directive 
2008/114/EC). Concerns over the effects of disruptions in infrastructure or the supply of resources 
are nothing new. Collier and Lakoff (2008) note that the destruction of infrastructure or key industries 
has long been a warfare tactic, and concerns over the gradual degradation of infrastructure (Moteff et 
al. 2003), energy shortages (energy security; also e.g. Cherp & Jewell 2014), and the security of 
supply of necessary resources to industrial production and the functioning of society and the economy 
existed throughout the nineteenth century (e.g. Aaltola et al. 2016; Kananen 2015) and in the case of 
the sustainability of key natural resources, even earlier (Friederich & Symons 2022). However, as the 
understanding of CI has evolved, some defining characteristics of CI have been identified in the 
literature. In part, these features also explain why CI has become a subfield of security policy. 
Wide-scale effects of CI disruption. The fundamental reason for the emergence of critical 
infrastructure as a priority in both supranational and national policy is the potential effects of CI 
failures on the day-to-day functioning of societies, from minor economic losses to increased distrust 
of societal actors, potential loss of life (Agrafiotis et al. 2018; Michalec et al. 2022), and a 
deterioration in the capability of security and defence authorities to respond to co-occurring events. 
Crises may occur in parallel or with cascade effects, and civilian and military actors may find 
themselves embroiled in conflicting tasks simultaneously (Caves et al. 2021). These effects make 
CI a lucrative target for malicious actors (see Aradau, 2023; Dunn Cavelty & Kristensen, 2008; 
Moteff et al., 2003). 
 
The risks related to CI are not caused only by its weakest parts but rather those with the largest 
potential effects of disruption (e.g. Brown et al. 2005; Collier & Lakoff 2008). Critical infrastructure 
may not inherently be as frail as its weakest link, but its risks are tied to components whose failure 
has the greatest potential to harm society. Malicious actions will most likely target these parts (e.g. 
Brown et al. 2005, 2006). Although policy documents and formulations on critical infrastructure often 



include protecting it from non-deliberate, non-malicious events like natural hazards, weather and 
faults (see e.g. Michalec et al. 2023), CI protection often emphasises a security-oriented point of view: 
the protection of critical infrastructure from deliberate malicious actions (see Piètre-Cambacédès & 
Chaudet, 2010). Concern over malicious intent has been accentuated by the fact that the systems 
controlling CIs are increasingly online, making them susceptible to cyberattacks and, thus, a larger 
number of potential malicious actors both inside and outside a country’s geographical boundaries 

and, thus, jurisdiction (Betz & Stevens, 2017; Lipschutz, 2008; Michalec et al., 2023; Stoddart, 2016). 
 
Strong interdependencies exist between CIs (Rinaldi et al. 2001). Critical infrastructure is a strongly 
networked and interconnected system, meaning that a disruption “to a critical infrastructure sector 

can have an impact on the functioning of several sectors, which together can have a serious social, 
economic and thus political impact” (Böröcz 2021, p. 51). These cascading effects increase the risks 

related to the effects of CI disruption (Brown et al. 2006). The nature of the interdependency between 
infrastructures can be physical (real-world linkages between CIs, like power lines or supply chains), 
cyber (information-related), geographic (the closeness and physical overlapping of different CIs in 
relation to each other), or logical (the dependency of an infrastructure on the state of another 
infrastructure; Brown et al. 2006, p. 14–16). These interdependencies are often also cross-border and, 
thus, require collaboration between neighbouring countries (Aula et al. 2020), along with recognising 
the risks associated with global supply chains (Wigell, Mikkola & Juntunen 2021). 
 
The openness of CI (Brown et al. 2006). Critical infrastructure is ubiquitous, consisting of physical 
transportation and information-related lines, pathways and devices located both over and 
underground, on and under the sea, and in the air and space. Such infrastructure cannot be closed off 
from the surrounding environment, both due to its physical scale and the fact that societal actors need 
to access the infrastructure, even more so in the case of information infrastructure and its open access, 



a central feature of democratic societies (Wigell, Mikkola & Juntunen 2021). Unlike fenced and 
highly monitored military infrastructure, CI is “open to surveillance and attack from an enemy that 

could be anywhere.” (Brown et al. 2006, p. 531). For Brown et al. (2006, p. 543), this, along with the 
dispersed nature of CI, makes its protection both hard and costly, as “The defender must protect a 

huge, dispersed target set, while the attacker need only focus on a small set of targets chosen to 
maximise damage.” 
 
CI is owned, operated, and built by state, non-state, and other actors (e.g. Atkins & Lawson 2020; 
Aula et al. 2020; Wigell, Mikkola & Juntunen 2021). For example, supply chains rely on transport 
companies, which, in turn, rely on roads, railways, waterways and airports, often owned and 
maintained by public actors. Furthermore, state leadership, healthcare, and providing both physical 
and social security are dependent on non-state actors, from critical supplies and services such as food 
production to transportation and communication networks and the media. Many of these actors may 
also be multinational, meaning that their ownership and governance structures are not rooted in the 
societies where they operate. Some may even be controlled – or, in the case of ICT infrastructure and 
software, developed and manufactured – by hostile state actors who present a possible threat (see 
Campion 2020; Poutala et al. 2022; Wigell, Mikkola & Juntunen 2021; Wigell, Deschryvere et al. 
2022). The varying modes of ownership present difficulties in setting and enforcing CI policies. In 
addition, public-private or private-private partnerships addressing interdependencies in critical 
infrastructure are not simple to implement, as states must treat private actors impartially, and 
corporations must comply with competition law. Private actors may protest policies that set new 
responsibilities for businesses (Stoddard 2016) or prioritise profit over preparedness and system 
resilience (Ganguly et al. 2018). However, private corporations and the state also share interests, as 
business continuity and societal order are complementary (Atkins & Lawson 2020). 
 



The aims of CI protection between national governments, the EU and NATO differ somewhat. For 
the national government, CI protection is at the heart of its functions of ensuring societal continuity, 
safety, security and sovereignty (e.g. Caves et al. 2021; Dunn Cavelty & Kristensen 2008). The EU, 
as a political-economic union and single market, emphasises the protection of the common single 
market through economic and political stability. For the EU, its interest arises, in part, from the fact 
that CIs located in Member States are interconnected and interdependent, meaning that disruption in 
one Member State is likely to spread to another and, thus, across the whole EU. That situation could 
cause widespread harm in member states and, ultimately, could threaten the EU’s credibility and its 

role as security provider.. As NATO is a political-military alliance, its interests relate to ensuring the 
ability of the civilian infrastructure that facilitates and supports NATO military operations (e.g. 
Jacuch 2017; 2020; Christie & Berzina 2022). Despite the common efforts and harmonising and 
legislative initiatives (especially of the EU) of the multinational organisations involved in CI 
protection, the practicalities remain a national responsibility (Wigell, Mikkola & Juntunen 2021). 
That is a result of the organisations not possessing the means in the form of security authority, 
operative units, or their own critical infrastructure (e.g. Niskanen et al. 2024; Poutala et al. 2022; 
Szymański 2020). 
Nevertheless, CI as a specific entity alongside other types of (non-critical) infrastructure presents CI 
as “the very foundation of society” where “societies are ‘grounded’ in infrastructure; their 

functioning, continuity and survival are made possible by the protection of infrastructure” (Aradau 

2010, 500–501). This materiality (Aradau 2010) or biopolitics (Collier & Lakoff 2015) in the context 
of CI protection and security means that human beings (and the societal order; Lipschutz 2008) are 
kept safe through the protection of critical infrastructure. From this perspective, the political salience 
of the topic is nothing surprising, as CI-related events are seen as presenting a threat to national, 
economic and individual security and, thus, have potentially significant political impacts (see e.g. 
Agrafiotis et al. 2018). 



Critical infrastructure in EU policy frameworks 
 
This section examines key policy documents, legislation, and arrangements emanating from the 
Council of the EU, which have exerted a discernible influence on the development of EU CI 
protection/resilience policy. We approach the development of EU CI policy frameworks by focusing 
on three central turning points: 1) the terrorist attacks and natural hazards in the early-to-mid 2000s, 
2) the development and institutionalisation of EU CI approaches, and last, 3) the paradigm-shifting 
Russian annexation of the Crimea. We deliberately limit our examination on CI on a broader level, 
and thus, leave out some specific but CI-related developments, like the NIS ((EU) 2016/1148) and 
NIS 2 ((EU) 2022/2555) directives. 

A counter-terrorism-induced beginning for CI protection in the EU 
 
The September 11, 2001, terrorist attacks in New York and the train bombing on March 11, 2004, in 
Madrid, followed by the July 2005 London attacks, influenced policy considerations and planning, 
not only resonating on an international scale but also accentuating the escalated risk associated with 
terrorist activities specifically affecting European infrastructure. These acts crystallised the necessity 
of comprehensive policies aimed at securing CI and led to the European Commission taking a keen 
interest in it. The European Security Strategy adopted by the European Council in December 2003 
did not explicitly address CI protection. However, the strategy established principles and set clear 
objectives for advancing the EU’s security interests, and subsequently, the EU incorporated CI 
protection into its security frameworks (see Council of the European Union 2009). 
After the 2004 Madrid attack, the European Council tasked the Commission and the high 
representative to prepare an overall strategy to strengthen the protection of CI. The Commission 
communication of October 22, 2004 (European Commission 2004a) recommended enhancing 



Europe’s capabilities to prevent, prepare for, and respond to terrorist threats against critical 

infrastructure. A European programme for critical infrastructure protection (EPCIP) and setting up 
a critical infrastructure warning information network (CIWIN) were proposed in The EU Solidarity 
Programme on the Consequences of Terrorist Threats and Attacks of December 2004 (European 
Commission 2006; European Commission 2004b). 
A commission green paper on a European programme for CI protection (European Commission 2005) 
stated that CIWIN should aim to protect CI from intentional acts of terrorism, natural calamities, 
negligence, accidents, computer hacking, criminal conduct, and malicious actions. Cyberattacks were 
highlighted as a significant concern, especially from the interdependency perspective: While 
cyberattacks are not expected to cause casualties, they can disrupt vital infrastructure services. The 
document noted that cascade events, like large-scale blackouts, highlight the vulnerability of the 
energy infrastructure (European Commission 2005). The Green Paper defined CIs as entities that 
encompass physical and information technology facilities, networks, services, and assets. These 
elements, if disrupted or destroyed, could significantly affect the well-being, safety, security, or 
economic stability of citizens and the effective functioning of EU governments. The CIs are seen as 
spanning a range of sectors, including banking and finance, transportation, energy, utilities, 
healthcare, food supply, and communications, along with essential government services. Within these 
sectors, critical elements extend beyond traditional infrastructure and encompass networks or the 
supply chains essential for delivering vital products or services (European Commission, 2004b; 
Bullock 2021). 

