Abstract
The study examines the transformation of the European Union's (EU) governance framework in the field of critical infrastructure resilience, in the context of the proliferation of hybrid risks characterized by physical-digital interdependencies. Starting from the premise that contemporary threats can no longer be conceptualized as distinct phenomena, the study explores how the new normative instruments - particularly Directives (EU) 2022/2557 (CER) and (EU) 2022/2555 (NIS2) - respond to a risk landscape characterized by systemic interdependencies and cascading effects.
Methodologically, the study combines an institutional and legal analysis of the European architecture for the protection and resilience of critical infrastructures with a functional assessment based on hypothetical hybrid crisis scenarios. This approach enables the identification of persistent operational gaps between sectoral responsibilities, levels of governance, and coordination mechanisms. The study's main contribution lies in proposing an integrated analytical framework for assessing the EU's capacity to manage interconnected physical-digital risks, while highlighting the limitations of the current fragmented governance model.
The study argues that, despite recent normative advances, the resilience of critical infrastructures remains constrained by a deficit in operational coordination and by insufficient integration between cybersecurity policies, civil protection, and crisis management. In conclusion, the study underscores the need to strengthen forms of hybrid governance capable of overcoming traditional sectoral divisions and enabling a systemic approach to complex risks at the European level.
Methodologically, the study combines an institutional and legal analysis of the European architecture for the protection and resilience of critical infrastructures with a functional assessment based on hypothetical hybrid crisis scenarios. This approach enables the identification of persistent operational gaps between sectoral responsibilities, levels of governance, and coordination mechanisms. The study's main contribution lies in proposing an integrated analytical framework for assessing the EU's capacity to manage interconnected physical-digital risks, while highlighting the limitations of the current fragmented governance model.
The study argues that, despite recent normative advances, the resilience of critical infrastructures remains constrained by a deficit in operational coordination and by insufficient integration between cybersecurity policies, civil protection, and crisis management. In conclusion, the study underscores the need to strengthen forms of hybrid governance capable of overcoming traditional sectoral divisions and enabling a systemic approach to complex risks at the European level.
Cuvinte cheie
critical infrastructures
protection
resilience
multilevel governance
Istoric articol
Publicat
01.04.2026
Informații autori
Citare recomandată
Cătălin Peptan (2026). Governing Critical Infrastructure Resilience in the European Union: the Evolution and Limits of the Institutional Framework. Journal of Economic Sciences, 1(2), 224–254. https://doi.org/10.65631/jes.2.2026.18
Referințe bibliografice
[1]. European Union. (2016). Tratatul privind Uniunea Europeană (versiune consolidată) [Treaty on European Union (consolidated version)], Official Journal of the European Union C 202, 7 June 2016. https://eur-lex.europa.eu/resource.html?uri=cellar:9e8d52e1-2c70-11e6-b497-01aa75ed71a1.0020.01/DOC_2&format=PDF
[2]. European Union Agency for Cybersecurity (ENISA). (n.d.). Home. ENISA. https://www.enisa.europa.eu/
[3]. CERT-EU. (n.d.). Cybersecurity Service for the Union institutions, bodies, offices and agencies. https://cert.europa.eu/
[4]. European Commission. (n.d.). Emergency Response Coordination Centre (ERCC). European Civil Protection and Humanitarian Aid. https://civil-protection-humanitarianaid.ec.europa.eu/what/civil-protection/emergency-response-coordination-centre-ercc_en
[5]. European Union. (2016). Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (NIS Directive). Official Journal of the European Union. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016L1148
[6]. European Union. (2022). Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive
(EU) 2016/1148 (NIS2 Directive). Official Journal of the European Union. https://eurlex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32022L2555
[7]. European Union. (2022). Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 on the resilience of critical entities and repealing Council Directive 2008/114/EC. Official Journal of the European Union. https://eur-lex.europa.eu/legalcontent/EN/TXT/?uri=CELEX:32022L2557
[8]. Rinaldi, S. M., Peerenboom, J. P., & Kelly, T. K. (2001). Identifying, understanding, and analyzing critical infrastructure interdependencies. IEEE Control Systems Magazine, 21(6), 11-25. https://doi.org/10.1109/37.969131
[9]. Luiijf, H. A. M., Burger, H., Klaver, M., & Marieke, H. (2003). Critical infrastructure protection in the Netherlands: A Quick-scan. Copenhagen, Denmark: EICAR Denmark.
