REPORT on the proposal for a directive of the European Parliament and of the Council on the resilience of critical entities

15.10.2021 - (COM(2020)0829 – C9‑0421/2020 – 2020/0365(COD)) - ***I

Committee on Civil Liberties, Justice and Home Affairs
Rapporteur: Michal Šimečka
Rapporteurs for the opinion (*):
Nils Torvalds, Committee on Industry, Research and Energy
Alex Agius Saliba, Committee on Internal Market and Consumer Protection
(*) Associated committees – Rule 57 of the Rules of Procedure


Procedure : 2020/0365(COD)
Document stages in plenary
Document selected :  
A9-0289/2021
Texts tabled :
A9-0289/2021
Texts adopted :

DRAFT EUROPEAN PARLIAMENT LEGISLATIVE RESOLUTION

on the proposal for a directive of the European Parliament and of the Council on the resilience of critical entities

(COM(2020)0829 – C9‑0421/2020 – 2020/0365(COD))

(Ordinary legislative procedure: first reading)

The European Parliament,

 having regard to the Commission proposal to Parliament and the Council (COM(2020)0829),

 having regard to Article 294(2) and Article 114 of the Treaty on the Functioning of the European Union, pursuant to which the Commission submitted the proposal to Parliament (C9‑0421/2020),

 having regard to Article 294(3) of the Treaty on the Functioning of the European Union,

 having regard to Rule 59 of its Rules of Procedure,

 having regard to the opinions of the Committee on Industry, Research and Energy,the Committee on Internal Market and Consumer Protection, the Committee on Foreign Affairs and the Committee on Transport and Tourism,

 having regard to the report of the Committee on Civil Liberties, Justice and Home Affairs (A9-0289/2021),

1. Adopts its position at first reading hereinafter set out;

2. Calls on the Commission to refer the matter to Parliament again if it replaces, substantially amends or intends to substantially amend its proposal;

3. Instructs its President to forward its position to the Council, the Commission and the national parliaments.


 

Amendment  1

Proposal for a directive

Recital 1

 

Text proposed by the Commission

Amendment

(1) Council Directive 2008/114/EC17 provides for a procedure for designating European critical infrastructures in the energy and transport sectors, the disruption or destruction of which would have significant cross-border impact on at least two Member States. That Directive focused exclusively on the protection of such infrastructures. However, the evaluation of Directive 2008/114/EC conducted in 201918 found that due to the increasingly interconnected and cross-border nature of operations using critical infrastructure, protective measures relating to individual assets alone are insufficient to prevent all disruptions from taking place. Therefore, it is necessary to shift the approach towards ensuring the resilience of critical entities, that is, their ability to mitigate, absorb, accommodate to and recover from incidents that have the potential to disrupt the operations of the critical entity.

(1) Council Directive 2008/114/EC17 provides for a procedure for designating European critical infrastructures in the energy and transport sectors, the disruption or destruction of which would have significant cross-border impact on at least two Member States. That Directive focused exclusively on the protection of such infrastructures. However, the evaluation of Directive 2008/114/EC conducted in 201918 found that due to the increasingly interconnected and cross-border nature of operations using critical infrastructure, protective measures relating to individual assets alone are insufficient to prevent all disruptions from taking place. Therefore, it is necessary to shift the approach towards ensuring the resilience of critical entities, that is, their ability to mitigate, absorb, react, accommodate to and recover from incidents that have the potential to disrupt the provision of essential services by the critical entity, the free movement of essential services and the functioning of the internal market.

_________________

_________________

17 Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection (OJ L 345, 23.12.2008, p.75).

17 Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection (OJ L 345, 23.12.2008, p.75).

18 SWD(2019) 308.

18 SWD(2019) 308.

Amendment  2

Proposal for a directive

Recital 2

 

Text proposed by the Commission

Amendment

(2) Despite existing measures at Union19 and national level aimed at supporting the protection of critical infrastructures in the Union, the entities operating those infrastructures are not adequately equipped to address current and anticipated future risks to their operations that may result in disruptions of the provision of services that are essential for the performance of vital societal functions or economic activities. This is due to a dynamic threat landscape with an evolving terrorist threat and growing interdependencies between infrastructures and sectors, as well as an increased physical risk due to natural disasters and climate change, which increases the frequency and scale of extreme weather events and brings long-term changes in average climate that can reduce the capacity and efficiency of certain infrastructure types if resilience or climate adaptation measures are not in place. Moreover, relevant sectors and types of entities are not recognised consistently as critical in all Member States.

(2) Despite existing measures at Union19 and national level aimed at supporting the protection of critical infrastructures in the Union, the entities operating those infrastructures are not always adequately equipped to address current and anticipated future risks to their operations that may result in disruptions of the provision of services that are essential for the performance of vital societal functions or economic activities. This is due to a dynamic threat landscape with evolving hybrid and terrorist threats and growing interdependencies between infrastructures and sectors, as well as an increased physical risk due to natural disasters and climate change, which increases the frequency and scale of extreme weather events and brings long-term changes in average climate that can reduce the capacity, efficiency and lifespan of certain infrastructure types if resilience or climate adaptation measures are not in place. Moreover, relevant sectors and types of entities are not recognised consistently as critical in all Member States. At Union level there is no single recognised list of critical infrastructure sectors. Instead, different legal acts cover different sectors.

_________________

_________________

19 European Programme for Critical Infrastructure Protection (EPCIP).

19 European Programme for Critical Infrastructure Protection (EPCIP).

Amendment  3

Proposal for a directive

Recital 2 a (new)

 

Text proposed by the Commission

Amendment

 

(2a) Certain critical infrastructures have a pan-European dimension, such as the European Organisation for the Safety of Air Navigation, Eurocontrol, and the Union’s Global Satellite Navigation System, Galileo.

Amendment  4

Proposal for a directive

Recital 3

 

Text proposed by the Commission

Amendment

(3) Those growing interdependencies are the result of an increasingly cross-border and interdependent network of service provision using key infrastructures across the Union in the sectors of energy, transport, banking, financial market infrastructure, digital infrastructure, drinking and waste water, health, certain aspects of public administration, as well as space in as far as the provision of certain services depending on ground-based infrastructures that are owned, managed and operated either by Member States or by private parties is concerned, therefore not covering infrastructures owned, managed or operated by or on behalf of the Union as part of its space programmes. These interdependencies mean that any disruption, even one initially confined to one entity or one sector, can have cascading effects more broadly, potentially resulting in far-reaching and long-lasting negative impacts in the delivery of services across the internal market. The COVID-19 pandemic has shown the vulnerability of our increasingly interdependent societies in the face of low-probability risks.

(3) Those growing interdependencies are the result of an increasingly cross-border and interdependent network of service provision using key infrastructures across the Union in the sectors of energy, transport, banking, financial market infrastructure, digital infrastructure, drinking and waste water, food production, processing and delivery, health, certain aspects of public administration, as well as space in as far as the provision of certain services depending on ground-based infrastructures that are owned, managed and operated either by Member States or by private parties is concerned, therefore not covering infrastructures owned, managed or operated by or on behalf of the Union as part of its space programmes. These interdependencies mean that any disruption of essential services, even one initially confined to one entity or one sector, can have cascading effects more broadly, potentially resulting in far-reaching and long-lasting negative impacts on the delivery of services across the internal market. The COVID-19 pandemic has shown the vulnerability of our increasingly interdependent societies in the face of low-probability risks.

Amendment  5

Proposal for a directive

Recital 4

 

Text proposed by the Commission

Amendment

(4) The entities involved in the provision of essential services are increasingly subject to diverging requirements imposed under the laws of the Member States. The fact that some Member States have less stringent security requirements on these entities not only risks impacting negatively on the maintenance of vital societal functions or economic activities across the Union, it also leads to obstacles to the proper functioning of the internal market. Similar types of entities are considered as critical in some Member States but not in others, and those which are identified as critical are subject to divergent requirements in different Member States. This results in additional and unnecessary administrative burdens for companies operating across borders, notably for companies active in Member States with more stringent requirements.

(4) The entities involved in the provision of essential services are subject to diverging requirements imposed under the laws of the Member States. The fact that some Member States have less stringent security requirements on these entities not only creates varying levels of resilience but also impacts negatively on the maintenance of vital societal functions or economic activities across the Union, and leads to unfair competition and to obstacles to the proper functioning of the internal market. Investors and companies can rely on and trust critical entities that are resilient, and reliability and trust are cornerstones of a well-functioning internal market. Similar types of entities are considered as critical in some Member States but not in others, and those which are identified as critical are subject to divergent requirements in different Member States. This results in additional and unnecessary administrative burdens for companies operating across borders, notably for companies active in Member States with more stringent requirements. A Union framework will therefore also have the effect of levelling the playing field for critical entities across the Union.

Amendment  6

Proposal for a directive

Recital 5

 

Text proposed by the Commission

Amendment

(5) It is therefore necessary to lay down harmonised minimum rules to ensure the provision of essential services in the internal market and enhance the resilience of critical entities.

(5) It is therefore necessary to lay down harmonised minimum rules to ensure the provision and free movement of essential services in the internal market, to enhance the resilience of critical entities and to improve cross-border cooperation between competent authorities. It is essential that those rules be future-proof. To that end, the aim of this Directive is to make critical entities resilient, thereby improving their capacity to ensure the continuous provision of essential services in the face of a diverse set of risks. By laying down minimum rules, this Directive enables Member States to adopt or maintain more stringent rules to ensure the provision of essential services in the internal market and enhance resilience of critical entities.

