Interview: the builder's playbook for Critical infrastructure resilience — hard-earned lessons

Europe's critical infrastructure faced €77 billion in climate-related disaster costs in 2023 alone—the hottest year on record—while the EU's annual investment gap for climate resilience stands at €344 billion. Yet across the continent, practitioners building power grids, water systems, and digital networks are discovering that resilience is not primarily a spending problem. It's a measurement problem. We spoke with infrastructure operators, regulators, and resilience engineers across Europe to understand what separates genuine adaptive capacity from what they call "measurement theater"—the appearance of resilience without the substance.

The Critical Entities Resilience (CER) Directive reached its transposition deadline in October 2024, and member states must now identify critical entities by July 2026. ISO 22372:2025, the first global standard specifically for infrastructure resilience, launched in November 2025. For sustainability leads navigating this evolving landscape, the question is no longer whether to invest in resilience but how to build systems that deliver measurable protection rather than compliance paperwork. Here's what practitioners have learned building resilience into Europe's most essential systems.

Why It Matters

Critical infrastructure—energy, transport, water, digital networks, healthcare facilities—underpins every aspect of modern society. When these systems fail, cascading effects multiply rapidly. A 2024 Joint Research Centre analysis found that in half of EU member states, fire stations are located in high-hazard areas for wildfires, landslides, floods, or earthquakes. In several countries, more than 80% of roads are highly susceptible to landslides.

The economics are stark. The World Bank and European Commission estimate that resilience spending of just 2-5% of capital budgets can reduce expected losses by up to 50%. Projected costs of climate inaction under high warming scenarios reach 7% of EU GDP. Yet despite €498 billion in climate investments across Europe in 2023, the continent remains dangerously exposed.

"We've spent two decades talking about climate adaptation in abstract terms," explains a senior resilience officer at a major European utility. "Now we're seeing real failures—the 2024 Valencia floods that killed over 200 people, grid outages during heat waves, water systems failing under drought stress. The gap between our resilience rhetoric and our actual adaptive capacity has become impossible to ignore."

For sustainability leads, the challenge extends beyond technical implementation. Reporting frameworks like TCFD, the EU Taxonomy, and the upcoming CSRD require credible disclosure of climate risks and adaptation measures. Without robust measurement systems, organisations face both regulatory exposure and reputational risk when resilience claims cannot withstand scrutiny.

Key Concepts

Data Quality as Foundation

"Every resilience failure I've investigated traces back to data quality problems," observes an infrastructure risk consultant who has assessed over 40 critical facilities across Europe. "Not lack of data—we're drowning in data. The problem is fitness for purpose. Weather stations that weren't designed for climate extremes. Asset registries that haven't been updated in years. Risk models built on historical baselines that no longer apply."

Practitioners distinguish between three data quality dimensions:

Spatial Resolution: Climate projections at 25km grid cells cannot inform decisions about specific substations or water treatment plants. Downscaling introduces uncertainties that propagate through risk assessments. Leading operators invest in site-specific monitoring rather than relying solely on regional climate models.

Temporal Relevance: Infrastructure designed to 1-in-100-year flood standards faces fundamentally different exposure when climate change shifts return periods. A 2024 OECD analysis found that many European infrastructure assets use design standards based on climate data from the 1970s and 1980s.

Asset Condition Data: Physical resilience depends on actual asset condition, not design specifications. Ageing infrastructure behaves differently under stress. Operators who integrate condition monitoring with climate hazard data achieve more accurate vulnerability assessments.

Standards Alignment

The proliferation of resilience frameworks creates both opportunity and confusion. ISO 22372:2025 provides the first globally recognised standard for infrastructure resilience, built on the UNDRR Principles for Resilient Infrastructure and aligned with the Sendai Framework. The standard's Plan-Do-Check-Act structure includes specific guidance on monitoring and reporting (P6A3), performance management (P1A8), and establishing redundancy within monitoring systems (P6A7).

"The ISO standard finally gives us common language," notes a policy specialist at a national infrastructure regulator. "Before, every operator defined resilience differently. Some focused purely on physical hardening. Others emphasised operational flexibility. A few understood systemic interdependencies. Now we can benchmark and compare."

The CER Directive adds regulatory force, requiring member states to adopt national resilience strategies by January 2026 and identify critical entities across 11 sectors. The Network Code on Cybersecurity for electricity, published in May 2024, addresses the specific challenges of real-time grid operations and cascading failures.