Interim EU CI protection frameworks start shaping – the EPCIP programme 
 
On December 12, 2006, the Commission presented a proposal for a directive focused on the 
identification and designation of European CI, as well as a common approach to assessing the need 



for enhanced protection (European Commission 2006a). Simultaneously, a communication launched 
EPCIP, documenting a comprehensive blueprint of the Commission’s approach to addressing the 

issue of CI protection within the European Union (European Commission 2006b). 
While the primary focus of the EPCIP programme was to enhance the protection and resilience of 
critical infrastructure against a range of threats, including terrorist attacks, natural hazards, and cyber 
threats, it also recognised the potential risks posed by state actors. The EPCIP proposed a strategy 
centred on prioritising specific CI sectors and identifying the spectrum of threats against which they 
should be protected (European Commission 2006b). Consequently, the programme predominantly 
focuses on conventional risk management methods targeting undesired events within designated CI 
sectors. 
In 2008, an implementation report of the 2003 European Security Strategy was issued (European 
Commission 2009). In addition to examining how the 2003 strategy had worked in practice and what 
should be done to improve its implementation, the report brought up CI, this time within the context 
of cybersecurity. Modern economies were seen to rely on traditional CI (transport, communication, 
energy) but also “the internet” was named. In terms of CI-related topics, the report devoted more lines 
to energy security (European Commission 2009). 

The ECI directive as the First EU CI regulation 
 
The primary legislative initiative within the EU was implemented through the European Critical 
Infrastructure (ECI) Directive (2008/114/EC) ratified in 2008. Its purpose was to strengthen the 
safeguarding of critical infrastructure across the EU. The ECI directive addressed the need for a 
coordinated, standardised, and comprehensive approach to CI protection within the EU, recognising 
the threat environment and challenges facing critical infrastructure and the importance of 
safeguarding these systems for the well-being, security, and stability of EU Member States. 



In line with earlier scoping documents, the threats noted by the directive included terrorist attacks, 
cyberattacks, natural hazards, accidents, and other hazards that could disrupt or damage essential 
systems and assets. What was new, however, was that the ECI directive took steps to ensure a 
consistent and standardised approach to critical infrastructure protection across the EU, providing a 
framework for Member States to identify and designate their CI and assess the need for improved 
protection measures. It also aimed to facilitate cross-border cooperation and information sharing 
among Member States to reflect that CI often extends beyond the borders of individual EU Member 
States. Accordingly, protecting CI requires Member States to collaborate to coordinate efforts. Such 
aims were facilitated by the legal basis of the ECI directive in Article 196 of the Treaty on the 
Functioning of the European Union, one of the constitutional documents of the EU, which outlines a 
basis for disaster prevention, preparedness, and response both on national and cross-border levels 
(Official Journal of the European Union 2012). This basis allowed the EU to encourage cooperation 
among Member States and develop measures to support CI protection.  
However, the ECI directive (2008/114/EC) had some limitations, which led to its being only partially 
implemented. First, there were significant variations in the measures adopted and the terms of its 
provisions. Since the scope of the directive was limited, it did not compel all Member States to 
develop their national arrangements. Second, during the implementation, certain Member States 
encountered challenges with the sectoral approach of the directive, as their national programmes were 
oriented toward systems rather than individual assets, thus making it challenging to account for 
interdependencies between sectors. (Anglmayr 2021.) Consequently, Member States with 
comparatively mature national CI protection programmes did not see any great added value in the 
directive, as they perceived their national level of protection was robust enough. Some Member 
States, such as Finland, only adopted procedural changes to implement the directive without 
legislative action. Those Member States commonly had a relatively high presence of public-private 
partnerships, with a preference for a consultative approach to national CI protection activities. Lastly, 



the directive required the Member States to designate their critical infrastructures in only two sectors, 
energy and transport, and to ensure the development of risk assessments and emergency plans for 
those sectors. (European Commission 2012.) 

Russian illegal annexation of Crimea as a game changer on EU CI policy 
 
The Russian annexation of Crimea in 2014 was a pivotal geopolitical event, preceded by the Russian 
occupation of some eastern regions of Ukraine. The event heightened tensions in the region and 
prompted the EU to re-evaluate its security-related strategies and policies, CI protection included. 
Crimea was strategically important for energy transit and supply, particularly natural gas pipelines. 
The annexation disrupted energy supply routes and highlighted vulnerabilities in critical energy 
infrastructure. Severe cyber attacks against Ukraine targeting critical infrastructure and government 
systems leading up to the annexation directed attention to CI resilience from a cybersecurity point of 
view. Cyber operations offered a level of anonymity and plausible deniability for the attacker, making 
it difficult for the target to attribute the attack to a specific actor or nation. A notable cyber attack on 
Ukraine’s power network took place in December 2015 (Council on Foreign Relations 2015). 

Hackers, widely believed to be associated with Russian state-sponsored groups, launched a 
sophisticated attack that resulted in power outages for several hours in parts of western Ukraine 
(Condliffe 2016). The attackers used malware to gain access to the control systems of energy 
distribution companies, manipulating and disrupting the operation of CI and highlighting the 
vulnerabilities inherent in CI sectors (e.g. Zetter 2016) 
While the cyber attack against Ukraine’s power network occurred, the EU Council was working on 

the first joint framework on countering hybrid threats, which was later published in April 2016 
(European Commission 2016). The framework noted persistent challenges to peace and stability in 
the EU’s eastern and southern regions. It contained a first definition of what is meant by hybrid threats 



in an EU policy document. While stating that definitions vary and there is a need to remain sufficiently 
flexible to respond to their evolving nature, it saw the concept of hybrid threat to include the “mixture 

of coercive and subversive activity, conventional and unconventional methods (i.e. diplomatic, 
military, economic, technological), which can be used in a coordinated manner by state or non-state 
actors to achieve specific objectives while remaining below the threshold of formally declared 
warfare. ”(European Commission 2016, p. 2). The framework document urged the EU to develop 
new ways to respond to hybrid threats, in particular those concerning CI. It also emphasised the 
imperative for the EU to enhance its capabilities as a security provider. It introduced resilience as an 
emerging policy approach, with a heightened emphasis on interconnectedness and supply chain 
security: “To effectively counter hybrid threats, the potential vulnerabilities of key infrastructures and 

supply chains must be addressed.” (European Commission 2016, p. 5). 
 
A Comprehensive Assessment of EU Security Policy (European Commission 2017) noted that due 
to recent attacks, the risk to CIs would probably increase. Consequently, there is an imperative to 
bolster preparation and response capabilities. Within this framework, the assessment pointed to a 
notable drawback of the ECI directive in its scope being restricted to the transport and energy sectors. 
Additionally, the limited authority granted to the Commission and the constrained obligations 
imposed on Member States were noted as challenges. Although the ECI directive was noted to have 
raised awareness and facilitated the exchange of good practices, its overall influence was viewed as 
more constrained than initially anticipated (European Commission 2017). 
 
The regulation on a framework for the screening of foreign direct investments into the Union ((EU) 
2019/452) allowed a Member State or the Commission to assess “foreign direct investments likely to 

affect security or public order” (Article 1) and use its potential effects on critical infrastructure as a 



consideration in the assessment (Article 4). Similarly to the NIS directive, the regulation also involved 
a much broader definition of CI than that of the ECI directive, covering a multitude of sectors. 
 
Foreshadowing the Directive on Critical Entities Resilience (CER), the 2020 Commission 
communication on the EU Security Union Strategy introduced a policy framework for the upcoming 
CER directive proposal, noted the shortcomings of the ECI directive and presented concerns over 
differing CI-related legislative frameworks between the Member States seen to “undermine the 

internal market” and acknowledged the need of the legislative framework to adapt to growing 

interdependencies (European Commission 2020, passim. and p. 6). The 2022 Council 
recommendation on a coordinated approach by the Union to strengthen the resilience of critical 
infrastructure (Official Journal of the European Union 2022) highlighted the need for increased 
coordination at the Union level, particularly in response to evolving threats that may simultaneously 
impact multiple Member States, such as Russia's war of aggression against Ukraine and hybrid 
campaigns targeting individual Member States. These threats have the potential to affect the resilience 
and proper functioning of the Union's economy, internal market, and society as a whole. 
 
The CER directive ((EU) 2022/2557), introduced on December 27, 2022, was set to replace the 
outdated ECI directive. The CER directive changed the EU regulatory approach. Instead of focusing 
on protecting specific infrastructures, the directive introduced a risk-based approach to identify 
'critical entities' that are crucial for 'the maintenance of vital societal functions or economic activities 
in the internal [single] market' (European Commission 2020a, p. 4; Pursiainen & Kytömaa 2022). 
This approach broadened the analysis beyond individual infrastructures and sectors, considering the 
interconnectedness within the EU's single market. Article 2, paragraph 2 of the directive defines 
‘resilience’ as a critical entity’s ability to prevent, protect against, respond to, resist, mitigate, absorb, 
accommodate and recover from an incident. In addition, in comparison with the previous ECI 



directive, it defined CI very broadly as “an asset, a facility, equipment, a network or a system” or 

their parts which are “necessary for the provision of an essential service” (Article 2, paragraph 4).  