Amendment  7

Proposal for a directive

Recital 6

 

Text proposed by the Commission

Amendment

(6) In order to achieve that objective, Member States should identify critical entities that should be subject to specific requirements and oversight, but also particular support and guidance aimed at achieving a high level of resilience in the face of all relevant risks.

(6) In order to achieve that objective, Member States should identify critical entities that provide essential services in the sectors and subsectors set out in the Annex to this Directive. Those critical entites should be subject to specific requirements and oversight, but also particular support and guidance aimed at achieving a high level of resilience in the face of all relevant risks.

Amendment  8

Proposal for a directive

Recital 7

 

Text proposed by the Commission

Amendment

(7) Certain sectors of the economy such as energy and transport are already regulated or may be regulated in the future by sector-specific acts of Union law that contain rules related to certain aspects of resilience of entities operating in those sectors. In order to address in a comprehensive manner the resilience of those entities that are critical for the proper functioning of the internal market, those sector-specific measures should be complemented by the ones provided for in this Directive, which creates an overarching framework that addresses critical entities’ resilience in respect of all hazards, that is, natural and man-made, accidental and intentional.

(7) Certain sectors of the economy such as energy and transport are already regulated or may be regulated in the future by sector-specific acts of Union law that contain rules related to certain aspects of resilience of entities operating in those sectors. In order to address in a comprehensive manner the resilience of those entities that are critical for the proper functioning of the internal market, those sector-specific measures should be regarded as lex specialis and should be complemented by the ones provided for in this Directive, which creates an overarching framework that addresses critical entities’ resilience in respect of all hazards, that is, natural and man-made, accidental and intentional.

Amendment  9

Proposal for a directive

Recital 8

 

Text proposed by the Commission

Amendment

(8) Given the importance of cybersecurity for the resilience of critical entities and in the interest of consistency, a coherent approach between this Directive and Directive (EU) XX/YY of the European Parliament and of the Council20 [Proposed Directive on measures for a high common level of cybersecurity across the Union; (hereafter “NIS 2 Directive”)] is necessary wherever possible. In view of the higher frequency and particular characteristics of cyber risks, the NIS 2 Directive imposes comprehensive requirements on a large set of entities to ensure their cybersecurity. Given that cybersecurity is addressed sufficiently in the NIS 2 Directive, the matters covered by it should be excluded from the scope of this Directive, without prejudice to the particular regime for entities in the digital infrastructure sector.

(8) Given the importance of cybersecurity for the resilience of critical entities and in the interest of consistency, a coherent approach between this Directive and Directive (EU) XX/YY of the European Parliament and of the Council20 [Proposed Directive on measures for a high common level of cybersecurity across the Union; (hereafter “NIS 2 Directive”)] is necessary wherever possible. In view of the higher frequency and particular characteristics of cyber risks, the NIS 2 Directive imposes comprehensive requirements on a large set of entities to ensure their cybersecurity. Given that cybersecurity is addressed sufficiently in the NIS 2 Directive, the matters covered by it should be excluded from the scope of this Directive, without prejudice to the particular regime for entities in the digital infrastructure sector. As a result, the competent authorities designated under the NIS 2 Directive will be responsible for the supervision of entities identified as critical entities or entities equivalent to critical entities under this Directive as regards matters that fall under the scope of that Directive.

_________________

_________________

20 [Reference to NIS 2 Directive, once adopted.]

20 [Reference to NIS 2 Directive, once adopted.]

Amendment  10

Proposal for a directive

Recital 10

 

Text proposed by the Commission

Amendment

(10) In view of ensuring a comprehensive approach to the resilience of critical entities, each Member State should have a strategy setting out objectives and policy measures to be implemented. To achieve this, Member States should ensure that their cybersecurity strategies provide for a policy framework for enhanced coordination between the competent authority under this Directive and the NIS 2 Directive in the context of information sharing on incidents and cyber threats and the exercise of supervisory tasks.

(10) In view of ensuring a comprehensive approach to the resilience of critical entities, each Member State should have a strategy setting out objectives and policy measures to be implemented. To achieve this, and taking into account the hybrid nature of many threats and the Union’s strategy on resilience prepared by the Critical Entities Resilience Group, established by this Directive, Member States should ensure that their strategies provide for a policy framework for enhanced coordination between the competent authorities of Member States under this Directive and the under NIS 2 Directive, including information sharing on incidents and threats and the exercise of supervisory tasks.

Amendment  11

Proposal for a directive

Recital 11

 

Text proposed by the Commission

Amendment

(11) The actions of Member States to identify and help ensure the resilience of critical entities should follow a risk-based approach that targets efforts to the entities most relevant for the performance of vital societal functions or economic activities. In order to ensure such a targeted approach, each Member State should carry out, within a harmonised framework, an assessment of all relevant natural and man-made risks that may affect the provision of essential services, including accidents, natural disasters, public health emergencies such as pandemics, and antagonistic threats, including terrorist offences. When carrying out those risk assessments, Member States should take into account other general or sector-specific risk assessment carried out pursuant to other acts of Union law and should consider the dependencies between sectors, including from other Member States and third countries. The outcomes of the risk assessment should be used in the process of identification of critical entities and to assist those entities in meeting the resilience requirements of this Directive.

(11) The actions of Member States to identify and help ensure the resilience of critical entities should follow a risk-based approach that targets efforts to the entities most relevant for the performance of vital societal functions or economic activities. In order to ensure such a targeted approach, each Member State should carry out, within a harmonised framework, an assessment of all relevant natural and man-made risks, including cross-sectoral and cross-border risks, that may affect the provision of essential services, including accidents, hybrid threats, natural disasters, public health emergencies such as pandemics, and antagonistic threats, including terrorist offences, criminal infiltration and sabotage. When carrying out those risk assessments, Member States should take into account other general or sector-specific risk assessment carried out pursuant to other acts of Union law and should consider the dependencies between sectors, including from other Member States and third countries. Member States should not consider as a risk any regular business risk to operations arising from market conditions or any risk arising from democratic decision-making. The outcomes of the risk assessment should be used in the process of identification of critical entities and to assist those entities in meeting the resilience requirements of this Directive. At their request the Commission should also be able to provide entities based in third countries with advisory expertise.

Amendment  12

Proposal for a directive

Recital 12

 

Text proposed by the Commission

Amendment

(12) In order to ensure that all relevant entities are subject to those requirements and to reduce divergences in this respect, it is important to lay down harmonised rules allowing for a consistent identification of critical entities across the Union, while also allowing Member States to reflect national specificities. Therefore, criteria to identify critical entities should be laid down. In the interest of effectiveness, efficiency, consistency and legal certainty, appropriate rules should also be set on notification and cooperation relating to, as well as the legal consequences of, such identification. In order to enable the Commission to assess the correct application of this Directive, Member States should submit to the Commission, in a manner that is as detailed and specific as possible, relevant information and, in any event, the list of essential services, the number of critical entities identified for each sector and subsector referred to in the Annex and the essential service or services that each entity provides and any thresholds applied.

(12) In order to ensure that all relevant entities are subject to those requirements and to reduce divergences in this respect, it is important to lay down harmonised minimum rules allowing for a consistent identification of critical entities across the Union, while also allowing Member States to reflect national specificities. Therefore, common criteria and methodologies to identify critical entities should be laid down in a transparent manner. In the interest of effectiveness, efficiency, consistency and legal certainty, appropriate rules should also be set on notification and cooperation relating to, as well as the legal consequences of, such identification. In order to enable the Commission to assess the correct application of this Directive, Member States should submit to the Commission, in a manner that is as detailed and specific as possible, relevant information and, in any event, the list of essential services, the number of critical entities identified for each sector and subsector referred to in the Annex and the essential service or services that each entity provides and any thresholds applied.

Amendment  13

Proposal for a directive

Recital 13 a (new)

 

Text proposed by the Commission

Amendment

 

(13a) In accordance with applicable Union and national law, including Regulation (EU) 2019/452 of the European Parliament and of the Council1a, which establishes a framework for the screening of foreign direct investments in the Union, the potential threat posed by foreign ownership of critical infrastructure within the Union is to be acknowledged because services, the economy and the free movement and safety of Union citizens depend on the proper functioning of critical infrastructure. It is crucial that Member States and the Commission be vigilant with regard to financial investments that foreign countries make in the operation of critical entities within the Union and the consequences that such investments could have on the ability to prevent significant disruptions.

 

_________________

 

1a Regulation (EU) 2019/452 of the European Parliament and of the Council of 19 March 2019 establishing a framework for the screening of foreign direct investments into the Union (OJ L 79I, 21.3.2019, p. 1).

Amendment  14

Proposal for a directive

Recital 15

 

Text proposed by the Commission

Amendment

(15) The EU financial services acquis establishes comprehensive requirements on financial entities to manage all risks they face, including operational risks and ensure business continuity. This includes Regulation (EU) No 648/2012 of the European Parliament and of the Council22 , Directive 2014/65/EU of the European Parliament and of the Council23 and Regulation (EU) No 600/2014 of the European Parliament and of the Council24 as well as Regulation (EU) No 575/2013 of the European Parliament and of the Council25 and Directive 2013/36/EU of the European Parliament and of the Council26 . The Commission has recently proposed to complement this framework with Regulation XX/YYYY of the European Parliament and of the Council [proposed Regulation on digital operational resilience for the financial sector (hereafter “DORA Regulation”)27 ], which lays down requirements for financial firms to manage ICT risks, including the protection of physical ICT infrastructures. Since the resilience of entities listed in points 3 and 4 of the Annex is comprehensively covered by the EU financial services acquis, those entities should also be treated as equivalent to critical entities for the purposes of Chapter II of this Directive only. To ensure a consistent application of the operational risk and digital resilience rules in the financial sector, Member States’ support to enhancing the overall resilience of financial entities equivalent to critical entities should be ensured by the authorities designated pursuant to Article 41 of [DORA Regulation], and subject to the procedures set out in that legislation in a fully harmonised manner.