Avoiding Measurement Theater

Measurement theater occurs when organisations optimise for metrics rather than outcomes—producing impressive dashboards and reports while actual resilience remains unchanged or deteriorates.

"I've seen organisations with beautiful resilience scorecards fail catastrophically during actual events," recounts an emergency response coordinator. "They measured what was easy to measure, not what mattered. Compliance percentages. Training completion rates. Drill frequencies. But they couldn't tell you whether their backup generators would actually start, whether their flood barriers were properly maintained, or whether staff knew what to do when multiple systems failed simultaneously."

Practitioners identify warning signs of measurement theater:

• Metrics focused on inputs (money spent, plans written) rather than outcomes (recovery time, service continuity)
• Absence of stress testing under realistic failure scenarios
• Resilience assessments conducted by teams with no operational experience
• Data collection divorced from operational decision-making
• Reporting cycles misaligned with actual hazard timescales

What's Working

Ørsted's Climate Resilience Integration

Danish energy company Ørsted has embedded climate resilience into offshore wind project design from the earliest stages. Their approach combines high-resolution climate projections with asset-specific vulnerability assessments, informing foundation design, cable routing, and operational protocols. Following damage to Baltic Sea infrastructure, Ørsted accelerated investments in subsea cable protection and grid connection redundancy.

"We learned that resilience isn't an add-on you retrofit," explains an Ørsted engineer. "It has to be designed in from the start. The cost of hardening a wind farm against extreme weather during construction is a fraction of emergency repairs after the fact."

Thames Water's Integrated Monitoring

Despite financial challenges, Thames Water has invested in integrated asset monitoring that combines real-time sensor data with climate hazard projections. The system tracks pipe condition, ground movement, and precipitation patterns to predict failure risks before they materialise. During the 2024 drought, this approach enabled proactive pressure management that reduced burst mains by 23% compared to the 2022 event.

"Traditional water utilities react to failures," notes a Thames Water operations manager. "We're trying to anticipate them. The data isn't perfect, but imperfect data that informs action beats perfect data that arrives too late."

Austrian Power Grid's Scenario Planning

Austrian Power Grid (APG) conducts regular stress tests incorporating multiple simultaneous failures—a approach that proved its value during the January 2025 cold snap that stressed European electricity systems. APG's scenario planning had anticipated the specific combination of high demand, reduced imports, and renewable intermittency, enabling pre-positioned reserves and load management agreements.

"The scenarios that matter aren't the ones you expect," observes an APG planning director. "It's the combinations—the wildfire that takes out transmission lines during a heat wave when demand peaks and everyone needs air conditioning. You have to practice for the implausible."

What's Not Working

Siloed Risk Assessments

Despite growing awareness of systemic risks, most infrastructure operators still conduct resilience assessments in isolation. A telecommunications company may harden its data centres without understanding that the power utility serving those facilities has different vulnerability assumptions. Water treatment plants may invest in flood protection while their chemical supply chains remain exposed.

"We map dependencies on paper, but we don't test them," admits an infrastructure interdependency researcher. "When the 2024 Valencia floods hit, the cascading failures were predictable—but no single organisation had responsibility for understanding the whole system."

The CER Directive attempts to address this through cross-sector coordination requirements, but implementation remains fragmented. Few member states have established effective mechanisms for sharing vulnerability data across sectors.

Over-Reliance on Historical Data

Many infrastructure operators continue to use backward-looking risk assessments despite clear evidence that historical patterns no longer predict future hazards. Insurance models, engineering standards, and investment frameworks often embed climate assumptions from decades past.

"We had a client in southern Spain whose flood risk assessment used data from 1970-2000," recounts a climate risk consultant. "The actual precipitation patterns have shifted dramatically. Their '500-year flood' protection is probably closer to 50-year protection under current conditions."

The challenge is not merely technical. Updating risk assessments often reveals that existing assets are under-protected, creating liability concerns and capital requirements that organisations prefer to avoid.

Measurement Without Action Loops

Perhaps the most pervasive failure is collecting resilience data that never connects to operational decisions. Organisations install sensors, conduct assessments, and produce reports that circulate through committees without triggering actual changes.

"I've audited facilities with excellent monitoring systems where the alarms had been set to 'acknowledge only' because staff found the alerts annoying," shares an infrastructure safety inspector. "The data existed. The intelligence existed. But the feedback loop to action was broken."