Essential services, in turn, are “crucial for the maintenance of vital societal functions, economic 
activities, public health and safety, or the environment” (Article 2, paragraph 5). This broad definition 

is a departure from the strict definitions of CI to cover only certain sectors in the ECI and NIS 
directives, thus, future-proofing the framework for future developments ((EU) 2022/2557).  
 

NATO non-military adaptation and references to CI policies 
 
Publicly available documentation from NATO is more restricted in comparison to the EU. In this 
section, the examination is based on organisational change analyses, publicly available strategic 
concepts and NATO summit documents. We approach NATO’s adaptation to changes in its strategic 
environment and the arrival of CI as a concern through three phases: 1) adaptation to nuclear war and 
the establishment of the Senior Civil Emergency Planning Committee (SCEPC), 2) the post-cold-war 
focus on civil emergency planning in the 1990s, and 3) the return to deterrence as a main focus in the 
aftermath of the Russian illegal annexation of Crimea. In this context, NATO’s responsiveness to 

changing security dynamics is crucial. While its original mandate focused on collective defence, its 
adaptation to emerging challenges is not only limited to military threats but is supported by the 
founding treaty’s formulations. 

Adaptation to nuclear war and establishment of the SCEPC 
 
The period from the establishment of NATO in 1949 until the end of the Cold War in the 1990s was 
largely shaped by the organisation’s military strategies and the imperatives of nuclear deterrence. 

During this time, NATO’s primary objective was to deter the expansionist ambitions of the Soviet 



Union. Notably, NATO was formally created a mere four months before the Soviet Union 
successfully conducted its first nuclear weapon test, marking the start of NATO’s nuclear deterrence 

posture and whole-of-government preparations for surviving a possible nuclear war between NATO 
and the Soviet Union. Thus, the policy development of the non-military domain within NATO was 
largely shaped by the organisation’s imperative of nuclear deterrence, where the escalation process 

to the use of a strategic nuclear arsenal was followed as necessary until the Soviet Union ceased its 
aggression. (Binnendijk & Gompert 2019.) Accordingly, non-military planning efforts within NATO 
had to consider the continuity of government and the delivery of essential services to civilian 
populations in the shadow of nuclear war. The focus was on ensuring the survival of people, 
institutions, and the economy in the face of a catastrophic conflict. 
 
For these purposes, NATO established the SCEPC in 1951. This committee was tasked with the 
utilisation of civilian assets within the alliance to support military operations and developing policies 
for the continuity of government and protection of civilian populations in the Member States. The 
SCEPC served as an advisory body to the North Atlantic Council, NATO’s highest decision-making 
authority. Several bodies responsible for various critical aspects were established under SCEPC. 
These included, for example, planning boards focused on transport, supply, communications, and the 
protection of civilian populations. As the planning assumption was a nuclear war scenario, civil 
emergency planning was largely occupied with the preparation of plans for the international civil 
wartime agencies – their functions, powers, staffing, location, and other organisational and 
administrative questions. (van Heuven, 1970.) NATO civil emergency planning encompassed 
resource availability, the determination of requirements, and the strategic application of resources 
during periods of tension, crisis, or war. In essence, the overarching goal of civil emergency planning 
is to achieve the optimal distribution and utilisation of critical resources in diverse contingency 
situations (van Heuven 1970).  In summary, concerns over infrastructure and its ability to support the 



movement of NATO troops and to ensure the functioning of the non-military society have existed 
since the 1950s (Jacuch, 2019). 
 

Cooperative security, expansion of non-military policies and the appearance of CI 
 
The second phase of adaptation introduced Civil Emergency Planning (CEP) as a principal forum for 
broad cooperation with countries across the Euro-Atlantic region. Throughout the 1990s, NATO 
underwent a profound transformation, evolving from an organisation primarily focused on collective 
deterrence and defence to one that formally declared its tasks included crisis management and 
cooperative security. This transformation was first articulated in the 1991 strategic concept (NATO 
1991) and updated in the 2010 version (NATO 2010a), reflecting the evolving security landscape. 
The disintegration of the Soviet Union and the dissolution of the Warsaw Pact marked a turning point 
in the history of NATO and impacted the non-military planning domain. The cold war preparedness 
architecture, developed to deter the Soviet Union and to protect the alliance, came to an end. 
Deterrence of the Soviet Union had been the central raison d'être of NATO throughout the Cold War 
era (Wywiał 2022). 
The NATO strategic concepts from the 1990s introduced a comprehensive approach to security, 
shifting the emphasis from purely military means to include political, economic, social, and 
environmental elements. The move especially in 1999 strategic concept (NATO 1999) marked a 
recognition that security and stability encompass a broader spectrum of factors beyond traditional 
defence, reflecting the evolving nature of security challenges in the post-Cold War era. This 
transformation had notable implications for non-military preparedness planning.  
The mission for NATO’s non-military preparedness planning was also redefined to encompass the 
CEP domain. That change redirected its attention to planning the protection of civilian populations, 



support for crisis response operations (including peace support, humanitarian aid, and disaster 
response), and communicating policy advice in domains like civil protection, civil communications, 
industrial planning, food and agriculture, medical services, and transportation. While CI protection 
was not explicitly listed as a distinct area, it was implicitly addressed within the purview of 
communications, energy, and industrial planning domains. (Ponsard 2007.) 
 
The evolution of NATO’s stance on CI is best traced through various summit declarations (Table 1). 

A NATO summit serves as a periodic gathering for Heads of State and Government from NATO 
member countries to assess and guide Alliance activities. NATO summits are crucial moments in 
high-level decision-making, where new policies are introduced, potential members are invited and 
major initiatives are launched.. The term CI was not commonly used in NATO public policy 
documents in the early 2000s. One of the first mentions of CI in NATO documents, though not 
explicitly mentioned, occurs in the Riga 2006 summit declaration, which notes that alliance security 
interests can also be affected by the disruption of the flow of vital resources, where the materialisation 
of risks in energy infrastructures and the global energy system could affect NATO members (NATO 
2006). The summary of the early 2000s communiqués (see Table 1) indicates the primary concern 
was energy infrastructure security within the alliance. 
 
Table 1. Topics related to critical infrastructure in NATO summit communiqués and declarations 
from the pre-Russian invasion of Crimea in Ukraine, and potential explicit references or applications 
of the term "critical infrastructure" 
 
 
Summit and year Description of CI-related notions  Explicit mention of CI 



Riga, 2006 (NATO 2006) ● Discusses the importance of resources, such as energy, and their supply, along with energy infrastructure. 
No 

Bucharest, 2008 (NATO 2008) ● Discusses infrastructure in the broadest sense and primarily refers to the general capabilities, 
structures, and resources required for NATO’s operations and missions. Mentions critical energy infrastructure. 

Yes 

Strasbourg/Kehl, 2009 (NATO 2009) ● The importance of strengthening communication and information systems against cyber attacks, which are related to critical infrastructures and their resilience. 

No 

Lisbon, 2010 (NATO 2010b) ● Underlines the importance of energy security, environmental concerns, and resource constraints. No 
Chicago, 2012 (NATO 2012) ● Mentions CI protection in the context of energy 

security. The declaration underlines NATO’s commitment to ensuring a stable and reliable energy supply, diversification of energy routes and sources, and the interconnectivity of energy networks.  

Yes 

 
 

Back to deterrence and reformulation of non-military policies 
 
The Russian occupation and annexation of Crimea and other operations in Ukraine in February and 
March 2014 served as a wake-up call for the NATO Member States and EU development alike. 
Cooperative security was gradually relegated to the background, with a heightened prioritisation of 
defence and deterrence policies (Fix & Keil 2022). The events surrounding the Russian invasion of 
Ukraine in 2014 underscored the vulnerabilities of essential systems and services, prompting NATO 
to explicitly recognise the importance of safeguarding critical infrastructure. Consequently, post-2014 
NATO summit documents began incorporating critical infrastructure as a distinct element in 
addressing the evolving landscape of hybrid warfare, reflecting a more comprehensive understanding 
of security challenges. 



 
At the Wales Summit in September 2014, all NATO Member States condemned Russia’s actions. 

They also agreed to support the EU’s economic sanctions against the Russian government, committed 

to enhancing NATO’s readiness and responsiveness significantly and pledged to reverse the trend of 
declining defence budgets. A paragraph on countering hybrid activities was introduced with 
mentioning of the strategic partnership with the EU, which was stated to be “a unique and essential 

partner for NATO” (para. 121) and acknowledged to share common values and strategic interests 
(NATO 2014). 
 
Following the 2016 Warsaw summit, NATO shifted its focus further towards resilience, defined 
through non-military preparedness using Article 3 of the founding treaty (NATO 1949) as the 
“individual and collective capacity to resist any form of armed attack” (NATO 2016a) or other 
significant disruptions to a society (NATO 2018a). NATO introduced the seven baseline 
requirements of resilience, highlighting the importance of ensuring the functioning of the non-
military parts of society and civil support to the military in peacetime, conflict and war: continuity of 
government, logistics, communications – essentially, civilian infrastructure – and their support for 
military forces (see NATO, 2018a). A hybrid warfare deterrence message was introduced, too, as 
hybrid threats were stated to be possible causes for the activation of Article 5 addressing common 
defence. The Brussels summit in 2018 (NATO 2018b) emphasised NATO’s commitment to adapt to 

a changing security environment, while the 2021 Brussels summit (NATO 2021) broadened CI-
related concerns from energy security to information networks and next-generation 5G 
communication technology and introduced climate change as a threat to CIs and recognised the EU 
as a partner with shared interests in terms of CI, too. In addition, the cyber threat posed by the Russian 
state and non-state actors was noted. The Madrid summit in June 2022 (NATO 2022a) expanded the 
scope of critical infrastructure-related aspects. Subsequently, the Vilnius 2023 summit (NATO 2023), 



following the sabotage of the Nord Stream gas pipeline, solidified critical infrastructure resilience 
and disruptive technologies as key focus areas for the alliance in the upcoming years. The CI-related 
notions in these documents since 2014 have been summarised in Table 2. 
 