(15) The EU financial services acquis establishes comprehensive requirements on financial entities to manage all risks they face, including operational risks and ensure business continuity. This includes Regulation (EU) No 648/2012 of the European Parliament and of the Council22 , Directive 2014/65/EU of the European Parliament and of the Council23 and Regulation (EU) No 600/2014 of the European Parliament and of the Council24 as well as Regulation (EU) No 575/2013 of the European Parliament and of the Council25 and Directive 2013/36/EU of the European Parliament and of the Council26 . The Commission has recently proposed to complement this framework with Regulation XX/YYYY of the European Parliament and of the Council [proposed Regulation on digital operational resilience for the financial sector (hereafter “DORA Regulation”)27 ], which lays down requirements for financial firms to manage ICT risks, including the protection of physical ICT infrastructures. Since the resilience of entities listed in points 3 and 4 of the Annex is comprehensively covered by the EU financial services acquis, those entities should also be treated as equivalent to critical entities for the purposes of Chapter II of this Directive only and, consequently, such entities should not be subject to the obligations laid down in Chapters III to VI of this Directive. To ensure a consistent application of the operational risk and digital resilience rules in the financial sector, Member States’ support to enhancing the overall resilience of financial entities equivalent to critical entities should be ensured by the authorities designated pursuant to Article 41 of [DORA Regulation], and subject to the procedures set out in that legislation in a fully harmonised manner.

_________________

_________________

22 Regulation (EU) No 648/2012 of the European Parliament and of the Council of 4 July 2012 on OTC derivatives, central counterparties and trade repositories (OJ L 201, 27.7.2012, p. 1).

22 Regulation (EU) No 648/2012 of the European Parliament and of the Council of 4 July 2012 on OTC derivatives, central counterparties and trade repositories (OJ L 201, 27.7.2012, p. 1).

23 Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Directive 2002/92/EC and Directive 2011/61/EU (OJ L 173, 12.6.2014, p. 349).

23 Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Directive 2002/92/EC and Directive 2011/61/EU (OJ L 173, 12.6.2014, p. 349).

24 Regulation (EU) No 600/2014 of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Regulation (EU) No 648/2012 (OJ L 173, 12.6.2014, p. 84).

24 Regulation (EU) No 600/2014 of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Regulation (EU) No 648/2012 (OJ L 173, 12.6.2014, p. 84).

25 Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No 648/2012 (OJ L 176, 27.6.2013, p. 1).

25 Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No 648/2012 (OJ L 176, 27.6.2013, p. 1).

26 Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC (OJ L 176, 27.6.2013, p. 338).

26 Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC (OJ L 176, 27.6.2013, p. 338).

27 Proposal for a Regulation of the European Parliament and of the Council on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014, COM(2020) 595.

27 Proposal for a Regulation of the European Parliament and of the Council on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014, COM(2020) 595.

Amendment  15

Proposal for a directive

Recital 16

 

Text proposed by the Commission

Amendment

(16) Member States should designate authorities competent to supervise the application of and, where necessary, enforce the rules of this Directive and ensure that those authorities are adequately empowered and resourced. In view of the differences in national governance structures and in order to safeguard already existing sectoral arrangements or Union supervisory and regulatory bodies, and to avoid duplication, Member States should be able to designate more than one competent authority. In that case, they should however clearly delineate the respective tasks of the authorities concerned and ensure that they cooperate smoothly and effectively. All competent authorities should also cooperate more generally with other relevant authorities, both at national and Union level.

(16) Member States should designate authorities competent to supervise the application of and enforce the rules of this Directive and ensure that those authorities are adequately empowered and resourced. In view of the differences in national governance structures and in order to safeguard already existing sectoral arrangements or Union supervisory and regulatory bodies, and to avoid duplication, Member States should be able to designate more than one competent authority. In that case, they should however clearly delineate the respective tasks of the authorities concerned and ensure that they cooperate smoothly and effectively, including with competent authorities of other Member States. All competent authorities should also cooperate more generally with other relevant authorities, both at national and Union level, including with competent authorities of other Member States.

Amendment  16

Proposal for a directive

Recital 17

 

Text proposed by the Commission

Amendment

(17) In order to facilitate cross-border cooperation and communication and to enable the effective implementation of this Directive, each Member State should, without prejudice to sector-specific Union legal requirements, designate, within one of the authorities it designated as competent authority under this Directive, a single point of contact responsible for coordinating issues related to the resilience of critical entities and cross-border cooperation at Union level in this regard.

(17) In order to facilitate cross-border cooperation and communication and to enable the effective implementation of this Directive, each Member State should, without prejudice to sector-specific Union legal requirements, designate, within one of the authorities it designated as competent authority under this Directive, a single point of contact responsible for coordinating issues related to the resilience of critical entities and cross-border cooperation at Union level in this regard. Each single point of contact should liaise and coordinate all communication, with the competent authorities of its Member State, with the single points of contact of other Member States and with the Critical Entities Resilience Group. The single points of contact should use efficient, secure and standardised reporting channels.

Amendment  17

Proposal for a directive

Recital 18

 

Text proposed by the Commission

Amendment

(18) Given that under the NIS 2 Directive entities identified as critical entities, as well as identified entities in the digital infrastructure sector that are to be treated as equivalent under the present Directive are subject to the cybersecurity requirements of the NIS 2 Directive, the competent authorities designated under the two Directives should cooperate, particularly in relation to cybersecurity risks and incidents affecting those entities.

(18) Entities identified as critical entities under this Directive as well as entities in the digital infrastructure sector that are to be treated as equivalent are subject to the cybersecurity requirements of the NIS 2 Directive. The competent authorities designated under the two Directives should therefore cooperate in an effective and consistent manner, particularly in relation to risks and incidents affecting those entities. It is important that Member States take measures to avoid double reporting and checks and to ensure that the strategies and requirements provided for in this Directive and the NIS 2 Directive are complementary and that critical entities are not subject to an administrative burden beyond that which is necessary to achieve the objectives of this Directive.

Amendment  18

Proposal for a directive

Recital 19

 

Text proposed by the Commission

Amendment

(19) Member States should support critical entities in strengthening their resilience, in compliance with their obligations under this Directive, without prejudice to the entities’ own legal responsibility to ensure such compliance. Member States could in particular develop guidance materials and methodologies, support the organisation of exercises to test their resilience and provide training to personnel of critical entities. Moreover, given the interdependencies between entities and sectors, Member States should establish information sharing tools to support voluntary information sharing between critical entities, without prejudice to the application of competition rules laid down in the Treaty on the Functioning of the European Union.

(19) Member States should support critical entities in strengthening their resilience, in particular those that qualify as small or medium-sized enterprises (SMEs), in compliance with their obligations under this Directive, without prejudice to the entities’ own legal responsibility to ensure such compliance. Member States should in particular develop guidance materials and methodologies, support the organisation of exercises to test their resilience and provide training to personnel of critical entities. Where necessary and justified by public interest objectives, Member States should be able to provide financial resources to critical entities, without prejudice to applicable rules on State aid. Moreover, given the interdependencies between entities and sectors, Member States should establish information sharing tools to support information sharing and good practices between critical entities, without prejudice to the application of competition rules laid down in the Treaty on the Functioning of the European Union.

Amendment  19

Proposal for a directive

Recital 19 a (new)

 

Text proposed by the Commission

Amendment

 

(19a) When implementating this Directive, it is important that Member States take all the necessary actions to prevent any excessive administrative burdens, particularly on SMEs, and avoid duplications or unnecessary obligations. It is crucial that Member States assist with and facilitate the provision of adequate support to SMEs, when requested, by taking the technical and organisational measures required under this Directive.

Amendment  20

Proposal for a directive

Recital 20

 

Text proposed by the Commission

Amendment

(20) In order to be able to ensure their resilience, critical entities should have a comprehensive understanding of all relevant risks to which they are exposed and analyse those risks. To that aim, they should carry out risks assessments, whenever necessary in view of their particular circumstances and the evolution of those risks, yet in any event every four years. The risk assessments by critical entities should be based on the risk assessment carried out by Member States.

(20) In order to be able to ensure their resilience, critical entities should have a comprehensive understanding of all relevant risks to which they are exposed and analyse those risks. To that aim, they should carry out risks assessments, whenever necessary in view of their particular circumstances and the evolution of those risks, yet in any event every four years. The risk assessments by critical entities should be based on the risk assessment carried out by Member States and should be in line with common criteria and methodologies.

Amendment  21

Proposal for a directive

Recital 23

 

Text proposed by the Commission

Amendment

(23) Regulation (EC) No 300/2008 of the European Parliament and of the Council28 , Regulation (EC) No 725/2004 of the European Parliament and of the Council29 and Directive 2005/65/EC of the European Parliament and of the Council30 establish requirements applicable to entities in the aviation and maritime transport sectors to prevent incidents caused by unlawful acts and to resist and mitigate the consequences of such incidents. While the measures required in this Directive are broader in terms of risks addressed and types of measures to be taken, critical entities in those sectors should reflect in their resilience plan or equivalent documents the measures taken pursuant to those other Union acts. Moreover, when implementing resilience measures under this Directive, critical entities may consider referring to non-binding guidelines and good practices documents developed under sectorial workstreams, such as the EU Rail Passenger Security Platform31 .