Key Players

Established Leaders

• Siemens Energy — Global leader in grid infrastructure with dedicated Climate Adaptation Services division. Deployed AI-based predictive maintenance across 50+ European utilities.
• Veolia — World's largest water and waste utility with €1.2B annual resilience investment programme. Operating climate-adapted water systems across 40 countries.
• National Grid ESO — UK electricity system operator pioneering real-time resilience monitoring and cross-border coordination.
• RTE (Réseau de Transport d'Électricité) — French transmission operator with advanced climate scenario integration and €33B grid investment programme through 2040.

Emerging Startups

• Cervest — UK-based climate intelligence platform providing asset-level climate risk ratings. Raised $30M Series B in 2024.
• One Concern — AI-powered resilience analytics for infrastructure operators. Deployed across European utilities following 2023 expansion.
• Climada Technologies — ETH Zurich spinoff providing open-source climate risk modelling. Supporting UNDRR resilience assessments.
• Previsico — Real-time flood forecasting at property level. Partnered with UK Environment Agency and expanding across Europe.

Key Investors & Funders

• European Investment Bank — €250B climate action programme including infrastructure resilience financing.
• EU Innovation Fund — Supporting first-of-kind resilience technologies and demonstration projects.
• Munich Re Ventures — Active investor in climate risk analytics and resilience technology companies.
• Breakthrough Energy Ventures — Backing grid resilience and climate adaptation solutions.

Action Checklist

1. Audit your data foundations: Review the climate data, asset condition data, and risk models informing resilience decisions. Identify gaps in spatial resolution, temporal relevance, and asset condition accuracy. Prioritise site-specific monitoring over regional proxies.

2. Map interdependencies systematically: Document dependencies on external infrastructure—power, water, telecommunications, transport. Engage directly with critical suppliers to understand their vulnerability assumptions and backup capabilities.

3. Align with ISO 22372:2025: Use the new infrastructure resilience standard as your organising framework. The Plan-Do-Check-Act structure provides clear guidance on monitoring, reporting, and continuous improvement.

4. Stress test for combinations: Design scenario exercises that combine multiple simultaneous failures. Test recovery procedures under realistic conditions, including staff unavailability, communication failures, and supply chain disruptions.

5. Connect measurement to action: Ensure every resilience metric has a defined threshold that triggers specific operational responses. Audit whether alarms and alerts actually reach decision-makers and whether responses are documented.

6. Engage cross-sector coordination: Participate in regional critical infrastructure protection forums. Share vulnerability data with interdependent operators. Support CER Directive implementation in your jurisdiction.

7. Update design standards: Review whether current engineering standards reflect current and projected climate conditions. Advocate for updated codes where standards bodies have not kept pace with observed changes.

8. Budget for adaptation, not just recovery: Ensure capital planning includes proactive resilience investments, not just post-disaster repairs. Target 2-5% of capital budgets for resilience measures to achieve 50% loss reduction.

FAQ

Q: How do we distinguish genuine resilience improvements from measurement theater? A: Focus on outcomes rather than inputs. Genuine resilience improvements should demonstrate measurable changes in recovery time, service continuity during stress events, or reduced damage from actual hazards. Ask whether the resilience measures have been tested under realistic failure conditions—not just tabletop exercises, but actual stress tests with real equipment and personnel. Be suspicious of metrics that are easy to collect but disconnected from actual performance. Compliance percentages and training completion rates matter less than demonstrated capability to maintain services when systems fail. The most credible evidence comes from performance during actual events: did the organisation recover faster, maintain more services, or suffer less damage than comparable peers?

Q: What's the relationship between the CER Directive and ISO 22372:2025? A: The CER Directive establishes legal requirements for EU member states and critical entities, while ISO 22372:2025 provides technical guidance for implementation. The Directive requires member states to adopt national resilience strategies by January 2026 and identify critical entities across 11 sectors by July 2026. Critical entities must then conduct risk assessments and implement resilience measures. ISO 22372 offers a globally recognised framework for how to structure those assessments and measures, with specific guidance on monitoring, reporting, and continuous improvement. Organisations implementing ISO 22372 will likely find it easier to demonstrate CER Directive compliance, though the standard is not explicitly referenced in the Directive. The ISO standard also provides common language for cross-border coordination, which the Directive's provisions on entities of particular European significance will require.

