SECURITY OF EUROPEAN CRITICAL INFRASTRUCTURES OUTSIDE THE EUROPEAN UNION: A REVIEW OF THE WESTERN BALKANS NATIONAL LAWS

: From the very beginning of the 21st century, the European Union took measures to develop a common security framework for critical infrastructure protection and to harmonize measures and standards between states. European critical infrastructures should be determined from the national critical infrastructure, which implies the regulations / rules for critical infrastructure protection are an important factor in European security and national laws. The paper examines the representation and impact of the provisions of DIRECTIVE 2008/114 / EC in the specific laws for security and protection of European critical infrastructures outside the European Union. In the Western Balkans, four specific laws were adopted setting out national frameworks for the establishment of critical infrastructure protection frameworks. The results of the analysis are based on the incorporation and implementation of the suggested common European Union approach for critical infrastructure protection in the national legislations of Western Balkan countries.


Introduction
The connection and interdependence of different infrastructure elements among each other highlights the common goals of national and European community security in terms of critical infrastructure protection (Rehak et al, 2016;Stergiopoulosa et al, 2016;Besenyo, Feher, 2020).Legal norms of national legislation must not conflict with European treaties, laws adopted by European institutions, agreements concluded by the EU with third countries and international organizations, and the case law of the European Court of Justice (Borzel, 2016;Shumilo et al. 2021;Poustourli, 2016;Skara, Hajdini, 2021).Regarding the harmonization of regulations of member states and states striving to become members, i.e., meeting the conditions for membership arising from documents such as directives -as is the case with the critical infrastructure protection -it is necessary to incorporate their content into domestic law (Noutcheva, 2009;Miščević, Dark, 2017;Andryeyeva et al. 2021).Directives can be of varying degrees of generality, and states decide independently how and in what form they will apply the guidelines from the directives.Specific measures in the development of the European Program for the Protection of European Critical Infrastructure were launched in 2004 (European Commission, 2004;European Commission, 2005).Central to the development of the security framework is "Council Directive 2008/114 / EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection" (hereinafter DIRECTIVE 2008/114 / EC), which contains guidelines for defining European Critical Infrastructures (hereinafter ECIs) and operationalizing the strategic European framework (European Commission 2008).DIRECTIVE 2008/114 / EC represents an organizational approach to the protection of ECIs, and the same approach was proposed for the protection of national critical infrastructure, while the organization of protection consists of several important components.First of them is the definition and sectoral approach, and then the organization of protection through the Operator security plans -OSPs, risk assessment, Security Liaison officer / Contact person -SLO, National contact point, and identification and designation of ECIs (European Commission, 2008).
The primary and ultimate responsibility for infrastructure protection is allocated in the individual Member States, their national legislation, and the owners/operators of critical infrastructure (Petrakos, Kotzanikolaou, 2019).Furthermore, ECIs are determined from the national critical infrastructure, thus the importance of national security measures and standards for the security of the region is not under the question (Chehabeddine, Tvaronavičienė, 2020).
Since countries have different geographical, spatial, political, socio-economic, and other factors, it is clear that critical infrastructure facilities, systems, and networks cannot be identical in all countries and regions.Vital infrastructure facilities are primarily identified at the national level, and ECIs are then designated from the ranks of national critical infrastructure (Lazari, Simoncini, 2016;Poustourli, 2016;Poustourli et al. 2015;Rehak et al. 2019).In 2018, the implementation of the guidelines of DIRECTIVE 2008/114 / EC was evaluated, which led to the conclusion that 18 European Union member states adopted proposals and requirements by amending the existing or adopting new national legislation.In agreement with neighboring countries, 11 Member States have designated at least one ECIs.At the European Union level, 93 ECIs were identified, of which 88 are in the energy sector and 5 in the transport sector (European Commission, 2019;Lazari, Simoncini, 2016).
The directives do not prescribe mandatory instruments for achieving results, but they do prescribe the results that candidate countries must achieve.Thus, Sweden and the United Kingdom are known as countries that have a developed framework for the protection of critical infrastructure, but do not have special national laws governing this area.On the other hand, countries such as Croatia (Law on critical infrastructures 2013), Bulgaria, Greece (Keković, Ninković, 2020), Hungary, Romania (Alexandru, Vevera, Ciupercă, 2019;Trbojević, 2018) have special national laws used to regulate the area of critical infrastructure protection.
