REPORT on the proposal for a directive of the European Parliament and of the Council on the resilience of critical entities

15.10.2021 - (COM(2020)0829 – C9‑0421/2020 – 2020/0365(COD)) - ***I

Committee on Civil Liberties, Justice and Home Affairs
Rapporteur: Michal Šimečka
Rapporteurs for the opinion (*):
Nils Torvalds, Committee on Industry, Research and Energy
Alex Agius Saliba, Committee on Internal Market and Consumer Protection
(*) Associated committees – Rule 57 of the Rules of Procedure



DRAFT EUROPEAN PARLIAMENT LEGISLATIVE RESOLUTION

on the proposal for a directive of the European Parliament and of the Council on the resilience of critical entities

(COM(2020)0829 – C9‑0421/2020 – 2020/0365(COD))

(Ordinary legislative procedure: first reading)

The European Parliament,

 having regard to the Commission proposal to Parliament and the Council (COM(2020)0829),

 having regard to Article 294(2) and Article 114 of the Treaty on the Functioning of the European Union, pursuant to which the Commission submitted the proposal to Parliament (C9‑0421/2020),

 having regard to Article 294(3) of the Treaty on the Functioning of the European Union,

 having regard to Rule 59 of its Rules of Procedure,

 having regard to the opinions of the Committee on Industry, Research and Energy, the Committee on Internal Market and Consumer Protection, the Committee on Foreign Affairs and the Committee on Transport and Tourism,

 having regard to the report of the Committee on Civil Liberties, Justice and Home Affairs (A9-0289/2021),

1. Adopts its position at first reading hereinafter set out;

2. Calls on the Commission to refer the matter to Parliament again if it replaces, substantially amends or intends to substantially amend its proposal;

3. Instructs its President to forward its position to the Council, the Commission and the national parliaments.


 

Amendment  1

Proposal for a directive

Recital 1

 

Text proposed by the Commission

(1) Council Directive 2008/114/EC¹⁷ provides for a procedure for designating European critical infrastructures in the energy and transport sectors, the disruption or destruction of which would have significant cross-border impact on at least two Member States. That Directive focused exclusively on the protection of such infrastructures. However, the evaluation of Directive 2008/114/EC conducted in 2019¹⁸ found that due to the increasingly interconnected and cross-border nature of operations using critical infrastructure, protective measures relating to individual assets alone are insufficient to prevent all disruptions from taking place. Therefore, it is necessary to shift the approach towards ensuring the resilience of critical entities, that is, their ability to mitigate, absorb, accommodate to and recover from incidents that have the potential to disrupt the operations of the critical entity.

Amendment

(1) Council Directive 2008/114/EC¹⁷ provides for a procedure for designating European critical infrastructures in the energy and transport sectors, the disruption or destruction of which would have significant cross-border impact on at least two Member States. That Directive focused exclusively on the protection of such infrastructures. However, the evaluation of Directive 2008/114/EC conducted in 2019¹⁸ found that due to the increasingly interconnected and cross-border nature of operations using critical infrastructure, protective measures relating to individual assets alone are insufficient to prevent all disruptions from taking place. Therefore, it is necessary to shift the approach towards ensuring the resilience of critical entities, that is, their ability to mitigate, absorb, react, accommodate to and recover from incidents that have the potential to disrupt the provision of essential services by the critical entity, the free movement of essential services and the functioning of the internal market.

_________________

17 Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection (OJ L 345, 23.12.2008, p.75).

18 SWD(2019) 308.

Amendment  2

Proposal for a directive

Recital 2

 

Text proposed by the Commission

(2) Despite existing measures at Union¹⁹ and national level aimed at supporting the protection of critical infrastructures in the Union, the entities operating those infrastructures are not adequately equipped to address current and anticipated future risks to their operations that may result in disruptions of the provision of services that are essential for the performance of vital societal functions or economic activities. This is due to a dynamic threat landscape with an evolving terrorist threat and growing interdependencies between infrastructures and sectors, as well as an increased physical risk due to natural disasters and climate change, which increases the frequency and scale of extreme weather events and brings long-term changes in average climate that can reduce the capacity and efficiency of certain infrastructure types if resilience or climate adaptation measures are not in place. Moreover, relevant sectors and types of entities are not recognised consistently as critical in all Member States.

Amendment

(2) Despite existing measures at Union¹⁹ and national level aimed at supporting the protection of critical infrastructures in the Union, the entities operating those infrastructures are not always adequately equipped to address current and anticipated future risks to their operations that may result in disruptions of the provision of services that are essential for the performance of vital societal functions or economic activities. This is due to a dynamic threat landscape with evolving hybrid and terrorist threats and growing interdependencies between infrastructures and sectors, as well as an increased physical risk due to natural disasters and climate change, which increases the frequency and scale of extreme weather events and brings long-term changes in average climate that can reduce the capacity, efficiency and lifespan of certain infrastructure types if resilience or climate adaptation measures are not in place. Moreover, relevant sectors and types of entities are not recognised consistently as critical in all Member States. At Union level there is no single recognised list of critical infrastructure sectors. Instead, different legal acts cover different sectors.

_________________

19 European Programme for Critical Infrastructure Protection (EPCIP).

Amendment  3

Proposal for a directive

Recital 2 a (new)

 

Text proposed by the Commission

Amendment

 

(2a) Certain critical infrastructures have a pan-European dimension, such as the European Organisation for the Safety of Air Navigation, Eurocontrol, and the Union’s Global Satellite Navigation System, Galileo.

Amendment  4

Proposal for a directive

Recital 3

 

Text proposed by the Commission

(3) Those growing interdependencies are the result of an increasingly cross-border and interdependent network of service provision using key infrastructures across the Union in the sectors of energy, transport, banking, financial market infrastructure, digital infrastructure, drinking and waste water, health, certain aspects of public administration, as well as space in as far as the provision of certain services depending on ground-based infrastructures that are owned, managed and operated either by Member States or by private parties is concerned, therefore not covering infrastructures owned, managed or operated by or on behalf of the Union as part of its space programmes. These interdependencies mean that any disruption, even one initially confined to one entity or one sector, can have cascading effects more broadly, potentially resulting in far-reaching and long-lasting negative impacts in the delivery of services across the internal market. The COVID-19 pandemic has shown the vulnerability of our increasingly interdependent societies in the face of low-probability risks.

Amendment

(3) Those growing interdependencies are the result of an increasingly cross-border and interdependent network of service provision using key infrastructures across the Union in the sectors of energy, transport, banking, financial market infrastructure, digital infrastructure, drinking and waste water, food production, processing and delivery, health, certain aspects of public administration, as well as space in as far as the provision of certain services depending on ground-based infrastructures that are owned, managed and operated either by Member States or by private parties is concerned, therefore not covering infrastructures owned, managed or operated by or on behalf of the Union as part of its space programmes. These interdependencies mean that any disruption of essential services, even one initially confined to one entity or one sector, can have cascading effects more broadly, potentially resulting in far-reaching and long-lasting negative impacts on the delivery of services across the internal market. The COVID-19 pandemic has shown the vulnerability of our increasingly interdependent societies in the face of low-probability risks.

Amendment  5

Proposal for a directive

Recital 4

 

Text proposed by the Commission

(4) The entities involved in the provision of essential services are increasingly subject to diverging requirements imposed under the laws of the Member States. The fact that some Member States have less stringent security requirements on these entities not only risks impacting negatively on the maintenance of vital societal functions or economic activities across the Union, it also leads to obstacles to the proper functioning of the internal market. Similar types of entities are considered as critical in some Member States but not in others, and those which are identified as critical are subject to divergent requirements in different Member States. This results in additional and unnecessary administrative burdens for companies operating across borders, notably for companies active in Member States with more stringent requirements.

Amendment

(4) The entities involved in the provision of essential services are subject to diverging requirements imposed under the laws of the Member States. The fact that some Member States have less stringent security requirements on these entities not only creates varying levels of resilience but also impacts negatively on the maintenance of vital societal functions or economic activities across the Union, and leads to unfair competition and to obstacles to the proper functioning of the internal market. Investors and companies can rely on and trust critical entities that are resilient, and reliability and trust are cornerstones of a well-functioning internal market. Similar types of entities are considered as critical in some Member States but not in others, and those which are identified as critical are subject to divergent requirements in different Member States. This results in additional and unnecessary administrative burdens for companies operating across borders, notably for companies active in Member States with more stringent requirements. A Union framework will therefore also have the effect of levelling the playing field for critical entities across the Union.

Amendment  6

Proposal for a directive

Recital 5

 

Text proposed by the Commission

(5) It is therefore necessary to lay down harmonised minimum rules to ensure the provision of essential services in the internal market and enhance the resilience of critical entities.

Amendment

(5) It is therefore necessary to lay down harmonised minimum rules to ensure the provision and free movement of essential services in the internal market, to enhance the resilience of critical entities and to improve cross-border cooperation between competent authorities. It is essential that those rules be future-proof. To that end, the aim of this Directive is to make critical entities resilient, thereby improving their capacity to ensure the continuous provision of essential services in the face of a diverse set of risks. By laying down minimum rules, this Directive enables Member States to adopt or maintain more stringent rules to ensure the provision of essential services in the internal market and enhance resilience of critical entities.

Amendment  7

Proposal for a directive

Recital 6

 

Text proposed by the Commission

(6) In order to achieve that objective, Member States should identify critical entities that should be subject to specific requirements and oversight, but also particular support and guidance aimed at achieving a high level of resilience in the face of all relevant risks.

Amendment

(6) In order to achieve that objective, Member States should identify critical entities that provide essential services in the sectors and subsectors set out in the Annex to this Directive. Those critical entities should be subject to specific requirements and oversight, but also particular support and guidance aimed at achieving a high level of resilience in the face of all relevant risks.

Amendment  8

Proposal for a directive

Recital 7

 

Text proposed by the Commission

(7) Certain sectors of the economy such as energy and transport are already regulated or may be regulated in the future by sector-specific acts of Union law that contain rules related to certain aspects of resilience of entities operating in those sectors. In order to address in a comprehensive manner the resilience of those entities that are critical for the proper functioning of the internal market, those sector-specific measures should be complemented by the ones provided for in this Directive, which creates an overarching framework that addresses critical entities’ resilience in respect of all hazards, that is, natural and man-made, accidental and intentional.

Amendment

(7) Certain sectors of the economy such as energy and transport are already regulated or may be regulated in the future by sector-specific acts of Union law that contain rules related to certain aspects of resilience of entities operating in those sectors. In order to address in a comprehensive manner the resilience of those entities that are critical for the proper functioning of the internal market, those sector-specific measures should be regarded as lex specialis and should be complemented by the ones provided for in this Directive, which creates an overarching framework that addresses critical entities’ resilience in respect of all hazards, that is, natural and man-made, accidental and intentional.

Amendment  9

Proposal for a directive

Recital 8

 

Text proposed by the Commission

(8) Given the importance of cybersecurity for the resilience of critical entities and in the interest of consistency, a coherent approach between this Directive and Directive (EU) XX/YY of the European Parliament and of the Council²⁰ [Proposed Directive on measures for a high common level of cybersecurity across the Union; (hereafter “NIS 2 Directive”)] is necessary wherever possible. In view of the higher frequency and particular characteristics of cyber risks, the NIS 2 Directive imposes comprehensive requirements on a large set of entities to ensure their cybersecurity. Given that cybersecurity is addressed sufficiently in the NIS 2 Directive, the matters covered by it should be excluded from the scope of this Directive, without prejudice to the particular regime for entities in the digital infrastructure sector.

Amendment

(8) Given the importance of cybersecurity for the resilience of critical entities and in the interest of consistency, a coherent approach between this Directive and Directive (EU) XX/YY of the European Parliament and of the Council²⁰ [Proposed Directive on measures for a high common level of cybersecurity across the Union; (hereafter “NIS 2 Directive”)] is necessary wherever possible. In view of the higher frequency and particular characteristics of cyber risks, the NIS 2 Directive imposes comprehensive requirements on a large set of entities to ensure their cybersecurity. Given that cybersecurity is addressed sufficiently in the NIS 2 Directive, the matters covered by it should be excluded from the scope of this Directive, without prejudice to the particular regime for entities in the digital infrastructure sector. As a result, the competent authorities designated under the NIS 2 Directive will be responsible for the supervision of entities identified as critical entities or entities equivalent to critical entities under this Directive as regards matters that fall under the scope of that Directive.

_________________

20 [Reference to NIS 2 Directive, once adopted.]

Amendment  10

Proposal for a directive

Recital 10

 

Text proposed by the Commission

(10) In view of ensuring a comprehensive approach to the resilience of critical entities, each Member State should have a strategy setting out objectives and policy measures to be implemented. To achieve this, Member States should ensure that their cybersecurity strategies provide for a policy framework for enhanced coordination between the competent authority under this Directive and the NIS 2 Directive in the context of information sharing on incidents and cyber threats and the exercise of supervisory tasks.

Amendment

(10) In view of ensuring a comprehensive approach to the resilience of critical entities, each Member State should have a strategy setting out objectives and policy measures to be implemented. To achieve this, and taking into account the hybrid nature of many threats and the Union’s strategy on resilience prepared by the Critical Entities Resilience Group, established by this Directive, Member States should ensure that their strategies provide for a policy framework for enhanced coordination between the competent authorities of Member States under this Directive and under the NIS 2 Directive, including information sharing on incidents and threats and the exercise of supervisory tasks.

Amendment  11

Proposal for a directive

Recital 11

 

Text proposed by the Commission

(11) The actions of Member States to identify and help ensure the resilience of critical entities should follow a risk-based approach that targets efforts to the entities most relevant for the performance of vital societal functions or economic activities. In order to ensure such a targeted approach, each Member State should carry out, within a harmonised framework, an assessment of all relevant natural and man-made risks that may affect the provision of essential services, including accidents, natural disasters, public health emergencies such as pandemics, and antagonistic threats, including terrorist offences. When carrying out those risk assessments, Member States should take into account other general or sector-specific risk assessment carried out pursuant to other acts of Union law and should consider the dependencies between sectors, including from other Member States and third countries. The outcomes of the risk assessment should be used in the process of identification of critical entities and to assist those entities in meeting the resilience requirements of this Directive.

Amendment

(11) The actions of Member States to identify and help ensure the resilience of critical entities should follow a risk-based approach that targets efforts to the entities most relevant for the performance of vital societal functions or economic activities. In order to ensure such a targeted approach, each Member State should carry out, within a harmonised framework, an assessment of all relevant natural and man-made risks, including cross-sectoral and cross-border risks, that may affect the provision of essential services, including accidents, hybrid threats, natural disasters, public health emergencies such as pandemics, and antagonistic threats, including terrorist offences, criminal infiltration and sabotage. When carrying out those risk assessments, Member States should take into account other general or sector-specific risk assessment carried out pursuant to other acts of Union law and should consider the dependencies between sectors, including from other Member States and third countries. Member States should not consider as a risk any regular business risk to operations arising from market conditions or any risk arising from democratic decision-making. The outcomes of the risk assessment should be used in the process of identification of critical entities and to assist those entities in meeting the resilience requirements of this Directive. At their request the Commission should also be able to provide entities based in third countries with advisory expertise.

Amendment  12

Proposal for a directive

Recital 12

 

Text proposed by the Commission

(12) In order to ensure that all relevant entities are subject to those requirements and to reduce divergences in this respect, it is important to lay down harmonised rules allowing for a consistent identification of critical entities across the Union, while also allowing Member States to reflect national specificities. Therefore, criteria to identify critical entities should be laid down. In the interest of effectiveness, efficiency, consistency and legal certainty, appropriate rules should also be set on notification and cooperation relating to, as well as the legal consequences of, such identification. In order to enable the Commission to assess the correct application of this Directive, Member States should submit to the Commission, in a manner that is as detailed and specific as possible, relevant information and, in any event, the list of essential services, the number of critical entities identified for each sector and subsector referred to in the Annex and the essential service or services that each entity provides and any thresholds applied.

Amendment

(12) In order to ensure that all relevant entities are subject to those requirements and to reduce divergences in this respect, it is important to lay down harmonised minimum rules allowing for a consistent identification of critical entities across the Union, while also allowing Member States to reflect national specificities. Therefore, common criteria and methodologies to identify critical entities should be laid down in a transparent manner. In the interest of effectiveness, efficiency, consistency and legal certainty, appropriate rules should also be set on notification and cooperation relating to, as well as the legal consequences of, such identification. In order to enable the Commission to assess the correct application of this Directive, Member States should submit to the Commission, in a manner that is as detailed and specific as possible, relevant information and, in any event, the list of essential services, the number of critical entities identified for each sector and subsector referred to in the Annex and the essential service or services that each entity provides and any thresholds applied.

Amendment  13

Proposal for a directive

Recital 13 a (new)

 

Text proposed by the Commission

Amendment

 

(13a) In accordance with applicable Union and national law, including Regulation (EU) 2019/452 of the European Parliament and of the Council¹ᵃ, which establishes a framework for the screening of foreign direct investments in the Union, the potential threat posed by foreign ownership of critical infrastructure within the Union is to be acknowledged because services, the economy and the free movement and safety of Union citizens depend on the proper functioning of critical infrastructure. It is crucial that Member States and the Commission be vigilant with regard to financial investments that foreign countries make in the operation of critical entities within the Union and the consequences that such investments could have on the ability to prevent significant disruptions.

 

_________________

 

1a Regulation (EU) 2019/452 of the European Parliament and of the Council of 19 March 2019 establishing a framework for the screening of foreign direct investments into the Union (OJ L 79I, 21.3.2019, p. 1).

Amendment  14

Proposal for a directive

Recital 15

 

Text proposed by the Commission

(15) The EU financial services acquis establishes comprehensive requirements on financial entities to manage all risks they face, including operational risks and ensure business continuity. This includes Regulation (EU) No 648/2012 of the European Parliament and of the Council²², Directive 2014/65/EU of the European Parliament and of the Council²³ and Regulation (EU) No 600/2014 of the European Parliament and of the Council²⁴ as well as Regulation (EU) No 575/2013 of the European Parliament and of the Council²⁵ and Directive 2013/36/EU of the European Parliament and of the Council²⁶. The Commission has recently proposed to complement this framework with Regulation XX/YYYY of the European Parliament and of the Council [proposed Regulation on digital operational resilience for the financial sector (hereafter “DORA Regulation”)²⁷], which lays down requirements for financial firms to manage ICT risks, including the protection of physical ICT infrastructures. Since the resilience of entities listed in points 3 and 4 of the Annex is comprehensively covered by the EU financial services acquis, those entities should also be treated as equivalent to critical entities for the purposes of Chapter II of this Directive only. To ensure a consistent application of the operational risk and digital resilience rules in the financial sector, Member States’ support to enhancing the overall resilience of financial entities equivalent to critical entities should be ensured by the authorities designated pursuant to Article 41 of [DORA Regulation], and subject to the procedures set out in that legislation in a fully harmonised manner.

