Digital transformation is accelerating the digital reliance of critical economic and social activities. In parallel, digital security threats have been growing in number and sophistication. Many governments are anticipating a greater occurrence and severity of digital security incidents affecting critical activities in the coming years, potentially leading to large-scale disasters.

This situation pushes governments to adopt policies that strengthen digital security of critical activities. However, such policies should not undermine the benefits from digital transformation in critical sectors through constraints that would inhibit innovation or unnecessarily restrict the use, dynamic nature and openness of digital technologies.

Adopted in December 2019, the OECD Recommendation on Digital Security of Critical Activities sets out a range of policy recommendations to ensure that policies targeting operators of critical activities focus on what is critical for the economy and society without imposing unnecessary burdens on the rest. These recommendations support adherents in:
 

• adapting their overarching policy framework;
   
• promoting and building trust-based partnerships; and
   
• improving co-operation at the international level. 

The Recommendation also clarifies how this public policy area relates to broader national risk management/critical infrastructure protection policy.

 Download the Recommendation and explanatory note: English | français

 

Background

This Recommendation updates and replaces the 2008 Recommendation on the Protection of Critical Information Infrastructures (CIIP). As the first international legal instrument in this area, the CIIP Recommendation played a key role to raise awareness about the need to develop policies to protect critical information infrastructure. In 2017, the review of the CIIP Recommendation concluded that there was a need to update it in order to: 

• modernise the core concepts to ensure coherence with the 2015 Recommendation on Digital Security Risk Management for Economic and Social Prosperity;
   
• clarify the scope of this policy area, including where it stands within the broader landscape of digital security policy and national risk management/critical infrastructure protection policy; and
   
• take into account changes since 2008 as well as the experience acquired by countries in implementing policies in this area.
   

The resulting 2019 Recommendation on Digital Security of Critical Activities provides guidance on how to implement the 2015 Recommendation on Digital Security Risk Management for Economic and Social Prosperity to maintain the continuity, resilience and safety of critical activities without inhibiting the benefits from digital transformation.

 

Further reading

• Policies for the protection of critical information infrastructure: Ten years later, report on the review of the 2008 OECD Recommendation on the Protection of Critical Information Infrastructure (CIIP)
• Workshop on Digital Security and Resilience in Critical Infrastructure and Essential Services, February 2018
• Global Forum on Digital Security for Prosperity
• More OECD work on digital security and privacy
   

 Related OECD legal instruments

• Recommendation on Digital Security Risk Management for Economic and Social Prosperity
• Ministerial Declaration on the Digital Economy: Innovation, Growth and Social Prosperity ("Cancún Declaration")
• Recommendation concerning Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data
• Recommendation on Principles for Internet Policy Making
• Recommendation on the Governance of Critical Risks