Critical infrastructure protection requires the evaluation of the criticality of infrastructures and the prioritization of critical assets. However, criticality analysis is not yet standardized. This paper examines the relation between risk and criticality. It analyzes the similarities and differences in terms of scope, aims, impact, threats and vulnerabilities; and proposes a generic risk-based criticality analysis methodology. The paper also presents a detailed list of impact criteria for assessing the criticality level of infrastructures. Emphasis is placed on impact types that are society-centric and/or sector-centric, unlike traditional risk analysis methodologies that mainly consider the organization-centric impact.