(23) Regulation (EC) No 300/2008 of the European Parliament and of the Council28 , Regulation (EC) No 725/2004 of the European Parliament and of the Council29 and Directive 2005/65/EC of the European Parliament and of the Council30 establish requirements applicable to entities in the aviation and maritime transport sectors to prevent incidents caused by unlawful acts and to resist and mitigate the consequences of such incidents. While the measures required in this Directive are broader in terms of risks addressed and types of measures to be taken, critical entities in those sectors should reflect in their resilience plan or equivalent documents the measures taken pursuant to those other Union acts. Moreover, critical entities ar also to take into consideration Directive 2008/96/EC of the European Parliament and of the Council30a, which introduces a network-wide road assessment to map the risks of accidents and a targeted road safety inspection to identify hazardous conditions, defects and problems that increase the risk of accidents and injuries, based on a site visit of an existing road or section of road. Ensuring the protection and resilience of critical entities is of the utmost importance for the railway sector and, when implementing resilience measures under this Directive, critical entities are encouraged to refer to non-binding guidelines and good practices documents developed under sectorial workstreams, such as the EU Rail Passenger Security Platform31 .

_________________

_________________

28 Regulation (EC) No 300/2008 of the European Parliament and of the Council of 11 March 2008 on common rules in the field of civil aviation security and repealing Regulation (EC) No 2320/2002 (OJ L 97/72, 9.4.2008, p. 72).

28 Regulation (EC) No 300/2008 of the European Parliament and of the Council of 11 March 2008 on common rules in the field of civil aviation security and repealing Regulation (EC) No 2320/2002 (OJ L 97/72, 9.4.2008, p. 72).

29 Regulation (EC) No 725/2004 of the European Parliament and of the Council of 31 March 2004 on enhancing ship and port facility security (OJ L 129, 29.4.2004, p. 6.).

29 Regulation (EC) No 725/2004 of the European Parliament and of the Council of 31 March 2004 on enhancing ship and port facility security (OJ L 129, 29.4.2004, p. 6.).

30 Directive 2005/65/EC of the European Parliament and of the Council of 26 October 2005 on enhancing port security (OJ L 310, 25.11.2005, p. 28).

30 Directive 2005/65/EC of the European Parliament and of the Council of 26 October 2005 on enhancing port security (OJ L 310, 25.11.2005, p. 28).

 

30a Directive 2008/96/EC of the European Parliament and of the Council of 19 November 2008 on road infrastructure safety management (OJ L 319, 29.11.2008, p. 59).

31 Commission Decision of 29 June 2018 setting up the EU Rail Passenger Security Platform C/2018/4014.

31 Commission Decision of 29 June 2018 setting up the EU Rail Passenger Security Platform C/2018/4014.

Amendment  22

Proposal for a directive

Recital 24

 

Text proposed by the Commission

Amendment

(24) The risk of employees of critical entities misusing for instance their access rights within the entity’s organisation to harm and cause damage is of increasing concern. That risk is exacerbated by the growing phenomenon of radicalisation leading to violent extremism and terrorism. It is therefore necessary to enable critical entities to request background checks on persons falling within specific categories of its personnel and to ensure that those requests are assessed expeditiously by the relevant authorities, in accordance with the applicable rules of Union and national law, including on the protection of personal data.

(24) The risk of employees of critical entities misusing for instance their access rights within the entity’s organisation to harm and cause damage is of increasing concern. That risk is exacerbated by the growing phenomenon of radicalisation leading to violent extremism and terrorism. It is therefore necessary to enable critical entities to request background checks on persons falling within specific categories of its personnel and to ensure that those requests are assessed expeditiously by the relevant authorities, in accordance with the applicable rules of Union and national law, including on the protection of personal data, in particular Regulation (EU) 2016/679.

Amendment  23

Proposal for a directive

Recital 25

 

Text proposed by the Commission

Amendment

(25) Critical entities should notify, as soon as reasonably possible under the given circumstances, Member States’ competent authorities of incidents that significantly disrupt or have the potential to significantly disrupt their operations. The notification should allow the competent authorities to respond to the incidents rapidly and adequately and to have a comprehensive overview of the overall risks that critical entities face. For that purpose, a procedure should be established for the notification of certain incidents and parameters should be provided for to determine when the actual or potential disruption is significant and the incidents should thus be notified. Given the potential cross-border impacts of such disruptions, a procedure should be established for Member States to inform other affected Member States via single points of contacts.

(25) Critical entities should notify, as soon as reasonably possible under the given circumstances and, in any event, no later than 24 hours after becoming aware of the incident in question, Member States’ competent authorities of any incident that significantly disrupts or has the potential to significantly disrupt their operations. The competent authority should inform the public of such an incident where it determines that it would be in the public interest to do so. The competent authority should ensure that the critical entity concerned inform users of its services that might be affected by such an incident of the incident and, where relevant, of any possible safety measures or remedies. The notification should allow the competent authorities to respond to the incidents rapidly and adequately and to have a comprehensive overview of the overall risks that critical entities face. For that purpose, a procedure should be established for the notification of certain incidents and parameters should be provided for to determine when the actual or potential disruption is significant and the incidents should thus be notified. Given the potential cross-border impacts of such disruptions, a procedure should be established for Member States to inform other affected Member States via single points of contacts, without undue delay. Information on incidents should be treated in a way that respects confidentiality and the security and commercial interests of the critical entity concerned.

Amendment  24

Proposal for a directive

Recital 26

 

Text proposed by the Commission

Amendment

(26) While critical entities generally operate as part of an increasingly interconnected network of service provision and infrastructures and often provide essential services in more than one Member State, some of those entities are of particular significance for the Union because they provide essential services to a large number of Member States, and therefore require specific oversight at Union level. Rules on the specific oversight in respect of such critical entities of particular European significance should therefore be established. Those rules are without prejudice to the rules on supervision and enforcement set out in this Directive.

(26) While critical entities generally operate as part of an increasingly interconnected network of service provision and infrastructures and often provide essential services in more than one Member State, some of those entities are of particular significance for the Union and the internal market because they provide essential services to several Member States, and therefore require specific oversight at Union level. Rules on the specific oversight in respect of such critical entities of particular European significance should therefore be established. Those rules are without prejudice to the rules on supervision and enforcement set out in this Directive.

Amendment  25

Proposal for a directive

Recital 27 a (new)

 

Text proposed by the Commission

Amendment

 

(27a) Standardisation should remain primarily a market-driven process. However, there might still be situations where it is appropriate to require compliance with specified standards at Union level. The Commission and the Member States should support and promote the development and implementation of standards and specifications relevant to the resilience of critical entities as set by the European Standardisation Organisations for the undertaking of technical and organisational measures aimed at ensuring critical entities’ resilience. Member States should also encourage the use of internationally accepted standards and specifications relevant to resilience measures applicable to critical entities.

Amendment  26

Proposal for a directive

Recital 30

 

Text proposed by the Commission

Amendment

(30) Member States should ensure that their competent authorities have certain specific powers for the proper application and enforcement of this Directive in relation to critical entities, where those entities fall under their jurisdiction as specified in this Directive. Those powers should include, notably, the power to conduct inspections, supervision and audits, require critical entities to provide information and evidence relating to the measures they have taken to comply with their obligations and, where necessary, issue orders to remedy identified infringements. When issuing such orders, Member States should not require measures which go beyond what is necessary and proportionate to ensure compliance of the critical entity concerned, taking account of in particular the seriousness of the infringement and the economic capacity of the critical entity. More generally, those powers should be accompanied by appropriate and effective safeguards to be specified in national law, in accordance with the requirements resulting from Charter of Fundamental Rights of the European Union. When assessing the compliance of a critical entity with its obligations under this Directive, competent authorities designated under this Directive should be able to request the competent authorities designated under the NIS 2 Directive to assess the cybersecurity of those entities. Those competent authorities should cooperate and exchange information for that purpose.

(30) Member States should ensure that their competent authorities have certain specific powers for the proper application and enforcement of this Directive in relation to critical entities, where those entities fall under their jurisdiction as specified in this Directive. Those powers should include, notably, the power to conduct inspections, supervision and audits, require critical entities to provide information and evidence relating to the measures they have taken to comply with their obligations and, where necessary, issue orders to remedy identified infringements. When issuing such orders, Member States should not require measures which go beyond what is necessary and proportionate to ensure compliance of the critical entity concerned, taking account of in particular the seriousness of the infringement and the economic capacity of the critical entity. More generally, those powers should be accompanied by appropriate and effective safeguards to be specified in national law, in accordance with the requirements resulting from Charter of Fundamental Rights of the European Union. The assessment of critical entities under this Directive, in matters that fall under the scope of the NIS 2 Directive such as physical and non-physical cybersecurity, is the responsibility of the competent authorities designated under the NIS 2 Directive. Furthermore, when assessing the compliance of a critical entity with its obligations under this Directive, competent authorities designated under this Directive should be able to request the competent authorities designated under the NIS 2 Directive to assess the cybersecurity of those entities. Those competent authorities should cooperate and exchange information for that purpose.

Amendment  27

Proposal for a directive

Recital 31

 

Text proposed by the Commission

Amendment

(31) In order to take into account new risks, technological developments or specificities of one or more of the sectors, the power to adopt acts in accordance with Article 290 Treaty on the Functioning of the European Union should be delegated to the Commission to supplement the resilience measures critical entities are to take by further specifying some or all of those measures. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level, and that those consultations be conducted in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making32 . In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council receive all documents at the same time as Member States' experts, and their experts systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts.