In terms of establishing a framework of critical infrastructure protection, countries face significant differences between the financial and institutional capacities of the European Union member states and non-member states of the European Union (Petrakos, Kotzanikolaou, 2019).The geopolitical space of the Western Balkans consists of the Republic of Serbia, Kosovo, Bosnia and Herzegovina, the Republic of Northern Macedonia, Montenegro, and Albania.These countries are not member states of the European Union, but they are trying to reach and meet the standards of European integration.Most of the countries analyzed in this paper have opted for the adoption of specific national critical infrastructure protection laws, which contain the definition of critical infrastructure from DIRECTIVE 2008/114 / EC (with reasonable language/translation differences) and the basic sectoral distribution of vital infrastructures.To harmonize national legislation with the European Union regulations, and from the aspect of critical infrastructure protection, it is necessary to adjust the regulatory framework that includes the definition of critical infrastructure and ECIs, sectoral approach, operator security plans, liaison officers, contact point for coordination at the national level.The goal of this paper is to analyze the national laws for the protection of critical infrastructures in the Western Balkans, with an emphasis on the incorporation of provisions and operationalization of approaches for the critical infrastructure protection under DIRECTIVE 2008/114 / EC.In addition, we analyzed the provisions of national laws regulating the attitude of these countries towards ECIs, each of which, except Kosovo, directly borders one of the European Union member states.
The research in the article is based on the legal dogmatic method, comparative method, and content analysis.The paper identifies the key critical infrastructure protection components presented in DIRECTIVE 2008/114 / EC.This is followed by a comparative analysis that examines the impact and representation of the provisions of DIRECTIVE 2008/114 / EC in the specific laws (lex specialis) of the Western Balkans.In addition to official European and national regulations, there were also several other sources such as website articles, journals, and books.
In the Western Balkans countries, four specific laws were adopted setting out national frameworks for establishing critical infrastructure systems and incorporating (partly) the provisions of Directive 2008/114 / EC, and implementing critical infrastructure protection approaches in each country.The laws were adopted by Serbia, Kosovo, Montenegro, and Republika Srpska (an entity in Bosnia and Herzegovina with legislative powers in its territory).The Republic of Northern Macedonia and Albania have not yet adopted special legislation, nor has Bosnia and Herzegovina at the state level (only one entity).The laws of Serbia and Montenegro stipulate that the provisions on the protection of ESIs will be applied on the day of the country's accession to the European Union, the law of Kosovo does not specifically define the time frame for the application of ECIs, while the law of Republika Srpska does not define ECIs but International Critical Infrastructure (Sikimić, Gnjatović, 2021).In the final remarks, the authors try to determine the degree of application of the analyzed provisions in each of the analyzed countries, as well as causes and dilemmas in the process of operationalization of adopted laws, and they try to make recommendations for future actions regarding the protection of ECIs outside the European Union.The limitations of the research are that the analysis does not cover several national laws from each country that regulate certain aspects of security and protection, such as regulations for dealing with emergencies caused by natural disasters or cyber security.The research is focused only on the national lex specialis that define national critical infrastructure and ECIs.In addition, laws in Albania and Northern Macedonia were not analyzed, as such specific laws have not yet been adopted.
Through this paper, the authors want to contribute to the development of research regarding critical infrastructure in the scientific and academic community of the Western Balkans, where this subject, despite its relevance, seems underestimated.The practical significance is visible in a kind of cross-section of the situation in the field of critical infrastructure protection from the aspect of the process of integration (of analyzed countries) into the European community and protection of ECIs outside the European Union territorial borders (see more in: Petrović, 2022; Fejzullahu, Beleg, 2022).

National legal frameworks for critical infrastructure protection in the Western Balkan countries
Although the DIRECTIVE 2008/114/EC provides guidance on the protection of ECIs, the primary and ultimate responsibility for infrastructure safety is addressed to the Member States individually, their national legislation and critical infrastructure owners/operators.It emphasizes that it is necessary for the states to respect a common minimum when they evaluate responses to security requirements.The DIRECTIVE 2008/114 / EC also emphasizes an approach that takes into consideration all sources of threats and dangers, and it recommends involvement of the private sector in order to establish an integrated system for protection.Firstly, it is necessary to identify, determine and name national critical infrastructures within the sector, and subsequently to apply the criteria of interdependence, connectivity and cross-border element in order to designate.

INSIGHTS INTO REGIONAL DEVELOPMENT
ISSN Below, in the paper we analyzed national legislations in Western Balkans countries that adopted special laws for the critical infrastructure protection, according to the key components of the mentioned approach for the protection of ECIs: • Sectoral approach, • Operator security plans -OSPs, • Security Liaison officer / Contact person -SLO, • Identification / designation and protection of ECIs, and • National contact point.