[10]. Giannopoulos, G., Filippini, R., & Schimmer, M. (2012). Risk assessment methodologies for Critical Infrastructure Protection. Part I: A state of the art. JRC Technical Notes, 1(1), 1-53.
[11]. Theocharidou, M., & Giannopoulos, G. (2015). Risk assessment methodologies for critical infrastructure protection. Part II: A new approach. JRC Science and Policy Report, 6.
[12]. Bruneau, M., Chang, S. E., Eguchi, R. T., Lee, G. C., O'Rourke, T. D., Reinhorn, A. M., ... & von Winterfeldt, D. (2003). A framework to quantitatively assess and enhance the seismic resilience of communities. Earthquake Spectra, 19(4), 733-752. https://doi.org/10.1193/1.1623497
[13]. Linkov, I., Eisenberg, D. A., Bates, M. E., Chang, D., Convertino, M., Allen, J. H., … Seager, T. P. (2013). Measurable resilience for actionable policy. In I. Linkov & J. Palma-Oliveira (Eds.), Resilience and risk: Methods and application in environment, cyber and social domains (pp. 87–102). Springer.
[14]. Linkov, I., Trump, B. D., Trump, J., Pescaroli, G., Hynes, W., Mavrodieva, A., & Panda, A. (2022). Resilience stress testing for critical infrastructure. International Journal of Disaster Risk Reduction, 82, 103323.
[15]. Little, R. G. (2002). Controlling cascading failure: Understanding the vulnerabilities of interconnected infrastructures. Journal of Urban Technology, 9(1), 109-123.
[16]. Duenas-Osorio, L., & Vemuru, S. M. (2009). Cascading failures in complex infrastructure systems. Structural Safety, 31(2), 157-167.
[17]. Ouyang, M. (2014). Review on modeling and simulation of interdependent critical infrastructure systems. Reliability Rngineering & System Safety, 121, 43-60.
[18]. Brunner, L. G., Peer, R. A. M., Zorn, C., Paulik, R., & Logan, T. M. (2024). Understanding cascading risks through real-world interdependent urban infrastructure. Reliability Engineering & System Safety, 241, 109653. https://doi.org/10.1016/j.ress.2023.109653
[19]. Pursiainen, C., & Kytömaa, E. (2023). From European critical infrastructure protection to the resilience of European critical entities: what does it mean?. Sustainable and Resilient Infrastructure, 8(sup1), 85-101. https://doi.org/10.1080/23789689.2022.2128562
[20]. Becker, M. (2025). Transposing EU-legislation on critical infrastructure protection legal implementation performance in the Baltic Sea region. International Journal of Critical Infrastructure Protection, 50, 100781. https://doi.org/10.1016/j.ijcip.2025.100781
[21]. Alexopoulos, M. J., Niemi, A., Skobiej, B., & Sill Torres, F. (2025). Examination of the Critical Infrastructure Resilience Directive From the Maritime Point of View. JCMS: Journal of Common Market Studies, 63(2), 667-678.
[22]. Hooghe, L., & Marks, G. (2001). Multi-level governance and European integration. Bloomsbury Publishing PLC.
[23]. Abbott, K. W., Genschel, P., Snidal, D., & Zangl, B. (2021). Orchestration: Global governance through intermediaries. In The Spectrum of International Institutions (pp. 140-170). Routledge.
[24]. Ruohonen, J., Rindell, K., & Busetti, S. (2025). From Cyber Security Incident Management to Cyber Security Crisis Management in the European Union. arXiv preprint arXiv:2504.14220.
[25]. Ausfelder, A., Eick, A., Hartlapp, M., Mespoulet, R., Saurugger, S., Terpan, F., & Cappellina, B. (2024). EU soft‐law: Non‐binding but enforceable. European Law Journal, 30(4), 668-684.
[26]. Vandezande, N. (2024). Cybersecurity in the EU: How the NIS2-directive stacks up against its predecessor. Computer Law & Security Review, 52, 105890.
[27]. Olech, A. (2025). Hybrid threats to critical infrastructure in the European Union. Selected Hybrid CoE analyses. Terroryzm. Studia, analizy, prewencja, (Special), 133-158.