(31) In order to take into account new risks, technological developments or specificities of one or more of the sectors, the power to adopt acts in accordance with Article 290 Treaty on the Functioning of the European Union should be delegated to the Commission to supplement the resilience measures critical entities are to take by further specifying some or all of those measures. In order to avoid the divergent application of this Directive and to improve the functioning of the internal market, the power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union should be delegated to the Commission to supplement this Directive by drawing up a common list of essential services. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level, and that those consultations be conducted in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making32. In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council receive all documents at the same time as Member States' experts, and their experts systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts.

_________________

_________________

32 OJ L 123, 12.5.2016, p. 1.

32 OJ L 123, 12.5.2016, p. 1.

Amendment  28

Proposal for a directive

Article 1 – paragraph 1 – introductory part

 

Text proposed by the Commission

Amendment

1. This Directive:

1. This Directive lays down measures with a view to achieving a high level of resilience of critical entities in order to ensure the provision of essential services within the Union and to improve the functioning of the internal market. To that end, this Directive:

Amendment  29

Proposal for a directive

Article 1 – paragraph 1 – point a

 

Text proposed by the Commission

Amendment

(a) lays down obligations for Member States to take certain measures aimed at ensuring the provision in the internal market of services essential for the maintenance of vital societal functions or economic activities, in particular to identify critical entities and entities to be treated as equivalent in certain respects, and to enable them to meet their obligations;

(a) lays down obligations for Member States to take certain measures aimed at ensuring the continuous provision in the internal market of services essential for the maintenance of vital societal functions or economic activities, in particular to identify critical entities and entities to be treated as equivalent in certain respects, and to enable them to meet their obligations;

Amendment  30

Proposal for a directive

Article 1 – paragraph 2

 

Text proposed by the Commission

Amendment

2. This Directive shall not apply to matters covered by Directive (EU) XX/YY [proposed Directive on measures for a high common level of cybersecurity across the Union; (‘NIS 2 Directive’)], without prejudice to Article 7.

2. This Directive shall not apply to matters covered by Directive (EU) XX/YY [proposed Directive on measures for a high common level of cybersecurity across the Union; (‘NIS 2 Directive’)], without prejudice to Article 7. In view of the interlinkages between cybersecurity and the physical security of entities, Member States shall ensure a coherent implementation of this Directive and the NIS 2 Directive.

Amendment  31

Proposal for a directive

Article 2 – paragraph 1 – point 3

 

Text proposed by the Commission

Amendment

(3) “incident” means any event having the potential to disrupt, or that disrupts, the operations of the critical entity;

(3) “incident” means any event having the potential to disrupt, or that disrupts the provision of an essential service by a critical entity;

Amendment  32

Proposal for a directive

Article 2 – paragraph 1 – point 4

 

Text proposed by the Commission

Amendment

(4) “infrastructure” means an asset, system or part thereof, which is necessary for the delivery of an essential service;

(4) “infrastructure” means assets, including facilities, systems and equipment, or parts thereof, which are necessary for the delivery of an essential service;

Amendment  33

Proposal for a directive

Article 2 – paragraph 1 – point 5

 

Text proposed by the Commission

Amendment

(5) “essential service” means a service which is essential for the maintenance of vital societal functions or economic activities;

(5) “essential service” means a service which is essential for the maintenance of vital societal functions, economic activities, public health and safety, the environment or the rule of law;

Amendment  34

Proposal for a directive

Article 2 – paragraph 1 – point 6

 

Text proposed by the Commission

Amendment

(6) “risk” means any circumstance or event having a potential adverse effect on the resilience of critical entities;

(6) “risk” means any circumstance or event having a potential adverse effect on the ability of a critical entity to provide an essential service;

Amendment  35

Proposal for a directive

Article 2 – paragraph 1 – point 7

 

Text proposed by the Commission

Amendment

(7) “risk assessment” means a methodology to determine the nature and extent of a risk by analysing potential threats and hazards and evaluating existing conditions of vulnerability that could disrupt the operations of the critical entity.

(7) “risk assessment” means a methodology to determine the nature and extent of a risk by assessing potential threats and hazards against the resilience of a critical entity, analysing existing conditions of vulnerability that could lead to the disruption of the operations of a critical entity and evaluating the potential adverse effect the disruption of operations could have on the provision of essential services;

Amendment  36

Proposal for a directive

Article 2 – paragraph 1 – point 7 a (new)

 

Text proposed by the Commission

Amendment

 

(7a) ‘standard’ means standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council1a;

 

____________

 

1a Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council Decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12)

Amendment  37

Proposal for a directive

Article 2 – paragraph 1 – point 7 b (new)

 

Text proposed by the Commission

Amendment

 

(7b) ‘technical specification’ means technical specification as defined in Article 2 point (4), of Regulation (EU) No 1025/2012;

Amendment  38

Proposal for a directive

Article 3 – paragraph 1

 

Text proposed by the Commission

Amendment

1. Each Member State shall adopt by [three years after entry into force of this Directive] a strategy for reinforcing the resilience of critical entities. This strategy shall set out strategic objectives and policy measures with a view to achieving and maintaining a high level of resilience on the part of those critical entities and covering at least the sectors referred to in the Annex.

1. Following a consultation open to all affected stakeholders, each Member State shall adopt by [three years after entry into force of this Directive] a strategy for reinforcing the resilience of critical entities. This strategy shall take into account the Union strategy on resilience prepared by the Critical Entities Resilience Group, referred to in Article 16, and set out strategic objectives and policy measures with a view to achieving and maintaining a high level of resilience on the part of those critical entities and covering at least the sectors referred to in the Annex.

Amendment  39

Proposal for a directive

Article 3 – paragraph 2 – point c

 

Text proposed by the Commission

Amendment

(c) a description of measures necessary to enhance the overall resilience of critical entities, including a national risk assessment, the identification of critical entities and of entities equivalent to critical entities, and the measures to support critical entities taken in accordance with this Chapter;

(c) a description of measures necessary to enhance the overall resilience of critical entities, including a national risk assessment as referred to in Article 4, the identification of critical entities and of entities equivalent to critical entities, and the measures to support critical entities taken in accordance with this Chapter, including measures to enhance cooperation between the public sector and the private sector and public and private entities;

Amendment  40

Proposal for a directive

Article 3 – paragraph 2 – point c a (new)

 

Text proposed by the Commission

Amendment

 

(ca) a list of all authorities and stakeholders involved in the implementation of the strategy;

Amendment  41

Proposal for a directive

Article 3 – paragraph 2 – point d a (new)

 

Text proposed by the Commission

Amendment

 

(da) a policy framework addressing the specific needs and characteristics of small and medium-sized enterprises identified as critical entities to improve their resilience;

Amendment  42

Proposal for a directive

Article 3 – paragraph 2 – point d b (new)

 

Text proposed by the Commission

Amendment

 

(db) the relevant aspects of the national cybersecurity strategy provided for in the NIS 2 Directive and any other sectoral national strategy with a view to achieving coordination, complementarity and synergies.

Amendment  43

Proposal for a directive

Article 3 – paragraph 2 – subparagraph 1

 

Text proposed by the Commission

Amendment

The strategy shall be updated where necessary and at least every four years.

Following a consultation open to all affected stakeholders, the strategy shall be updated at least every four years.

Amendment  44

Proposal for a directive

Article 4 – paragraph 1 – subparagraph 1

 

Text proposed by the Commission

Amendment

1. Competent authorities designated pursuant to Article 8 shall establish a list of essential services in the sectors referred to in the Annex. They shall carry out by [three years after entry into force of this Directive], and subsequently where necessary, and at least every four years, an assessment of all relevant risks that may affect the provision of those essential services, with a view to identifying critical entities in accordance with Article 5(1), and assisting those critical entities to take measures pursuant to Article 11.

1. The Commission is empowered to adopt a delegated act in accordance with Article 21 to supplement this Directive by establishing a list of essential services in the sectors and subsectors referred to in the Annex. The Commission shall adopt the delegated act no later than... [six months after the date of entry into force of this Directive]. Competent authorities designated pursuant to Article 8 shall carry out by [three years after entry into force of this Directive], and subsequently where necessary, and at least every four years, an assessment of all relevant risks that may affect the provision of the essential services listed in the delegated act, with a view to identifying critical entities in accordance with Article 5(1), and assisting those critical entities to take measures pursuant to Article 11.

Amendment  45

Proposal for a directive

Article 4 – paragraph 1 – subparagraph 2

 

Text proposed by the Commission

Amendment

The risk assessment shall account for all relevant natural and man-made risks, including accidents, natural disasters, public health emergencies, antagonistic threats, including terrorist offences pursuant to Directive (EU) 2017/541 of the European Parliament and of the Council34 .

The risk assessment shall account for all relevant natural and man-made risks, including those of a cross-sectoral or cross-border nature, accidents, natural disasters, public health emergencies, antagonistic threats, including terrorist offences pursuant to Directive (EU) 2017/541 of the European Parliament and of the Council34.

_________________

_________________

34 Directive (EU) 2017/541 of the European Parliament and of the Council of 15 March 2017 on combating terrorism and replacing Council Framework Decision 2002/475/JHA and amending Council Decision 2005/671/JHA (OJ L 88, 31.3.2017, p. 6).

34 Directive (EU) 2017/541 of the European Parliament and of the Council of 15 March 2017 on combating terrorism and replacing Council Framework Decision 2002/475/JHA and amending Council Decision 2005/671/JHA (OJ L 88, 31.3.2017, p. 6).

