EXECUTIVE SUMMARY
The Working Party on Security and Privacy in the Digital Economy (SPDE) has undertaken a two-year process to review and possibly update the Recommendation of the Council on the Protection of Critical Information Infrastructure (CIIP Recommendation) ten years after its adoption. A questionnaire was circulated amongst OECD members and participants in the Committee on Digital Economy Policy to collect input for the review. Eighteen countries responded to the questionnaire, representing a variety of regions, country cultures, sizes, and levels of digital maturity. This document provides an analysis of these responses and suggestions to guide the updating of the Recommendation. The update of the Recommendation serves as an opportunity to make changes to its purpose and scope; to insert key messages based on overarching themes from the responses; and to adjust the Recommendation in line with current and anticipated evolutions in contexts, risks and policies.
The update comes against a backdrop of fast digital transformation and increased digital reliance of businesses and governments; increased frequency and severity of attacks on CII; the rise of state-sponsored attacks including digital sabotage and espionage; and the increased capacity of attackers. As a result, there is a pressing need to collect and share common good practices in order to assist policymakers tasked with managing the risks associated with these emerging trends, drivers and challenges.
The concept of "Critical Information Infrastructure" (CII) was initially introduced at the international level to raise awareness of the need to develop policies in this then emerging area. However, although well recognised by subject matter experts, it has rarely been used to develop domestic policy frameworks. The inherent complexity of the concept has become a source of confusion rather than inspiration. An updated Recommendation no longer needs to use the concept of CII. It should instead focus on the application of the Principles of the 2015 Recommendation of the Council on digital security risk management for economic and social prosperity ("Security Recommendation") to the protection of essential services, activities, or functions.
Countries that developed a CIIP policy framework a decade ago often follow a risk management approach that focuses on protection of information infrastructure. Those with a more recent framework generally follow a "service approach", which primarily focuses on the risk to services, functions...