[28]. Pestana, G., & Sofou, S. (2024). Data governance to counter hybrid threats against critical infrastructures. Smart Cities, 7(4), 1857-1877.
[29]. Papadopoulos, L., Demestichas, K., Muñoz-Navarro, E., Hernández-Montesinos, J. J., Paul, S., Museux, N., ... & Levak, J. (2024). Protection of critical infrastructures from advanced combined cyber and physical threats: The PRAETORIAN approach. International Journal of Critical Infrastructure Protection, 44, 100657.
[30]. Geri, M. (2024). Understanding Russian Hybrid Warfare against Europe in the energy sector and in the future ‘energy-resources-climate’security nexus. Journal of Strategic Security, 17(3), 15-34.
[31]. Directorate-General for Migration and Home Affairs. (2024, 8 February). About us. European Commission. https://home-affairs.ec.europa.eu/who-we-are/about-us_en
[32]. Directorate-General for Communications Networks, Content and Technology. (n.d.). About us. European Commission. https://commission.europa.eu/about/departments-and-executiveagencies/communications-networks-content-and-technology_en
[33]. Directorate-General for Energy. (n.d.). About us. European Commission. https://commission.europa.eu/about/departments-and-executive-agencies/energy_en
[34]. Directorate-General for Mobility and Transport. (n.d.). About us. European Commission. https://commission.europa.eu/about/departments-and-executive-agencies/mobility-andtransport_en
[35]. Directorate-General for European Civil Protection and Humanitarian Aid Operations. (n.d.). About us. European Commission. https://civil-protection-humanitarianaid.ec.europa.eu/who/about-echo_en
[36]. European Commission. (n.d.). Directorate-General for Health and Food Safety (DG SANTE). https://commission.europa.eu/about/departments-and-executive-agencies/health-and-foodsafety_en
[37]. European Commission. (n.d.). Directorate-General for Environment (DG ENV). https://commission.europa.eu/about/departments-and-executive-agencies/environment_en
[38]. European Commission. (n.d.). Directorate-General for Internal Market, Industry, Entrepreneurship and SMEs (DG GROW). https://commission.europa.eu/about/departments-andexecutive-agencies/internal-market-industry-entrepreneurship-and-smes_en
[39]. European Commission. (n.d.). Directorate-General for Climate Action (DG CLIMA). https://commission.europa.eu/about/departments-and-executive-agencies/climate-action_en
[40]. European Commission. (n.d.). Directorate-General for Research and Innovation (DG RTD). https://commission.europa.eu/about/departments-and-executive-agencies/research-andinnovation_En
[41]. European Commission. (n.d.). Directorate-General for Defence Industry and Space (DG DEFIS). https://commission.europa.eu/about/departments-and-executive-agencies/defenceindustry-and-space_en
[42]. European Union. (2016). Tratatul privind funcționarea Uniunii Europeană (versiune consolidată) [Treaty on the Functioning of the European Union (consolidated version)], Official Journal of the European Union C 202/47, 7 June 2016. https://eurlex.europa.eu/resource.html?uri=cellar:9e8d52e1-2c70-11e6-b497-01aa75ed71a1.0020.01/DOC_3&format=PDF
[43]. Committee on Civil Liberties, Justice and Home Affairs. (n.d.). About | LIBE. European Parliament. https://www.europarl.europa.eu/committees/en/libe/about
[44]. Committee on Industry, Research and Energy. (n.d.). About | ITRE. European Parliament. https://www.europarl.europa.eu/committees/en/itre/about
[45]. Committee on Security and Defence. (n.d.). About | SEDE. European Parliament. https://www.europarl.europa.eu/committees/en/sede/about
[46]. European Commission. (n.d.). Recovery and Resilience Facility. https://commission.europa.eu/business-economy-euro/economic-recovery/recovery-and-resiliencefacility_en
[47]. European Commission. (n.d.). Horizon Europe. https://research-andinnovation.ec.europa.eu/funding/funding-opportunities/funding-programmes-and-opencalls/horizon-europe_en
[48]. Council of Europe. (n.d.). European and Mediterranean Major Hazards Agreement (EUR-OPA) - Statute of the Agreement. https://www.coe.int/en/web/europarisks/eur-opa-in-brief
[49]. Council of Europe. (2021). EUR-OPA Major Hazards Agreement - Strategic Framework 2021-2030 (as referenced in ministerial documentation). Council of Europe. https://rm.coe.int/ministerial-declaration-14th-ministerial-meeting-of-the-european-andm/1680a4b97f
[50]. Council of Europe. (n.d.). EUR-OPA Major Hazards Agreement - Resolutions. https://www.coe.int/en/web/europarisks/resolutions
[51]. Council of Europe. (2011). Resolution 2011-1 on ethical principles relating to disaster risk reduction and contributing to people’s resilience to disasters (EUR-OPA Major Hazards Agreement). https://www.coe.int/en/web/europarisks/resolutions#2011––1
[52]. Carrapico, H., & Barrinha, A. (2017). The EU as a coherent (cyber) security actor? JCMS: Journal of Common Market Studies, 55(6), 1254-1272.