Amendment  46

Proposal for a directive

Article 4 – paragraph 2 – subparagraph 1 – point c

 

Text proposed by the Commission

Amendment

(c) any risks arising from the dependencies between the sectors referred to in the Annex, including from other Member States and third countries, and the impact that a disruption in one sector may have on other sectors;

(c) any risks arising from the dependencies between the sectors referred to in the Annex, including from other Member States and third countries, and the impact that a disruption in one sector may have on other sectors, including any risks to citizens and the internal market;

Amendment  47

Proposal for a directive

Article 4 – paragraph 3

 

Text proposed by the Commission

Amendment

3. Member States shall make the relevant elements of the risk assessment referred to in paragraph 1 available to the critical entities that they identified in accordance with Article 5 in order to assist those critical entities in carrying out their risk assessment, pursuant to Article 10, and in taking measures to ensure their resilience pursuant to Article 11.

3. Member States shall make the relevant elements of the risk assessment referred to in paragraph 1 available, through their single point of contact referred to in Article 8(2), to the critical entities that they identified in accordance with Article 5 in order to assist those critical entities in carrying out their risk assessment, pursuant to Article 10, and in taking measures to ensure their resilience pursuant to Article 11.

Amendment  48

Proposal for a directive

Article 4 – paragraph 5

 

Text proposed by the Commission

Amendment

5. The Commission may, in cooperation with the Member States, develop a voluntary common reporting template for the purposes of complying with paragraph 4.

5. The Commission shall, in cooperation with the Member States, develop a voluntary common reporting template for the purposes of complying with paragraph 4.

Amendment  49

Proposal for a directive

Article 5 – paragraph 2 – introductory part

 

Text proposed by the Commission

Amendment

2. When identifying critical entities pursuant to paragraph 1, Member States shall take into account the outcomes of the risk assessment pursuant to Article 4 and apply the following criteria:

2. When identifying critical entities pursuant to paragraph 1, Member States shall take into account the outcomes of the risk assessment pursuant to Article 4 and the strategy on the resilience of critical entities referred to in Article 3 and shall apply the following criteria:

Amendment  50

Proposal for a directive

Article 5 – paragraph 2 – point b

 

Text proposed by the Commission

Amendment

(b) (the provision of that service depends on infrastructure located in the Member State; and

(b) the provision of that essential service depends on infrastructure located in the Member State; and

Amendment  51

Proposal for a directive

Article 5 – paragraph 2 – point c

 

Text proposed by the Commission

Amendment

(c) an incident would have significant disruptive effects on the provision of the service or of other essential services in the sectors referred to in the Annex that depend on the service.

(c) an incident would have significant disruptive effects on the provision of the essential service or of other essential services in the sectors referred to in the Annex that depend on the service.

Amendment  52

Proposal for a directive

Article 5 – paragraph 5

 

Text proposed by the Commission

Amendment

5. Following the notification referred in paragraph 3, Member States shall ensure that critical entities provide information to their competent authorities designated pursuant to Article 8 of this Directive on whether they have been identified as a critical entity in one or more other Member States. Where an entity has been identified as critical by two or more Member States, these Member States shall engage in consultation with each other with a view to reduce the burden on the critical entity in regard to the obligations pursuant to Chapter III.

5. Following the notification referred in paragraph 3, Member States shall ensure that critical entities provide information to their competent authorities designated pursuant to Article 8 of this Directive on whether they have been identified as a critical entity in one or more other Member States. Where an entity has been identified as critical by two or more Member States, these Member States shall engage in consultation with each other with a view to achieving the highest possible degree of coherence and to reducing the burden on the critical entity in regard to the obligations pursuant to Chapter III.

Amendment  53

Proposal for a directive

Article 5 – paragraph 6

 

Text proposed by the Commission

Amendment

6. For the purposes of Chapter IV, Member States shall ensure that critical entities, following the notification referred in paragraph 3, provide information to their competent authorities designated pursuant to Article 8 of this Directive on whether they provide essential services to or in more than one third of Member States. Where that is so, the Member State concerned shall notify, without undue delay, to the Commission the identity of those critical entities.

6. For the purposes of Chapter IV, Member States shall ensure that critical entities, following the notification referred in paragraph 3, provide information to their competent authorities designated pursuant to Article 8 of this Directive on whether they provide the same or similar essential services to or in more than three Member States. Where that is so, the Member State concerned shall notify, without undue delay, to the Commission the identity of those critical entities.

 

Amendment  54

Proposal for a directive

Article 5 – paragraph 7 – subparagraph 2

 

Text proposed by the Commission

Amendment

Where those updates lead to the identification of additional critical entities, paragraphs 3, 4, 5 and 6 shall apply. In addition, Member States shall ensure that entities that are no longer identified as critical entities pursuant to any such update are notified thereof and are informed that they are no longer subject to the obligations pursuant to Chapter III as from the reception of that information.

Where those updates lead to the identification of additional critical entities, paragraphs 3, 4, 5 and 6 shall apply. In addition, Member States shall ensure that entities that are no longer identified as critical entities pursuant to any such update are notified thereof and are informed in due time that they are no longer subject to the obligations pursuant to Chapter III as from the reception of that information.

Amendment  55

 

Proposal for a directive

Article 5 – paragraph 7 a (new)–

 

Text proposed by the Commission

Amendment

 

7a. The Commission shall, in cooperation with the Member States, develop recommendations and guidelines to support Member States in identifying critical entities.

Amendment  56

Proposal for a directive

Article 6 – paragraph 1 – point a

 

Text proposed by the Commission

Amendment

(a) the number of users relying on the service provided by the entity;

(a) the number of users relying on the essential service provided by the entity;

Amendment  57

Proposal for a directive

Article 6 – paragraph 1 – point b

 

Text proposed by the Commission

Amendment

(b) the dependency of other sectors referred to in the Annex on that service;

(b) the dependency of other sectors and subsectors referred to in the Annex or of the supply chain on that essential service;

Amendment  58

Proposal for a directive

Article 6 – paragraph 1 – point e

 

Text proposed by the Commission

Amendment

(e) the geographic area that could be affected by an incident, including any cross-border impacts;

(e) the geographic area that could be affected by an incident, including any cross-border impacts, taking into account the vulnerability associated with the degree of isolation of certain types of geographic areas, such as insular regions, outermost regions or mountainous areas;

Amendment  59

Proposal for a directive

Article 6 – paragraph 1 – point f

 

Text proposed by the Commission

Amendment

(f) the importance of the entity in maintaining a sufficient level of the service, taking into account the availability of alternative means for the provision of that service.

(f) the importance of the entity in maintaining a sufficient level of the essential service, taking into account the availability of alternative means for the provision of that essential service.

Amendment  60

Proposal for a directive

Article 6 – paragraph 3

 

Text proposed by the Commission

Amendment

3. The Commission may, after consultation of the Critical Entities Resilience Group, adopt guidelines to facilitate the application of the criteria referred to in paragraph 1, taking into account the information referred to in paragraph 2.

3. The Commission shall, after consultation of the Critical Entities Resilience Group, adopt guidelines to facilitate the application of the criteria referred to in paragraph 1, taking into account the information referred to in paragraph 2.

Amendment  61

Proposal for a directive

Article 7 – paragraph 1

 

Text proposed by the Commission

Amendment

1. As regards the sectors referred to in points 3, 4 and 8 of the Annex, Member States shall, by [three years and three months after entry into force of this Directive], identify the entities that shall be treated as equivalent to critical entities for the purposes of this Chapter. They shall apply the provisions of Articles 3, 4, 5(1) to (4) and (7), and 9 in respect of those entities.

1. As regards the sectors referred to in points 3, 4 and 8 of the Annex, Member States shall, by [one year and six months after entry into force of this Directive], identify the entities that shall be treated as equivalent to critical entities for the purposes of this Chapter. They shall apply the provisions of Articles 3, 4, 5(1) to (4) and (7), and 9 in respect of those entities.

Amendment  62

Proposal for a directive

Article 8 – paragraph 2

 

Text proposed by the Commission

Amendment

2. Each Member State shall, within the competent authority, designate a single point of contact to exercise a liaison function to ensure cross-border cooperation with competent authorities of other Member States and with the Critical Entities Resilience Group referred to in Article 16 (‘single point of contact’).

2. Each Member State shall, within the competent authority, designate a single point of contact to exercise a liaison function to ensure cross-border cooperation with competent authorities of other Member States and with the Commission and the Critical Entities Resilience Group referred to in Article 16 (‘single point of contact’) and, where relevant, to ensure cooperation with third countries.

Amendment  63

Proposal for a directive

Article 8 – paragraph 3

 

Text proposed by the Commission

Amendment

3. By [three years and six months after entry into force of this Directive], and every year thereafter, the single points of contact shall submit a summary report to the Commission and to the Critical Entities Resilience Group on the notifications received, including the number of notifications, the nature of notified incidents and the actions taken in accordance with Article 13(3).

3. By ... [four years and six months after entry into force of this Directive], and in the first trimester of every year thereafter, the single points of contact shall submit a summary report to the Commission and to the Critical Entities Resilience Group on the notifications received, including the number of notifications, the nature of notified incidents and the actions taken in accordance with Article 13(3).

Amendment  64

Proposal for a directive

Article 9 – paragraph 1

 

Text proposed by the Commission

Amendment

1. Member States shall support critical entities in enhancing their resilience. That support may include developing guidance materials and methodologies, supporting the organisation of exercises to test their resilience and providing training to personnel of critical entities.

1. Member States shall support critical entities in enhancing their resilience. That support shall include developing guidance materials and methodologies, supporting the organisation of exercises to test their resilience and providing training to personnel of critical entities. Member States may provide financial resources to critical entities, without prejudice to applicable rules on State aid, where necessary and justified by public interest objectives.

