4.2. Designating critical information infrastructure sectors

In South Africa, the Critical Infrastructure Protection Act 8 of 2019 provides that the Cabinet Minister responsible for policing may declare infrastructure as ‘critical’ based on the recommendation of the Critical Infrastructure Council, the application for declaration of infrastructure as critical infrastructure, and any other relevant information.

In Tanzania’s Cybercrime Act of 2015, the Minister may designate a computer system as critical information infrastructure, by order published in the Gazette. The order may prescribe guidelines or procedures for the registration, protection, management of critical information infrastructure, management and storage of associated data,  disaster recovery plans, and audit.

In Kenya’s Computer Misuse and Cybercrimes Act, 2018, the  Director, who is the secretary to the National Computer and Cybercrimes Coordination Committee (NC4), shall designate a system as a critical infrastructure if it meets the definition of critical infrastructure and is in line with a critical infrastructure framework.

In Nigeria’s, the Cybercrimes (Prohibition, Prevention, etc) Act, 2015, the President may, on the recommendation of the National Security Adviser, by order published in the Federal Gazette, designate certain computer systems, and/or networks as constituting Critical National Information Infrastructure if they would, when incapacitated or destroyed, debilitate national or economic security, public health, and safety.

Ghana’s Cybersecurity Act, 2020 (Sections 35) has designated 13 CII sectors: National Security and Intelligence, Information and Communications Technology (ICT), Banking and Finance, Energy, Water, Transportation, Health, Emergency Services, Government, Food and Agriculture, Manufacturing, Mining, and Education.

The Botswana National Cybersecurity Strategy has identified the following sectors as national critical infrastructure sectors with regard to cybersecurity: finance, communications, energy, water, emergency services, food, public safety, health, public services, and e-government.

Kenya’s Director, National Computer and Cybercrimes Coordination Committee (NC4), in a Gazette Notice ( effective  20 January 2022), designated as Critical Infrastructure the following sectors: Telecommunications, Electoral, Judicial, Education, Health, Food, Water, Land, Energy, Transport and Industry, Banking, Finance, Defence, Security, and Public safety.

The Mauritius National Cybersecurity Strategy identifies the critical sectors as financial services, Tourism, electricity, water, ICT and Broadcasting, Health, Government Services, Manufacturing, Transport and Logistics, Sugar and Customs.

The University of Fairfax Webinar discusses:

• The US National Infrastructure Protection Plan (NIPP),

Critical infrastructure sectors,

• The common cyber risks shared by all elements of the critical infrastructure,
• How Presidential Policy Directive/PPD 21 – Critical Infrastructure Security and Resilience supports the need for cyber risk resilience,
• An overview of the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity,
• How it supports critical infrastructure protection and suggestions to enhance cyber risk resilience.

The United States of America has 16 CI sectors: Chemical; Commercial Facilities; Communications; Critical Manufacturing; Dams; Defense Industrial Base; Emergency Services; Energy; Financial Services; Food and Agriculture; Government Facilities; Healthcare and Public Health; Information Technology; Nuclear Reactors, Material, and Waste; Transportation Systems; and Water and Wastewater Systems.

The European Union (EU) Directive on Security of Network and Information Systems (NIS Directive) mandates that member State adopt a national strategy on the security of network and information systems defining the strategic objectives and appropriate policy and regulatory measures covering at least the seven CI sectors: Energy, Transport, Banking, Financial Market, Health, Drinking Water Supply and Distribution, and Digital Infrastructure.

The Report from the Commission to the European Parliament and the Council assesses the consistency of the approaches taken by the Member States in the identification of operators of essential services (OES) in accordance with Article 23(1) of Directive 2016/1148/EU on the security of network and information systems.

The CIIP law in France adopted in December 2013 and the framework for the ‘security of activities of vital importance’ established in 1998 identifies more than 200 critical operators (called ‘operators of vital importance’) in 12 sectors including: Food, Health, Water, Telecom and Broadcasting, Space and Research, Industry, Energy, Transport, Finance, Civilian administration, Military activities and Justice. By law, these operators are required to identify their ‘critical information systems’ that is, those systems ‘whose unavailability could strongly threaten the economic or military potential, the security or the resilience of the Nation’.

The UK’s Centre for the Protection of National Infrastructure (CPNI) has designated 13 national infrastructure sectors: Chemicals, Civil Nuclear, Communications, Defence, Emergency Services, Energy, Finance, Food, Government, Health, Space, Transport, and Water. Several sectors have defined ‘sub-sectors’; Emergency Services, for example, can be split into Police, Ambulance, Fire Services, and Coast Guard.

Based on the national, regional, and international examples of definition, identification and classification of critical infrastructure discussed, using your country as an example:

• Define Critical Infrastructure and Critical Information Infrastructure CI(I);
• Identify the CI;(I)
• Classify the CI(I);
• What principles/criteria did you use?