This report analyses responses to a questionnaire circulated to OECD delegations for the review of the 2008 OECD Recommendation on the Protection of Critical Information Infrastructure (CIIP). It includes suggestions to guide the updating of the Recommendation. The update comes against a backdrop of fast digital transformation and increased digital reliance of businesses and governments; increased frequency and severity of cybersecurity attacks on critical information infrastructure; the rise of state-sponsored attacks including digital sabotage and espionage; and increased capacity of attackers. The update of the Recommendation serves as an opportunity to make changes to its purpose and scope; to insert key messages based on overarching themes from the responses; and to adjust the Recommendation in line with current and anticipated evolutions in contexts, risks and policies.