Amendment  65

Proposal for a directive

Article 10 – paragraph 1

 

Text proposed by the Commission

Amendment

Member States shall ensure that critical entities assess within six months after receiving the notification referred to in Article 5(3), and subsequently where necessary and at least every four years, on the basis of Member States’ risk assessments and other relevant sources of information, all relevant risks that may disrupt their operations.

Member States shall ensure that critical entities assess within six months after receiving the notification referred to in Article 5(3), and subsequently where necessary and at least every four years, on the basis of Member States’ risk assessments and other relevant sources of information, all relevant risks that may disrupt their provision of essential services concerned.

Amendment  66

Proposal for a directive

Article 11 – paragraph 1 – point d

 

Text proposed by the Commission

Amendment

(d) recover from incidents, including business continuity measures and the identification of alternative supply chains;

(d) recover from incidents, including business continuity measures and the identification of alternative supply chains, to ensure the continuous provision of the essential service;

Amendment  67

Proposal for a directive

Article 11 – paragraph 1 – point e

 

Text proposed by the Commission

Amendment

(e) ensure adequate employee security management, including by setting out categories of personnel exercising critical functions, establishing access rights to sensitive areas, facilities and other infrastructure, and to sensitive information as well as identifying specific categories of personnel in view of Article 12;

(e) ensure adequate employee security management, including by setting out categories of personnel exercising critical functions, laying down appropriate training requirements and qualifications, establishing access rights to sensitive areas, facilities and other infrastructure, and to sensitive information as well as identifying specific categories of personnel in view of Article 12; where external providers are involved in employee security management, critical entities shall ensure that they comply with generally accepted standards and specifications

Amendment  68

Proposal for a directive

Article 11 – paragraph 1 – point f

 

Text proposed by the Commission

Amendment

(f) raise awareness about the measures referred to in points (a) to (e) among relevant personnel.

(f) raise awareness about the measures referred to in points (a) to (e) among relevant personnel, including by means of periodic training.

Amendment  69

Proposal for a directive

Article 11 – paragraph 3

 

Text proposed by the Commission

Amendment

3. Upon request of the Member State that identified the critical entity and with the agreement of the critical entity concerned, the Commission shall organise advisory missions, in accordance with the arrangements set out in Article 15(4), (5), (7) and (8), to provide advice to the critical entity concerned in meeting its obligations pursuant to Chapter III. The advisory mission shall report its findings to the Commission, that Member State and the critical entity concerned.

3. Upon request of the Member State that identified the critical entity and in consultation with the critical entity concerned, the Commission shall organise advisory missions, in accordance with the arrangements set out in Article 15(4), (5), (7) and (8), to provide advice to the critical entity concerned in meeting its obligations pursuant to Chapter III. The advisory mission shall report its findings to the Commission, that Member State and the critical entity concerned. At their request the Commission may also offer advisory missions to entities based in third countries.

Amendment  70

Proposal for a directive

Article 12 – paragraph 1

 

Text proposed by the Commission

Amendment

1. Member States shall ensure that critical entities may submit requests for background checks on persons who fall within certain specific categories of their personnel, including persons being considered for recruitment to positions falling within those categories, and that those requests are assessed expeditiously by the authorities competent to carry out such background checks.

1. Member States shall ensure that critical entities may submit requests for background checks on persons who fall within certain specific categories of their personnel, including persons being considered for recruitment to positions falling within those categories, and that those requests are assessed expeditiously by the authorities competent to carry out such background checks. Such background checks shall be proportionate and strictly limited to what is necessary and relevant for the fulfilment of the duties of the persons concerned.

Amendment  71

Proposal for a directive

Article 12 – paragraph 2 –subparagraph 1 – introductory part

 

Text proposed by the Commission

Amendment

2. In accordance with applicable Union and national law, including Regulation (EU) 2016/679/EU of the European Parliament and of the Council38 , a background check as referred to in paragraph 1 shall:

2. In accordance with applicable Union and national law, including Regulation (EU) 2016/679/EU of the European Parliament and of the Council, Member States shall ensure that a background check as referred to in paragraph 1 is carried out for the sole purpose of evaluating a potential security risk to the critical entity concerned. A background check shall:

_________________

 

38 OJ L 119, 4.5.2016, p. 1.

 

Amendment  72

Proposal for a directive

Article 13 – paragraph 1

 

Text proposed by the Commission

Amendment

1. Member States shall ensure that critical entities notify without undue delay the competent authority of incidents that significantly disrupt or have the potential to significantly disrupt their operations. Notifications shall include any available information necessary to enable the competent authority to understand the nature, cause and possible consequences of the incident, including so as to determine any cross-border impact of the incident. Such notification shall not make the critical entities subject to increased liability.

1. Member States shall ensure that critical entities notify without undue delay the competent authority of incidents that significantly disrupt or have the potential to significantly disrupt their operations. An initial notification shall be submitted within 24 hours of a critical entity becoming aware of an incident, followed by a detailed report no later than one month thereafter. Notifications shall include any available information necessary to enable the competent authority to understand the nature, cause and possible consequences of the incident, including so as to determine any cross-border impact of the incident. Such notification shall not make the critical entities subject to increased liability.

 

Where an incident has or might have a significant impact on critical entities or on the continuity of the provision of essential services in more than three Member States, Member States shall ensure that the critical entities concerned notify such incidents to the Commission. The Commission shall inform the Critical Entities Resilience Group of any such notifications without undue delay. The Commission and the Critical Entities Resilience Group shall, in accordance with Union law, treat information provided as part of such notifications in a way that respects its confidentiality and protects the security and commercial interests of the critical entity or entities concerned.

Amendment  73

Proposal for a directive

Article 13 – paragraph 2 – point c

 

Text proposed by the Commission

Amendment

(c) the geographical area affected by the disruption or potential disruption.

(c) the geographical area affected by the disruption or potential disruption, taking into account whether the area is geographically isolated.

Amendment  74

Proposal for a directive

Article 13 – paragraph 3 a (new)

 

Text proposed by the Commission

Amendment

 

3a. The competent authority concerned shall submit a summary report annually to the Commission and to the Critical Entities Resilience Group on the notifications received and the action taken in accordance with this Article.

Amendment  75

Proposal for a directive

Article 13 – paragraph 4

 

Text proposed by the Commission

Amendment

4. As soon as possible upon having been notified in accordance with paragraph 1, the competent authority shall provide the critical entity that notified it with relevant information regarding the follow-up of its notification, including information that could support the critical entity’s effective response to the incident.

4. As soon as possible upon having been notified in accordance with paragraph 1, the competent authority shall provide the critical entity that notified it with relevant information regarding the follow-up of its notification, including information that could support the critical entity’s effective response to the incident. The competent authority shall inform the public of an incident where it determines that it would be in the public interest to do so. The competent authority shall ensure that critical entities inform users of their services that might be affected by an incident of the incident and, where relevant, of any possible safety measures or remedies.

Amendment  76

Proposal for a directive

Article 13 a (new)

 

Text proposed by the Commission

Amendment

 

Article 13a

 

Standards

 

In order to promote the consistent implementation of this Directive, Member States shall, without imposing or discriminating in favour of the use of a particular type of technology, encourage the use of standards and specifications relevant to the security and resilience of critical entities.

Amendment  77

Proposal for a directive

Article 14 – paragraph 2

 

Text proposed by the Commission

Amendment

2. An entity shall be considered a critical entity of particular European significance when it has been identified as a critical entity and it provides essential services to or in more than one third of Member States and has been notified as such to the Commission pursuant to Article 5(1) and (6), respectively.

2. An entity shall be considered a critical entity of particular European significance when it has been identified as a critical entity and it provides the same or similar essential services to or in more than three Member States and has been notified as such to the Commission pursuant to Article 5(1) and (6), respectively.

Amendment  78

Proposal for a directive

Article 15 – paragraph 1 – subparagraph 1

 

Text proposed by the Commission

Amendment

Upon request of one or more Member States or of the Commission, the Member State where the infrastructure of the critical entity of particular European significance is located shall, together with that entity, inform the Commission and the Critical Entities Resilience Group of the outcome of the risk assessment carried out pursuant to Article 10 and the measures taken in accordance with Article 11.

Upon request of one or more Member States or of the Commission, a critical entity of particular European significance shall, inform the Critical Entities Resilience Group of the outcome of the risk assessment carried out pursuant to Article 10 and the measures taken in accordance with Article 11.

Amendment  79

Proposal for a directive

Article 15 – paragraph 2

 

Text proposed by the Commission

Amendment

2. Upon request of one or more Member States, or at its own initiative, and in agreement with the Member State where the infrastructure of the critical entity of particular European significance is located, the Commission shall organise an advisory mission to assess the measures that that entity put in place to meet its obligations pursuant to Chapter III. Where needed, the advisory missions may request specific expertise in the area of disaster risk management through the Emergency Response Coordination Centre.

2. Upon request of one or more Member States, or at its own initiative, and in consultation with the Member State where the infrastructure of the critical entity of particular European significance is located, the Commission shall organise an advisory mission to assess the measures that that entity put in place to meet its obligations pursuant to Chapter III. Where needed, the advisory missions may request specific expertise in the area of disaster risk management through the Emergency Response Coordination Centre.

Amendment  80

Proposal for a directive

Article 15 – paragraph 4 – subparagraph 2

 

Text proposed by the Commission

Amendment

The Commission shall organise the programme of an advisory mission, in consultation with the members of the specific advisory mission and in agreement with the Member State where the infrastructure of the critical entity or the critical entity of European significance concerned is located.