The interconnectedness and interdependence of various infrastructural elements places the interest of critical infrastructure protection at the centre interlace between foreign policy and national security.It is also important to mention the policy of the European Union regarding the harmonization of regulations of the member states and the states that aspire to become member states.Thus, it is necessary to incorporate directive's guidance into domestic laws.
In 2018, the Republic of Serbia adopted the "Law on Critical Infrastructure" (Law on Critical Infrastructure, Official Gazette of the Republic of Serbia No. 87/2018).In order to make a review of this law, we analyzed several its articles.
• In the article 6 we see a sectoral approach where it is defined that the identification and determination of critical infrastructure are carried out in eight sectors of critical infrastructure: energy, transport, water, and food supply, health, finance, telecommunications and information technology, environmental protection, functioning of state bodies.For each of the above sectors of critical infrastructure one of the ministries that submit to the Ministry of Interior a proposal for critical infrastructure in its sector is responsible for, and critical infrastructure, at the proposal of the Ministry of Interior, is determined by the Government of Republic of Serbia • The article 8 refers that measures to reduce risks, responsibilities, and duties, and a framework for action to eliminate or reduce the consequences of security threats to critical infrastructure, are set out in the Security Plan of the Risk Management Operator.• Critical infrastructure operators are required by the legislator to appoint a Liaison Officer.This person is in charge of ensuring constant control of risks and threats, informs the Ministry of the Interior on the evaluation of risks, threats, and vulnerabilities, coordinates the Security Plan of the operator for risk management, and performs all other tasks related to critical infrastructure.The designated person must be licensed as a Liaison Officer, according to the article 9. The article 23 stipulates that the Law will take effect "one (1) year after its publication in the Official Journal of the Republic of Kosovo" (Official Journal of the Republic of Kosovo, No. 5/2018).
• According to the article 5 "The National Critical Infrastructure of the Republic of Kosovo shall be divided into sectors based on common areas of interest, to facilitate cooperation between partners and actors of the sector."Critical infrastructure sectors include premises of the Government, health care and public health, information and communication technology, transport, water, and wastewater services."Identification and determination of critical infrastructure will be carried out by the Ministry of Interior, in cooperation with reference bodies and international partners.• The article 9 refers: Owners/operators of national critical infrastructure and ECIs must develop an Operator Security Plan or equivalent plan that should contain the prescribed minimum of measures."An operator security plan or equivalent plan includes the identification, selection, and identification of all necessary measures to reduce vulnerabilities and ensure the operation of all identified critical areas or facilities or network systems."• The article 10 stipulates that each critical infrastructure sector should have a Security Coordinator, with a representative of the Ministry of Interior acting as Deputy Security Coordinator.In addition, owners/operators of national critical infrastructure should designate a Liaison Security Officer to act as a contact point for security issues of the national critical infrastructure facility, as well as connections between owners/operators of national and European critical infrastructures.• The article 11: "ECI is a classification of critical infrastructure located in a European country whose disruption or destruction will have a significant impact on at least two other European countries."The Government of the Republic of Kosovo, at the proposal of the Ministry of Interior, determines possible ECIs in the energy and transport sectors and their subsectors.Concerning the Security Plans of the Operators and the Liaison Officer in charge of the security of ECIs, the same provisions which regulate the duties of these persons in the protection of national critical infrastructure are applied.• The Ministry of Interior of the Republic of Kosovo has been designated as the contact point for the protection of ECIs.This Ministry also supervises the implementation of the Law on Critical Infrastructure of the Republic of Kosovo, written in the articles 17 and 19.
Bosnia and Herzegovina consist of two entities and one district, with an extremely complex security system in which overlapping competencies between state and entity bodies often come to focus.No special law on critical infrastructure was adopted at the state level, nor in the entity of the Federation of Bosnia and Herzegovina or the Brcko District of BIH.In the entity of Republika Srpska, in July 2019, the "Law on Critical Infrastructure Security in the Republika Srpska" was adopted (Official Gazette of Republika Srpska, No 58/19).
• The article 3 lists the sectors from which critical infrastructure is determined, namely: industry, energy, and mining; information and communication infrastructure; traffic; healthcare; utility services; water management; food and drinks; finance; production, storage, and transport of hazardous materials; public services; upbringing and education; cultural and natural assets.According to the articles 5 and 8, the competent republican administrative bodies propose critical infrastructure from their sectors, and the Minister of the Interior confirms the identified critical infrastructure by a decision.The methodology for determining critical infrastructure is also adopted by the Minister of the Interior.• The article 12: Responsible entities of critical infrastructure prepare a Security Plan, which includes measures to protect and ensure the continuation of critical infrastructure.• For each sector of critical infrastructure, the Security Coordinator for Critical Infrastructure and his deputy are appointed, as well as the person responsible for the management and protection of critical infrastructure facilities.The Security Coordinator and the person responsible for the management and protection of critical infrastructure are in charge of implementing the Security Plan for Critical Infrastructure Protection, for communication and coordination of protection with other sectors and the Ministry of Interior.