Amendment

(15) The EU financial services acquis establishes comprehensive requirements on financial entities to manage all risks they face, including operational risks and ensure business continuity. This includes Regulation (EU) No 648/2012 of the European Parliament and of the Council²², Directive 2014/65/EU of the European Parliament and of the Council²³ and Regulation (EU) No 600/2014 of the European Parliament and of the Council²⁴ as well as Regulation (EU) No 575/2013 of the European Parliament and of the Council²⁵ and Directive 2013/36/EU of the European Parliament and of the Council²⁶. The Commission has recently proposed to complement this framework with Regulation XX/YYYY of the European Parliament and of the Council [proposed Regulation on digital operational resilience for the financial sector (hereafter “DORA Regulation”)²⁷], which lays down requirements for financial firms to manage ICT risks, including the protection of physical ICT infrastructures. Since the resilience of entities listed in points 3 and 4 of the Annex is comprehensively covered by the EU financial services acquis, those entities should also be treated as equivalent to critical entities for the purposes of Chapter II of this Directive only and, consequently, such entities should not be subject to the obligations laid down in Chapters III to VI of this Directive. To ensure a consistent application of the operational risk and digital resilience rules in the financial sector, Member States’ support to enhancing the overall resilience of financial entities equivalent to critical entities should be ensured by the authorities designated pursuant to Article 41 of [DORA Regulation], and subject to the procedures set out in that legislation in a fully harmonised manner.

_________________

22 Regulation (EU) No 648/2012 of the European Parliament and of the Council of 4 July 2012 on OTC derivatives, central counterparties and trade repositories (OJ L 201, 27.7.2012, p. 1).

23 Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Directive 2002/92/EC and Directive 2011/61/EU (OJ L 173, 12.6.2014, p. 349).

24 Regulation (EU) No 600/2014 of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Regulation (EU) No 648/2012 (OJ L 173, 12.6.2014, p. 84).

25 Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No 648/2012 (OJ L 176, 27.6.2013, p. 1).

26 Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC (OJ L 176, 27.6.2013, p. 338).

27 Proposal for a Regulation of the European Parliament and of the Council on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014, COM(2020) 595.

Amendment  15

Proposal for a directive

Recital 16

 

Text proposed by the Commission

(16) Member States should designate authorities competent to supervise the application of and, where necessary, enforce the rules of this Directive and ensure that those authorities are adequately empowered and resourced. In view of the differences in national governance structures and in order to safeguard already existing sectoral arrangements or Union supervisory and regulatory bodies, and to avoid duplication, Member States should be able to designate more than one competent authority. In that case, they should however clearly delineate the respective tasks of the authorities concerned and ensure that they cooperate smoothly and effectively. All competent authorities should also cooperate more generally with other relevant authorities, both at national and Union level.

Amendment

(16) Member States should designate authorities competent to supervise the application of and enforce the rules of this Directive and ensure that those authorities are adequately empowered and resourced. In view of the differences in national governance structures and in order to safeguard already existing sectoral arrangements or Union supervisory and regulatory bodies, and to avoid duplication, Member States should be able to designate more than one competent authority. In that case, they should however clearly delineate the respective tasks of the authorities concerned and ensure that they cooperate smoothly and effectively, including with competent authorities of other Member States. All competent authorities should also cooperate more generally with other relevant authorities, both at national and Union level, including with competent authorities of other Member States.

Amendment  16

Proposal for a directive

Recital 17

 

Text proposed by the Commission

Amendment

(17) In order to facilitate cross-border cooperation and communication and to enable the effective implementation of this Directive, each Member State should, without prejudice to sector-specific Union legal requirements, designate, within one of the authorities it designated as competent authority under this Directive, a single point of contact responsible for coordinating issues related to the resilience of critical entities and cross-border cooperation at Union level in this regard.

(17) In order to facilitate cross-border cooperation and communication and to enable the effective implementation of this Directive, each Member State should, without prejudice to sector-specific Union legal requirements, designate, within one of the authorities it designated as competent authority under this Directive, a single point of contact responsible for coordinating issues related to the resilience of critical entities and cross-border cooperation at Union level in this regard. Each single point of contact should liaise and coordinate all communication, with the competent authorities of its Member State, with the single points of contact of other Member States and with the Critical Entities Resilience Group. The single points of contact should use efficient, secure and standardised reporting channels.

Amendment  17

Proposal for a directive

Recital 18

 

Text proposed by the Commission

Amendment

(18) Given that under the NIS 2 Directive entities identified as critical entities, as well as identified entities in the digital infrastructure sector that are to be treated as equivalent under the present Directive are subject to the cybersecurity requirements of the NIS 2 Directive, the competent authorities designated under the two Directives should cooperate, particularly in relation to cybersecurity risks and incidents affecting those entities.

(18) Entities identified as critical entities under this Directive as well as entities in the digital infrastructure sector that are to be treated as equivalent are subject to the cybersecurity requirements of the NIS 2 Directive. The competent authorities designated under the two Directives should therefore cooperate in an effective and consistent manner, particularly in relation to risks and incidents affecting those entities. It is important that Member States take measures to avoid double reporting and checks and to ensure that the strategies and requirements provided for in this Directive and the NIS 2 Directive are complementary and that critical entities are not subject to an administrative burden beyond that which is necessary to achieve the objectives of this Directive.

Amendment  18

Proposal for a directive

Recital 19

 

Text proposed by the Commission

Amendment

(19) Member States should support critical entities in strengthening their resilience, in compliance with their obligations under this Directive, without prejudice to the entities’ own legal responsibility to ensure such compliance. Member States could in particular develop guidance materials and methodologies, support the organisation of exercises to test their resilience and provide training to personnel of critical entities. Moreover, given the interdependencies between entities and sectors, Member States should establish information sharing tools to support voluntary information sharing between critical entities, without prejudice to the application of competition rules laid down in the Treaty on the Functioning of the European Union.

(19) Member States should support critical entities in strengthening their resilience, in particular those that qualify as small or medium-sized enterprises (SMEs), in compliance with their obligations under this Directive, without prejudice to the entities’ own legal responsibility to ensure such compliance. Member States should in particular develop guidance materials and methodologies, support the organisation of exercises to test their resilience and provide training to personnel of critical entities. Where necessary and justified by public interest objectives, Member States should be able to provide financial resources to critical entities, without prejudice to applicable rules on State aid. Moreover, given the interdependencies between entities and sectors, Member States should establish information sharing tools to support information sharing and good practices between critical entities, without prejudice to the application of competition rules laid down in the Treaty on the Functioning of the European Union.

Amendment  19

Proposal for a directive

Recital 19 a (new)

 

Text proposed by the Commission

Amendment

 

(19a) When implementing this Directive, it is important that Member States take all the necessary actions to prevent any excessive administrative burdens, particularly on SMEs, and avoid duplications or unnecessary obligations. It is crucial that Member States assist with and facilitate the provision of adequate support to SMEs, when requested, by taking the technical and organisational measures required under this Directive.

Amendment  20

Proposal for a directive

Recital 20

 

Text proposed by the Commission

Amendment

(20) In order to be able to ensure their resilience, critical entities should have a comprehensive understanding of all relevant risks to which they are exposed and analyse those risks. To that aim, they should carry out risk assessments, whenever necessary in view of their particular circumstances and the evolution of those risks, yet in any event every four years. The risk assessments by critical entities should be based on the risk assessment carried out by Member States.

(20) In order to be able to ensure their resilience, critical entities should have a comprehensive understanding of all relevant risks to which they are exposed and analyse those risks. To that aim, they should carry out risk assessments, whenever necessary in view of their particular circumstances and the evolution of those risks, yet in any event every four years. The risk assessments by critical entities should be based on the risk assessment carried out by Member States and should be in line with common criteria and methodologies.

Amendment  21

Proposal for a directive

Recital 23

 

Text proposed by the Commission

Amendment

(23) Regulation (EC) No 300/2008 of the European Parliament and of the Council28 , Regulation (EC) No 725/2004 of the European Parliament and of the Council29 and Directive 2005/65/EC of the European Parliament and of the Council30 establish requirements applicable to entities in the aviation and maritime transport sectors to prevent incidents caused by unlawful acts and to resist and mitigate the consequences of such incidents. While the measures required in this Directive are broader in terms of risks addressed and types of measures to be taken, critical entities in those sectors should reflect in their resilience plan or equivalent documents the measures taken pursuant to those other Union acts. Moreover, when implementing resilience measures under this Directive, critical entities may consider referring to non-binding guidelines and good practices documents developed under sectorial workstreams, such as the EU Rail Passenger Security Platform31 .

(23) Regulation (EC) No 300/2008 of the European Parliament and of the Council28 , Regulation (EC) No 725/2004 of the European Parliament and of the Council29 and Directive 2005/65/EC of the European Parliament and of the Council30 establish requirements applicable to entities in the aviation and maritime transport sectors to prevent incidents caused by unlawful acts and to resist and mitigate the consequences of such incidents. While the measures required in this Directive are broader in terms of risks addressed and types of measures to be taken, critical entities in those sectors should reflect in their resilience plan or equivalent documents the measures taken pursuant to those other Union acts. Moreover, critical entities are also to take into consideration Directive 2008/96/EC of the European Parliament and of the Council30a, which introduces a network-wide road assessment to map the risks of accidents and a targeted road safety inspection to identify hazardous conditions, defects and problems that increase the risk of accidents and injuries, based on a site visit of an existing road or section of road. Ensuring the protection and resilience of critical entities is of the utmost importance for the railway sector and, when implementing resilience measures under this Directive, critical entities are encouraged to refer to non-binding guidelines and good practices documents developed under sectorial workstreams, such as the EU Rail Passenger Security Platform31 .

_________________

28 Regulation (EC) No 300/2008 of the European Parliament and of the Council of 11 March 2008 on common rules in the field of civil aviation security and repealing Regulation (EC) No 2320/2002 (OJ L 97/72, 9.4.2008, p. 72).

29 Regulation (EC) No 725/2004 of the European Parliament and of the Council of 31 March 2004 on enhancing ship and port facility security (OJ L 129, 29.4.2004, p. 6.).

30 Directive 2005/65/EC of the European Parliament and of the Council of 26 October 2005 on enhancing port security (OJ L 310, 25.11.2005, p. 28).

30a Directive 2008/96/EC of the European Parliament and of the Council of 19 November 2008 on road infrastructure safety management (OJ L 319, 29.11.2008, p. 59).

31 Commission Decision of 29 June 2018 setting up the EU Rail Passenger Security Platform C/2018/4014.

Amendment  22

Proposal for a directive

Recital 24

 

Text proposed by the Commission

Amendment

(24) The risk of employees of critical entities misusing for instance their access rights within the entity’s organisation to harm and cause damage is of increasing concern. That risk is exacerbated by the growing phenomenon of radicalisation leading to violent extremism and terrorism. It is therefore necessary to enable critical entities to request background checks on persons falling within specific categories of its personnel and to ensure that those requests are assessed expeditiously by the relevant authorities, in accordance with the applicable rules of Union and national law, including on the protection of personal data.

(24) The risk of employees of critical entities misusing for instance their access rights within the entity’s organisation to harm and cause damage is of increasing concern. That risk is exacerbated by the growing phenomenon of radicalisation leading to violent extremism and terrorism. It is therefore necessary to enable critical entities to request background checks on persons falling within specific categories of its personnel and to ensure that those requests are assessed expeditiously by the relevant authorities, in accordance with the applicable rules of Union and national law, including on the protection of personal data, in particular Regulation (EU) 2016/679.

Amendment  23

Proposal for a directive

Recital 25

 

Text proposed by the Commission

Amendment

(25) Critical entities should notify, as soon as reasonably possible under the given circumstances, Member States’ competent authorities of incidents that significantly disrupt or have the potential to significantly disrupt their operations. The notification should allow the competent authorities to respond to the incidents rapidly and adequately and to have a comprehensive overview of the overall risks that critical entities face. For that purpose, a procedure should be established for the notification of certain incidents and parameters should be provided for to determine when the actual or potential disruption is significant and the incidents should thus be notified. Given the potential cross-border impacts of such disruptions, a procedure should be established for Member States to inform other affected Member States via single points of contacts.

(25) Critical entities should notify, as soon as reasonably possible under the given circumstances and, in any event, no later than 24 hours after becoming aware of the incident in question, Member States’ competent authorities of any incident that significantly disrupts or has the potential to significantly disrupt their operations. The competent authority should inform the public of such an incident where it determines that it would be in the public interest to do so. The competent authority should ensure that the critical entity concerned inform users of its services that might be affected by such an incident of the incident and, where relevant, of any possible safety measures or remedies. The notification should allow the competent authorities to respond to the incidents rapidly and adequately and to have a comprehensive overview of the overall risks that critical entities face. For that purpose, a procedure should be established for the notification of certain incidents and parameters should be provided for to determine when the actual or potential disruption is significant and the incidents should thus be notified. Given the potential cross-border impacts of such disruptions, a procedure should be established for Member States to inform other affected Member States via single points of contacts, without undue delay. Information on incidents should be treated in a way that respects confidentiality and the security and commercial interests of the critical entity concerned.

Amendment  24

Proposal for a directive

Recital 26

 

Text proposed by the Commission

Amendment

(26) While critical entities generally operate as part of an increasingly interconnected network of service provision and infrastructures and often provide essential services in more than one Member State, some of those entities are of particular significance for the Union because they provide essential services to a large number of Member States, and therefore require specific oversight at Union level. Rules on the specific oversight in respect of such critical entities of particular European significance should therefore be established. Those rules are without prejudice to the rules on supervision and enforcement set out in this Directive.

(26) While critical entities generally operate as part of an increasingly interconnected network of service provision and infrastructures and often provide essential services in more than one Member State, some of those entities are of particular significance for the Union and the internal market because they provide essential services to several Member States, and therefore require specific oversight at Union level. Rules on the specific oversight in respect of such critical entities of particular European significance should therefore be established. Those rules are without prejudice to the rules on supervision and enforcement set out in this Directive.

Amendment  25

Proposal for a directive

Recital 27 a (new)

 

Text proposed by the Commission

Amendment

 

(27a) Standardisation should remain primarily a market-driven process. However, there might still be situations where it is appropriate to require compliance with specified standards at Union level. The Commission and the Member States should support and promote the development and implementation of standards and specifications relevant to the resilience of critical entities as set by the European Standardisation Organisations for the undertaking of technical and organisational measures aimed at ensuring critical entities’ resilience. Member States should also encourage the use of internationally accepted standards and specifications relevant to resilience measures applicable to critical entities.

Amendment  26

Proposal for a directive

Recital 30

 

Text proposed by the Commission

Amendment

(30) Member States should ensure that their competent authorities have certain specific powers for the proper application and enforcement of this Directive in relation to critical entities, where those entities fall under their jurisdiction as specified in this Directive. Those powers should include, notably, the power to conduct inspections, supervision and audits, require critical entities to provide information and evidence relating to the measures they have taken to comply with their obligations and, where necessary, issue orders to remedy identified infringements. When issuing such orders, Member States should not require measures which go beyond what is necessary and proportionate to ensure compliance of the critical entity concerned, taking account of in particular the seriousness of the infringement and the economic capacity of the critical entity. More generally, those powers should be accompanied by appropriate and effective safeguards to be specified in national law, in accordance with the requirements resulting from Charter of Fundamental Rights of the European Union. When assessing the compliance of a critical entity with its obligations under this Directive, competent authorities designated under this Directive should be able to request the competent authorities designated under the NIS 2 Directive to assess the cybersecurity of those entities. Those competent authorities should cooperate and exchange information for that purpose.

(30) Member States should ensure that their competent authorities have certain specific powers for the proper application and enforcement of this Directive in relation to critical entities, where those entities fall under their jurisdiction as specified in this Directive. Those powers should include, notably, the power to conduct inspections, supervision and audits, require critical entities to provide information and evidence relating to the measures they have taken to comply with their obligations and, where necessary, issue orders to remedy identified infringements. When issuing such orders, Member States should not require measures which go beyond what is necessary and proportionate to ensure compliance of the critical entity concerned, taking account of in particular the seriousness of the infringement and the economic capacity of the critical entity. More generally, those powers should be accompanied by appropriate and effective safeguards to be specified in national law, in accordance with the requirements resulting from Charter of Fundamental Rights of the European Union. The assessment of critical entities under this Directive, in matters that fall under the scope of the NIS 2 Directive such as physical and non-physical cybersecurity, is the responsibility of the competent authorities designated under the NIS 2 Directive. Furthermore, when assessing the compliance of a critical entity with its obligations under this Directive, competent authorities designated under this Directive should be able to request the competent authorities designated under the NIS 2 Directive to assess the cybersecurity of those entities. Those competent authorities should cooperate and exchange information for that purpose.

Amendment  27

Proposal for a directive

Recital 31

 

Text proposed by the Commission

Amendment

(31) In order to take into account new risks, technological developments or specificities of one or more of the sectors, the power to adopt acts in accordance with Article 290 Treaty on the Functioning of the European Union should be delegated to the Commission to supplement the resilience measures critical entities are to take by further specifying some or all of those measures. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level, and that those consultations be conducted in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making32 . In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council receive all documents at the same time as Member States' experts, and their experts systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts.

(31) In order to take into account new risks, technological developments or specificities of one or more of the sectors, the power to adopt acts in accordance with Article 290 Treaty on the Functioning of the European Union should be delegated to the Commission to supplement the resilience measures critical entities are to take by further specifying some or all of those measures. In order to avoid the divergent application of this Directive and to improve the functioning of the internal market, the power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union should be delegated to the Commission to supplement this Directive by drawing up a common list of essential services. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level, and that those consultations be conducted in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making32. In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council receive all documents at the same time as Member States' experts, and their experts systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts.