[53]. European Parliament & Council of the European Union. (2019). Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification (Cybersecurity Act) (OJ L 151, 7.6.2019, pp. 15–69). EUR-Lex. https://eurlex.europa.eu/eli/reg/2019/881/oj
[54]. European Union Agency for Cybersecurity (ENISA). (2021). ENISA Threat Landscape 2021 (ETL 2021) (Report No. TP-AE-21-293-EN-N). Publications Office of the European Union. https://op.europa.eu/en/publication-detail/-/publication/98368007-475a-11ec-91ac-01aa75ed71a1/language-en
[55]. European Union Agency for Cybersecurity (ENISA). (2022). Cybersecurity certification framework (Publications Office of the European Union) [fără număr de raport]. https://www.enisa.europa.eu/topics/product-security-and-certification/cybersecurity-certificationframework
[56]. European Commission. (2017). Commission Recommendation (EU) 2017/1584 of 13 September 2017 on coordinated response to large-scale cybersecurity incidents and crises (OJ L 239, 19.9.2017, pp. 36–58). EUR-Lex. https://eur-lex.europa.eu/eli/reco/2017/1584/oj
[57]. European Parliament & Council of the European Union. (2023). Regulation (EU, Euratom) 2023/2841 of the European Parliament and of the Council of 13 December 2023 laying down measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union (OJ L 2841, 18.12.2023). EUR-Lex. https://eur-lex.europa.eu/legalcontent/EN/TXT/?uri=CELEX32023R2841
[58]. CERT-EU. (2025). Threat Landscape Report 2024: A year in review. https://cert.europa.eu/publications/threat-intelligence/tlr2024/
[59]. Ruohonen, J. (2024). The Incoherency Risk in the EU’s New Cyber Security Policies. In R. van de Wetering, R. Helms, B. Roelens, S. Bagheri, Y. K. Dwivedi, I. O. Pappas, & M. Mäntymäki (Eds.), Disruptive Innovation in a Digitally Connected Healthy World: 23rd IFIP WG
6.11 Conference on e-Business, e-Services and e-Society, I3E 2024 (pp. 284–295). Springer. https://doi.org/10.1007/978-3-031-72234-9_24
[60]. European Parliament. Research Service. (2024). Cybersecurity actors in the EU. European Parliament. https://epthinktank.eu/2024/01/10/cybersecurity-actors-in-the-eu/
[61]. European Commission. (2025). EU Civil Protection Mechanism. European Civil Protection and Humanitarian Aid Operations. https://civil-protection-humanitarianaid.ec.europa.eu/what/civil-protection/eu-civil-protection-mechanism_en
[62]. European Parliament & Council of the European Union. (2013). Decision No 1313/2013/EU of the European Parliament and of the Council of 17 December 2013 on a Union Civil Protection Mechanism (Text with EEA relevance) (OJ L 347, 20.12.2013, pp. 924–947). EUR-Lex. https://eur-lex.europa.eu/eli/dec/2013/1313/oj/eng
[63]. European Commission. (2023). EU Civil Protection Mechanism: How the Emergency Response Coordination Centre (ERCC) works. European Civil Protection and Humanitarian Aid Operations. https://civil-protection-humanitarian-aid.ec.europa.eu/what/civil-protection/eu-civilprotection-mechanism_en
[64]. Schimmelfennig, F. (2024). Crisis and polity formation in the European Union. Journal of European Public Policy, 31(4), 1–20. https://doi.org/10.1080/13501763.2024.2313107
[65]. Ladi, S. (2024). Reconceptualising the EU–member states relationship in the pursuit of fast policy responses. Journal of European Public Policy, 31(2), 1–18. https://doi.org/10.1057/s41295-024-00384-6
[66]. Efstathiou, P., Maniou, M., Antonakakis, E., Dimitraki, E., Nikolidaki, S., & Boundali, V. (2025). Integrated crisis and disaster management in the European Union: From local preparedness to global security challenges. European Journal of Public Health, 35(Supplement_5), ckaf165.079. https://doi.org/10.1093/eurpub/ckaf165.079.