Table 2. Themes related to CI in NATO summit communiqués and declarations, and possible explicit 
mentions or uses of the term "critical infrastructure" after the illegal annexation of Crimea by Russia 
in Ukraine. 
  
Summit and year Description of CI-related notions  Explicit mention of CI? 
Wales, 2014 (NATO 2014) 

● Introduction of NATO Enhanced Cyber Defence Policy. 
● Discusses CI-related concepts and considerations within the broader context of security, energy, and environmental challenges. These elements reflect the need for robust and adaptable infrastructure to 

support NATO’s mission and objectives.  

No 

Warsaw, 2016 (NATO 2016a) 

● Definition of resilience through Article 3 of the North Atlantic Treaty. 
● Introduction of the seven baseline requirements of resilience, which include CI-related requirements. 
● CI noted especially in the context of energy security and enhancement of resilience against energy supply disruptions and cyber threats. 
● Deterrence clause – cyber attacks – also under Article 5. 

Yes 

Brussels, 2018 (NATO 2018b) 

● Recognised the need for continued NATO efforts to develop support for national authorities in CI protection  Yes 

Brussels, 2021 (NATO 2021) 

● Noted energy security, information networks and new 5G network technologies as CI. Noted Russian hybrid actions in information, cyber and political environments. Noted threats to CIs by state and non-state actors from inside the Russian borders by means of cyber attacks. 
● Discussed direct and indirect (i.e. strategic) effects of climate change on CI. 

Yes 



● The EU as a like-minded partner with shared interests in, e.g. CI protection, resilience and technological development. Concerns over the supply of energy to military operations. 
Madrid, 2022, Declaration (NATO 2022a) and new Strategic Concept (NATO 2022b) 

● Introduction of 2022 Strategic Concept, which included CI-related concerns in hybrid and cyber threats, terrorism, Russian actions, and 
concerns over China’s growing ambitions in technology, supply chain and infrastructure control. 

● Noted Article 3 of joint and individual preparedness against “all 

forms of attack”, which also received a special mention in relation to CI protection, aspects of security of supply, continuity of government and civil-military support. 

Yes, in the Strategic Concept 

Vilnius, 2023 (NATO 2023a) 

● Noted the hybrid and cyber threats to Allied institutions and 
infrastructure and China’s influence on technologies, supply chains and critical infrastructure. 

● A statement in response to the deliberate September 2022 Nord Stream gas pipeline explosions, announcing the establishment of the NATO Maritime Centre for the Security of Critical Undersea Infrastructure and repeated the deterrence clause on NATO protection of the allies’ critical infrastructure to cover undersea infrastructure.  

Yes 

 

Emerging NATO – EU Cooperation in Critical Infrastructure Protection and Resilience 
 
Again, in terms of the EU–NATO partnership, the Russian attack on Ukraine and the illegal 
annexation of Crimea can be seen as the event promoting the development of joint declarations and 
strategies in the areas of situational awareness, cyber security, crisis prevention and response, and 
strategic communication. Although the complementary work agenda of the EU and NATO, along 
with their shared values and interests, have been recognised since the 1999 Strategic Concept and the 
European integration process was welcomed by the NATO 1991 Strategic Concept, the first EU–

NATO Joint Declaration was not announced as late as in 2016. 
 



Both the first EU–NATO joint declaration (NATO 2016b) and the EU Global Strategy (European 
Union 2016) emphasised the importance of strengthening EU–NATO cooperation to counter hybrid 
threats, address cybersecurity challenges, and promote resilience. The NATO Warsaw Summit 
declaration (NATO 2016a) in the same year further solidified this commitment by reaffirming 
NATO’s dedication to EU–NATO collaboration, particularly in tackling security challenges 
emanating from both the east and south. While NATO remained primarily focused on collective 
defence and deterrence, the EU was acknowledged for having more powerful tools to implement 
measures that fall short of invoking Article 5, including sanctions and legally binding resilience 
measures for member nations. However, the joint declaration did not expressly mention critical 
infrastructure protection, albeit it included a paragraph on enhancing resilience and an agreement to 
exchange analyses of potential hybrid threats. The declaration aimed to raise awareness among EU 
Member States and NATO allies of the need to build resilience in societies and critical services. Both 
organisations committed to enhancing cross-briefings on resilience and aligning planning criteria and 
guidelines. 
The 2018 Brussels joint declaration (NATO 2018c) highlighted the intensified cooperation between 
the two organisations, stating “our cooperation has developed substantially and is now unprecedented 

in its quality, scope, and vigor”. The text underscored the significance of resilience in confronting 
evolving security challenges, emphasising the imperative for collaborative efforts and cooperation 
between the EU and NATO to further develop their capabilities and responses. The text mentions 
resilience in several instances, highlighting the commitment of both organisations to enhance 
resilience. The declaration’s language is deterrent in tone, as it states the organisational priorities are 

to improve the ability to respond to hybrid threats, improve preparedness for crises, exchange timely 
information, including on cyberattacks, confront disinformation, build the resilience of members and 
partners, and testing procedures through parallel and coordinated exercises. It does not explicitly refer 
to critical infrastructures, but it reiterates organisational readiness for hybrid threats. 



In January 2022, EU and NATO staff initiated a structured dialogue on resilience, which was to focus 
on the synergies and complementarity between the EU legislative initiative, the EU CER Directive, 
and NATO’s baseline requirements for national resilience. Later, in 2022, the imperative for urgent 

enhancements in critical infrastructure resilience was underscored by the Nord Stream sabotage in 
September 2022, serving as a catalyst for heightened focus on vulnerable cross-border infrastructures. 
(E.g. EU-NATO 2023.) 
The third EU–NATO declaration issued on January 3, 2023, articulated a collective vision for 
coordinated action by the EU and NATO in response to shared security threats (NATO 2023b). This 
vision was shaped by the ongoing Russian war in Ukraine, characterised as an unprecedented 
challenge to Euro-Atlantic security and recognised as the most severe threat in decades. In addition, 
a cross-reference of the significance of the war in the organisations’ documents was noted: “As 

underlined by both the NATO Strategic Concept and the EU Strategic Compass, this is a key juncture 
for Euro-Atlantic security and stability, more than ever demonstrating the importance of the 
transatlantic bond, calling for closer EU-NATO cooperation”. 
The declaration (NATO 2023b) reinforced both organisations’ commitment to expanding and 

deepening their collaboration in several critical areas, one of which was critical infrastructure 
protection. The 2023 declaration addressed the challenges posed by the growing geostrategic 
competition and further resilience-building measures. The collaborative efforts outlined in the 
declaration extend to navigating the complexities of emerging and disruptive technologies and 
ensuring a joint approach in several areas, for example, in the space domain. The declaration also 
presented a united stance against foreign information manipulation and interference, underscoring the 
shared commitment to safeguarding the integrity of information spaces. In essence, this shared vision 
outlines a strategic roadmap for the EU and NATO to navigate contemporary security threats through 
strengthened and diversified cooperation. The exchange and cooperation between NATO and EU 



staff had already been intensified in the previous year, a shift that addressed specific resilience-related 
issues stemming from Russia’s war of aggression against Ukraine. 

Analysis 
 
EU Policy documents with CI relevance from 2000 to 2010 can be described as responses to incidents 
that had an impact on the continuity of critical services, mainly terrorist attacks. Therefore, the focus 
was on preventive aspects but also highlighted the need for cross-border and cross-sectoral 
cooperation, along with joint mitigation measures. Although the EU had programmes on CI since at 
least 2004, the first specific EU directive (ECI) placing some requirements on the Member States in 
the fields of energy and transportation was only ratified in 2008. From the 2010s, the focus shifted to 
shaping a wider context of preparedness and resilience, which in turn influenced CI legislative 
updates. During this period, the emphasis shifted towards a holistic approach to enhance overall 
resilience in the face of emerging challenges. This period witnessed the introduction of legislation 
and risk assessment protocols, fostering collaborative endeavours across sectors and cooperation 
among Member States. The CER Directive replaced the dated and constricted ECI directive in 2022. 
The significant impact of Russia's invasion of Ukraine on the EU's political decision-making 
processes became evident. Subsequent to the Council's recommendation following the sabotage of 
the Nord Stream gas pipeline in September 2022, Member States were urged to accelerate the 
adoption of the new legal framework CER and to welcome the EU’s stronger involvement in the 

protection of critical infrastructure (Kari 2023).  
 
NATO’s main focus until the end of the Cold War was deterrence and preparation for a possible 

nuclear confrontation, which, as a strategic approach, required safeguarding the non-military parts of 
society from the potential impacts of a full-scale nuclear war. Accordingly, NATO had devised 
approaches ensuring the functioning of state leadership, the protection of civilians, and civil support 



to the military. However, the end of the Cold War led the alliance to develop new approaches for a 
broader security perspective. Since the 1990s, NATO has broadened its focus from a purely military 
alliance towards cooperative security, along with programmes in disaster response and peacebuilding. 
However, although CI-related concerns were discussed in NATO summit communiqués in the early 
2000s, CI as a term appeared rather late and in the context of cyber and energy security. 
 