_________________

32 OJ L 123, 12.5.2016, p. 1.

Amendment  28

Proposal for a directive

Article 1 – paragraph 1 – introductory part

 

Text proposed by the Commission

Amendment

1. This Directive:

1. This Directive lays down measures with a view to achieving a high level of resilience of critical entities in order to ensure the provision of essential services within the Union and to improve the functioning of the internal market. To that end, this Directive:

Amendment  29

Proposal for a directive

Article 1 – paragraph 1 – point a

 

Text proposed by the Commission

Amendment

(a) lays down obligations for Member States to take certain measures aimed at ensuring the provision in the internal market of services essential for the maintenance of vital societal functions or economic activities, in particular to identify critical entities and entities to be treated as equivalent in certain respects, and to enable them to meet their obligations;

(a) lays down obligations for Member States to take certain measures aimed at ensuring the continuous provision in the internal market of services essential for the maintenance of vital societal functions or economic activities, in particular to identify critical entities and entities to be treated as equivalent in certain respects, and to enable them to meet their obligations;

Amendment  30

Proposal for a directive

Article 1 – paragraph 2

 

Text proposed by the Commission

Amendment

2. This Directive shall not apply to matters covered by Directive (EU) XX/YY [proposed Directive on measures for a high common level of cybersecurity across the Union; (‘NIS 2 Directive’)], without prejudice to Article 7.

2. This Directive shall not apply to matters covered by Directive (EU) XX/YY [proposed Directive on measures for a high common level of cybersecurity across the Union; (‘NIS 2 Directive’)], without prejudice to Article 7. In view of the interlinkages between cybersecurity and the physical security of entities, Member States shall ensure a coherent implementation of this Directive and the NIS 2 Directive.

Amendment  31

Proposal for a directive

Article 2 – paragraph 1 – point 3

 

Text proposed by the Commission

Amendment

(3) “incident” means any event having the potential to disrupt, or that disrupts, the operations of the critical entity;

(3) “incident” means any event having the potential to disrupt, or that disrupts the provision of an essential service by a critical entity;

Amendment  32

Proposal for a directive

Article 2 – paragraph 1 – point 4

 

Text proposed by the Commission

Amendment

(4) “infrastructure” means an asset, system or part thereof, which is necessary for the delivery of an essential service;

(4) “infrastructure” means assets, including facilities, systems and equipment, or parts thereof, which are necessary for the delivery of an essential service;

Amendment  33

Proposal for a directive

Article 2 – paragraph 1 – point 5

 

Text proposed by the Commission

Amendment

(5) “essential service” means a service which is essential for the maintenance of vital societal functions or economic activities;

(5) “essential service” means a service which is essential for the maintenance of vital societal functions, economic activities, public health and safety, the environment or the rule of law;

Amendment  34

Proposal for a directive

Article 2 – paragraph 1 – point 6

 

Text proposed by the Commission

Amendment

(6) “risk” means any circumstance or event having a potential adverse effect on the resilience of critical entities;

(6) “risk” means any circumstance or event having a potential adverse effect on the ability of a critical entity to provide an essential service;

Amendment  35

Proposal for a directive

Article 2 – paragraph 1 – point 7

 

Text proposed by the Commission

Amendment

(7) “risk assessment” means a methodology to determine the nature and extent of a risk by analysing potential threats and hazards and evaluating existing conditions of vulnerability that could disrupt the operations of the critical entity.

(7) “risk assessment” means a methodology to determine the nature and extent of a risk by assessing potential threats and hazards against the resilience of a critical entity, analysing existing conditions of vulnerability that could lead to the disruption of the operations of a critical entity and evaluating the potential adverse effect the disruption of operations could have on the provision of essential services;

Amendment  36

Proposal for a directive

Article 2 – paragraph 1 – point 7 a (new)

 

Text proposed by the Commission

Amendment

 

(7a) ‘standard’ means standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council1a;

 

____________

 

1a Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council Decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12)

Amendment  37

Proposal for a directive

Article 2 – paragraph 1 – point 7 b (new)

 

Text proposed by the Commission

Amendment

 

(7b) ‘technical specification’ means technical specification as defined in Article 2 point (4), of Regulation (EU) No 1025/2012;

Amendment  38

Proposal for a directive

Article 3 – paragraph 1

 

Text proposed by the Commission

Amendment

1. Each Member State shall adopt by [three years after entry into force of this Directive] a strategy for reinforcing the resilience of critical entities. This strategy shall set out strategic objectives and policy measures with a view to achieving and maintaining a high level of resilience on the part of those critical entities and covering at least the sectors referred to in the Annex.

1. Following a consultation open to all affected stakeholders, each Member State shall adopt by [three years after entry into force of this Directive] a strategy for reinforcing the resilience of critical entities. This strategy shall take into account the Union strategy on resilience prepared by the Critical Entities Resilience Group, referred to in Article 16, and set out strategic objectives and policy measures with a view to achieving and maintaining a high level of resilience on the part of those critical entities and covering at least the sectors referred to in the Annex.

Amendment  39

Proposal for a directive

Article 3 – paragraph 2 – point c

 

Text proposed by the Commission

Amendment

(c) a description of measures necessary to enhance the overall resilience of critical entities, including a national risk assessment, the identification of critical entities and of entities equivalent to critical entities, and the measures to support critical entities taken in accordance with this Chapter;

(c) a description of measures necessary to enhance the overall resilience of critical entities, including a national risk assessment as referred to in Article 4, the identification of critical entities and of entities equivalent to critical entities, and the measures to support critical entities taken in accordance with this Chapter, including measures to enhance cooperation between the public sector and the private sector and public and private entities;

Amendment  40

Proposal for a directive

Article 3 – paragraph 2 – point c a (new)

 

Text proposed by the Commission

Amendment

 

(ca) a list of all authorities and stakeholders involved in the implementation of the strategy;

Amendment  41

Proposal for a directive

Article 3 – paragraph 2 – point d a (new)

 

Text proposed by the Commission

Amendment

 

(da) a policy framework addressing the specific needs and characteristics of small and medium-sized enterprises identified as critical entities to improve their resilience;

Amendment  42

Proposal for a directive

Article 3 – paragraph 2 – point d b (new)

 

Text proposed by the Commission

Amendment

 

(db) the relevant aspects of the national cybersecurity strategy provided for in the NIS 2 Directive and any other sectoral national strategy with a view to achieving coordination, complementarity and synergies.

Amendment  43

Proposal for a directive

Article 3 – paragraph 2 – subparagraph 1

 

Text proposed by the Commission

Amendment

The strategy shall be updated where necessary and at least every four years.

Following a consultation open to all affected stakeholders, the strategy shall be updated at least every four years.

Amendment  44

Proposal for a directive

Article 4 – paragraph 1 – subparagraph 1

 

Text proposed by the Commission

Amendment

1. Competent authorities designated pursuant to Article 8 shall establish a list of essential services in the sectors referred to in the Annex. They shall carry out by [three years after entry into force of this Directive], and subsequently where necessary, and at least every four years, an assessment of all relevant risks that may affect the provision of those essential services, with a view to identifying critical entities in accordance with Article 5(1), and assisting those critical entities to take measures pursuant to Article 11.

1. The Commission is empowered to adopt a delegated act in accordance with Article 21 to supplement this Directive by establishing a list of essential services in the sectors and subsectors referred to in the Annex. The Commission shall adopt the delegated act no later than... [six months after the date of entry into force of this Directive]. Competent authorities designated pursuant to Article 8 shall carry out by [three years after entry into force of this Directive], and subsequently where necessary, and at least every four years, an assessment of all relevant risks that may affect the provision of the essential services listed in the delegated act, with a view to identifying critical entities in accordance with Article 5(1), and assisting those critical entities to take measures pursuant to Article 11.

Amendment  45

Proposal for a directive

Article 4 – paragraph 1 – subparagraph 2

 

Text proposed by the Commission

Amendment

The risk assessment shall account for all relevant natural and man-made risks, including accidents, natural disasters, public health emergencies, antagonistic threats, including terrorist offences pursuant to Directive (EU) 2017/541 of the European Parliament and of the Council34.

The risk assessment shall account for all relevant natural and man-made risks, including those of a cross-sectoral or cross-border nature, accidents, natural disasters, public health emergencies, antagonistic threats, including terrorist offences pursuant to Directive (EU) 2017/541 of the European Parliament and of the Council34.

_________________

34 Directive (EU) 2017/541 of the European Parliament and of the Council of 15 March 2017 on combating terrorism and replacing Council Framework Decision 2002/475/JHA and amending Council Decision 2005/671/JHA (OJ L 88, 31.3.2017, p. 6).

Amendment  46

Proposal for a directive

Article 4 – paragraph 2 – subparagraph 1 – point c

 

Text proposed by the Commission

Amendment

(c) any risks arising from the dependencies between the sectors referred to in the Annex, including from other Member States and third countries, and the impact that a disruption in one sector may have on other sectors;

(c) any risks arising from the dependencies between the sectors referred to in the Annex, including from other Member States and third countries, and the impact that a disruption in one sector may have on other sectors, including any risks to citizens and the internal market;

Amendment  47

Proposal for a directive

Article 4 – paragraph 3

 

Text proposed by the Commission

Amendment

3. Member States shall make the relevant elements of the risk assessment referred to in paragraph 1 available to the critical entities that they identified in accordance with Article 5 in order to assist those critical entities in carrying out their risk assessment, pursuant to Article 10, and in taking measures to ensure their resilience pursuant to Article 11.

3. Member States shall make the relevant elements of the risk assessment referred to in paragraph 1 available, through their single point of contact referred to in Article 8(2), to the critical entities that they identified in accordance with Article 5 in order to assist those critical entities in carrying out their risk assessment, pursuant to Article 10, and in taking measures to ensure their resilience pursuant to Article 11.

Amendment  48

Proposal for a directive

Article 4 – paragraph 5

 

Text proposed by the Commission

Amendment

5. The Commission may, in cooperation with the Member States, develop a voluntary common reporting template for the purposes of complying with paragraph 4.

5. The Commission shall, in cooperation with the Member States, develop a voluntary common reporting template for the purposes of complying with paragraph 4.

Amendment  49

Proposal for a directive

Article 5 – paragraph 2 – introductory part

 

Text proposed by the Commission

Amendment

2. When identifying critical entities pursuant to paragraph 1, Member States shall take into account the outcomes of the risk assessment pursuant to Article 4 and apply the following criteria:

2. When identifying critical entities pursuant to paragraph 1, Member States shall take into account the outcomes of the risk assessment pursuant to Article 4 and the strategy on the resilience of critical entities referred to in Article 3 and shall apply the following criteria:

Amendment  50

Proposal for a directive

Article 5 – paragraph 2 – point b

 

Text proposed by the Commission

Amendment

(b) (the provision of that service depends on infrastructure located in the Member State; and

(b) the provision of that essential service depends on infrastructure located in the Member State; and

Amendment  51

Proposal for a directive

Article 5 – paragraph 2 – point c

 

Text proposed by the Commission

Amendment

(c) an incident would have significant disruptive effects on the provision of the service or of other essential services in the sectors referred to in the Annex that depend on the service.

(c) an incident would have significant disruptive effects on the provision of the essential service or of other essential services in the sectors referred to in the Annex that depend on the service.

Amendment  52

Proposal for a directive

Article 5 – paragraph 5

 

Text proposed by the Commission

Amendment

5. Following the notification referred in paragraph 3, Member States shall ensure that critical entities provide information to their competent authorities designated pursuant to Article 8 of this Directive on whether they have been identified as a critical entity in one or more other Member States. Where an entity has been identified as critical by two or more Member States, these Member States shall engage in consultation with each other with a view to reduce the burden on the critical entity in regard to the obligations pursuant to Chapter III.

5. Following the notification referred in paragraph 3, Member States shall ensure that critical entities provide information to their competent authorities designated pursuant to Article 8 of this Directive on whether they have been identified as a critical entity in one or more other Member States. Where an entity has been identified as critical by two or more Member States, these Member States shall engage in consultation with each other with a view to achieving the highest possible degree of coherence and to reducing the burden on the critical entity in regard to the obligations pursuant to Chapter III.

Amendment  53

Proposal for a directive

Article 5 – paragraph 6

 

Text proposed by the Commission

Amendment

6. For the purposes of Chapter IV, Member States shall ensure that critical entities, following the notification referred in paragraph 3, provide information to their competent authorities designated pursuant to Article 8 of this Directive on whether they provide essential services to or in more than one third of Member States. Where that is so, the Member State concerned shall notify, without undue delay, to the Commission the identity of those critical entities.

6. For the purposes of Chapter IV, Member States shall ensure that critical entities, following the notification referred in paragraph 3, provide information to their competent authorities designated pursuant to Article 8 of this Directive on whether they provide the same or similar essential services to or in more than three Member States. Where that is so, the Member State concerned shall notify, without undue delay, to the Commission the identity of those critical entities.

 

Amendment  54

Proposal for a directive

Article 5 – paragraph 7 – subparagraph 2

 

Text proposed by the Commission

Amendment

Where those updates lead to the identification of additional critical entities, paragraphs 3, 4, 5 and 6 shall apply. In addition, Member States shall ensure that entities that are no longer identified as critical entities pursuant to any such update are notified thereof and are informed that they are no longer subject to the obligations pursuant to Chapter III as from the reception of that information.

Where those updates lead to the identification of additional critical entities, paragraphs 3, 4, 5 and 6 shall apply. In addition, Member States shall ensure that entities that are no longer identified as critical entities pursuant to any such update are notified thereof and are informed in due time that they are no longer subject to the obligations pursuant to Chapter III as from the reception of that information.

Amendment  55

 

Proposal for a directive

Article 5 – paragraph 7 a (new)

 

Text proposed by the Commission

Amendment

 

7a. The Commission shall, in cooperation with the Member States, develop recommendations and guidelines to support Member States in identifying critical entities.

Amendment  56

Proposal for a directive

Article 6 – paragraph 1 – point a

 

Text proposed by the Commission

Amendment

(a) the number of users relying on the service provided by the entity;

(a) the number of users relying on the essential service provided by the entity;

Amendment  57

Proposal for a directive

Article 6 – paragraph 1 – point b

 

Text proposed by the Commission

Amendment

(b) the dependency of other sectors referred to in the Annex on that service;

(b) the dependency of other sectors and subsectors referred to in the Annex or of the supply chain on that essential service;

Amendment  58

Proposal for a directive

Article 6 – paragraph 1 – point e

 

Text proposed by the Commission

Amendment

(e) the geographic area that could be affected by an incident, including any cross-border impacts;

(e) the geographic area that could be affected by an incident, including any cross-border impacts, taking into account the vulnerability associated with the degree of isolation of certain types of geographic areas, such as insular regions, outermost regions or mountainous areas;

Amendment  59

Proposal for a directive

Article 6 – paragraph 1 – point f

 

Text proposed by the Commission

Amendment

(f) the importance of the entity in maintaining a sufficient level of the service, taking into account the availability of alternative means for the provision of that service.

(f) the importance of the entity in maintaining a sufficient level of the essential service, taking into account the availability of alternative means for the provision of that essential service.

Amendment  60

Proposal for a directive

Article 6 – paragraph 3

 

Text proposed by the Commission

Amendment

3. The Commission may, after consultation of the Critical Entities Resilience Group, adopt guidelines to facilitate the application of the criteria referred to in paragraph 1, taking into account the information referred to in paragraph 2.

3. The Commission shall, after consultation of the Critical Entities Resilience Group, adopt guidelines to facilitate the application of the criteria referred to in paragraph 1, taking into account the information referred to in paragraph 2.

Amendment  61

Proposal for a directive

Article 7 – paragraph 1

 

Text proposed by the Commission

Amendment

1. As regards the sectors referred to in points 3, 4 and 8 of the Annex, Member States shall, by [three years and three months after entry into force of this Directive], identify the entities that shall be treated as equivalent to critical entities for the purposes of this Chapter. They shall apply the provisions of Articles 3, 4, 5(1) to (4) and (7), and 9 in respect of those entities.

1. As regards the sectors referred to in points 3, 4 and 8 of the Annex, Member States shall, by [one year and six months after entry into force of this Directive], identify the entities that shall be treated as equivalent to critical entities for the purposes of this Chapter. They shall apply the provisions of Articles 3, 4, 5(1) to (4) and (7), and 9 in respect of those entities.

Amendment  62

Proposal for a directive

Article 8 – paragraph 2

 

Text proposed by the Commission

Amendment

2. Each Member State shall, within the competent authority, designate a single point of contact to exercise a liaison function to ensure cross-border cooperation with competent authorities of other Member States and with the Critical Entities Resilience Group referred to in Article 16 (‘single point of contact’).

2. Each Member State shall, within the competent authority, designate a single point of contact to exercise a liaison function to ensure cross-border cooperation with competent authorities of other Member States and with the Commission and the Critical Entities Resilience Group referred to in Article 16 (‘single point of contact’) and, where relevant, to ensure cooperation with third countries.

Amendment  63

Proposal for a directive

Article 8 – paragraph 3

 

Text proposed by the Commission

Amendment

3. By [three years and six months after entry into force of this Directive], and every year thereafter, the single points of contact shall submit a summary report to the Commission and to the Critical Entities Resilience Group on the notifications received, including the number of notifications, the nature of notified incidents and the actions taken in accordance with Article 13(3).

3. By ... [four years and six months after entry into force of this Directive], and in the first trimester of every year thereafter, the single points of contact shall submit a summary report to the Commission and to the Critical Entities Resilience Group on the notifications received, including the number of notifications, the nature of notified incidents and the actions taken in accordance with Article 13(3).

Amendment  64

Proposal for a directive

Article 9 – paragraph 1

 

Text proposed by the Commission

Amendment

1. Member States shall support critical entities in enhancing their resilience. That support may include developing guidance materials and methodologies, supporting the organisation of exercises to test their resilience and providing training to personnel of critical entities.

1. Member States shall support critical entities in enhancing their resilience. That support shall include developing guidance materials and methodologies, supporting the organisation of exercises to test their resilience and providing training to personnel of critical entities. Member States may provide financial resources to critical entities, without prejudice to applicable rules on State aid, where necessary and justified by public interest objectives.

Amendment  65

Proposal for a directive

Article 10 – paragraph 1

 

Text proposed by the Commission

Amendment

Member States shall ensure that critical entities assess within six months after receiving the notification referred to in Article 5(3), and subsequently where necessary and at least every four years, on the basis of Member States’ risk assessments and other relevant sources of information, all relevant risks that may disrupt their operations.