[67]. European Energy - Information Sharing & Analysis Centre. (n.d.). Home – EE-ISAC. https://www.ee-isac.eu/
[68]. European Union Agency for Railways. (n.d.). European Union Agency for Railways (ERA) – Moving Europe towards a sustainable and safe railway system without frontiers. https://www.era.europa.eu/
[69]. European Union Aviation Safety Agency. (n.d.). EASA | Your safety is our mission. https://www.easa.europa.eu/en
[70]. Gerbec, M., Čaleta, D., Modic, J., Giunta, G., & Durante, N. G. (2025). Cross-CI Assessment of Risks and Cascading Effects in ATLANTIS Project. Applied Sciences, 15(19), 10374. https://doi.org/10.3390/app151910374
[71]. Cha, Y.; White, C. J.; Gonzalez, P. L. M.; et al. (2025). Assessing the cascading impacts of natural hazards on Critical National Infrastructure (CNI) using Scotland as a case study. Npj Natural Hazards, 2, 108. https://doi.org/10.1038/s44304-025-00161-9
[72]. Barquet, K.; Englund, M.; Inga, K.; et al. (2023). Conceptualizing multiple hazards and cascading effects on critical infrastructures. Disasters, e12591. https://doi.org/10.1111/disa.12591
[73]. Teichmann, F.; Sergi, B. S. (2025). The EU Cyber Resilience Act: Hybrid governance, compliance, and cybersecurity regulation in the digital ecosystem. Computer Law & Security Review, 59, 106209. https://doi.org/10.1016/j.clsr.2025.106209
[74]. Wang, R.; Qiu, H.; Liu, R.; Huo, H.; Cheng, X.; Liu, X. (2025). A hybrid governance framework for adaptive and sustainable urban energy management. Sustainable Cities and Society, 130, 106638. https://doi.org/10.1016/j.scs.2025.106638
[75]. Brighi, R., & Adinolfi, G. (2025). EU Cybersecurity Policies in Cyber-Physical Ecosystems: Challenges and Perspectives. European Journal of Risk Regulation, 16(2), 466–468. https://doi.org/10.1017/err.2025.10026
[76]. Mikac, R. (2023). Protection of the EU’s critical infrastructures: results and challenges. Applied Cybersecurity & Internet Governance, 2(1), 1-25.
[77]. Schmitz-Berndt, S., & Cole, M. D. (2022). Towards an efficient and coherent regulatory framework on cybersecurity in the EU: the proposals for a NIS 2.0 directive and a cyber resilience act. Applied Cybersecurity & Internet Governance, 1(1), 1-17.
[78]. Fuggini, C., Solari, C., De Stefano, R., Bolletta, F., & De Maio, F. V. (2023). Assessing resilience at different scales: from single assets to complex systems. Environment Systems and Decisions, 43(4), 693-707.
[79]. Rathnayaka, B., Robert, D., Adikariwattage, V., Siriwardana, C., Meegahapola, L., Setunge, S., & Amaratunga, D. (2024). A unified framework for evaluating the resilience of critical infrastructure: Delphi survey approach. International Journal of Disaster Risk Reduction, 110, 104598. https://doi.org/10.1016/j.ijdrr.2024.104598
[80]. Kopustinskas, V., Foretic, H., & Asensio Bermejo, I. (Eds.). (2024). Resilience assessment: Methodological challenges and applications to critical infrastructures (Proceedings of the 63rd ESReDA Seminar, Joint Research Centre, Ispra, Italy, 25–26 October 2023). Publications Office of the European Union. https://publications.jrc.ec.europa.eu/repository/bitstream/JRC139101/JRC139101_01.pdf