The hostile and clandestine activities of Russia fostered a heightened emphasis on state-based threats 
to critical infrastructure and was a paradigm-shift event in both the EU and NATO, signified by the 
appearance of resilience as a broader concept and framework that also included CI. The ensuing 
paradigm shift necessitated heightened concentration on continuity aspects and accentuating the 
significance of addressing those threats in the context of resilience (Pursiainen & Gattinesi 2014). In 
the EU, malign state-based activities emerged as the new policy driver that ultimately led to the 
refinement of the EU’s CI policies. Safeguarding infrastructures, such as energy supply chains and 

transportation, is crucial due to the potential for unconventional attacks via hybrid threats on 
vulnerable targets, leading to substantial economic or societal disruption. The EU policy documents 
highlighted the urgency of developing efforts to enhance the resilience of CI, especially in the realm 
of transportation, encompassing significant hubs like the EU’s main airports and merchant ports. The 

Commission was tasked with evaluating the potential development of common tools, including 
indicators, to bolster the resilience of CI to hybrid threats across all pertinent sectors (European 
Commission 2016).  
 
We summarise the development of EU and NATO CI-related policies in Figure 1, presented against 
some notable CI-related events. 
 



 
Figure 1. A timeline of the development of EU and NATO paradigms and policies on CI protection 
between 2000 and 2020, along with key events with policy implications 

Conclusions 
 This chapter has analysed the EU and NATO approaches to CI protection based on central EU policies 
and regulations, along with public NATO policy documents, strategic concepts and summit 
communiqués. From today’s perspective, a notable characteristic of both EU and NATO approaches 
to CI protection is their reactiveness. In the 1990s and early 2000s, terrorist attacks, natural hazards 
and the rise of the cyber domain as an attack vector instilled the importance of CI for the functioning 
of society. Arguably, this is the case with CI policies overall: concerns over the effects of its 
disruption arose as threats materialised and awareness of its criticality arose. Professor Dorothy E. 
Denning’s (2000) statement to the US Congress on cyberterrorism and CI seems to describe the 



contemporary stance of the beginning of the millennium quite well: “the threat of cyberterrorism has 

been mainly theoretical, but it is something to watch and take reasonable precautions against”. 

Consequently, from the early 2000s to the beginning of the 2010s, the scope of CI protection policies 
remained limited in the EU and NATO. The 2008 ECI directive only covered the transportation and 
energy sectors. The first specific references to CI in NATO summit communiqués are found in those 
of the 2014 Wales summit, though energy-related concerns had been expressed previously. However, 
Russia's hostilities towards Ukraine triggered the development of CI-related policies in both 
organisations. This, in turn, resulted in the issuance of the EU–NATO Joint Declarations in 2016, 
2018, and 2023, wherein the common interests, values, and threats shared by the two groups were 
acknowledged. 
Can we move beyond the reactive nature of CI policies and transition towards more strategic 
frameworks for CI protection and resilience building? As Driedger (2022, p. 147) notes, “Policy 

driven by inertia [e.g. path dependencies] and reactiveness is bound to lack foresight and planning.” 

Encouragingly, recent updates such as the CER directive contribute to this shift, as the legislative act 
now refers to critical entities instead of specific infrastructures. This change enables the directive to 
be applicable to a broader set of current and future CIs. Furthermore, acknowledging the potential 
future natural hazards associated with climate change, such as extreme weather events, rising sea 
levels, and temperature extremes has a well-established history in climate science, and this seems to 
trickle down to CI policies. As climate-related challenges increasingly impact CI, there is a growing 
recognition that these vulnerabilities provide strategic opportunities for exploitation by state 
adversaries. This necessitates a comprehensive and adaptive policy approach to mitigate risks, 
enhance resilience, and safeguard critical systems in the face of evolving environmental and 
geopolitical dynamics. 
Nevertheless, a reactive stance persists. Developments in the policy documents point towards 
growing concerns and recognition of technologies, networks, ICT apparatus, and crucial components 



for manufacturing ICT apparatus as potential CI related threats. Exploiting vulnerabilities in the ICT 
supply chain, which is a intricate, globally interconnected ecosystem covering the entire life cycle of 
ICT hardware, software, and managed services involving various entities such as third-party vendors, 
suppliers, service providers, and contractors, can lead to consequences that impact all users of that 
particular technology or service (CISA 2023). ICT supply chain vulnerabilities emerged as a 
prominent topic initially during major trade disputes between the USA and China and the two 
superpowers’ own chip-related programmes. Subsequently, they were further underscored by supply 
chain disruptions during the COVID-19 pandemic. In Europe, the EU introduced the EU Chips Act. 
(Donnelly 2023.) In the act, it was noted how there are some “key products and critical infrastructures 

in the internal market that are depending on the supply of semiconductors” ((EU) 2023/1781). The 

Nord Stream sabotage, again, brought undersea CI to the agenda, inducing a response from both the 
EU and NATO (e.g. EU–NATO Task Force… 2023). 
The nature of CIs as open, interdependent entities whose disruption may have significant 
consequences on the society’s functions and which are owned and controlled by various actors was 
theoreticized already in the beginning of 2000s, and these fundamentals have not changed. While the 
foundational principles endure, the evolving nature of threats and recent sabotage incidents against 
EU and NATO CI, have prompted the organisations to adjust their CI-related policies, aiming to 
ensure enhanced resilience and security. 

References 
Aaltola, Mika, Fjäder, Christian, Innola, Eeva, Käpylä, Juha, & Mikkola, Harri (2016). 

Huoltovarmuus muutoksessa. Kansallisen varautumisen haasteet kansainvälisessä 
toimintaympäristössä. FIIA Report 49. Finnish Institute of International Affairs. 
https://www.fiia.fi/en/publication/huoltovarmuus-muutoksessa  

https://www.fiia.fi/en/publication/huoltovarmuus-muutoksessa


Agrafiotis, Ioannis, Nurse, Jason R. C., Goldsmith, Michael, Creese, Sadie, & Upton, David (2018). 
A taxonomy of cyber-harms: Defining the impacts of cyber-attacks and understanding how 
they propagate. Journal of Cybersecurity, 4(1), tyy006. https://doi.org/10.1093/cybsec/tyy006 

Alcaraz, Cristina & Zeadally, Sherali (2015). Critical infrastructure protection: Requirements and 
challenges for the 21st century. International Journal of Critical Infrastructure Protection, 8, 
53–66. https://doi.org/10.1016/j.ijcip.2014.12.002 

Anglmayr, Imgard (2021). European critical infrastructure. Revision of Directive 2008/114/EC. PE 
662.604 – February 2021. European Parliamentary Research Service. 
https://www.europarl.europa.eu/RegData/etudes/BRIE/2021/662604/EPRS_BRI(2021)6626
04_EN.pdf 

Aradau, Claudia (2010). Security that matters: Critical infrastructure and objects of protection. 
Security Dialogue, 41(5), 491–514. https://doi.org/10.1177/0967010610382687 

Aradau, Claudia (2023). Infrastructure. In Mark B. Salter, Can E. Mutlu & Philippe M. Frowd (Eds.). 
Research Methods in Critical Security Studies: An Introduction (2nd Ed). 
https://doi.org/10.4324/9781003108016-42  

Atkins, Sean & Lawson, Chappell (2021). An improvised patchwork: success and failure in 
cybersecurity policy for critical infrastructure. Public Administration Review, 81(5), 847–861. 
https://doi.org/10.1111/puar.13322 

Aula, Ilari, Amundsen, Rannveig, Buvarp, Paul, Harrami, Omar, Lindgren, Johan, Sahlén, Viktoria, 
Wedebrand, Christoffer (2020). Critical Nordic Flows. Collaboration between Finland, 
Norway and Sweden on Security of Supply and Critical Infrastructure Protection. National 
Emergency Supply Agency. 

https://doi.org/10.1093/cybsec/tyy006
https://doi.org/10.1016/j.ijcip.2014.12.002
https://www.europarl.europa.eu/RegData/etudes/BRIE/2021/662604/EPRS_BRI(2021)662604_EN.pdf
https://www.europarl.europa.eu/RegData/etudes/BRIE/2021/662604/EPRS_BRI(2021)662604_EN.pdf
https://doi.org/10.1177/0967010610382687
https://doi.org/10.4324/9781003108016-42
https://doi.org/10.1111/puar.13322


https://www.huoltovarmuuskeskus.fi/files/8c21565b6c4e2f8b05f62b7d5967fa24cc0e932a/c
ritical-nordic-flows.pdf 

Betz, David J. & Stevens, Tim (2017). Cyberspace and the State. Toward a Strategy for Cyber-Power. 
Routledge.  

Binnendijk, Hand, & Gompert, David (2019). Decisive response: a new nuclear strategy for NATO. 
Survival, 61(5), 113–128. https://doi.org/10.1080/00396338.2019.1662119 

Brown, Gerald G., Carlyle, W. Matthew, Salmerón, Javier, & Wood, Kevin (2005). Analyzing the 
vulnerability of critical infrastructure to attack and planning defenses. In INFORMS Tutorials 
in Operations Research, (pp. 102-123). Informs. 