Member States shall ensure that critical entities assess within six months after receiving the notification referred to in Article 5(3), and subsequently where necessary and at least every four years, on the basis of Member States’ risk assessments and other relevant sources of information, all relevant risks that may disrupt their provision of essential services concerned.

Amendment  66

Proposal for a directive

Article 11 – paragraph 1 – point d

 

Text proposed by the Commission

Amendment

(d) recover from incidents, including business continuity measures and the identification of alternative supply chains;

(d) recover from incidents, including business continuity measures and the identification of alternative supply chains, to ensure the continuous provision of the essential service;

Amendment  67

Proposal for a directive

Article 11 – paragraph 1 – point e

 

Text proposed by the Commission

Amendment

(e) ensure adequate employee security management, including by setting out categories of personnel exercising critical functions, establishing access rights to sensitive areas, facilities and other infrastructure, and to sensitive information as well as identifying specific categories of personnel in view of Article 12;

(e) ensure adequate employee security management, including by setting out categories of personnel exercising critical functions, laying down appropriate training requirements and qualifications, establishing access rights to sensitive areas, facilities and other infrastructure, and to sensitive information as well as identifying specific categories of personnel in view of Article 12; where external providers are involved in employee security management, critical entities shall ensure that they comply with generally accepted standards and specifications

Amendment  68

Proposal for a directive

Article 11 – paragraph 1 – point f

 

Text proposed by the Commission

Amendment

(f) raise awareness about the measures referred to in points (a) to (e) among relevant personnel.

(f) raise awareness about the measures referred to in points (a) to (e) among relevant personnel, including by means of periodic training.

Amendment  69

Proposal for a directive

Article 11 – paragraph 3

 

Text proposed by the Commission

Amendment

3. Upon request of the Member State that identified the critical entity and with the agreement of the critical entity concerned, the Commission shall organise advisory missions, in accordance with the arrangements set out in Article 15(4), (5), (7) and (8), to provide advice to the critical entity concerned in meeting its obligations pursuant to Chapter III. The advisory mission shall report its findings to the Commission, that Member State and the critical entity concerned.

3. Upon request of the Member State that identified the critical entity and in consultation with the critical entity concerned, the Commission shall organise advisory missions, in accordance with the arrangements set out in Article 15(4), (5), (7) and (8), to provide advice to the critical entity concerned in meeting its obligations pursuant to Chapter III. The advisory mission shall report its findings to the Commission, that Member State and the critical entity concerned. At their request the Commission may also offer advisory missions to entities based in third countries.

Amendment  70

Proposal for a directive

Article 12 – paragraph 1

 

Text proposed by the Commission

Amendment

1. Member States shall ensure that critical entities may submit requests for background checks on persons who fall within certain specific categories of their personnel, including persons being considered for recruitment to positions falling within those categories, and that those requests are assessed expeditiously by the authorities competent to carry out such background checks.

1. Member States shall ensure that critical entities may submit requests for background checks on persons who fall within certain specific categories of their personnel, including persons being considered for recruitment to positions falling within those categories, and that those requests are assessed expeditiously by the authorities competent to carry out such background checks. Such background checks shall be proportionate and strictly limited to what is necessary and relevant for the fulfilment of the duties of the persons concerned.

Amendment  71

Proposal for a directive

Article 12 – paragraph 2 – subparagraph 1 – introductory part

 

Text proposed by the Commission

Amendment

2. In accordance with applicable Union and national law, including Regulation (EU) 2016/679/EU of the European Parliament and of the Council38, a background check as referred to in paragraph 1 shall:

2. In accordance with applicable Union and national law, including Regulation (EU) 2016/679/EU of the European Parliament and of the Council, Member States shall ensure that a background check as referred to in paragraph 1 is carried out for the sole purpose of evaluating a potential security risk to the critical entity concerned. A background check shall:

_________________

 

38 OJ L 119, 4.5.2016, p. 1.

 

Amendment  72

Proposal for a directive

Article 13 – paragraph 1

 

Text proposed by the Commission

Amendment

1. Member States shall ensure that critical entities notify without undue delay the competent authority of incidents that significantly disrupt or have the potential to significantly disrupt their operations. Notifications shall include any available information necessary to enable the competent authority to understand the nature, cause and possible consequences of the incident, including so as to determine any cross-border impact of the incident. Such notification shall not make the critical entities subject to increased liability.

1. Member States shall ensure that critical entities notify without undue delay the competent authority of incidents that significantly disrupt or have the potential to significantly disrupt their operations. An initial notification shall be submitted within 24 hours of a critical entity becoming aware of an incident, followed by a detailed report no later than one month thereafter. Notifications shall include any available information necessary to enable the competent authority to understand the nature, cause and possible consequences of the incident, including so as to determine any cross-border impact of the incident. Such notification shall not make the critical entities subject to increased liability.

 

Where an incident has or might have a significant impact on critical entities or on the continuity of the provision of essential services in more than three Member States, Member States shall ensure that the critical entities concerned notify such incidents to the Commission. The Commission shall inform the Critical Entities Resilience Group of any such notifications without undue delay. The Commission and the Critical Entities Resilience Group shall, in accordance with Union law, treat information provided as part of such notifications in a way that respects its confidentiality and protects the security and commercial interests of the critical entity or entities concerned.

Amendment  73

Proposal for a directive

Article 13 – paragraph 2 – point c

 

Text proposed by the Commission

Amendment

(c) the geographical area affected by the disruption or potential disruption.

(c) the geographical area affected by the disruption or potential disruption, taking into account whether the area is geographically isolated.

Amendment  74

Proposal for a directive

Article 13 – paragraph 3 a (new)

 

Text proposed by the Commission

Amendment

 

3a. The competent authority concerned shall submit a summary report annually to the Commission and to the Critical Entities Resilience Group on the notifications received and the action taken in accordance with this Article.

Amendment  75

Proposal for a directive

Article 13 – paragraph 4

 

Text proposed by the Commission

Amendment

4. As soon as possible upon having been notified in accordance with paragraph 1, the competent authority shall provide the critical entity that notified it with relevant information regarding the follow-up of its notification, including information that could support the critical entity’s effective response to the incident.

4. As soon as possible upon having been notified in accordance with paragraph 1, the competent authority shall provide the critical entity that notified it with relevant information regarding the follow-up of its notification, including information that could support the critical entity’s effective response to the incident. The competent authority shall inform the public of an incident where it determines that it would be in the public interest to do so. The competent authority shall ensure that critical entities inform users of their services that might be affected by an incident of the incident and, where relevant, of any possible safety measures or remedies.

Amendment  76

Proposal for a directive

Article 13 a (new)

 

Text proposed by the Commission

Amendment

 

Article 13a

 

Standards

 

In order to promote the consistent implementation of this Directive, Member States shall, without imposing or discriminating in favour of the use of a particular type of technology, encourage the use of standards and specifications relevant to the security and resilience of critical entities.

Amendment  77

Proposal for a directive

Article 14 – paragraph 2

 

Text proposed by the Commission

Amendment

2. An entity shall be considered a critical entity of particular European significance when it has been identified as a critical entity and it provides essential services to or in more than one third of Member States and has been notified as such to the Commission pursuant to Article 5(1) and (6), respectively.

2. An entity shall be considered a critical entity of particular European significance when it has been identified as a critical entity and it provides the same or similar essential services to or in more than three Member States and has been notified as such to the Commission pursuant to Article 5(1) and (6), respectively.

Amendment  78

Proposal for a directive

Article 15 – paragraph 1 – subparagraph 1

 

Text proposed by the Commission

Amendment

Upon request of one or more Member States or of the Commission, the Member State where the infrastructure of the critical entity of particular European significance is located shall, together with that entity, inform the Commission and the Critical Entities Resilience Group of the outcome of the risk assessment carried out pursuant to Article 10 and the measures taken in accordance with Article 11.

Upon request of one or more Member States or of the Commission, a critical entity of particular European significance shall inform the Critical Entities Resilience Group of the outcome of the risk assessment carried out pursuant to Article 10 and the measures taken in accordance with Article 11.

Amendment  79

Proposal for a directive

Article 15 – paragraph 2

 

Text proposed by the Commission

Amendment

2. Upon request of one or more Member States, or at its own initiative, and in agreement with the Member State where the infrastructure of the critical entity of particular European significance is located, the Commission shall organise an advisory mission to assess the measures that that entity put in place to meet its obligations pursuant to Chapter III. Where needed, the advisory missions may request specific expertise in the area of disaster risk management through the Emergency Response Coordination Centre.

2. Upon request of one or more Member States, or at its own initiative, and in consultation with the Member State where the infrastructure of the critical entity of particular European significance is located, the Commission shall organise an advisory mission to assess the measures that that entity put in place to meet its obligations pursuant to Chapter III. Where needed, the advisory missions may request specific expertise in the area of disaster risk management through the Emergency Response Coordination Centre.

Amendment  80

Proposal for a directive

Article 15 – paragraph 4 – subparagraph 2

 

Text proposed by the Commission

Amendment

The Commission shall organise the programme of an advisory mission, in consultation with the members of the specific advisory mission and in agreement with the Member State where the infrastructure of the critical entity or the critical entity of European significance concerned is located.

The Commission shall organise the programme of an advisory mission, in consultation with the members of the specific advisory mission and the Member State where the infrastructure of the critical entity or the critical entity of European significance concerned is located.

Amendment  81

Proposal for a directive

Article 16 – paragraph 2 – subparagraph 1

 

Text proposed by the Commission

Amendment

The Critical Entities Resilience Group shall be composed of representatives of the Member States and the Commission. Where relevant for the performance of its tasks, the Critical Entities Resilience Group may invite representatives of interested parties to participate in its work.

The Critical Entities Resilience Group shall be composed of representatives of the Member States and the Commission. Where relevant for the performance of its tasks, the Critical Entities Resilience Group shall invite representatives of relevant stakeholders to participate in its work and the European Parliament to participate as an observer.

Amendment  82

Proposal for a directive

Article 16 – paragraph 3 – point c

 

Text proposed by the Commission

Amendment

(c) facilitating the exchange of best practices with regard to the identification of critical entities by the Member States in accordance with Article 5, including in relation to cross-border dependencies and regarding risks and incidents;

(c) facilitating the exchange of best practices with regard to the identification of critical entities by the Member States in accordance with Article 5, including in relation to cross-border and cross sectoral dependencies and regarding risks and incidents;

Amendment  83

Proposal for a directive

Article 16 – paragraph 3 – point c a (new)

 

Text proposed by the Commission

Amendment

 

(ca) preparing a Union strategy on resilience in compliance with the objectives set out in this Directive;

Amendment  84

Proposal for a directive

Article 16 – paragraph 3 – point h

 

Text proposed by the Commission

Amendment

(h) exchanging information and best practices on research and development relating to the resilience of critical entities in accordance with this Directive;

(h) exchanging information and best practices on innovation, research and development relating to the resilience of critical entities in accordance with this Directive;

Amendment  85

Proposal for a directive

Article 16 – paragraph 3 – point h a (new)

 

Text proposed by the Commission

Amendment

 

(ha) promoting and supporting coordinated risk assessments and joint actions among critical entities;

Amendment  86

Proposal for a directive

Article 16 – paragraph 5

 

Text proposed by the Commission

Amendment

5. The Critical Entities Resilience Group shall meet regularly and at least once a year with the Cooperation Group established under [the NIS 2 Directive] to promote strategic cooperation and exchange of information.

5. The Critical Entities Resilience Group shall meet regularly and at least once a year with the Cooperation Group established under [the NIS 2 Directive] to facilitate strategic cooperation and exchange of information.

Amendment  87

Proposal for a directive

Article 16 – paragraph 7

 

Text proposed by the Commission

Amendment

7. The Commission shall provide to the Critical Entities Resilience Group a summary report of the information provided by the Member States pursuant to Articles 3(3) and 4(4) by [three years and six months after entry into force of this Directive] and subsequently where necessary and at least every four years.

7. The Commission shall provide to the Critical Entities Resilience Group a summary report of the information provided by the Member States pursuant to Articles 3(3) and 4(4) by [three years and six months after entry into force of this Directive] and subsequently where necessary and at least every four years. The Commission shall regularly publish a summary report of the activities of the Critical Entities Resilience Group.

 

The Commission shall set up a common secretariat for the Critical Entities Resilience Group and the Cooperation Group established under the NIS 2 Directive in order to better accommodate communication between the two groups and, consequently, to minimise ambiguities between the different authorities designated under this Directive and the NIS 2 Directive.

Amendment  88

Proposal for a directive

Article 17 – paragraph 2 a (new)

 

Text proposed by the Commission

Amendment

 

2a. In order to receive and properly use the information received under Article 8(3), the Commission shall keep a Union registry of incidents with the aim of developing and sharing best practices and methodologies.

Amendment  89

Proposal for a directive

Article 21 – paragraph 2

 

Text proposed by the Commission

Amendment

2. The power to adopt delegated acts referred to in Article 11(4) shall be conferred on the Commission for a period of five years from date of entry into force of this Directive or any other date set by the co-legislators.

2. The power to adopt delegated acts referred to in Articles 4(1) and 11(4) shall be conferred on the Commission for a period of five years from date of entry into force of this Directive or any other date set by the co-legislators.

Amendment  90

Proposal for a directive

Article 21 – paragraph 3

 

Text proposed by the Commission

Amendment

3. The delegation of power referred to in Article 11(4) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.

3. The delegation of power referred to in Articles 4(1) and 11(4) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.

Amendment  91

Proposal for a directive

Article 22 – paragraph 1

 

Text proposed by the Commission

Amendment

By [54 months after the entry into force of this Directive], the Commission shall submit a report to the European Parliament and to the Council, assessing the extent to which the Member States have taken the necessary measures to comply with this Directive.

By [54 months after the entry into force of this Directive], the Commission shall submit a report to the European Parliament and to the Council, assessing the extent to which the Member States have taken the necessary measures to comply with this Directive. The report shall contain separate country chapters on the concrete implementation progress in each Member State.

Amendment  92

Proposal for a directive

Article 22 – paragraph 2

 

Text proposed by the Commission

Amendment

The Commission shall periodically review the functioning of this Directive, and report to the European Parliament and to the Council. The report shall in particular assess the impact and added value of this Directive on ensuring the resilience of critical entities and whether the scope of the Directive should be extended to cover other sectors or subsectors. The first report shall be submitted by [six years after the entry into force of this Directive] and shall assess in particular whether the scope of the Directive should be extended to include the food production, processing and distribution sector.

The Commission shall periodically review the functioning of this Directive, and report to the European Parliament and to the Council. The report shall in particular assess the impact and added value of this Directive on ensuring the resilience of critical entities and whether the scope of the Directive should be extended to cover other sectors or subsectors. The first report shall be submitted by [six years after the entry into force of this Directive] and shall assess in particular whether the scope of the Directive should be extended. For that purpose, the Commission shall take into account relevant documents of the Critical Entities Resilience Group.

Amendment  93

Proposal for a directive

Annex – table – point 2 – Transport – point e (new)

 

Text proposed by the Commission

2. Transport

(a) Air

— Air carriers referred to in point (4) of Article 3 of Regulation (EC) No 300/2008⁵⁶

— Airport managing bodies referred to in point (2) of Article 2 of Directive 2009/12/EC⁵⁷, airports referred to in point (1) of Article 2 of that Directive, including the core airports listed in Section 2 of Annex II to Regulation (EU) No 1315/2013⁵⁸, and entities operating ancillary installations contained within airports

— Traffic management control operators providing air traffic control (ATC) services referred to in point (1) of Article 2 of Regulation (EC) No 549/2004⁵⁹

(b) Rail

— Infrastructure managers referred to in point (2) of Article 3 of Directive 2012/34/EU⁶⁰

— Railway undertakings referred to in point (1) of Article 3 of Directive 2012/34/EU, including operators of service facilities referred to in point (12) of Article 3 of Directive 2012/34/EU

(c) Water

— Inland, sea and coastal passenger and freight water transport companies, referred to for maritime transport in Annex I to Regulation (EC) No 725/2004⁶¹, not including the individual vessels operated by those companies

— Managing bodies of ports referred to in point (1) of Article 3 of Directive 2005/65/EC⁶², including their port facilities referred to in point (11) of Article 2 of Regulation (EC) No 725/2004, and entities operating works and equipment contained within ports

— Operators of vessel traffic services referred to in point (o) of Article 3 of Directive 2002/59/EC⁶³ of the European Parliament and of the Council

(d) Road

— Road authorities referred to in point (12) of Article 2 of Commission Delegated Regulation (EU) 2015/962⁶⁴ responsible for traffic management control

— Operators of Intelligent Transport Systems referred to in point (1) of Article 4 of Directive 2010/40/EU⁶⁵

Amendment

2. Transport

(a) Air

— Air carriers referred to in point (4) of Article 3 of Regulation (EC) No 300/2008⁵⁶

— Airport managing bodies referred to in point (2) of Article 2 of Directive 2009/12/EC⁵⁷, airports referred to in point (1) of Article 2 of that Directive, including the core airports listed in Section 2 of Annex II to Regulation (EU) No 1315/2013⁵⁸, and entities operating ancillary installations contained within airports

— Traffic management control operators providing air traffic control (ATC) services referred to in point (1) of Article 2 of Regulation (EC) No 549/2004⁵⁹

(b) Rail

— Infrastructure managers referred to in point (2) of Article 3 of Directive 2012/34/EU⁶⁰

— Railway undertakings referred to in point (1) of Article 3 of Directive 2012/34/EU, including operators of service facilities referred to in point (12) of Article 3 of Directive 2012/34/EU

(c) Water

— Inland, sea and coastal passenger and freight water transport companies, referred to for maritime transport in Annex I to Regulation (EC) No 725/2004⁶¹, not including the individual vessels operated by those companies

— Managing bodies of ports referred to in point (1) of Article 3 of Directive 2005/65/EC⁶², including their port facilities referred to in point (11) of Article 2 of Regulation (EC) No 725/2004, and entities operating works and equipment contained within ports

— Operators of vessel traffic services referred to in point (o) of Article 3 of Directive 2002/59/EC⁶³ of the European Parliament and of the Council

(d) Road

— Road authorities referred to in point (12) of Article 2 of Commission Delegated Regulation (EU) 2015/962⁶⁴ responsible for traffic management control

— Operators of Intelligent Transport Systems referred to in point (1) of Article 4 of Directive 2010/40/EU⁶⁵

(e) Public transport

— Public transport authorities and service operators as referred to in Article 2, points (b) and (d), of Regulation (EC) No 1370/2007 of the European Parliament and of the Council⁶⁵ᵃ.