Q: How should we handle the tension between disclosing climate vulnerabilities and protecting commercially sensitive information? A: This tension is real and requires careful navigation. Start by distinguishing between vulnerability disclosure (which may attract regulatory attention or affect asset valuations) and resilience capability disclosure (which can differentiate your organisation positively). Many leading organisations are moving toward aggregated vulnerability disclosure—reporting on portfolio-level exposure without revealing specific asset weaknesses. Participate in sector-level initiatives where aggregated data provides useful benchmarks without exposing individual organisations. For TCFD and CSRD reporting, focus on demonstrating that you have robust processes for identifying and managing climate risks, rather than cataloguing every vulnerability. Engage with your legal and investor relations teams early to develop disclosure approaches that satisfy regulatory requirements while protecting legitimate commercial interests.

Q: What's the minimum investment needed to achieve meaningful resilience improvements? A: The World Bank and European Commission research suggests that resilience spending of 2-5% of capital budgets can reduce expected losses by up to 50%—a compelling return on investment. However, the effectiveness depends heavily on how the money is spent. Prioritise investments informed by site-specific vulnerability assessments rather than generic hardening. Focus on critical failure points where small interventions can prevent large cascades. Operational resilience measures—cross-training, backup procedures, redundant communications—often cost far less than physical hardening while delivering substantial benefits. For most organisations, the initial investment should focus on understanding vulnerabilities (data quality, risk assessment) before committing to major capital expenditure. A €100,000 investment in proper vulnerability assessment may prevent a €10 million investment in the wrong resilience measures.

Q: How do we ensure resilience investments remain relevant as climate conditions continue to change? A: Build adaptive capacity rather than optimising for specific climate scenarios. Design infrastructure with adjustment margins—slightly oversized drainage, modular components that can be upgraded, operational flexibility that accommodates a range of conditions. Invest in monitoring systems that will detect when conditions are approaching design limits, triggering reassessment before failures occur. Establish regular review cycles (3-5 years) to reassess climate projections and adjust resilience measures accordingly. Avoid locking in long-lived assets designed for historical conditions. Where major investments are unavoidable, use decision frameworks like real options analysis that value flexibility and future adjustment capability. Engage with climate science communities to understand where projections are most uncertain and design resilience measures that perform acceptably across the range of possible futures.

Sources

• European Commission Joint Research Centre. (2024). "Escalating Impacts of Climate Extremes on Critical Infrastructures in Europe." https://publications.jrc.ec.europa.eu/
• I4CE Institute for Climate Economics. (2025). "The State of Europe's Climate Investment, 2025 Edition." https://www.i4ce.org/en/publication/state-europe-climate-investment-2025-edition/
• World Bank & European Commission. (2024). "Economics for Disaster Prevention and Preparedness." https://www.worldbank.org/en/news/press-release/2024/05/15/europe-urgently-needs-to-increase-its-disaster-and-climate-resilience
• ISO. (2025). "ISO 22372:2025 — Security and Resilience — Community Resilience — Guidelines for Infrastructure Resilience." https://www.iso.org/standard/50275.html
• OECD. (2024). "Infrastructure for a Climate-Resilient Future." https://www.oecd.org/en/publications/2024/04/infrastructure-for-a-climate-resilient-future_c6c0dc64.html
• European Commission. (2024). "Critical Entities Resilience (CER) Directive Implementation Guidance." https://home-affairs.ec.europa.eu/policies/internal-security/counter-terrorism-and-radicalisation/protection/critical-infrastructure-resilience-eu-level_en
• UNDRR. (2025). "New Global Standard on Resilient Infrastructure Launched: ISO 22372 Sets a Benchmark for Safer, Risk-Informed Development." https://www.undrr.org/news/new-global-standard-resilient-infrastructure-launched-iso-22372-sets-benchmark-safer-risk
• European Investment Bank. (2024). "Investment Report 2024/25: Innovation, Integration, Simplification." https://www.eib.org/en/publications/20240354-investment-report-2024

The transformation of Europe's critical infrastructure from climate vulnerability to genuine resilience is no longer optional. With €344 billion in annual investment gaps, €77 billion in recent disaster costs, and regulatory frameworks like the CER Directive creating new obligations, sustainability leads must move beyond measurement theater toward systems that deliver measurable protection. The practitioners we spoke with are clear: resilience is built through rigorous data quality, standards alignment, stress-tested capabilities, and action loops that connect monitoring to operational decisions. Those who master these fundamentals will protect not just their organisations but the essential services on which European society depends.