• In the article 4, paragraph 8 we seen that this law does not recognize ECIs but defines the International Critical Infrastructure as an infrastructure "which is defined as critical between two neighboring countries."• The Ministry of the Interior cooperates (in the context of this paper it is the contact point) with the critical infrastructure bodies of other countries and is in charge of supervising the implementation of the Law on Critical Infrastructure Security of the Republika Srpska, regulation of the articles 15-18.
In December 2019, Montenegro adopted the "Law on Determination and Protection of Critical Infrastructure", which was published in the Official Journal of Montenegro, no.72/2019 of 26.12. 2019, effective on 3. 1. 2020.
• According to the articles 9-11, identification and determination of critical infrastructure is performed in the sectors of energy, transport, water supply, health, finance, electronic communications, information and communication technologies, environmental protection, functioning of state bodies, and other areas of public interest.Ministries in charge of certain sectors submit proposals for critical infrastructures to the Ministry of the Interior.At the motion of this Ministry, the Government of Montenegro determines the critical infrastructure.• The article 14 and 15 prescribe the obligation of critical infrastructure operators to develop a Security Plan for the protection of critical infrastructure and to obtain the consent of the Ministry of Interior for the developed plan.Exceptionally, if a critical infrastrucutre operator already has a protection plan that qualifies for critical infrastructure protection, that plan will be considered a Critical Infrastructure Protection Security Plan.• The articles 18-20 prescribes the obligation for critical infrastructure operators to appoint a person for critical infrastructure protection (Coordinator) chosen among the employees.The coordinator must be qualified for the protection of critical infrastructure, and evidence for that qualification is passing the professional exam for the critical infrastructure protection.• The legal provisions on ECIs will be applied from the day of Montenegro's accession to the European Union, and ECIs may be determined in the sectors set by the European Commission body responsible for the critical infrastructure protection.ECIs are protected the same as national critical infrastructure in Montenegro unless otherwise defined by European Union regulationsthe articles 24-25.• The Ministry of the Interior is the contact point for the exchange of information and coordination of activities related to ECIs with other Member States and European Union bodies.The mentioned Ministry is also in charge of supervising the implementation of the Law on Determining and Protecting Critical Infrastructurethe articles 27 and 33.
facilities.In this regard, it is necessary to revise or amend the legislation in several areas, primarily in the field of information security.On the other hand, more flexible legal solutions compared to the European union countries are one of the leading factors that attract larger companies to operate in one of the Western Balkan countries.The political and security challenge for the entire region is the issue of Bosnia and Herzegovina, i.e. the current problem of division of competencies between the state and the entities, which is reflected in the critical infrastructure protection framework, which is not legally regulated at the state level in this country.In addition to coordinated critical infrastructure management at the international level, harmonization is also needed at the bilateral level (DCAF 2021;Charokopos 2021).The recommendation from the article is improvement of cooperation between the countries of the Western Balkans, regarding harmonizing methodologies, and close cooperation of national contact points for critical infrastructure -ministries responsible for interior affairs.

•
According to the articles 12 and 13, ECIs is a critical infrastructure of interest to at least two Member States of the European Union and may be determined in sectors defined by the European Commission.ECIs are protected on the territory of the Republic of Serbia in the same way as national critical infrastructure unless European Union regulations require otherwise.It is important to emphasize that Article 24 defines that the provisions relating to ECIs will start to apply on the day of the accession of the Republic of Serbia to the European Union.• The contact point for exchanging information with the Member States and bodies of the European Union, and coordination of activities related to ECIs is the Ministry of Internal Affairs of the Republic of Serbia.The mentioned Ministry is also in charge of supervising the implementation of the Law on Critical Infrastructure and by-laws adopted based on this Law, and it performs inspection supervision (Law on Critical Infrastructure, Official Gazette of the Republic of Serbia No. 87/2018, Articles 16-18).The Assembly of the Republic of Kosovo adopted Law No. 06 / L -014 on Critical Infrastructure, which was promulgated by Decree No. DL-016-2018 and published in the Official Gazette of the Republic of Kosovo in April 2018.