_____________________

65a Regulation (EC) No 1370/2007 of the European Parliament and of the Council of 23 October 2007 on public passenger transport services by rail and by road and repealing Council Regulations (EEC) Nos 1191/69 and 1107/70 (OJ L 315, 3.12.2007, p. 1).

Amendment  94

Proposal for a directive

Annex – section 5 – subsection 6 (new)

 

 

 

Text proposed by the Commission

Sectors, subsectors and types of entities

5. Health

— Healthcare providers referred to in point (g) of Article 3 of Directive 2011/24/EU¹⁹

— EU reference laboratories referred to in Article 15 of Regulation [XX] on serious cross borders threats to health

— Entities carrying out research and development activities of medicinal products referred to in Article 1 point 2 of Directive 2001/83/EC

— Entities manufacturing basic pharmaceutical products and pharmaceutical preparations referred to in section C division 21 of NACE Rev. 2

— Entities manufacturing medical devices considered as critical during a public health emergency (‘the public health emergency critical devices list’) referred to in Article 20 of Regulation XXXX

Amendment

Sectors, subsectors and types of entities

5. Health

— Healthcare providers referred to in point (g) of Article 3 of Directive 2011/24/EU¹⁹

— EU reference laboratories referred to in Article 15 of Regulation [XX] on serious cross borders threats to health

— Entities carrying out research and development activities of medicinal products referred to in Article 1 point 2 of Directive 2001/83/EC

— Entities manufacturing basic pharmaceutical products and pharmaceutical preparations referred to in section C division 21 of NACE Rev. 2

— Entities manufacturing medical devices considered as critical during a public health emergency (‘the public health emergency critical devices list’) referred to in Article 20 of Regulation XXXX

— Entities holding a distribution authorisation as referred to in Article 79 of Directive 2001/83/EC

Amendment  95

Proposal for a directive

Annex – Sector 9 – Title

 

Text proposed by the Commission

Amendment

9. Public administration

9. Public administration and democratic institutions

Amendment  96

Proposal for a directive

Annex – Sector 9 – Type of entity – 3 a (new)

 

Text proposed by the Commission

Amendment

 

— Central, regional and local governments and assemblies

Amendment  97

Proposal for a directive

Annex – section 10 a (new)

 

Text proposed by the Commission

Amendment

 

10 a. Food production, processing and distribution

 

— Food businesses as referred to in Article 3, point (2), of Regulation (EC) No 178/2002 of the European Parliament and of the Council1a

 

________________

 

1a Regulation (EC) No 178/2002 of the European Parliament and of the Council of 28 January 2002 laying down the general principles and requirements of food law, establishing the European Food Safety Authority and laying down procedures in matters of food safety (OJ L 31, 1.2.2002, p. 1).



 

 

OPINION OF THE COMMITTEE ON INDUSTRY, RESEARCH AND ENERGY (2.7.2021)

for the Committee on Civil Liberties, Justice and Home Affairs

on the proposal for a directive of the European Parliament and of the Council on the resilience of critical entities

(COM(2020)0829 – C9‑0421/2020 – (2020)0365(COD))

Rapporteur for opinion: Nils Torvalds

(*)  Associated committees – Rule 57 of the Rules of Procedure

 

 

 

 

AMENDMENTS

The Committee on Industry, Research and Energy calls on the Committee on Civil Liberties, Justice and Home Affairs, as the committee responsible, to take into account the following amendments:

Amendment  1

 

Proposal for a directive

Recital 1

 

Text proposed by the Commission

Amendment

(1) Council Directive 2008/114/EC¹⁷ provides for a procedure for designating European critical infrastructures in the energy and transport sectors, the disruption or destruction of which would have significant cross-border impact on at least two Member States. That Directive focused exclusively on the protection of such infrastructures. However, the evaluation of Directive 2008/114/EC conducted in 2019¹⁸ found that due to the increasingly interconnected and cross-border nature of operations using critical infrastructure, protective measures relating to individual assets alone are insufficient to prevent all disruptions from taking place. Therefore, it is necessary to shift the approach towards ensuring the resilience of critical entities, that is, their ability to mitigate, absorb, accommodate to and recover from incidents that have the potential to disrupt the operations of the critical entity.

(1) Council Directive 2008/114/EC¹⁷ provides for a procedure for designating European critical infrastructures in the energy and transport sectors, the disruption or destruction of which would have significant cross-border impact on at least two Member States. That Directive focused exclusively on the protection of such infrastructures. However, the evaluation of Directive 2008/114/EC conducted in 2019¹⁸ found that due to the increasingly interconnected and cross-border nature of operations using critical infrastructure, protective measures relating to individual assets alone are insufficient to prevent all disruptions from taking place. Therefore, it is necessary to shift the approach towards ensuring the resilience of critical entities, that is, their ability to mitigate, absorb, react, accommodate to and recover from incidents that have the potential to disrupt the operations of the critical entity endangering the overall economic and social well-being of citizens.

__________________

17 Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection (OJ L 345, 23.12.2008, p.75).

18 SWD(2019) 308.

Amendment  2

 

Proposal for a directive

Recital 3

 

Text proposed by the Commission

Amendment

(3) Those growing interdependencies are the result of an increasingly cross-border and interdependent network of service provision using key infrastructures across the Union in the sectors of energy, transport, banking, financial market infrastructure, digital infrastructure, drinking and waste water, health, certain aspects of public administration, as well as space in as far as the provision of certain services depending on ground-based infrastructures that are owned, managed and operated either by Member States or by private parties is concerned, therefore not covering infrastructures owned, managed or operated by or on behalf of the Union as part of its space programmes. These interdependencies mean that any disruption, even one initially confined to one entity or one sector, can have cascading effects more broadly, potentially resulting in far-reaching and long-lasting negative impacts in the delivery of services across the internal market. The COVID-19 pandemic has shown the vulnerability of our increasingly interdependent societies in the face of low-probability risks.

(3) Those growing interdependencies are the result of an increasingly cross-border and interdependent network of service provision using key infrastructures across the Union in the sectors of energy, transport, banking, financial market infrastructure, digital infrastructure, drinking and waste water, health, food, certain aspects of public administration, as well as space in as far as the provision of certain services depending on ground-based infrastructures that are owned, managed and operated either by Member States or by private parties is concerned, therefore not covering infrastructures owned, managed or operated by or on behalf of the Union as part of its space programmes. Innovation and technology advancements contribute to the creation of new forms and types of infrastructure systems that use innovations aimed at reducing costs and increasing efficiency and may have implications on risk and resilience. These interdependencies mean that any disruption, even one initially confined to one entity or one sector, can have cascading effects more broadly, potentially resulting in far-reaching and long-lasting negative impacts in the delivery of services across the internal market. Resilience of energy infrastructures plays an important role in economic growth across the Union and contributes to ensuring a decent standard of living to vulnerable energy consumers. The COVID-19 pandemic has shown the vulnerability of our increasingly interdependent societies in the face of low-probability risks.

Amendment  3

 

Proposal for a directive

Recital 4

 

Text proposed by the Commission

Amendment

(4) The entities involved in the provision of essential services are increasingly subject to diverging requirements imposed under the laws of the Member States. The fact that some Member States have less stringent security requirements on these entities not only risks impacting negatively on the maintenance of vital societal functions or economic activities across the Union, it also leads to obstacles to the proper functioning of the internal market. Similar types of entities are considered as critical in some Member States but not in others, and those which are identified as critical are subject to divergent requirements in different Member States. This results in additional and unnecessary administrative burdens for companies operating across borders, notably for companies active in Member States with more stringent requirements.

(4) The entities involved in the provision of essential services are increasingly subject to diverging requirements imposed under the laws of the Member States. The fact that some Member States have less stringent security requirements on these entities not only risks impacting negatively on the maintenance of vital societal functions or economic activities across the Union, it also leads to obstacles to the proper functioning of the internal market. The resilience of critical entities is of great importance for the functioning of the internal market and the security of the Union and its citizens. Similar types of entities are considered as critical in some Member States but not in others, and those which are identified as critical are subject to divergent requirements in different Member States. This results in additional and unnecessary administrative burdens for companies operating across borders, notably for companies active in Member States with more stringent requirements.

Amendment  4

 

Proposal for a directive

Recital 5

 

Text proposed by the Commission

Amendment

(5) It is therefore necessary to lay down harmonised minimum rules to ensure the provision of essential services in the internal market and enhance the resilience of critical entities.

(5) It is therefore necessary to lay down harmonised minimum rules to ensure the provision of essential services in the internal market and enhance the resilience of critical entities. As this Directive provides for minimum rules, Member States are free to adopt or maintain more stringent rules to ensure the provision of essential services in the internal market and enhance the resilience of critical entities where they deem them necessary to protect national security.

Amendment  5

 

Proposal for a directive

Recital 8

 

Text proposed by the Commission

Amendment

(8) Given the importance of cybersecurity for the resilience of critical entities and in the interest of consistency, a coherent approach between this Directive and Directive (EU) XX/YY of the European Parliament and of the Council²⁰ [Proposed Directive on measures for a high common level of cybersecurity across the Union; (hereafter “NIS 2 Directive”)] is necessary wherever possible. In view of the higher frequency and particular characteristics of cyber risks, the NIS 2 Directive imposes comprehensive requirements on a large set of entities to ensure their cybersecurity. Given that cybersecurity is addressed sufficiently in the NIS 2 Directive, the matters covered by it should be excluded from the scope of this Directive, without prejudice to the particular regime for entities in the digital infrastructure sector.

(8) Given the importance of cybersecurity for the resilience of critical entities and in the interest of consistency, a coherent approach between this Directive and Directive (EU) XX/YY of the European Parliament and of the Council²⁰ [Proposed Directive on measures for a high common level of cybersecurity across the Union; (hereafter “NIS 2 Directive”)] is necessary wherever possible, preventing any overlap that could hinder the effectiveness of those two directives. In view of the higher frequency and particular characteristics of cyber risks, the NIS 2 Directive imposes comprehensive requirements on a large set of entities to ensure their cybersecurity. Given that cybersecurity is addressed sufficiently in the NIS 2 Directive, the matters covered by it should be excluded from the scope of this Directive, without prejudice to the particular regime for entities in the digital infrastructure sector.

__________________

20 [Reference to NIS 2 Directive, once adopted.]

Amendment  6

 

Proposal for a directive

Recital 11

 

Text proposed by the Commission

Amendment

(11) The actions of Member States to identify and help ensure the resilience of critical entities should follow a risk-based approach that targets efforts to the entities most relevant for the performance of vital societal functions or economic activities. In order to ensure such a targeted approach, each Member State should carry out, within a harmonised framework, an assessment of all relevant natural and man-made risks that may affect the provision of essential services, including accidents, natural disasters, public health emergencies such as pandemics, and antagonistic threats, including terrorist offences. When carrying out those risk assessments, Member States should take into account other general or sector-specific risk assessment carried out pursuant to other acts of Union law and should consider the dependencies between sectors, including from other Member States and third countries. The outcomes of the risk assessment should be used in the process of identification of critical entities and to assist those entities in meeting the resilience requirements of this Directive.

(11) The actions of Member States to identify and help ensure the resilience of critical entities should follow a risk-based approach that targets efforts to the entities most relevant for the performance of vital societal functions or economic activities. In order to ensure such a targeted approach, each Member State should carry out, within a harmonised framework, an assessment of all relevant natural and man-made risks that may affect the provision of essential services, including accidents, natural disasters, public health emergencies such as pandemics, and antagonistic threats, including terrorist offences and criminal infiltration. When carrying out those risk assessments, Member States should take into account other general or sector-specific risk assessment carried out pursuant to other acts of Union law and should consider the dependencies between sectors, including from other Member States and third countries. The outcomes of the risk assessment should be used in the process of identification of critical entities and to assist those entities in meeting the resilience requirements of this Directive.

Amendment  7

 

Proposal for a directive

Recital 12

 

Text proposed by the Commission

Amendment

(12) In order to ensure that all relevant entities are subject to those requirements and to reduce divergences in this respect, it is important to lay down harmonised rules allowing for a consistent identification of critical entities across the Union, while also allowing Member States to reflect national specificities. Therefore, criteria to identify critical entities should be laid down. In the interest of effectiveness, efficiency, consistency and legal certainty, appropriate rules should also be set on notification and cooperation relating to, as well as the legal consequences of, such identification. In order to enable the Commission to assess the correct application of this Directive, Member States should submit to the Commission, in a manner that is as detailed and specific as possible, relevant information and, in any event, the list of essential services, the number of critical entities identified for each sector and subsector referred to in the Annex and the essential service or services that each entity provides and any thresholds applied.

(12) In order to ensure that all relevant entities are subject to those requirements and to reduce divergences in this respect, it is important to lay down harmonised rules allowing for a consistent identification of critical entities across the Union, while also allowing Member States to reflect national specificities. This Directive addresses the need to ensure continuity of the services essential for the maintenance of vital societal functions or economic activities, without prejudice to national competences in organising and delivering public services. Therefore, criteria to identify critical entities should be laid down. In the interest of effectiveness, efficiency, consistency and legal certainty, appropriate rules should also be set on notification and cooperation relating to, as well as the legal consequences of, such identification. In order to enable the Commission to assess the correct application of this Directive, Member States should submit to the Commission, in a manner that is as detailed and specific as possible, relevant information and, in any event, the list of essential services, the number of critical entities identified for each sector and subsector referred to in the Annex and the essential service or services that each entity provides and any thresholds applied.

Amendment  8

 

Proposal for a directive

Recital 16

 

Text proposed by the Commission

Amendment

(16) Member States should designate authorities competent to supervise the application of and, where necessary, enforce the rules of this Directive and ensure that those authorities are adequately empowered and resourced. In view of the differences in national governance structures and in order to safeguard already existing sectoral arrangements or Union supervisory and regulatory bodies, and to avoid duplication, Member States should be able to designate more than one competent authority. In that case, they should however clearly delineate the respective tasks of the authorities concerned and ensure that they cooperate smoothly and effectively. All competent authorities should also cooperate more generally with other relevant authorities, both at national and Union level.

(16) Member States should designate authorities competent to supervise the application of and, where necessary, enforce the rules of this Directive and ensure that those authorities are adequately empowered and resourced. In view of the differences in national governance structures and in order to safeguard already existing national or Union-based sector-specific arrangements or national and Union supervisory and regulatory bodies, and to avoid duplication, Member States should be able to designate more than one competent authority. In that case, they should however clearly delineate the respective tasks of the authorities concerned and ensure that they cooperate smoothly and effectively. All competent authorities should also cooperate more generally with other relevant authorities, both at national and Union level.

Amendment  9

 

Proposal for a directive

Recital 18

 

Text proposed by the Commission

Amendment

(18) Given that under the NIS 2 Directive entities identified as critical entities, as well as identified entities in the digital infrastructure sector that are to be treated as equivalent under the present Directive are subject to the cybersecurity requirements of the NIS 2 Directive, the competent authorities designated under the two Directives should cooperate, particularly in relation to cybersecurity risks and incidents affecting those entities.

(18) Entities identified as critical entities under this Directive as well as entities in the digital infrastructure sector that are to be treated as equivalent under the present Directive are subject to the cybersecurity requirements of the NIS 2 Directive. Consequently, the competent authorities designated under the two Directives should cooperate, particularly in relation to cybersecurity risks and incidents affecting those entities. Member States should take measures to avoid double reporting and control, to ensure that strategies and requirements provided for in this Directive and the NIS 2 Directive are complementary and that critical entities are not subject to additional administrative burden.

Amendment  10

 

Proposal for a directive

Recital 19

 

Text proposed by the Commission

Amendment

(19) Member States should support critical entities in strengthening their resilience, in compliance with their obligations under this Directive, without prejudice to the entities’ own legal responsibility to ensure such compliance. Member States could in particular develop guidance materials and methodologies, support the organisation of exercises to test their resilience and provide training to personnel of critical entities. Moreover, given the interdependencies between entities and sectors, Member States should establish information sharing tools to support voluntary information sharing between critical entities, without prejudice to the application of competition rules laid down in the Treaty on the Functioning of the European Union.

(19) Member States should support critical entities in strengthening their resilience, in compliance with their obligations under this Directive, without prejudice to the entities’ own legal responsibility to ensure such compliance. Member States should in particular develop guidance materials and methodologies, support the organisation of exercises to test their resilience and provide training to personnel of critical entities. Moreover, given the interdependencies between entities and sectors, Member States should establish information sharing tools to support voluntary information sharing between critical entities, without prejudice to the application of competition rules laid down in the Treaty on the Functioning of the European Union.

Amendment  11

 

Proposal for a directive

Recital 25

 

Text proposed by the Commission

Amendment

(25) Critical entities should notify, as soon as reasonably possible under the given circumstances, Member States’ competent authorities of incidents that significantly disrupt or have the potential to significantly disrupt their operations. The notification should allow the competent authorities to respond to the incidents rapidly and adequately and to have a comprehensive overview of the overall risks that critical entities face. For that purpose, a procedure should be established for the notification of certain incidents and parameters should be provided for to determine when the actual or potential disruption is significant and the incidents should thus be notified. Given the potential cross-border impacts of such disruptions, a procedure should be established for Member States to inform other affected Member States via single points of contacts.

(25) Critical entities should notify, as soon as reasonably possible under the given circumstances, Member States’ competent authorities of incidents that significantly disrupt or have the potential to significantly disrupt their operations. The notification should allow the competent authorities to respond to the incidents rapidly and adequately to prevent even worse consequences and to have a comprehensive overview of the overall risks that critical entities face. For that purpose, a procedure should be established for the notification of certain incidents and parameters should be provided for to determine when the actual or potential disruption is significant and the incidents should thus be notified. Given the potential cross-border impacts of such disruptions, a procedure should be established for Member States to inform other affected Member States via single points of contacts. Given the sensitivity of some events, appropriate forms of confidentiality should be established, together with mechanisms to prevent the dissemination of data that could compromise national security.

