Since the mid-2000s, governments have designed and implemented public policies to support the protection of critical infrastructure. Most OECD countries have defined critical infrastructure sectors, established an inventory of assets and put in place regulations, national programmes or incentive mechanisms to strengthen the resilience of critical infrastructure to shock events.
However, these policies, mostly driven by the post-9/11 security agenda, have not always been effective in addressing the challenges of the 21st century’s more complex, digitally interconnected environment. Today’s critical infrastructure resilience policies have to address diverse and complex shock events, more interdependent systems and countries, and the fast pace of innovation in infrastructure sectors. Ageing infrastructures also present a growing policy challenge.
Infrastructure investments are on the rise globally, offering countries an opportunity to re-evaluate their policies and build resilience up front while bolstering the resilience and protection of existing infrastructure.
A systems-based approach presents clear advantages in designing policies for critical infrastructure. Such policies should address all hazards and threats, ensure co-ordination across multiple sectors (public and private), cover the entire infrastructure lifecycle and foster transboundary co-operation.
Critical infrastructure resilience depends upon governments working with infrastructure operators from the public and private sectors. While operators and governments agree on the need to protect critical assets and maintain service, their views may differ on the level of resilience required, the means to achieve it, and the regulatory requirements that should apply. These decisions have financial implications, and raise questions about who will bear the additional costs of investing in resilience.
Public-private co-operation between governments and operators to encourage dialogue on these issues is useful for jointly setting and implementing critical infrastructure resilience and security policies. Establishing trust, ensuring secure information sharing, developing cost-sharing mechanisms and strengthening international co-operation are among the key challenges to be addressed in creating such partnerships, and require appropriate governance mechanisms.
Governments can choose from a variety of policy tools for strengthening critical infrastructure resilience. The OECD survey identified twenty-two such tools ranging from prescriptive regulatory tools and compensation mechanisms to voluntary frameworks based on partnerships. It is important for governments to find the right balance between mandatory and voluntary frameworks to enhance stakeholder engagement in the process and ensure that investments in resilience are effectively made.
The example of Finland’s electricity transmission and distribution system illustrates an effective governance model that fosters investments in infrastructure resilience. Finland has been developing a co-operative framework to strengthen critical infrastructure resilience that stresses public-private co-operation, information sharing and consensus building on policy design and objective setting. This governance model has produced impressive results in its first years of implementation. Nevertheless, new challenges have emerged, including addressing the implications in terms of costs for customers, the difference in capacity between larger and smaller operators, digitalisation and climate change.