Brown, Gerald, Carlyle, Matthew, Salmerón, Javier, & Wood, Kevin (2006). Defending critical 
infrastructure. Interfaces, 36(6), 530–544. https://doi.org/10.1287/inte.1060.0252 

Böröcz, Miklós (2021). Critical infrastructure protection policy in the EU. Strategic Impact, 3/2021. 
https://doi.org/10.53477/1841-5784-21-15 

Cabinet Office (2010). Strategic Framework and Policy Statement on Improving the Resilience of 
Critical Infrastructure to Disruption from Natural Hazards. March 2010.  UK Cabinet Office. 
https://www.gov.uk/government/publications/strategic-framework-and-policy-statement-on-
improving-the-resilience-of-critical-infrastructure-to-disruption-from-natural-hazards  

Campion, Andrew Stephen (2020). From CNOOC to Huawei: Securitization, the China threat, and 
critical infrastructure. Asian Journal of Political Science, 28(1), 47-66. 
https://doi.org/10.1080/02185377.2020.1741416 

Caves, Ben, Lucas, Rebecca, Dewaele, Livia, Muravska, Julia, Wragg, Chris, Spence, tom, 
Hernandez, Zufik, Knack, Anna, & Black, James (2021). Enhancing Defence's Contribution 

https://www.huoltovarmuuskeskus.fi/files/8c21565b6c4e2f8b05f62b7d5967fa24cc0e932a/critical-nordic-flows.pdf
https://www.huoltovarmuuskeskus.fi/files/8c21565b6c4e2f8b05f62b7d5967fa24cc0e932a/critical-nordic-flows.pdf
https://doi.org/10.1080/00396338.2019.1662119
https://doi.org/10.1287/inte.1060.0252
https://doi.org/10.53477/1841-5784-21-15
https://www.gov.uk/government/publications/strategic-framework-and-policy-statement-on-improving-the-resilience-of-critical-infrastructure-to-disruption-from-natural-hazards
https://www.gov.uk/government/publications/strategic-framework-and-policy-statement-on-improving-the-resilience-of-critical-infrastructure-to-disruption-from-natural-hazards
https://doi.org/10.1080/02185377.2020.1741416


to Societal Resilience in the UK: Lessons from International Approaches. RAND 
Corporation. https://doi.org/10.7249/RRA1113-1 

Cherp, Aleh & Jewell, Jessica (2014). The concept of energy security: Beyond the four As. Energy 
policy, 75, 415–421. https://doi.org/10.1016/j.enpol.2014.09.005 

Christie, Edward H. & Berzina, Kristine (2022). NATO and Societal Resilience: All Hands on Deck 
in an Age of War. Policy Brief, July 2022. German Marshall Fund of the United States. 
https://www.gmfus.org/sites/default/files/2022-
07/NATO%20and%20Societal%20Resilience%20All%20Hands%20on%20Deck%20in%20
an%20Age%20of%20War.pdf 

CISA (2020). Information and Communications Technology Supply Chain Security. Cybersecurity & 
Infrastructure Security Agency. Retrieved from https://www.cisa.gov/topics/information-
communications-technology-supply-chain-security on February 2nd, 2024. 

Collier, Stephen J. & Lakoff, Andrew (2008). The Vulnerability of Vital Systems: How “Critical 

Infrastructure” Became a Security Problem. In Myriam Dunn & Kristian Soby Kristensen 

(Eds.). The Politics of Securing the Homeland: Critical Infrastructure, Risk and 
Securitisation, (pp. 17–39). Routledge.  

 Collier, Stephen J., & Lakoff, Andrew (2015). Vital systems security: Reflexive biopolitics and the 
government of emergency. Theory, Culture & Society, 32(2), 19–51. 
https://doi.org/10.1177/0263276413510050 

Condliffe, Jamie (2016, December 22). Ukraine’s Power Grid Gets Hacked Again, a Worrying Sign 

for Infrastructure Attacks. MIT Technology Review. Retrieved from 
https://www.technologyreview.com/2016/12/22/5969/ukraines-power-grid-gets-hacked-
again-a-worrying-sign-for-infrastructure-attacks/ on February 1st, 2024. 

https://doi.org/10.7249/RRA1113-1
https://doi.org/10.1016/j.enpol.2014.09.005
https://www.gmfus.org/sites/default/files/2022-07/NATO%20and%20Societal%20Resilience%20All%20Hands%20on%20Deck%20in%20an%20Age%20of%20War.pdf
https://www.gmfus.org/sites/default/files/2022-07/NATO%20and%20Societal%20Resilience%20All%20Hands%20on%20Deck%20in%20an%20Age%20of%20War.pdf
https://www.gmfus.org/sites/default/files/2022-07/NATO%20and%20Societal%20Resilience%20All%20Hands%20on%20Deck%20in%20an%20Age%20of%20War.pdf
https://www.cisa.gov/topics/information-communications-technology-supply-chain-security
https://www.cisa.gov/topics/information-communications-technology-supply-chain-security
https://doi.org/10.1177/0263276413510050
https://www.technologyreview.com/2016/12/22/5969/ukraines-power-grid-gets-hacked-again-a-worrying-sign-for-infrastructure-attacks/
https://www.technologyreview.com/2016/12/22/5969/ukraines-power-grid-gets-hacked-again-a-worrying-sign-for-infrastructure-attacks/


Council of the European Union (2009). European Security Strategy: A Secure Europe in a Better 
World. European Communities. https://doi.org/10.2860/1402 

Council on Foreign Relations (2015). Compromise of a power grid in eastern Ukraine. Retrieved 
from https://www.cfr.org/cyber-operations/compromise-power-grid-eastern-ukraine on 
February 1st, 2024. 

Denning, Dorothy E. (2000). Statement of Dorothy E. Denning on Terrorist Threats to the United 
States. May 23, 2000. Retrieved from https://irp.fas.org/congress/2000_hr/00-05-
23denning.htm on February 2nd, 2024. 

Directive 2008/114/EC. Council Directive (2008/114/EC) on the identification and designation of 
European critical infrastructures and the assessment of the need to improve their protection 
(Text with EEA relevance). 

Directive (EU) 2016/1148. Directive (EU) 2016/1148 of the European Parliament and of the Council 
of 6 July 2016 concerning measures for a high common level of security of network and 
information systems across the Union. 

Directive (EU) 2022/2555. Directive (EU) 2022/2555 of the European Parliament and of the Council 
of 14 December 2022 on measures for a high common level of cybersecurity across the Union, 
amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing 
Directive (EU) 2016/1148 (NIS 2 Directive) (Text with EEA relevance). 

Directive (EU) 2022/2557. Directive (EU) 2022/2557 of the European Parliament and of the Council 
of 14 December 2022 on the resilience of critical entities and repealing Council Directive 
2008/114/EC (Text with EEA relevance). 

https://doi.org/10.2860/1402
https://www.cfr.org/cyber-operations/compromise-power-grid-eastern-ukraine
https://irp.fas.org/congress/2000_hr/00-05-23denning.htm
https://irp.fas.org/congress/2000_hr/00-05-23denning.htm


Dridger, Jonas J. (2022). Inertia and Reactiveness in Germany’s Russia Policy. From the 2021 Federal 

Election to the Invasion of Ukraine in 2022. German Politics and Society, 136(40), 135–151. 
https://doi.org/10.3167/gps.2022.400407 

Donnelly, Shawn (2023). Semiconductor and ICT Industrial Policy in the US and EU: Geopolitical 
Threat Responses. Politics and Governance, 11(4), 129–139. 
https://doi.org/10.17645/pag.v11i4.7031 

Dunn Cavelty, Myriam, & Kristensen, Kristian Soby (2008). Introduction: Securing the homeland: 
Critical infrastructure, risk, and (in) security. In Myriam Dunn Cavelty & Kristian Soby 
Kristensen (Eds.). Securing 'the Homeland' Critical Infrastructure, Risk and (In)Security, (pp. 
1-14). Routledge.  

EU–NATO (2023). Eighth progress report on the implementation of the common set of proposals 
endorsed by EU and NATO Councils on 6 December 2016 and 5 December 2017. 
https://www.consilium.europa.eu/media/65080/230616-progress-report-nr8-eu-nato.pdf 

EU–NATO Task Force on the Resilience of Critical Infrastructure (2023). Final assessment report. 
June 2023. https://www.nato.int/nato_static_fl2014/assets/pdf/2023/6/pdf/EU-
NATO_Final_Assessment_Report_Digital.pdf 

European Commission (2004a). Communication from the Commission to the Council and the 
European Parliament - Prevention, preparedness and response to terrorist attacks. 
COM/2004/0698 final. 

European Commission (2004b). Communication from the Commission to the Council and the 
European Parliament: Critical Infrastructure Protection in the fight against terrorism. 
COM(2004) 702 final. 

https://doi.org/10.3167/gps.2022.400407
https://doi.org/10.17645/pag.v11i4.7031
https://www.consilium.europa.eu/media/65080/230616-progress-report-nr8-eu-nato.pdf
https://www.nato.int/nato_static_fl2014/assets/pdf/2023/6/pdf/EU-NATO_Final_Assessment_Report_Digital.pdf
https://www.nato.int/nato_static_fl2014/assets/pdf/2023/6/pdf/EU-NATO_Final_Assessment_Report_Digital.pdf


European Commission (2005). Green Paper on a European programme for critical infrastructure 
protection. COM/2005/0576 final. 

European Commission (2006a). Proposal for a Directive of the Council on the identification and 
designation of European Critical Infrastructure and the assessment of the need to improve 
their protection. COM/2006/0787 final - CNS 2006/0276. 

European Commission (2006b). Communication from the Commission on a European Programme 
for Critical Infrastructure Protection. COM(2006) 786 final. 

European Commission (2012, June 22nd). Commission staff working document on the review of the 
European Programme for Critical Infrastructure Protection (EPCIP). SWD(2012) 190 final. 
https://home-affairs.ec.europa.eu/system/files/2020-09/epcip_swd_2012_190_final.pdf 

European Commission (2016, April 6). Joint Communication to the European Parliament and the 
Council. Joint Framework on countering hybrid threats a European Union response. 
JOIN/2016/018 final. European Commission. 

European Commission (2017). Commission Staff Working Document Comprehensive Assessment of 
EU Security Policy Accompanying the document Communication from the Commission to the 
European Parliament, the European Council and the Council. Ninth progress report towards 
an effective and genuine Security Union. SWD/2017/0278 final. 