Amendment  12

 

Proposal for a directive

Recital 30

 

Text proposed by the Commission

Amendment

(30) Member States should ensure that their competent authorities have certain specific powers for the proper application and enforcement of this Directive in relation to critical entities, where those entities fall under their jurisdiction as specified in this Directive. Those powers should include, notably, the power to conduct inspections, supervision and audits, require critical entities to provide information and evidence relating to the measures they have taken to comply with their obligations and, where necessary, issue orders to remedy identified infringements. When issuing such orders, Member States should not require measures which go beyond what is necessary and proportionate to ensure compliance of the critical entity concerned, taking account of in particular the seriousness of the infringement and the economic capacity of the critical entity. More generally, those powers should be accompanied by appropriate and effective safeguards to be specified in national law, in accordance with the requirements resulting from Charter of Fundamental Rights of the European Union. When assessing the compliance of a critical entity with its obligations under this Directive, competent authorities designated under this Directive should be able to request the competent authorities designated under the NIS 2 Directive to assess the cybersecurity of those entities. Those competent authorities should cooperate and exchange information for that purpose.

(30) Member States should ensure that their competent authorities have certain specific powers for the proper application and enforcement of this Directive in relation to critical entities, where those entities fall under their jurisdiction as specified in this Directive. Those powers should include, notably, the power to conduct inspections, supervision and audits, require critical entities to provide information and evidence relating to the measures they have taken to comply with their obligations and, where necessary, issue orders to remedy identified infringements. When issuing such orders, Member States should not require measures which go beyond what is necessary and proportionate to ensure compliance of the critical entity concerned, taking account of in particular the seriousness of the infringement and the economic capacity of the critical entity. More generally, those powers should be accompanied by appropriate and effective safeguards to be specified in national law, in accordance with the requirements resulting from Charter of Fundamental Rights of the European Union. The assessment of critical entities under this Directive, in matters that fall under the scope of the NIS 2 Directive such as physical and non-physical cybersecurity, are the responsibility of the competent authorities designated under the NIS 2 Directive. Furthermore, when assessing the compliance of a critical entity with its obligations under this Directive, competent authorities designated under this Directive should be able to request the competent authorities designated under the NIS 2 Directive to assess the cybersecurity of those entities. Those competent authorities should cooperate and exchange information for that purpose.

Amendment  13

 

Proposal for a directive

Article 1 – paragraph 1 – point a

 

Text proposed by the Commission

Amendment

(a) lays down obligations for Member States to take certain measures aimed at ensuring the provision in the internal market of services essential for the maintenance of vital societal functions or economic activities, in particular to identify critical entities and entities to be treated as equivalent in certain respects, and to enable them to meet their obligations;

(a) lays down obligations for Member States to take certain measures aimed at ensuring the continuous provision in the internal market of services essential for the maintenance of vital societal functions or economic activities, in particular to identify critical entities and entities to be treated as equivalent in certain respects, and to enable them to meet their obligations;

Amendment  14

 

Proposal for a directive

Article 1 – paragraph 2

 

Text proposed by the Commission

Amendment

2. This Directive shall not apply to matters covered by Directive (EU) XX/YY [proposed Directive on measures for a high common level of cybersecurity across the Union; (‘NIS 2 Directive’)], without prejudice to Article 7.

2. This Directive shall not apply to matters covered by Directive (EU) XX/YY [proposed Directive on measures for a high common level of cybersecurity across the Union; (‘NIS 2 Directive’)], without prejudice to Article 7. In view of the interlinkages between cybersecurity and the physical security of entities, Member States shall ensure a coherent implementation of both directives.

Amendment  15

 

Proposal for a directive

Article 1 – paragraph 3 a (new)

 

Text proposed by the Commission

Amendment

 

3a. Member States shall ensure that their security strategies, including sector-specific security strategies, provide for a coordinated policy framework for enhanced coordination in the context of information sharing on incidents and threats and the exercise of supervisory tasks which avoids the duplication of requirements and reporting and monitoring activities.

Amendment  16

 

Proposal for a directive

Article 2 – paragraph 1 – point 6

 

Text proposed by the Commission

Amendment

(6) “risk” means any circumstance or event having a potential adverse effect on the resilience of critical entities;

(6) “risk” means any circumstance or event having a potential adverse effect on the operations of critical entities;

Amendment  17

 

Proposal for a directive

Article 3 – paragraph 2 – subparagraph 1 – point d a (new)

 

Text proposed by the Commission

Amendment

 

(da) the relevant aspects from the national cybersecurity strategy as provided for in the NIS2 Directive and any other sectoral national strategy with a view to achieving coordination, complementarity and synergies.

Amendment  18

 

Proposal for a directive

Article 3 – paragraph 3 a (new)

 

Text proposed by the Commission

Amendment

 

3a. When drafting their strategies, Member States may consult local and regional authorities and take into consideration local capacities.

Amendment  19

 

Proposal for a directive

Article 4 – paragraph 1 – subparagraph 2

 

Text proposed by the Commission

Amendment

The risk assessment shall account for all relevant natural and man-made risks, including accidents, natural disasters, public health emergencies, antagonistic threats, including terrorist offences pursuant to Directive (EU) 2017/541 of the European Parliament and of the Council (34).

The risk assessment shall account for all relevant natural and man-made risks, including accidents, natural disasters, public health emergencies, antagonistic threats, including terrorist offences pursuant to Directive (EU) 2017/541 of the European Parliament and of the Council (34). Where relevant, the risk assessment shall consider the capacities of local and regional authorities.

__________________

34 Directive (EU) 2017/541 of the European Parliament and of the Council of 15 March 2017 on combating terrorism and replacing Council Framework Decision 2002/475/JHA and amending Council Decision 2005/671/JHA (OJ L 88, 31.3.2017, p. 6).

Amendment  20

 

Proposal for a directive

Article 4 – paragraph 5

 

Text proposed by the Commission

Amendment

5. The Commission may, in cooperation with the Member States, develop a voluntary common reporting template for the purposes of complying with paragraph 4.

5. The Commission shall, in cooperation with the Member States, develop a voluntary common reporting template for the purposes of complying with paragraph 4.

Amendment  21

 

Proposal for a directive

Article 5 – paragraph 4 a (new)

 

Text proposed by the Commission

Amendment

 

4a. Member States may identify those entities that they have identified as essential entities under the NIS 2 Directive as critical entities under this Directive. Where a Member State decides not to identify the essential entities under the NIS 2 Directive as critical entities under this Directive, it shall justify the reasons therefor.

Amendment  22

 

Proposal for a directive

Article 6 – paragraph 1 – point e

 

Text proposed by the Commission

Amendment

(e) the geographic area that could be affected by an incident, including any cross-border impacts;

(e) the geographic area that could be affected by an incident, including any cross-border impacts, taking into account the vulnerability associated with the degree of isolation of certain types of geographic areas, such as insular regions, outermost regions or mountainous areas;

Amendment  23

 

Proposal for a directive

Article 8 – paragraph 2

 

Text proposed by the Commission

Amendment

2. Each Member State shall, within the competent authority, designate a single point of contact to exercise a liaison function to ensure cross-border cooperation with competent authorities of other Member States and with the Critical Entities Resilience Group referred to in Article 16 (‘single point of contact’).

2. Each Member State shall, within the competent authority, designate a single point of contact to exercise a liaison function to ensure cross-border cooperation with competent authorities of other Member States, with the Critical Entities Resilience Group referred to in Article 16 (‘single point of contact’) and with the critical entities. Each Member State shall ensure that the single point of contact designated under the NIS 2 Directive is the single point of contact under this Directive.

Amendment  24

 

Proposal for a directive

Article 8 – paragraph 3

 

Text proposed by the Commission

Amendment

3. By [three years and six months after entry into force of this Directive], and every year thereafter, the single points of contact shall submit a summary report to the Commission and to the Critical Entities Resilience Group on the notifications received, including the number of notifications, the nature of notified incidents and the actions taken in accordance with Article 13(3).

3. By [three years and six months after entry into force of this Directive], and in the first trimester every year thereafter, the single points of contact shall submit a summary report to the Commission and to the Critical Entities Resilience Group on the notifications received, including the number of notifications, the nature of notified incidents and the actions taken in accordance with Article 13(3).

Amendment  25

 

Proposal for a directive

Article 8 – paragraph 5

 

Text proposed by the Commission

Amendment

5. Member States shall ensure that their competent authorities, whenever appropriate, and in accordance with Union and national law, consult and cooperate with other relevant national authorities, in particular those in charge of civil protection, law enforcement and protection of personal data, as well as with relevant interested parties, including critical entities.

5. Member States shall ensure that their competent authorities, whenever appropriate, and in accordance with Union and national law, consult and cooperate with other relevant national authorities, including, where appropriate, local and regional authorities, in particular those in charge of civil protection, law enforcement and protection of personal data, as well as with relevant interested parties, including critical entities.

Amendment  26

 

Proposal for a directive

Article 9 – paragraph 1

 

Text proposed by the Commission

Amendment

1. Member States shall support critical entities in enhancing their resilience. That support may include developing guidance materials and methodologies, supporting the organisation of exercises to test their resilience and providing training to personnel of critical entities.

1. Member States shall support critical entities in enhancing their resilience, developing protocols, agreements and cooperation, and in exchanging of information and expertise between the public and private sectors. That support shall include among others, developing guidance materials and methodologies, supporting the organisation of exercises to test their resilience and providing periodic training to personnel of critical entities.

Amendment  27

 

Proposal for a directive

Article 9 – paragraph 1 a (new)

 

Text proposed by the Commission

Amendment

 

1a. Where necessary, Member States shall allocate sufficient resources to support critical entities to fulfil compliance requirements, in particular to cover additional costs associated with learning and training activities or employing additional staff for reporting, monitoring and reviewing.

Amendment  28

 

Proposal for a directive

Article 9 – paragraph 3

 

Text proposed by the Commission

Amendment

3. Member States shall establish information sharing tools to support voluntary information sharing between critical entities in relation to matters covered by this Directive, in accordance with Union and national law on, in particular, competition and protection of personal data.

3. Member States shall establish information sharing tools to support voluntary information sharing between critical entities, with the aim of increasing knowledge sharing and transparency within and between sectors, in relation to matters covered by this Directive, in accordance with Union and national law on, in particular, competition and protection of personal data.

Amendment  29

 

Proposal for a directive

Article 11 – paragraph 1 – point c a (new)

 

Text proposed by the Commission

Amendment

 

(ca) prevent incidents which might threaten the security and continuation of the supply of goods and services;

Amendment  30

 

Proposal for a directive

Article 11 – paragraph 1 – point d a (new)

 

Text proposed by the Commission

Amendment

 

(da) make use of accepted European standards and specifications relevant to the resilience of critical entities, without imposing the use of a particular type of service or technology or discriminating in favour of it;

Amendment  31

 

Proposal for a directive

Article 11 – paragraph 1 – point e

 

Text proposed by the Commission

Amendment

(e) ensure adequate employee security management, including by setting out categories of personnel exercising critical functions, establishing access rights to sensitive areas, facilities and other infrastructure, and to sensitive information as well as identifying specific categories of personnel in view of Article 12;

(e) ensure adequate employee and training security management, including by setting out categories of personnel exercising critical functions, establishing access rights to sensitive areas, facilities and other infrastructure, and to sensitive information as well as identifying specific categories of personnel in view of Article 12;

Amendment  32

 

Proposal for a directive

Article 11 – paragraph 1 – point f

 

Text proposed by the Commission

Amendment

(f) raise awareness about the measures referred to in points (a) to (e) among relevant personnel.

(f) raise awareness about the measures referred to in points (a) to (e) among relevant operators and their staff, through periodic training.

Amendment  33

 

Proposal for a directive

Article 12 – paragraph 1

 

Text proposed by the Commission

Amendment

1. Member States shall ensure that critical entities may submit requests for background checks on persons who fall within certain specific categories of their personnel, including persons being considered for recruitment to positions falling within those categories, and that those requests are assessed expeditiously by the authorities competent to carry out such background checks.

1. Member States shall ensure that critical entities may submit duly justified requests for background checks on persons who fall within certain specific categories of their personnel, identified based on common national criteria including persons being considered for recruitment to critical functions falling within those categories, and that those requests are assessed expeditiously by the authorities competent to carry out such background checks.

Amendment  34

 

Proposal for a directive

Article 12 – paragraph 2 – subparagraph 1 – introductory part

 

Text proposed by the Commission

Amendment

2. In accordance with applicable Union and national law, including Regulation (EU) 2016/679/EU of the European Parliament and of the Council (38), a background check as referred to in paragraph 1 shall:

2. In accordance with applicable Union and national law, including Regulation (EU) 2016/679/EU of the European Parliament and of the Council (38), Member States shall ensure that a background check as referred to in paragraph 1 is carried out for the sole purpose of evaluating a potential security risk to the critical entity and in respect of the fundamental rights of the person concerned. A background check shall:

__________________

38 OJ L 119, 4.5.2016, p. 1.

Amendment  35

 

Proposal for a directive

Article 12 – paragraph 2 – subparagraph 1 – point c

 

Text proposed by the Commission

Amendment

(c) cover previous employments, education and any gaps in education or employment in the person’s resume during at least the preceding five years and for a maximum of ten years.

(c) in exceptional cases and based on national criteria, cover previous employments, education and any gaps in education or employment in the person’s resume during at least the preceding five years and for a maximum of ten years.

Amendment  36

 

Proposal for a directive

Article 13 – paragraph 1

 

Text proposed by the Commission

Amendment

1. Member States shall ensure that critical entities notify without undue delay the competent authority of incidents that significantly disrupt or have the potential to significantly disrupt their operations. Notifications shall include any available information necessary to enable the competent authority to understand the nature, cause and possible consequences of the incident, including so as to determine any cross-border impact of the incident. Such notification shall not make the critical entities subject to increased liability.

1. Member States shall ensure that critical entities only notify the competent authority of incidents that significantly disrupt their operations without undue delay, in order to avoid over-information and unnecessary data flow, and to guarantee the effective functioning of national authorities and private entities. Notifications shall include any available information necessary to enable the competent authority to understand the nature, cause and possible consequences of the incident, including so as to determine any cross-border impact of the incident. Such notification shall not make the critical entities subject to increased liability.

Amendment  37

 

Proposal for a directive

Article 13 – paragraph 2 – point -a (new)

 

Text proposed by the Commission

Amendment

 

(-a) the impact on human life and the environmental consequences;

Amendment  38

 

Proposal for a directive

Article 13 – paragraph 2 – point c

 

Text proposed by the Commission

Amendment

(c) the geographical area affected by the disruption or potential disruption.

(c) the geographical area affected by the disruption or potential disruption, taking into account whether that area is geographically isolated.

Amendment  39

 

Proposal for a directive

Article 16 – paragraph 2 – subparagraph 1

 

Text proposed by the Commission

Amendment

2. The Critical Entities Resilience Group shall be composed of representatives of the Member States and the Commission. Where relevant for the performance of its tasks, the Critical Entities Resilience Group may invite representatives of interested parties to participate in its work.

2. The Critical Entities Resilience Group shall be composed of representatives of the Member States and the Commission. Where relevant for the performance of its tasks, the Critical Entities Resilience Group may invite representatives of relevant parties to participate in its work, encouraging the involvement of SMEs, civil society and trade unions mainly in training related aspects.

Amendment  40

 

Proposal for a directive

Article 16 – paragraph 5

 

Text proposed by the Commission

Amendment

5. The Critical Entities Resilience Group shall meet regularly and at least once a year with the Cooperation Group established under [the NIS 2 Directive] to promote strategic cooperation and exchange of information.

5. The Critical Entities Resilience Group shall meet regularly and at least once a year with the Cooperation Group established under [the NIS 2 Directive] to facilitate strategic cooperation and information exchange.

Amendment  41

 

Proposal for a directive

Article 16 – paragraph 7 a (new)

 

Text proposed by the Commission

Amendment

 

7a. Critical Entities Resilience Group, in spirit of security cooperation and open access, may give, upon request, access to its findings and source data for use in academia, security research and for other beneficial uses. The requests for access should be reasoned and justified and the data provided shall respect the fundamental rights of persons and be proportionate to the influence on the entities in question.

Amendment  42

 

Proposal for a directive

Article 16 – paragraph 7 b (new)

 

Text proposed by the Commission

Amendment

 

7b. The Commission shall set up a common secretariat for the Critical Entities Resilience Group and the Cooperation Group established under [the NIS 2 Directive] in order to better accommodate communication between the two groups and, consequently, to minimise ambiguities between the different designated authorities under this Directive and [the NIS 2 Directive].

Amendment  43

 

Proposal for a directive

Article 17 – paragraph 2 a (new)

 

Text proposed by the Commission

Amendment

 

2a. In order to receive and properly use the information received under Article 8(3), the Commission shall keep a European registry of incidents with the aim of developing and sharing best practices and methodologies.

Amendment  44

 

Proposal for a directive

Article 22 – paragraph 2

 

Text proposed by the Commission

Amendment

The Commission shall periodically review the functioning of this Directive, and report to the European Parliament and to the Council. The report shall in particular assess the impact and added value of this Directive on ensuring the resilience of critical entities and whether the scope of the Directive should be extended to cover other sectors or subsectors. The first report shall be submitted by [six years after the entry into force of this Directive] and shall assess in particular whether the scope of the Directive should be extended to include the food production, processing and distribution sector.

The Commission shall periodically review the functioning of this Directive, and report to the European Parliament and to the Council. The report shall in particular assess the impact and added value of this Directive on ensuring the resilience of critical entities and whether the scope of the Directive should be extended to cover other sectors or subsectors. The first report shall be submitted by [six years after the entry into force of this Directive]. For that purpose and with a view to further advancing strategic cooperation, the Commission shall take into account any non-binding guidance documents of the Critical Entities Resilience Group on the experience gained at a strategic level.

Amendment  45

 

Proposal for a directive

Annex - Point 5. Health (new)

 

 

Text proposed by the Commission

Amendment

Sector:
Subsector:
Type of entity: Entities holding a distribution authorisation referred to in Article 79 of Directive 2001/83/EC

Amendment  46

 

Proposal for a directive

Annex - Point 8 a (new)

 

 

Text proposed by the Commission

Amendment

Sector: Food
Subsector: Wholesale market
Type of entity: Food businesses as referred to in Annex I of Regulation (EC) N° 853/2004 (1a)

1a Regulation (EC) No 853/2004 of the European Parliament and of the Council of 29 April 2004 laying down specific hygiene rules for on the hygiene of foodstuffs  (OJ L 139, 30.04.2004, p.39).


