When Systems Fail: Why protecting Critical Infrastructure often starts with understanding people

Text | Johanna Karvonen

Europe’s daily life depends on a vast web of invisible systems such as power grids, digital networks, water supplies and emergency services. They keep society running, often so smoothly that we forget they exist. But recent crises have revealed that it is not just storms, hackers or blackouts that endanger us, but also how people and institutions behave when everything starts to break down. A new approach is emerging across Europe, one that sees resilience not simply as stronger technology, but as smarter humans and smarter systems working together.


Introduction

We are used to thinking of critical infrastructure as physical things such as pipes, cables, stations and satellites. Yet the events that can bring society to a halt, such as airport IT failures, cascading blackouts, interrupted communications and cyberattacks that disable hospitals, are rarely the result of a single broken component. Instead, they emerge from interconnected systems, where digital, physical and organisational worlds collide.

Europe’s regulatory response has been significant. The CER Directive (EU 2022/2557) requires essential services to prepare for an “all-hazards” environment. The NIS2 Directive (EU 2022/2555) expands cybersecurity obligations far beyond the IT department. And standards such as ISO 22316 define resilience as an organisational capability grounded in anticipation, adaptation and recovery (ISO, 2017).

But despite stronger laws and smarter technology, major disruptions continue. Why? Because resilience depends less on equipment than on how people interpret information, make decisions and coordinate across sectors. The main idea of this article is simple: to protect Critical Infrastructure in an era of cascading threats, Europe must build resilience around human cognition and systemic thinking, not just technical upgrades.

Where Today’s Systems Still Fall Short

Modern emergencies do not behave like predictable, isolated failures. A cyber breach can disrupt energy flows; a storm can knock out communications; a software outage in one airport can ripple across an entire continent. The Council Recommendation of 8 December 2022 acknowledges that existing preparedness tools struggle to capture these cross-sector effects (Council of the EU, 2022). Today’s risk models remain overly sectoral. Power grids plan for power issues. Transport plans for transport issues. Yet real crises spill across boundaries, sometimes within minutes. Recent events illustrate this vividly: in the April 2025 Iberian Peninsula blackout, a voltage surge cascaded into a massive outage across Spain and Portugal, halting transport and communications within minutes (El País, 2025).

When disaster strikes, institutions typically rely on checklists, predefined responsibilities and chain-of-command structures. These provide essential order, but only up to a point. In reality, crisis management needs more than just procedures. Crises often require flexible thinking, improvisation and rapid sensemaking. Hollnagel’s Resilience Engineering argues that organisations succeed not because systems never fail, but because people adapt to the unexpected (Hollnagel, 2011). Effective crisis response thus depends on the ability to anticipate and monitor subtle changes, not merely to follow plans. Yet Berlin’s January 2026 sabotage-induced blackout showed that rigid plans alone cannot restore power to tens of thousands during freezing weather without rapid improvisation and cross-agency coordination (Der Spiegel, 2026).

Post-incident reviews are common, but lessons often remain trapped in reports rather than shaping future practice. The EU Preparedness Union Strategy urges Member States to embed learning into long-term resilience building (European Commission, 2023a). Yet cross-sector learning remains inconsistent, and organisations often repeat past mistakes.

With digitalisation, climate pressures and hybrid threats accelerating, operators need a mixture of technical and cognitive skills such as cybersecurity awareness, crisis coordination, cross-sector communication and rapid decision-making. The Niinistö Report stresses the growing strategic importance of such competencies (Niinistö, 2023), and the Protect EU Communication highlights the need for enhanced preparedness capabilities (European Commission, 2023b). But Europe’s training systems have not fully caught up.

Cognitive and Systemic Resilience

The most advanced technology cannot compensate for poor decision-making. Cognitive resilience means that people and teams can recognise emerging threats, prioritise actions, avoid information overload and coordinate effectively under pressure. In his work, Hollnagel describes four basic potentials for resilient performance (Hollnagel, 2015):

  • The potential to respond. Knowing what to do or being able to respond to regular and irregular changes, disturbances, and opportunities by activating prepared actions or by adjusting current mode of functioning.
  • The potential to monitor. Knowing what to look for or being able to monitor that which is or could seriously affect the system’s performance in the near term – positively or negatively. The monitoring must cover the system’s own performance as well as what happens in the environment.
  • The potential to learn. Knowing what has happened, or being able to learn from experience, to learn the right lessons from the right experience.
  • The potential to anticipate. Knowing what to expect or being able to anticipate developments further into the future, such as possible disruptions, novel demands or constraints, new opportunities, or changing operating conditions.

In other words, when human operators understand how complex systems behave, they can detect failure patterns earlier and act more effectively.

Critical infrastructure resilience must also be viewed through a systems lens. The CER Directive requires risk assessments that consider dependencies across sectors. ISO 22316 similarly emphasises interconnected organisational capabilities. This means mapping how disruptions travel through networks, integrating cyber and physical risk analysis, and building shared situational awareness across infrastructure operators and public authorities. Systemic resilience acknowledges the uncomfortable truth that no system is isolated. Protecting one piece without understanding the whole leaves society vulnerable. The Iberian blackout demonstrated how weak cross-border grid links magnified the crisis, while recovery depended on emergency imports from France and Morocco (El País, 2025). Major crises cross organisational and national borders. Effective resilience requires interoperability, shared protocols and coordinated response structures. Both NIS2 and the Council Recommendation emphasise this principle. Cooperation should not begin only when a crisis does; it must be part of everyday practice.

Conclusion

Resilience is never finished. New vulnerabilities appear as fast as old ones are addressed. The Preparedness Union Strategy stresses continuous learning as a strategic necessity. This includes learning from near misses, exercises and real incidents, updating governance structures and revising assumptions about how systems behave. The goal is not to be perfect, but to be able to adapt better to future challenges. Post-incident reviews of the Iberian and Berlin outages are now driving changes in grid security and sabotage prevention, proof that learning must translate into systemic capability (El País, 2025; Clean Energy Wire, 2026).

Europe’s policy landscape has never been more robust. Directives, standards and strategies now define what resilience must look like. Yet resilience cannot be achieved by compliance alone. Protecting Critical Infrastructure in the 21st century requires a profound mental shift. It means recognising that resilience is not just built into hardware and software; it is part of people, organisations and relationships. It is the ability to anticipate weak signals, understand system dynamics, collaborate across boundaries and adapt in real time. Our Critical Infrastructure systems will never be free of risk. But by building a resilience model grounded in human understanding and cooperation with others, Europe can ensure that when disruptions occur, as they inevitably will, society can withstand them with strength and intelligence.

The language editing and structure for this text has been improved using Copilot.

References

URN http://urn.fi/URN:NBN:fi-fe202601299771
