
Public consultation on draft OECD Recommendation on Digital Security of Critical Activities


Online public consultation on the draft OECD Recommendation on Digital Security of Critical Activities

Comments accepted through 28 February 2019


The OECD is consulting the public on a draft OECD Recommendation on Digital Security of Critical Activities (“draft Recommendation”) that aims to replace the 2008 OECD Recommendation on the Protection of Critical Information Infrastructures (“CIIP Recommendation”).



What is this draft Recommendation about?

The draft Recommendation provides guidance to governments on how to develop digital security policies for critical activities without inhibiting the benefits from digital transformation. It should be read in conjunction with the 2015 OECD Recommendation of the Council on Digital Security Risk Management for Economic and Social Prosperity.

The draft Recommendation focuses on critical economic and social activities. It does not cover defence and national/international security. It is a work in progress at the OECD and its content may be subject to modification, including as a result of this public consultation.


What are OECD Recommendations and how are they used?

OECD Recommendations are adopted by the OECD’s governing body, the Council, and result from the substantive work carried out in the Organisation’s committees and their subsidiary bodies. Recommendations generally contain high-level policy directions based on agreed good practices and aspirational goals, and serve to highlight the importance of specific work areas in the context of broader international policy-making. They are not legally binding, but practice accords them great moral force as representing the political will of Members and non-Members having adhered to them (Adherents), on whom there is an expectation to do their utmost to fully implement them.

For more information, consult the online Compendium of OECD Legal Instruments.


Why is the OECD developing this new Recommendation?

In 2008, “critical information infrastructure protection” (CIIP) was a nascent policy area. The CIIP Recommendation was the first international instrument raising awareness and providing policy guidance about it. Today, the stakes are much higher: critical economic and social activities are considerably more digital-dependent, and digital security risk has become a potential source of major disruption. In addition, the digital security public policy landscape has significantly evolved, in particular with the adoption of national digital security (or cybersecurity) strategies. International policy guidance needs to be updated to take into account such economic and social, policy, technology and other evolutions.


What does the draft Recommendation aim to accomplish?

The draft Recommendation put forward through this public consultation aims to modernise critical information infrastructure protection (CIIP) in the era of digital transformation by applying the OECD digital security risk management approach to the protection of critical economic and social activities.

This approach is based on the Recommendation of the Council on Digital Security Risk Management for Economic and Social Prosperity. The Recommendation calls on leaders and decision makers in governments, businesses and other organisations to address digital security risk as an economic and social challenge rather than only a technical or digital infrastructure issue. In other words, it recommends focusing primarily on digital security risk to economic and social activities rather than only on the digital infrastructure on which these activities rely. Digital security risk management should be integrated in enterprise-wide risk management and decision-making processes in order to protect economic and social activities without inhibiting the potential benefits of the digital transformation.

The draft Recommendation clarifies how policies to enhance digital security of critical economic and social activities should integrate into broader national risk management, what measures operators should be encouraged to take, and how governments can support them. It also provides guidance for the establishment of partnerships as a means to address challenges raised by cross-sector and cross-border dependencies.


Who can participate in the public consultation and how?

Comments are welcome from experts in governments, businesses, civil society and other stakeholder groups. More specifically, the draft Recommendation is likely to be of interest to:


  • Government policy makers in charge of digital security (or cybersecurity), protection of critical infrastructure, national risk management, public safety, etc. 
  • Operators of critical activities / infrastructures, the list of which varies across countries but typically includes key businesses and organisations in the banking and finance, transport, energy, public health, water, and food sectors. Defence is not in the scope of the draft Recommendation. 
  • Experts from civil society, the technical community and academia.

In responding to the consultation, you are invited to address the following questions:


  1. Do you agree with the draft Recommendation? 
  2. Is the draft Recommendation sufficiently clear, including its scope, structure and detailed content? How could it be improved? 
  3. Which areas need to be further explained or developed?

Comments and questions in English or French should be sent to Your response will be made available to the public unless you clearly indicate that you wish it to be kept confidential. 


What will be the next steps after the public consultation?

Responses will be analysed by the OECD Secretariat and taken into consideration in developing the final version of the revised Recommendation and its explanatory document.


How was the draft Recommendation developed?

The draft Recommendation has been developed on the basis of an analysis of the responses to a questionnaire circulated in 2016 and 2017 to OECD delegations (see report “Policies for the Protection of Critical Information Infrastructure: Ten Years Later”) and with the support of an informal multistakeholder group of experts. It incorporates input from OECD Members and non-Members, representatives of business and industry, civil society and the Internet technical community, provided through official meetings and written comments. 

The work takes place at the OECD Working Party on Security and Privacy in the Digital Economy (SPDE) and its parent body, the Committee on Digital Economy Policy (CDEP).