European Commission (2020). Communication from the Commission on the EU Security Union 
Strategy. COM/2020/605 final. 

European Union (2016). Shared Vision, Common Action: A Stronger Europe. A Global Strategy for 
the European Union’s Foreign And Security Policy. Retrieved from 

https://home-affairs.ec.europa.eu/system/files/2020-09/epcip_swd_2012_190_final.pdf


https://eeas.europa.eu/archives/docs/top_stories/pdf/eugs_review_web.pdf on February 2nd, 
2024. 

Fix, Liana & Keil, Steven (2022). NATO and Russia after the Invasion of Ukraine. Policy Brief, April 
2022. The German Marshall Fund of the United States. 
https://www.gmfus.org/sites/default/files/2022-04/Fix%20%26%20Keil%20-
%20NATO%20-%20Geopolitics%20-%20Russia%20-Brief%20-%20FINAL.pdf 

Friederich, Simon & Symons, Jonathan (2023). Operationalising sustainability? Why sustainability 
fails as an investment criterion for safeguarding the future. Global Policy, 14(1), 61–71. 
https://doi.org/10.1111/1758-5899.13160 

Ganguly, Auroop Ratan, Bhatia, Udit, & Flynn, Stephen E. (2018). Critical Infrastructures 
Resilience. Policy and Engineering Principles. Routledge.  

Ghorbani, Ali A., & Bagheri, Ebrahim (2008). The state of the art in critical infrastructure protection: 
a framework for convergence. International Journal of Critical Infrastructures, 4(3), 215–

244. http://dx.doi.org/10.1504/IJCIS.2008.017438 
van Heuven, Marten H. A. (1970). Civil Emergency Planning in Nato. International Lawyer, 4(2), 

391–398. 
Jacuch, Andrzej (2017). Civil preparedness – Nato civil experts capability. Przegląd Nauk o 

Obronności, 2017(3), 135–143. https://doi.org/10.5604/01.3001.0012.9806 
Jacuch, Andezej (2019). Civil Transport in NATO. Bezpieczeństwa Narodowego, 1(15), 275–286. 

https://doi.org/10.37055/sbn/132162 

https://eeas.europa.eu/archives/docs/top_stories/pdf/eugs_review_web.pdf
https://www.gmfus.org/sites/default/files/2022-04/Fix%20%26%20Keil%20-%20NATO%20-%20Geopolitics%20-%20Russia%20-Brief%20-%20FINAL.pdf
https://www.gmfus.org/sites/default/files/2022-04/Fix%20%26%20Keil%20-%20NATO%20-%20Geopolitics%20-%20Russia%20-Brief%20-%20FINAL.pdf
https://doi.org/10.1111/1758-5899.13160
http://dx.doi.org/10.1504/IJCIS.2008.017438
https://doi.org/10.5604/01.3001.0012.9806
https://doi.org/10.37055/sbn/132162


Jacuch, Andrzej (2020). Security and defense challenges – civil preparedness in NATO. Scientific 
Journal of the Military University of Land Forces, 52(2), 270–280. 
https://doi.org/10.5604/01.3001.0014.2532 

Jalonen, Harri & Huhtinen, Aki-Mauri (2021). Tiedon huoltovarmuus prosessina. In Tiedon 
huoltovarmuutta etsimässä. Vaasan yliopiston raportteja 28. Vaasan yliopisto.  
https://urn.fi/URN:ISBN:978-952-476-974-7 

Jokipii, Annukka, Uusikylä, Petri & Jalonen, Harri (2021). Yhteenveto. In Tiedon huoltovarmuutta 
etsimässä. Vaasan yliopiston raportteja 28. Vaasan yliopisto. https://urn.fi/URN:ISBN:978-
952-476-974-7 

Kari, Markus (2023). Effects of the Russian invasion of Ukraine on the Finnish model of 
comprehensive security. Defensor Legis, 4,5(2023). 
https://www.edilex.fi/defensor_legis/1001160014.pdf 

Kananen, Ilkka (2015). Suomen huoltovarmuus: riittääkö energia ja ruoka, toimiiko tiedonkulku? 
Docendo. 

Lipschutz, Ronnie D. (2008). Imperial warfare in the naked city—Sociality as critical infrastructure. 
International Political Sociology, 2(3), 204–218. https://doi.org/10.1111/j.1749-
5687.2008.00045.x 

Mendonça, David, Lee, Earl E., & Wallace, William A. (2004, October). Impact of the 2001 World 
Trade Center attack on critical interdependent infrastructures. In 2004 IEEE International 
Conference on Systems, Man and Cybernetics (IEEE Cat. No. 04CH37583) (Vol. 5, pp. 4053-
4058). IEEE. https://doi.org/10.1109/ICSMC.2004.1401165 

https://doi.org/10.5604/01.3001.0014.2532
https://urn.fi/URN:ISBN:978-952-476-974-7
https://urn.fi/URN:ISBN:978-952-476-974-7
https://urn.fi/URN:ISBN:978-952-476-974-7
https://www.edilex.fi/defensor_legis/1001160014.pdf
https://doi.org/10.1111/j.1749-5687.2008.00045.x
https://doi.org/10.1111/j.1749-5687.2008.00045.x
https://doi.org/10.1109/ICSMC.2004.1401165


Mendonça, D., & Wallace, William A. (2006). Impacts of the 2001 World Trade Center attack on 
New York City critical infrastructures. Journal of Infrastructure Systems, 12(4), 260–270. 
https://doi.org/10.1061/(ASCE)1076-0342(2006)12:4(260) 

Michalec, Ola, Milyaeva, Sveta & Rashid, Awais (2022). When the future meets the past: Can safety 
and cyber security coexist in modern critical infrastructures? Big Data & Society, 9(1), 
20539517221108369. https://doi.org/10.1177/20539517221108369 

Moteff, John, Copeland, Claudia, & Fischer, John (2003). Critical Infrastructures: What Makes an 
Infrastructure Critical? Report for Congress. Order Code RL31556. Congressional Research 
Service. The Library of Congress. https://apps.dtic.mil/sti/citations/ADA467306 

NATO (1949, April 4). The North Atlantic Treaty. Nato.int. Retrieved from 
https://www.nato.int/cps/en/natolive/official_texts_17120.htm on February 2nd, 2024. 

NATO (1991, November 7). The Alliance's New Strategic Concept (1991) agreed by the Heads of 
State and Government participating in the Meeting of the North Atlantic Council. Nato.int. 
Retrieved from https://www.nato.int/cps/en/natohq/official_texts_23847.htm on February 
2nd, 2024. 

NATO (1999, April 24). The Alliance's Strategic Concept (1999). Approved by the Heads of State 
and Government participating in the meeting of the North Atlantic Council in Washington 
D.C. Nato.int. Retrieved from https://www.nato.int/cps/en/natohq/official_texts_27433.htm 
on February 2nd, 2024. 

NATO (2006, November 29). Riga Summit Declaration Issued by the Heads of State and Government 
participating in the meeting of the North Atlantic Council in Riga on 29 November 2006. 
Nato.int. Retrieved from https://www.nato.int/cps/en/natohq/official_texts_37920.htm  on 
February 2nd, 2024. 

https://doi.org/10.1061/(ASCE)1076-0342(2006)12:4(260)
https://doi.org/10.1177/20539517221108369
https://apps.dtic.mil/sti/citations/ADA467306
https://www.nato.int/cps/en/natolive/official_texts_17120.htm
https://www.nato.int/cps/en/natohq/official_texts_23847.htm
https://www.nato.int/cps/en/natohq/official_texts_27433.htm
https://www.nato.int/cps/en/natohq/official_texts_37920.htm


NATO (2008, April 3). Bucharest Summit Declaration. Issued by the Heads of State and Government 
participating in the meeting of the North Atlantic Council in Bucharest on 3 April 2008. 
Nato.int. Retrieved from https://www.nato.int/cps/en/natolive/official_texts_8443.htm on 
February 2nd, 2024. 

NATO (2009, April 4). Strasbourg / Kehl Summit Declaration. Issued by the Heads of State and 
Government participating in the meeting of the North Atlantic Council in Strasbourg / Kehl. 
Nato.int. Retrieved from https://www.nato.int/cps/en/natohq/news_52837.htm on February 
2nd, 2024. 

NATO (2010a, November 19). Strategic Concept for the Defence and Security of the Members of the 
North Atlantic Treaty Organization Adopted by Heads of State and Government at the NATO 
Summit in Lisbon 19-20 November 2010. NATO Public Diplomacy Division. 
https://www.nato.int/nato_static_fl2014/assets/pdf/pdf_publications/20120214_strategic-
concept-2010-eng.pdf 

NATO (2010b, November 20). Lisbon Summit Declaration. Issued by the Heads of State and 
Government participating in the meeting of the North Atlantic Council in Lisbon. Nato.int. 
Retrieved from https://www.nato.int/cps/en/natohq/official_texts_68828.htm on February 
2nd, 2024. 

NATO (2012, May 20). Chicago Summit Declaration. Issued by the Heads of State and Government 
participating in the meeting of the North Atlantic Council in Chicago on 20 May 2012. 
Nato.int. Retrieved from https://www.nato.int/cps/en/natohq/official_texts_87593.htm on 
February 2nd, 2024. 

NATO (2014, September 5). Wales Summit Declaration. Issued by the Heads of State and 
Government participating in the meeting of the North Atlantic Council in Wales. Nato.int. 

https://www.nato.int/cps/en/natolive/official_texts_8443.htm
https://www.nato.int/cps/en/natohq/news_52837.htm
https://www.nato.int/nato_static_fl2014/assets/pdf/pdf_publications/20120214_strategic-concept-2010-eng.pdf
https://www.nato.int/nato_static_fl2014/assets/pdf/pdf_publications/20120214_strategic-concept-2010-eng.pdf
https://www.nato.int/cps/en/natohq/official_texts_68828.htm


Retrieved from https://www.nato.int/cps/en/natohq/official_texts_112964.htm on February 
2nd, 2024. 