PROCEDURE – COMMITTEE ASKED FOR OPINION

Title: Resilience of critical entities

References: COM(2020)0829 – C9-0421/2020 – 2020/0365(COD)

Committee responsible (date announced in plenary): LIBE (11.2.2021)

Opinion by (date announced in plenary): ITRE (11.2.2021)

Associated committees - date announced in plenary: 29.4.2021

Rapporteur for the opinion (date appointed): Nils Torvalds (15.2.2021)

Discussed in committee: 26.5.2021

Date adopted: 1.7.2021

Result of final vote: +: 58; –: 0; 0: 14

Members present for the final vote

Nicola Beer, François-Xavier Bellamy, Hildegard Bentele, Tom Berendsen, Vasile Blaga, Michael Bloss, Paolo Borchia, Marc Botenga, Markus Buchheit, Martin Buschmann, Cristian-Silviu Buşoi, Jerzy Buzek, Carlo Calenda, Maria da Graça Carvalho, Ignazio Corrao, Ciarán Cuffe, Josianne Cutajar, Nicola Danti, Pilar del Castillo Vera, Christian Ehler, Valter Flego, Niels Fuglsang, Lina Gálvez Muñoz, Jens Geier, Bart Groothuis, Christophe Grudler, Henrike Hahn, Robert Hajšel, Ivo Hristov, Romana Jerković, Eva Kaili, Seán Kelly, Izabela-Helena Kloc, Łukasz Kohut, Andrius Kubilius, Miapetra Kumpula-Natri, Thierry Mariani, Marisa Matias, Eva Maydell, Joëlle Mélin, Iskra Mihaylova, Dan Nica, Angelika Niebler, Ville Niinistö, Mauri Pekkarinen, Tsvetelina Penkova, Morten Petersen, Markus Pieper, Clara Ponsatí Obiols, Manuela Ripa, Jérôme Rivière, Robert Roos, Massimiliano Salini, Sara Skyttedal, Jessica Stegrud, Beata Szydło, Riho Terras, Grzegorz Tobiszowski, Patrizia Toia, Evžen Tošenovský, Marie Toussaint, Isabella Tovaglieri, Viktor Uspaskich, Henna Virkkunen, Pernille Weiss, Carlos Zorrinho

Substitutes present for the final vote

Klemen Grošelj, Alicia Homs Ginel, Elena Lizzi, Jutta Paulus, Susana Solís Pérez, Nils Torvalds

 


FINAL VOTE BY ROLL CALL IN COMMITTEE ASKED FOR OPINION

58 +

NI: Martin Buschmann, Clara Ponsatí Obiols, Viktor Uspaskich

PPE: François-Xavier Bellamy, Hildegard Bentele, Tom Berendsen, Vasile Blaga, Cristian-Silviu Buşoi, Jerzy Buzek, Maria da Graça Carvalho, Pilar del Castillo Vera, Christian Ehler, Seán Kelly, Andrius Kubilius, Eva Maydell, Angelika Niebler, Markus Pieper, Massimiliano Salini, Sara Skyttedal, Riho Terras, Henna Virkkunen, Pernille Weiss

Renew: Nicola Beer, Nicola Danti, Valter Flego, Bart Groothuis, Klemen Grošelj, Christophe Grudler, Iskra Mihaylova, Mauri Pekkarinen, Morten Petersen, Susana Solís Pérez, Nils Torvalds

S&D: Carlo Calenda, Josianne Cutajar, Niels Fuglsang, Lina Gálvez Muñoz, Jens Geier, Robert Hajšel, Alicia Homs Ginel, Ivo Hristov, Romana Jerković, Eva Kaili, Łukasz Kohut, Miapetra Kumpula-Natri, Dan Nica, Tsvetelina Penkova, Patrizia Toia, Carlos Zorrinho

The Left: Marisa Matias

Verts/ALE: Michael Bloss, Ignazio Corrao, Ciarán Cuffe, Henrike Hahn, Ville Niinistö, Jutta Paulus, Manuela Ripa, Marie Toussaint

14 0

ECR: Izabela-Helena Kloc, Robert Roos, Jessica Stegrud, Beata Szydło, Grzegorz Tobiszowski, Evžen Tošenovský

ID: Paolo Borchia, Markus Buchheit, Elena Lizzi, Thierry Mariani, Joëlle Mélin, Jérôme Rivière, Isabella Tovaglieri

The Left: Marc Botenga

 

Key to symbols:

+ : in favour

- : against

0 : abstention

 


 

 

OPINION OF THE COMMITTEE ON THE INTERNAL MARKET AND CONSUMER PROTECTION (23.7.2021)

for the Committee on Civil Liberties, Justice and Home Affairs

on the proposal for a directive of the European Parliament and of the Council on the resilience of critical entities

(COM(2020)0829 – C9‑0421/2020 – 2020/0365(COD))

Rapporteur for opinion (*): Alex Agius Saliba

(*) Associated committee – Rule 57 of the Rules of Procedure

 

 

 

SHORT JUSTIFICATION

On 16 December 2020, the Commission presented a proposal for a directive on the resilience of critical entities (RCE) together with an accompanying impact assessment, based on the 2019 assessment of the implementation of Directive 2008/114/EC on European critical infrastructure (ECI). In view of the importance of cybersecurity for the resilience of critical entities, the Commission also submitted, in parallel, a proposal for a revised NIS Directive ('NIS 2'). To ensure full coherence, cyber-resilience obligations under NIS 2 would also apply to critical entities identified under the new proposal.

The RCE proposal reflects a shift from the current approach of protecting individual assets towards strengthening the resilience of the critical entities that operate them. It would require Member States to adopt national strategies and undertake regular risk assessments, and it also establishes obligations on critical entities to enhance their resilience and ability to provide essential services. The procedure for identifying critical entities would differ from that set out in the ECI Directive. The Commission would also have specific oversight over critical entities of particular European significance.

The rapporteur is broadly supportive of the RCE proposal and believes it is important for IMCO to acknowledge that the existing EU-level measures aimed at protecting key services and infrastructures from physical risks need to be updated. Strengthening the resilience of critical entities in the Member States and levelling the playing field for critical entities across the Union is of outstanding importance considering the increasing interlinkages between sectors, entities and services in the internal market.

 

The IMCO Committee is associated pursuant to Rule 57 with shared competences as regards issues that raise questions under the remit of IMCO aimed at improving the functioning of the internal market.

Scope and definitions

The rapporteur welcomes the extension of the scope of the directive as it gives the possibility of encompassing new sectors that did not benefit from specific protection measures. However, the rapporteur believes that the general objective of ensuring a high level of resilience of critical entities and essential infrastructures and securing the delivery of essential services in order to improve the functioning of the internal market needs to be clearly spelt out.

Furthermore, he seeks to ensure closer alignment and harmonisation of the RCE and NIS 2 Directives where possible, in particular in relation to scope and definitions. To this end, the rapporteur requires that physical non-cyber protection under the proposed RCE Directive is clearly separated from the requirements in NIS 2 through a clear distinction in the definition of “resilience” comprised in Article 2(2). Furthermore, he proposes a set of well-articulated definitions covering “critical entities”, “resilience”, “incident” and “essential infrastructure”, among others.

Strategy and risk assessment by Member States

 

The rapporteur welcomes the strategy reinforcing the resilience of critical entities and the risk assessment that each Member State must adopt. However, he makes suggestions to improve the involvement of and consultation with the critical entities and stakeholders, as these companies provide vital services for the smooth running of daily life and enhanced cooperation with them is key if we are to achieve the objectives of this Directive. He also acknowledges the importance of managing supply chain and supplier-related risks when used by critical entities, to ensure that supply chains contribute to the resilience of the entities they supply.

 

Identification of critical entities

The rapporteur supports the requirement that Member States identify critical entities in the key relevant sectors referred to in the Annex. However, he explains that Member States will be obliged to identify entities for those sectors and subsectors from the Annex that exist in the Member States and for which the entities are key providers of essential services for the maintenance of vital societal functions and economic activities. The rapporteur has therefore made suggestions in this area.

Competent authorities and single point of contact

The rapporteur acknowledges the importance of proper oversight and enhanced cooperation between competent authorities of the Member States. However, he notes that single points of contact should be established to exercise a liaison and coordination function with the critical entities, with competent authorities and other single points of contact, and with the Critical Entities Resilience Group. The single point of contact should also simplify and harmonise reporting channels (one-stop-shop principle).

Notification of incidents

The rapporteur believes that incidents that significantly disrupt the operations of critical entities and are of public interest shall be reported not only to the competent authorities, via the single point of contact, but also to the public or, when necessary, to the affected users. The rapporteur also suggests clarifying some of the requirements to notify incidents that have not yet happened and provides additional guidance as to the reporting thresholds.


AMENDMENTS

The Committee on the Internal Market and Consumer Protection calls on the Committee on Civil Liberties, Justice and Home Affairs, as the committee responsible, to take into account the following amendments:

Amendment  1

Proposal for a directive

Recital 1

 

Text proposed by the Commission

Amendment

(1) Council Directive 2008/114/EC17 provides for a procedure for designating European critical infrastructures in the energy and transport sectors, the disruption or destruction of which would have significant cross-border impact on at least two Member States. That Directive focused exclusively on the protection of such infrastructures. However, the evaluation of Directive 2008/114/EC conducted in 201918 found that due to the increasingly interconnected and cross-border nature of operations using critical infrastructure, protective measures relating to individual assets alone are insufficient to prevent all disruptions from taking place. Therefore, it is necessary to shift the approach towards ensuring the resilience of critical entities, that is, their ability to mitigate, absorb, accommodate to and recover from incidents that have the potential to disrupt the operations of the critical entity.

(1) Council Directive 2008/114/EC17 provides for a procedure for designating European critical infrastructures in the energy and transport sectors, the disruption or destruction of which would have significant cross-border impact on at least two Member States. That Directive focused exclusively on the protection of such infrastructures. However, the evaluation of Directive 2008/114/EC conducted in 201918 found that due to the increasingly interconnected and cross-border nature of operations using critical infrastructure, protective measures relating to individual assets alone are insufficient to prevent all disruptions from taking place. Therefore, it is necessary to shift the approach towards ensuring the resilience of critical entities, that is, their ability to mitigate, absorb, accommodate to and recover and protect from incidents or threats that have the potential to disrupt the operations of the critical entity, the functioning of the internal market or the free movement of essential services.

__________________

__________________

17 Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection (OJ L 345, 23.12.2008, p.75).

17 Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection (OJ L 345, 23.12.2008, p.75).

18 SWD(2019) 308.

18 SWD(2019) 308.

Amendment  2

Proposal for a directive

Recital 2

 

Text proposed by the Commission

Amendment

(2) Despite existing measures at Union[1] and national level aimed at supporting the protection of critical infrastructures in the Union, the entities operating those infrastructures are not adequately equipped to address current and anticipated future risks to their operations that may result in disruptions of the provision of services that are essential for the performance of vital societal functions or economic activities. This is due to a dynamic threat landscape with an evolving terrorist threat and growing interdependencies between infrastructures and sectors, as well as an increased physical risk due to natural disasters and climate change, which increases the frequency and scale of extreme weather events and brings long-term changes in average climate that can reduce the capacity and efficiency of certain infrastructure types if resilience or climate adaptation measures are not in place. Moreover, relevant sectors and types of entities are not recognised consistently as critical in all Member States.

(2) Despite existing measures at Union19 and national level aimed at supporting the protection of critical infrastructures in the Union, the entities operating those infrastructures are not adequately equipped to address current and anticipated future risks to their operations that may result in disruptions of the provision of services that are essential for the performance of vital societal functions or economic activities. This is due to a dynamic threat landscape with an evolving terrorist threat and growing interdependencies between infrastructures and sectors, as well as an increased physical risk due to  natural disasters and climate change, which increases the frequency and scale of extreme weather events and brings long-term changes in average climate that can reduce the capacity and efficiency of certain infrastructure types if resilience or climate adaptation measures are not in place. Moreover, relevant sectors and types of entities are not recognised consistently as critical in all Member States.  Due to the increased cross-sectoral and cross-border interdependencies between critical infrastructures, an incident in one Member State can seriously affect activities in another Member State. In order to achieve a high level of resilience of critical infrastructures across the Union, essential services and  essential infrastructure should be protected and resilient in all Member States.

Amendment  3

Proposal for a directive

Recital 3

 

Text proposed by the Commission

Amendment

(3) Those growing interdependencies are the result of an increasingly cross-border and interdependent network of service provision using key infrastructures across the Union in the sectors of energy, transport, banking, financial market infrastructure, digital infrastructure, drinking and waste water, health, certain aspects of public administration, as well as space in as far as the provision of certain services depending on ground-based infrastructures that are owned, managed and operated either by Member States or by private parties is concerned, therefore not covering infrastructures owned, managed or operated by or on behalf of the Union as part of its space programmes. These interdependencies mean that any disruption, even one initially confined to one entity or one sector, can have cascading effects more broadly, potentially resulting in far-reaching and long-lasting negative impacts in the delivery of services across the internal market. The COVID-19 pandemic has shown the vulnerability of our increasingly interdependent societies in the face of low-probability risks.

(3) Those growing interdependencies are the result of an increasingly cross-border and interdependent network of essential service provision using key infrastructures across the Union in the sectors of energy, transport, banking, financial market infrastructure, digital infrastructure, drinking and waste water, health, certain aspects of public administration, as well as space in as far as the provision of certain services depending on ground-based infrastructures that are owned, managed and operated either by Member States or by private parties is concerned, therefore not covering infrastructures owned, managed or operated by or on behalf of the Union as part of its space programmes. These interdependencies mean that any disruption of essential services, even one initially confined to one entity or one sector, can have cascading effects more broadly, potentially resulting in a far-reaching and long-lasting negative impact on the delivery of those services across the internal market, including on individuals, consumers and business. The COVID-19 pandemic has shown the vulnerability of our increasingly interdependent societies in the face of low-probability risks.

Amendment  4

Proposal for a directive

Recital 4

 

Text proposed by the Commission

Amendment

(4) The entities involved in the provision of essential services are increasingly subject to diverging requirements imposed under the laws of the Member States. The fact that some Member States have less stringent security requirements on these entities not only risks impacting negatively on the maintenance of vital societal functions or economic activities across the Union, it also leads to obstacles to the proper functioning of the internal market. Similar types of entities are considered as critical in some Member States but not in others, and those which are identified as critical are subject to divergent requirements in different Member States. This results in additional and unnecessary administrative burdens for companies operating across borders, notably for companies active in Member States with more stringent requirements.

(4) The entities involved in the provision of essential services and essential infrastructure are increasingly subject to diverging requirements imposed under the laws of the Member States. The fact that some Member States have less stringent security requirements on these entities not only creates heterogeneous levels of resilience and differences between Member States relating to the designation and oversight of critical entities but also impacts negatively on the maintenance of vital societal functions or economic activities across the Union, and also leads to unfair competition and to obstacles to the proper functioning of the internal market. Similar types of entities are considered as critical in some Member States but not in others, and those which are identified as critical are subject to divergent requirements in different Member States. This results in additional and unnecessary administrative burdens for companies operating across borders, notably for companies active in Member States with more stringent requirements. A European framework should therefore also have the effect of levelling the playing field for critical entities across the Union.

Amendment  5

Proposal for a directive

Recital 5

 

Text proposed by the Commission

Amendment

(5) It is therefore necessary to lay down harmonised minimum rules to ensure the provision of essential services in the internal market and enhance the resilience of critical entities.

(5) It is therefore necessary to lay down harmonised minimum rules to ensure the provision and free movement of essential services in the internal market and enhance the resilience of critical entities and essential infrastructure necessary for vital societal or economic activities within the Union. To this end, the aim of this Directive should be to make critical infrastructures and critical entities resilient thereby furthering their capacity to ensure continuous provision of essential services or essential infrastructure or at least to swiftly restore performance after an incident has taken place. Operators of critical infrastructures delivering essential services across the internal market in various sectors necessary for vital societal functions and economic activities, should become resilient against current and anticipated future risks.

Amendment  6

Proposal for a directive

Recital 6

 

Text proposed by the Commission

Amendment

(6) In order to achieve that objective, Member States should identify critical entities that should be subject to specific requirements and oversight, but also particular support and guidance aimed at achieving a high level of resilience in the face of all relevant risks.

(6) In order to achieve that objective, Member States should identify critical entities that provide essential services or essential infrastructure falling within existing sectors and subsectors at national level as referred to in the Annex which should be subject to specific requirements and oversight, but also particular support and guidance aimed at achieving a high level of resilience in the face of all relevant risks and possible crises.

Amendment  7

Proposal for a directive

Recital 8

 

Text proposed by the Commission

Amendment

(8) Given the importance of cybersecurity for the resilience of critical entities and in the interest of consistency, a coherent approach between this Directive and Directive (EU) XX/YY of the European Parliament and of the Council20 (hereafter “NIS 2 Directive”) is necessary wherever possible. In view of the higher frequency and particular characteristics of cyber risks, the NIS 2 Directive imposes comprehensive requirements on a large set of entities to ensure their cybersecurity. Given that cybersecurity is addressed sufficiently in the NIS 2 Directive, the matters covered by it should be excluded from the scope of this Directive, without prejudice to the particular regime for entities in the digital infrastructure sector.

(8) Given the importance of cybersecurity for the resilience of critical entities and in the interest of consistency, a coherent approach between this Directive and Directive (EU) XX/YY of the European Parliament and of the Council20 (the “NIS 2 Directive”) is necessary wherever possible. In view of the higher frequency and particular characteristics of cyber risks, the NIS 2 Directive imposes comprehensive requirements on a large set of entities to ensure their cybersecurity. Given that cybersecurity is addressed sufficiently in the NIS 2 Directive, the matters covered by it should be excluded from the scope of this Directive, without prejudice to the particular regime for entities in the digital infrastructure sector. A coherent approach should be ensured between these acts, such as by ensuring that entities under NIS 2 susceptible to being subject to obligations under this Directive, where possible, benefit from a single point of contact and a common set of rules. As a result, the supervision of entities identified as critical or equivalent to critical under this Directive, in matters that fall under the scope of the NIS2 Directive, will be a responsibility of the competent authorities designated under the NIS 2 Directive. Furthermore, entities that are identified as essential entities under the NIS 2 Directive, but are not identified as critical entities under this Directive, should also enhance the resilience of their physical infrastructure, where appropriate.

