Short address for this page:
The OECD Council Recommendation on the Protection of Critical Information Infrastructures (2008) provides a high-level policy framework for the development of a national policy and international co-operation for critical information infrastructures protection (CIIP). In 2018 the Recommendation is being revised to align it with the 2015 Recommendation on digital security risk management.
The Recommendation reflects a shared understanding of the concept of Critical Information Infrastructures (CII) and of how national CII are identified across countries. It calls for the introduction and maintenance of effective policy frameworks to implement the OECD Security Guidelines in relation to the protection of CII and makes recommendations with respect to the protection of CII at the domestic level and across borders.
The Recommendation focuses on how governments should demonstrate leadership and commitment regarding CIIP, manage risks to CII and work in partnership with private sector. It also calls for bilateral and multilateral cooperation at regional and global levels, for example to share knowledge and experience, develop a common understanding and share information.
This Recommendation builds on the findings of a comparative analysis of policies in seven OECD countries in 2006-2007. At that time, the concept of CII was emerging and there was no agreement across countries on what it meant. Some countries did not even use these terms at all. The comparative analysis helped develop a shared understanding of the concept.
The report "The Development of Policies for the Protection of Critical Information Infrastructures" (2007) also analysed commonalities and differences across countries in areas such as how the policies are developed, what they include, risk management practices, strategies to mitigate vulnerabilities and monitor threats, roles and responsibilities, cross-border co-operation, public-private co-operation and information sharing at international level.
Work in this area is carried out by the Working Party on Security and Privacy in the Digital Economy (SPDE) of the Committee for Digital Economy Policy (CDEP).