NATO (2016a, July 9). Warsaw Summit Communiqué. Issued by the Heads of State and Government 
participating in the meeting of the North Atlantic Council in Warsaw 8-9 July 2016. Nato.int. 
Retrieved from https://www.nato.int/cps/en/natohq/official_texts_133169.htm on February 
2nd, 2024. 

NATO (2016b, July 8). Joint declaration by the President of the European Council, the President of 
the European Commission, and the Secretary General of the North Atlantic Treaty 
Organization. Nato.int. Retrieved from 
https://www.nato.int/cps/en/natohq/official_texts_133163.htm on February 2nd, 2024. 

Nato (2018a). The Secretary General’s Annual Report 2017. NATO Public Diplomacy Division. 

Retrieved from 
https://www.nato.int/nato_static_fl2014/assets/pdf/pdf_2018_03/20180315_SG_AnnualRep
ort_en.pdf on February 2nd, 2024. 

NATO (2018b, July 11). Brussels Summit Declaration. Issued by the Heads of State and Government 
participating in the meeting of the North Atlantic Council in Brussels 11-12 July 2018. 
Nato.int. Retrieved from https://www.nato.int/cps/en/natohq/official_texts_156624.htm on 
February 2nd, 2024. 

NATO (2018c, July 10). Joint Declaration on EU-NATO Cooperation by the President of the 
European Council, the President of the European Commission, and the Secretary General of 
the North Atlantic Treaty Organization. Nato.int. Retrieved from 
https://www.nato.int/cps/en/natohq/official_texts_156626.htm on February 2nd, 2024. 

https://www.nato.int/cps/en/natohq/official_texts_112964.htm
https://www.nato.int/cps/en/natohq/official_texts_133169.htm
https://www.nato.int/cps/en/natohq/official_texts_133163.htm
https://www.nato.int/nato_static_fl2014/assets/pdf/pdf_2018_03/20180315_SG_AnnualReport_en.pdf
https://www.nato.int/nato_static_fl2014/assets/pdf/pdf_2018_03/20180315_SG_AnnualReport_en.pdf
https://www.nato.int/cps/en/natohq/official_texts_156624.htm
https://www.nato.int/cps/en/natohq/official_texts_156626.htm


NATO (2021, June 14). Brussels Summit Communiqué. Issued by the Heads of State and Government 
participating in the meeting of the North Atlantic Council in Brussels 14 June 2021. Nato.int. 
Retrieved from https://www.nato.int/cps/en/natohq/news_185000.htm on February 2nd, 
2024. 

NATO (2022a, June 29). Madrid Summit Declaration. Issued by NATO Heads of State and 
Government participating in the meeting of the North Atlantic Council in Madrid 29 June 
2022. Nato.int. Retrieved from 
https://www.nato.int/cps/en/natohq/official_texts_196951.htm on February 2nd, 2024. 

NATO (2022b, June 29). NATO 2022 Strategic Concept. Adopted by Heads of State and Government 
at the NATO Summit in Madrid 29 June 2022. 
https://www.nato.int/nato_static_fl2014/assets/pdf/2022/6/pdf/290622-strategic-concept.pdf 

NATO (2023a, July 11). Vilnius Summit Communiqué. Issued by NATO Heads of State and 
Government participating in the meeting of the North Atlantic Council in Vilnius 11 July 2023. 
Nato.int. Retrieved from https://www.nato.int/cps/en/natohq/official_texts_217320.htm on 
February 2nd, 2024. 

NATO (2023b, January 10). Joint Declaration on EU-NATO Cooperation by the President of the 
European Council, the President of the European Commission, and the Secretary General of 
the North Atlantic Treaty Organization. Nato.int. Retrieved from 
https://www.nato.int/cps/en/natohq/official_texts_210549.htm on February 2nd, 2024. 

Niskanen, Ville-Pekka, Uusikylä, Petri, Lonka, Harriet, Ahonen, Pertti, Laitinen, Kari, Tervo, Vesa-
Pekka, Ruoslahti, Harri, Huttunen, Petri (2024). Onko siviilivalmiudelle tarvetta Suomessa? 
Siviilivalmiuden käsite, käyttö ja lisäarvo osana kansallista varautumista. Valtioneuvoston 

https://www.nato.int/cps/en/natohq/news_185000.htm
https://www.nato.int/cps/en/natohq/official_texts_196951.htm
https://www.nato.int/nato_static_fl2014/assets/pdf/2022/6/pdf/290622-strategic-concept.pdf
https://www.nato.int/cps/en/natohq/official_texts_217320.htm
https://www.nato.int/cps/en/natohq/official_texts_210549.htm


selvitys- ja tutkimustoiminnan julkaisusarja 2024:1. Valtioneuvoston kanslia. 
https://urn.fi/URN:ISBN:978-952-383-015-8 

Official Journal of the European Union (2012, October 26th). Consolidated version of the Treaty on 
the Functioning of the European Union. C 326/47. 

Official Journal of the European Union (2023, January 20th). Council Recommendation of 8 
December 2022 on a Union-wide coordinated approach to strengthen the resilience of critical 
infrastructure (Text with EEA relevance). 2023/C 20/01. 

Piètre-Cambacédès, Ludovic & Chaudet, Claude (2010). The SEMA referential framework: 
Avoiding ambiguities in the terms “security” and “safety”. International Journal of Critical 
Infrastructure Protection, 3(2), 55–66. https://doi.org/10.1016/j.ijcip.2010.06.003 

Poutala, Tero, Sinkkonen, Elina & Mattlin, Mikael (2022). EU Strategic Autonomy and the Perceived 
Challenge of China: Can Critical Hubs Be De-weaponized? European Foreign Affairs 
Review, 27(Special Issue (2022)), 79–98. https://doi.org/10.54648/eerr2022015 

Regulation (EU) 2019/452. Regulation (EU) 2019/452 of the European Parliament and of the Council 
of 19 March 2019 establishing a framework for the screening of foreign direct investments 
into the Union. 

Regulation (EU) 2023/1781. Regulation (EU) 2023/1781 of the European Parliament and of the 
Council of 13 September 2023 establishing a framework of measures for strengthening 
Europe’s semiconductor ecosystem and amending Regulation (EU) 2021/694 (Chips Act) 

(Text with EEA relevance). 
Ponsard, Lionel (2007). Russia, NATO and Cooperative Security: Bridging the Gap. Routledge. 

https://urn.fi/URN:ISBN:978-952-383-015-8
https://doi.org/10.1016/j.ijcip.2010.06.003
https://doi.org/10.54648/eerr2022015


Pursiainen, Christer & Gattinesi, Peter (2014). Towards testing critical infrastructure resilience. JRC 
Scientific and Policy Reports. Joint Research Centre. European Commission. 

Pursiainen, C., & Kytömaa, E. (2023). From European critical infrastructure protection to the 
resilience of European critical entities: what does it mean? Sustainable and Resilient 
Infrastructure, 8(sup1), 85–101. https://doi.org/10.1080/23789689.2022.2128562 

Rinaldi, Steven M., Peerenboom, James P., & Kelly, Terrence K. (2001). Identifying, understanding, 
and analyzing critical infrastructure interdependencies. IEEE Control Systems Magazine, 
21(6), 11–25. https://doi.org/10.1109/37.969131 

Stoddart, Kristan (2016). UK cyber security and critical national infrastructure protection. 
International Affairs, 92(5), 1079–1105. https://doi.org/10.1111/1468-2346.12706  

Szymański, Piotr (2020, April 24). Towards greater resilience: NATO and the EU on hybrid threats. 

Centre for Eastern Studies (OSW). Retrieved from 
https://www.osw.waw.pl/en/publikacje/osw-commentary/2020-04-24/towards-greater-
resilience-nato-and-eu-hybrid-threats on February 3rd, 2024. 

Wigell, Mikael, Mikkola, Harri & Juntunen, Tapio (2021). Best Practices in the whole-of-society 
approach in countering hybrid threats. Study Requested by the INGE committee. Directorate 
General for External Policies of the Union. https://doi.org/10.2861/379  

Wigell, Mikael, Deschryvere, Matthias, Fjäder, Christian, Helwig, Niklas, Kaitila, Ville, Koski, Heli, 
Seilonen, Josi, Suominen, Arho (2022). Europe Facing Geoeconomics: Assessing Finland’s 

and the EU’s Risks and Options in the Technological Rivalry. Publications of the 
Government´s analysis, assessment and research activities 2022:12. Prime Minister’s Office. 

https://urn.fi/URN:ISBN:978-952-383-205-3 

https://doi.org/10.1080/23789689.2022.2128562
https://doi.org/10.1109/37.969131
https://doi.org/10.1111/1468-2346.12706
https://www.osw.waw.pl/en/publikacje/osw-commentary/2020-04-24/towards-greater-resilience-nato-and-eu-hybrid-threats
https://www.osw.waw.pl/en/publikacje/osw-commentary/2020-04-24/towards-greater-resilience-nato-and-eu-hybrid-threats
https://doi.org/10.2861/379
https://urn.fi/URN:ISBN:978-952-383-205-3


Wywiał, Przemysław (2022). Perception of resilience in the security policy of the North Atlantic 

Alliance and the Republic of Poland. Defence Science Review, 15(2022), 37–47. 
https://doi.org/10.37055/pno/136372  

Zetter, Kim (2016, March 3). Inside the Cunning, Unprecedented Hack of Ukraine's Power Grid. 
Wired.com. Retrieved from https://www.wired.com/2016/03/inside-cunning-unprecedented-
hack-ukraines-power-grid/ on February 1st, 2024. 

https://doi.org/10.37055/pno/136372
https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/
https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/