Besides critical infrastructure, we also distinguish operators of essential services (OES). These are entities that provide essential services to our society or economy and depend on network and information systems. It is important that these network and information systems (NIS) are secure. Most critical infrastructure belongs to operators of essential services.
Critical infrastructure and operators of essential services can be found in the following sectors:
- Energy – infrastructure for large-scale production, transport and distribution of energy (both electricity and gas), e.g. gas pipelines or high-voltage pylons
- Transport – vital transport hubs, including rail, air and water
- Finance – critical links in electronic payment systems
- Drinking water – suppliers and distributors of drinking water
- Health – care institutions
- Digital infrastructure – Internet hubs and providers of DNS services
- Electronic communications – national connections of electronic communications Within this sector, there is only critical infrastructure, no operators of essential services.
- Space: for the space sector, there is a European Regulation that obliges Member States to also provide adequate protection and security (equivalent to critical infrastructure).
A definition of the term 'critical infrastructure' can be found in the Act of 1 July 2011 on the security and protection of critical infrastructure. A definition of the term 'operator of essential services' can be found in the Act of 7 April 2019 establishing a framework for the security of network and information systems of public interest for public safety.
All critical infrastructure must:
- have a security plan with general measures that always apply;
- take additional measures depending on the level of threat. The threat level analysis is done by CUTA;
- have a contact point (24/7) for the government. This enables the operator of the critical infrastructure and the government to exchange information quickly when necessary;
- organise exercises and inspections. This way, the procedures remain known or can be improved;
- report every incident to the authorities.
Security and protection measures for critical infrastructure are aimed at preventing or mitigating any event that might cause damage to the infrastructure or any part thereof.
The National Crisis Center is the contact point for critical infrastructure for Belgium and the EU.
Every operator of essential services identified by the government must:
- have a security policy for its network and information systems (NIS) that includes technical and organisational measures to manage security risks, prevent incidents or minimise the impact of incidents.
- report any security incident involving its network and information systems to the NIS authorities.
- conduct regular internal and external audits of its network and information systems.
- Cooperate and exchange information with the government.
The Centre for Cyber Security Belgium (CCB) is the central contact point for operators of essential services for Belgium and the EU. The National Crisis Center assists the CCB and sectoral authorities in identifying these operators.