__________________

__________________

20 [Reference to NIS 2 Directive, once adopted.]

20 Directive of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148 (OJ L ..., ..., p. ..).

Amendment  8

Proposal for a directive

Recital 10

 

Text proposed by the Commission

Amendment

(10) In view of ensuring a comprehensive approach to the resilience of critical entities, each Member State should have a strategy setting out objectives and policy measures to be implemented. To achieve this, Member States should ensure that their cybersecurity strategies provide for a policy framework for enhanced coordination between the competent authority under this Directive and the NIS 2 Directive in the context of information sharing on incidents and cyber threats and the exercise of supervisory tasks.

In view of ensuring a comprehensive approach to the resilience of critical entities, and taking into account the objectives of the Union’s strategy on resilience  prepared by the Critical Entities Resilience Group, each Member State should adopt a national strategy setting out objectives and policy measures to be implemented. To achieve this, Member States should ensure that their cybersecurity strategies provide for a policy framework for enhanced coordination between the competent authority under this Directive and the NIS 2 Directive in the context of information sharing on incidents and cyber threats and the exercise of supervisory tasks.

Amendment  9

Proposal for a directive

Recital 11

 

Text proposed by the Commission

Amendment

(11) The actions of Member States to identify and help ensure the resilience of critical entities should follow a risk-based approach that targets efforts to the entities most relevant for the performance of vital societal functions or economic activities. In order to ensure such a targeted approach, each Member State should carry out, within a harmonised framework, an assessment of all relevant natural and man-made risks that may affect the provision of essential services, including accidents, natural disasters, public health emergencies such as pandemics, and antagonistic threats, including terrorist offences. When carrying out those risk assessments, Member States should take into account other general or sector-specific risk assessment carried out pursuant to other acts of Union law and should consider the dependencies between sectors, including from other Member States and third countries. The outcomes of the risk assessment should be used in the process of identification of critical entities and to assist those entities in meeting the resilience requirements of this Directive.

(11) The actions of Member States to identify and help ensure the resilience of critical entities should follow a risk-based approach that targets efforts to the entities most relevant for the performance of essential services vital for societal functions or economic activities. In order to ensure such a targeted approach, each Member State should carry out, within a harmonised framework, an assessment of all relevant risks, including cross-sectoral, cross-border, natural and man-made risks that may affect the provision of essential services, including accidents, natural disasters, public health emergencies such as pandemics, and antagonistic threats, including terrorist offences. When carrying out those risk assessments, Member States should take into account other general or sector-specific risk assessment carried out pursuant to other acts of Union law and should consider the dependencies between sectors, including from other Member States and third countries, and risks arising for the general population or the internal market. Member States should not consider as a risk any regular business risk to operations derived from market conditions, or any risk derived from democratic decision-making. The outcomes of the risk assessment should be used in the process of identification of critical entities and to assist those entities in meeting the resilience requirements of this Directive.

Amendment  10

Proposal for a directive

Recital 12

 

Text proposed by the Commission

Amendment

(12) In order to ensure that all relevant entities are subject to those requirements and to reduce divergences in this respect, it is important to lay down harmonised rules allowing for a consistent identification of critical entities across the Union, while also allowing Member States to reflect national specificities. Therefore, criteria to identify critical entities should be laid down. In the interest of effectiveness, efficiency, consistency and legal certainty, appropriate rules should also be set on notification and cooperation relating to, as well as the legal consequences of, such identification. In order to enable the Commission to assess the correct application of this Directive, Member States should submit to the Commission, in a manner that is as detailed and specific as possible, relevant information and, in any event, the list of essential services, the number of critical entities identified for each sector and subsector referred to in the Annex and the essential service or services that each entity provides and any thresholds applied.

(12) In order to ensure that all relevant entities are subject to those requirements and to reduce divergences in this respect, it is important to lay down harmonised rules allowing for a consistent identification of critical entities across the Union, while also allowing Member States to reflect national specificities of the sectors and subsectors on their territory listed in the Annex. Therefore, common criteria and specifications based on minimum indicators and methodologies for each sector and sub-sector to identify critical entities should be laid down in close cooperation with the relevant authorities. In the interest of effectiveness, efficiency, consistency and legal certainty, appropriate rules should also be set on notification and cooperation relating to, as well as the legal consequences of, such identification. In order to enable the Commission to assess the correct application of this Directive, Member States should submit to the Commission, in a manner that is as detailed and specific as possible, relevant information and, in any event, the list of essential services, the number of critical entities identified for each sector and subsector referred to in the Annex and the essential service or services that each entity provides and any thresholds applied. In order to avoid divergent application of this Directive and improve the functioning of the internal market, the Commission in cooperation with the Member States should provide detailed guidelines and make recommendations to support Member States in identifying the list of essential services and infrastructure and the critical entities for each national sector and subsector referred to in the Annex.

Amendment  11

Proposal for a directive

Recital 15

 

Text proposed by the Commission

Amendment

(15) The EU financial services acquis establishes comprehensive requirements on financial entities to manage all risks they face, including operational risks and ensure business continuity. This includes Regulation (EU) No 648/2012 of the European Parliament and of the Council22 , Directive 2014/65/EU of the European Parliament and of the Council23 and Regulation (EU) No 600/2014 of the European Parliament and of the Council24 as well as Regulation (EU) No 575/2013 of the European Parliament and of the Council25 and Directive 2013/36/EU of the European Parliament and of the Council26 . The Commission has recently proposed to complement this framework with Regulation XX/YYYY of the European Parliament and of the Council [proposed Regulation on digital operational resilience for the financial sector (hereafter “DORA Regulation”)27 ], which lays down requirements for financial firms to manage ICT risks, including the protection of physical ICT infrastructures. Since the resilience of entities listed in points 3 and 4 of the Annex is comprehensively covered by the EU financial services acquis, those entities should also be treated as equivalent to critical entities for the purposes of Chapter II of this Directive only. To ensure a consistent application of the operational risk and digital resilience rules in the financial sector, Member States’ support to enhancing the overall resilience of financial entities equivalent to critical entities should be ensured by the authorities designated pursuant to Article 41 of [DORA Regulation], and subject to the procedures set out in that legislation in a fully harmonised manner.

(15) The EU financial services acquis establishes comprehensive requirements on financial entities to manage all risks they face, including operational risks and ensure business continuity. This includes Regulation (EU) No 648/2012 of the European Parliament and of the Council22 , Directive 2014/65/EU of the European Parliament and of the Council23 and Regulation (EU) No 600/2014 of the European Parliament and of the Council24 as well as Regulation (EU) No 575/2013 of the European Parliament and of the Council25 and Directive 2013/36/EU of the European Parliament and of the Council26 . The Commission has recently proposed to complement this framework with Regulation XX/YYYY of the European Parliament and of the Council [proposed Regulation on digital operational resilience for the financial sector (hereafter “DORA Regulation”)27 ], which lays down requirements for financial firms to manage ICT risks, including the protection of physical ICT infrastructures. Since the resilience of entities listed in points 3 and 4 of the Annex is comprehensively covered by the EU financial services acquis, those entities should also be treated as equivalent to critical entities for the purposes of Chapter II of this Directive only and consequently, such entities should not be subject to the obligations laid down in Chapters III to VI. To ensure a consistent application of the operational risk and digital resilience rules in the financial sector, Member States’ support to enhancing the overall resilience of financial entities equivalent to critical entities should be ensured by the authorities designated pursuant to Article 41 of [DORA Regulation], and subject to the procedures set out in that legislation in a fully harmonised manner.

__________________

__________________

22 Regulation (EU) No 648/2012 of the European Parliament and of the Council of 4 July 2012 on OTC derivatives, central counterparties and trade repositories (OJ L 201, 27.7.2012, p. 1).

22 Regulation (EU) No 648/2012 of the European Parliament and of the Council of 4 July 2012 on OTC derivatives, central counterparties and trade repositories (OJ L 201, 27.7.2012, p. 1).

23 Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Directive 2002/92/EC and Directive 2011/61/EU (OJ L 173, 12.6.2014, p. 349).

23 Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Directive 2002/92/EC and Directive 2011/61/EU (OJ L 173, 12.6.2014, p. 349).

24 Regulation (EU) No 600/2014 of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Regulation (EU) No 648/2012 (OJ L 173, 12.6.2014, p. 84).

24 Regulation (EU) No 600/2014 of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Regulation (EU) No 648/2012 (OJ L 173, 12.6.2014, p. 84).

25 Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No 648/2012 (OJ L 176, 27.6.2013, p. 1).

25 Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No 648/2012 (OJ L 176, 27.6.2013, p. 1).

26 Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC (OJ L 176, 27.6.2013, p. 338).

26 Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC (OJ L 176, 27.6.2013, p. 338).

27 Proposal for a Regulation of the European Parliament and of the Council on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014, COM(2020) 595.

27 Proposal for a Regulation of the European Parliament and of the Council on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014, COM(2020) 595.

Amendment  12

Proposal for a directive

Recital 16

 

Text proposed by the Commission

Amendment

(16) Member States should designate authorities competent to supervise the application of and, where necessary, enforce the rules of this Directive and ensure that those authorities are adequately empowered and resourced. In view of the differences in national governance structures and in order to safeguard already existing sectoral arrangements or Union supervisory and regulatory bodies, and to avoid duplication, Member States should be able to designate more than one competent authority.  In that case, they should however clearly delineate the respective tasks of the authorities concerned and ensure that they cooperate smoothly and effectively. All competent authorities should also cooperate more generally with other relevant authorities, both at national and Union level.

(16) Member States should designate authorities competent to supervise the application of and enforce the rules of this Directive and ensure that those authorities are adequately empowered and resourced. In view of the differences in national governance structures and in order to safeguard already existing sectoral arrangements or Union supervisory and regulatory bodies, and to avoid duplication, Member States should be able to designate more than one competent authority.  In that case, they should however clearly delineate the respective tasks of the authorities concerned and ensure that they cooperate smoothly and effectively. All competent authorities should also cooperate more generally with other relevant authorities, both at national and Union level.

Amendment  13

Proposal for a directive

Recital 17

 

Text proposed by the Commission

Amendment

(17) In order to facilitate cross-border cooperation and communication and to enable the effective implementation of this Directive, each Member State should, without prejudice to sector-specific Union legal requirements, designate, within one of the authorities it designated as competent authority under this Directive, a single point of contact responsible for coordinating issues related to the resilience of critical entities and cross-border cooperation at Union level in this regard.

(17) In order to facilitate cross-border cooperation and communication and to enable the effective implementation of this Directive, each Member State should, without prejudice to sector-specific Union legal requirements, designate, within one of the authorities it designated as competent authority under this Directive, a single point of contact responsible for coordinating issues related to the resilience of critical entities and cross-border cooperation at Union level in this regard. The single points of contact should also liaise, and coordinate all communication, with the competent authorities of its Member State, with the single points of contact of other Member States, with the Critical Entities Resilience Group established by this Directive and with entities identified as critical entities under this Directive.  In order to facilitate the cooperation and communication with the Member States, entities identified as critical entities under this Directive should also designate a reference point of contact within the entity. The reference point of contact should be used by the critical entity to liaise, coordinate and communicate with the Member States, on measures related to the organisational and technical aspects related to the implementation of this Directive. To that end, the single points of contact should use efficient, secure, standardised and harmonised reporting channels.

Amendment  14

Proposal for a directive

Recital 18

 

Text proposed by the Commission

Amendment

(18) Given that under the NIS 2 Directive entities identified as critical entities, as well as identified entities in the digital infrastructure sector that are to be treated as equivalent under the present Directive are subject to the cybersecurity requirements of the NIS 2 Directive, the competent authorities designated under the two Directives should cooperate, particularly in relation to cybersecurity risks and incidents affecting those entities.

(18) Given that under the NIS 2 Directive entities identified as critical entities, as well as identified entities in the digital infrastructure sector that are to be treated as equivalent under the present Directive are subject to the cybersecurity requirements of the NIS 2 Directive, the competent authorities designated under the two Directives should cooperate in an effective and consistent manner, particularly in relation to cybersecurity risks and incidents affecting those entities.

Amendment  15

Proposal for a directive

Recital 19

 

Text proposed by the Commission

Amendment

 

(19) Member States should support critical entities in strengthening their resilience, in compliance with their obligations under this Directive, without prejudice to the entities’ own legal responsibility to ensure such compliance. Member States could in particular develop guidance materials and methodologies, and should support the organisation of exercises to test their resilience, provide training to personnel of critical entities, provide financial resources without prejudice to existing competition law rules, in particular rules on state aid and assistance and protect sensitive areas, facilities and other infrastructure, where necessary and justified by public interest objectives. Moreover, given the interdependencies between entities and sectors, Member States should establish information sharing tools to support voluntary information sharing and good practices between critical entities, without prejudice to the application of competition rules laid down in the Treaty on the Functioning of the European Union.

Amendment  16

Proposal for a directive

Recital 25

 

Text proposed by the Commission

Amendment

(25) Critical entities should notify, as soon as reasonably possible under the given circumstances, Member States’ competent authorities of incidents that significantly disrupt or have the potential to significantly disrupt their operations. The notification should allow the competent authorities to respond to the incidents rapidly and adequately and to have a comprehensive overview of the overall risks that critical entities face. For that purpose, a procedure should be established for the notification of certain incidents and parameters should be provided for to determine when the actual or potential disruption is significant and the incidents should thus be notified. Given the potential cross-border impacts of such disruptions, a procedure should be established for Member States to inform other affected Member States via single points of contacts.

(25) Critical entities should notify, as soon as reasonably possible under the given circumstances and no later than 24 hours after becoming aware of a particular incident, Member States' competent authorities of incidents that significantly disrupt or have the potential to significantly disrupt their operations. Critical entities and competent authorities should also inform the public of such incidents where they determine that the disclosure of such incidents would be in the public interest. Critical entities should also notify potentially affected users of their services of the incident, its consequences and, where relevant, any possible safety measures or remedies to be taken by users. The notification should allow the competent authorities and users to respond to the incidents rapidly and adequately and to have a comprehensive overview of the overall risks that critical entities face. For that purpose, a procedure should be established for the notification of certain incidents and parameters should be provided for to determine when the actual or potential disruption is significant and the incidents should thus be notified. Given the potential cross-border impacts of such disruptions, procedures should be established for Member States to inform other affected Member States and other critical entities through single points of contact. The information on the incidents should be treated in a way that respects confidentiality and protects the security and commercial interest of the critical entity concerned.

Amendment  17

Proposal for a directive

Recital 26

 

Text proposed by the Commission

Amendment

(26) While critical entities generally operate as part of an increasingly interconnected network of service provision and infrastructures and often provide essential services in more than one Member State, some of those entities are of particular significance for the Union because they provide essential services to a large number of Member States, and therefore require specific oversight at Union level. Rules on the specific oversight in respect of such critical entities of particular European significance should therefore be established. Those rules are without prejudice to the rules on supervision and enforcement set out in this Directive.

(26) While critical entities generally operate as part of an increasingly interconnected network of service provision and infrastructure and often provide essential services in more than one Member State, some of those entities are of particular significance for the Union and the internal market because they provide essential services to a large number of Member States, and therefore require specific oversight at Union level. Rules on the specific oversight in respect of such critical entities of particular European significance should therefore be established. Those rules are without prejudice to the rules on supervision and enforcement set out in this Directive. While Union institutions, bodies or agencies and the services they provide are not covered under this Directive, the Commission should nevertheless provide guidance and strategies, to identify which of those institutions, bodies or agencies and which of their services could potentially be considered as entities equivalent to critical entities providing essential services for the functioning of the internal market and should ensure their enhanced resilience.

Amendment  18

Proposal for a directive

Recital 27

 

Text proposed by the Commission

Amendment

(27) Where any Member State considers that additional information is necessary to be able to advise a critical entity in meeting its obligations under Chapter III or to assess the compliance of a critical entity of particular European significance with those obligations, in agreement with the Member State where the infrastructure of that entity is located, the Commission should organise an advisory mission to assess the measures put in place by that entity. In order to ensure that such advisory missions are carried out properly, complementary rules should be established, notably on their organisation and conduct, the follow-up to be given and the obligations for the critical entities of particular European significance concerned. The advisory missions should, without prejudice to the need for the Member State where the advisory mission is conducted and the entity concerned to comply with the rules of this Directive, be conducted subject to the detailed rules of the law of that Member State, for instance on the precise conditions to be fulfilled to obtain access to relevant premises or documents and on judicial redress. Specific expertise required for such missions could, where relevant, be requested through the Emergency Response Coordination Centre.

(27) Where any Member State considers that additional information is necessary to be able to advise a critical entity in meeting its obligations under Chapter III or to assess the compliance of a critical entity of particular European significance with those obligations, in agreement with the Member State of establishment and the Member States in which the infrastructure of that entity is located, the Commission should organise an advisory mission to assess the measures put in place by that entity. In order to ensure that such advisory missions are carried out properly, complementary rules should be established, notably on their organisation and conduct, the follow-up to be given and the obligations for the critical entities of particular European significance concerned. The advisory missions should, without prejudice to the need for the Member State where the advisory mission is conducted and the entity concerned to comply with the rules of this Directive, be conducted subject to the detailed rules of the law of that Member State, for instance on the precise conditions to be fulfilled to obtain access to relevant premises or documents and on judicial redress. Specific expertise required for such missions could, where relevant, be requested through the Emergency Response Coordination Centre.

Amendment  19

Proposal for a directive

Recital 27a

 

Text proposed by the Commission

Amendment

 

(27a) Standardisation should remain primarily a market-driven process. However, there may still be situations where it is appropriate to require compliance with specified standards at Union level. The Commission and the Member States should also support and promote the development and implementation of standards and specifications relevant to the resilience of critical entities as set by the European Standardisation Organisations for the undertaking of technical and organisational measures aimed at ensuring critical entities’ resilience under Article 11(1) of this Directive. Member States should also encourage the use of internationally accepted standards and specifications relevant to resilience measures applicable to critical entities.

Amendment  20

Proposal for a directive

Article 1 – paragraph 1 – introductory part

 

Text proposed by the Commission

Amendment

1. This Directive:

1. This Directive lays down measures with a view to achieving a high level of resilience of critical entities and essential infrastructure within the Union in order to ensure an effective provision of essential services, including in crisis situations, and to improve the functioning of the internal market.

Amendment