The Commission shall organise the programme of an advisory mission, in consultation with the members of the specific advisory mission and the Member State where the infrastructure of the critical entity or the critical entity of European significance concerned is located.

Amendment  81

Proposal for a directive

Article 16 – paragraph 2 – subparagraph 1

 

Text proposed by the Commission

Amendment

The Critical Entities Resilience Group shall be composed of representatives of the Member States and the Commission. Where relevant for the performance of its tasks, the Critical Entities Resilience Group may invite representatives of interested parties to participate in its work.

The Critical Entities Resilience Group shall be composed of representatives of the Member States and the Commission. Where relevant for the performance of its tasks, the Critical Entities Resilience Group shall invite representatives of relevant stakeholders to participate in its work and the European Parliament to participate as an observer.

Amendment  82

Proposal for a directive

Article 16 – paragraph 3 – point c

 

Text proposed by the Commission

Amendment

(c) facilitating the exchange of best practices with regard to the identification of critical entities by the Member States in accordance with Article 5, including in relation to cross-border dependencies and regarding risks and incidents;

(c) facilitating the exchange of best practices with regard to the identification of critical entities by the Member States in accordance with Article 5, including in relation to cross-border and cross sectoral dependencies and regarding risks and incidents;

Amendment  83

Proposal for a directive

Article 16 – paragraph 3 – point c a (new)

 

Text proposed by the Commission

Amendment

 

(ca) preparing a Union strategy on resilience in compliance with the objectives set out in this Directive;

Amendment  84

Proposal for a directive

Article 16 – paragraph 3 – point h

 

Text proposed by the Commission

Amendment

(h) exchanging information and best practices on research and development relating to the resilience of critical entities in accordance with this Directive;

(h) exchanging information and best practices on innovation, research and development relating to the resilience of critical entities in accordance with this Directive;

Amendment  85

Proposal for a directive

Article 16 – paragraph 3 – point h a (new)

 

Text proposed by the Commission

Amendment

 

(ha) promoting and supporting coordinated risk assessments and joint actions among critical entities;

Amendment  86

Proposal for a directive

Article 16 – paragraph 5

 

Text proposed by the Commission

Amendment

5. The Critical Entities Resilience Group shall meet regularly and at least once a year with the Cooperation Group established under [the NIS 2 Directive] to promote strategic cooperation and exchange of information.

5. The Critical Entities Resilience Group shall meet regularly and at least once a year with the Cooperation Group established under [the NIS 2 Directive] to facilitate strategic cooperation and exchange of information.

Amendment  87

Proposal for a directive

Article 16 – paragraph 7

 

Text proposed by the Commission

Amendment

7. The Commission shall provide to the Critical Entities Resilience Group a summary report of the information provided by the Member States pursuant to Articles 3(3) and 4(4) by [three years and six months after entry into force of this Directive] and subsequently where necessary and at least every four years.

7. The Commission shall provide to the Critical Entities Resilience Group a summary report of the information provided by the Member States pursuant to Articles 3(3) and 4(4) by [three years and six months after entry into force of this Directive] and subsequently where necessary and at least every four years. The Commission shall regularly publish a summary report of the activities of the Critical Entities Resilience Group.

 

The Commission shall set up a common secretariat for the Critical Entities Resilience Group and the Cooperation Group established under the NIS 2 Directive in order to better accommodate communication between the two groups and, consequently, to minimise ambiguities between the different authorities designated under this Directive and the NIS 2 Directive.

Amendment  88

Proposal for a directive

Article 17 – paragraph 2 a (new)

 

Text proposed by the Commission

Amendment

 

2a. In order to receive and properly use the information received under Article 8(3), the Commission shall keep a Union registry of incidents with the aim of developing and sharing best practices and methodologies.

Amendment  89

Proposal for a directive

Article 21 – paragraph 2

 

Text proposed by the Commission

Amendment

2. The power to adopt delegated acts referred to in Article 11(4) shall be conferred on the Commission for a period of five years from date of entry into force of this Directive or any other date set by the co-legislators.

2. The power to adopt delegated acts referred to in Articles 4(1) and 11(4) shall be conferred on the Commission for a period of five years from date of entry into force of this Directive or any other date set by the co-legislators.

Amendment  90

Proposal for a directive

Article 21 – paragraph 3

 

Text proposed by the Commission

Amendment

3. The delegation of power referred to in Article 11(4) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.

3. The delegation of power referred to in Articles 4(1) and 11(4) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.

Amendment  91

Proposal for a directive

Article 22 – paragraph 1

 

Text proposed by the Commission

Amendment

By [54 months after the entry into force of this Directive], the Commission shall submit a report to the European Parliament and to the Council, assessing the extent to which the Member States have taken the necessary measures to comply with this Directive.

By [54 months after the entry into force of this Directive], the Commission shall submit a report to the European Parliament and to the Council, assessing the extent to which the Member States have taken the necessary measures to comply with this Directive. The report shall contain separate country chapters on the concrete implementation progress in each Member State.

Amendment  92

Proposal for a directive

Article 22 – paragraph 2

 

Text proposed by the Commission

Amendment

The Commission shall periodically review the functioning of this Directive, and report to the European Parliament and to the Council. The report shall in particular assess the impact and added value of this Directive on ensuring the resilience of critical entities and whether the scope of the Directive should be extended to cover other sectors or subsectors. The first report shall be submitted by [six years after the entry into force of this Directive] and shall assess in particular whether the scope of the Directive should be extended to include the food production, processing and distribution sector.

The Commission shall periodically review the functioning of this Directive, and report to the European Parliament and to the Council. The report shall in particular assess the impact and added value of this Directive on ensuring the resilience of critical entities and whether the scope of the Directive should be extended to cover other sectors or subsectors. The first report shall be submitted by [six years after the entry into force of this Directive] and shall assess in particular whether the scope of the Directive should be extended. For that purpose, the Commission shall take into account relevant documents of the Critical Entities Resilience Group.

Amendment  93

Proposal for a directive

Annex – table – point 2 – Transport – point e (new)

 

Text proposed by the Commission

2.Transport

a) Air

— Air carriers referred to in point (4) of Article 3 of Regulation (EC) No 300/200856

— Airport managing bodies referred to in point (2) of Article 2 of Directive 2009/12/EC57 , airports referred to in point (1) of Article 2 of that Directive, including the core airports listed in Section 2 of Annex II to Regulation (EU) No 1315/201358 , and entities operating ancillary installations contained within airports

— Traffic management control operators providing air traffic control (ATC) services referred to in point (1) of Article 2 of Regulation (EC) No 549/200459

 

(b) Rail

— Infrastructure managers referred to in point (2) of Article 3 of Directive 2012/34/EU60

— Railway undertakings referred to in point (1) of Article 3 of Directive 2012/34/EU, including operators of service facilities referred to in point (12) of Article 3 of Directive 2012/34/EU

 

(c) Water

— Inland, sea and coastal passenger and freight water transport companies, referred to for maritime transport in Annex I to Regulation (EC) No 725/200461 , not including the individual vessels operated by those companies

 

— Managing bodies of ports referred to in point (1) of Article 3 of Directive 2005/65/EC62 , including their port facilities referred to in point (11) of Article 2 of Regulation (EC) No 725/2004, and entities operating works and equipment contained within ports

 

— Operators of vessel traffic services referred to in point (o) of Article 3 of Directive 2002/59/EC63 of the European Parliament and of the Council

 

(d) Road

Road authorities referred to in point (12) of Article 2 of Commission Delegated Regulation (EU) 2015/96264 responsible for traffic management control

 

— Operators of Intelligent Transport Systems referred to in point (1) of Article 4 of Directive 2010/40/EU65

 

Amendment

2.Transport

a) Air

— Air carriers referred to in point (4) of Article 3 of Regulation (EC) No 300/200856

— Airport managing bodies referred to in point (2) of Article 2 of Directive 2009/12/EC57 , airports referred to in point (1) of Article 2 of that Directive, including the core airports listed in Section 2 of Annex II to Regulation (EU) No 1315/201358 , and entities operating ancillary installations contained within airports

— Traffic management control operators providing air traffic control (ATC) services referred to in point (1) of Article 2 of Regulation (EC) No 549/200459

 

(b) Rail

— Infrastructure managers referred to in point (2) of Article 3 of Directive 2012/34/EU60

— Railway undertakings referred to in point (1) of Article 3 of Directive 2012/34/EU, including operators of service facilities referred to in point (12) of Article 3 of Directive 2012/34/EU

 

(c) Water

— Inland, sea and coastal passenger and freight water transport companies, referred to for maritime transport in Annex I to Regulation (EC) No 725/200461 , not including the individual vessels operated by those companies

— Managing bodies of ports referred to in point (1) of Article 3 of Directive 2005/65/EC62 , including their port facilities referred to in point (11) of Article 2 of Regulation (EC) No 725/2004, and entities operating works and equipment contained within ports

— Operators of vessel traffic services referred to in point (o) of Article 3 of Directive 2002/59/EC63 of the European Parliament and of the Council

 

(d) Road

Road authorities referred to in point (12) of Article 2 of Commission Delegated Regulation (EU) 2015/96264 responsible for traffic management control

— Operators of Intelligent Transport Systems referred to in point (1) of Article 4 of Directive 2010/40/EU65

 

(e) public transport

—Public transport authorities and service operators as referred to in Article 2, points (b) and (d), of Regulation (EC) No 1370/2007 of the European Parliament and of the Council65a.

 

 

_____________________

 

 

65a Regulation (EC) No 1370/2007 of the European Parliament and of the Council of 23 October 2007 on public passenger transport services by rail and by road and repealing Council Regulations (EEC) Nos 1191/69 and 1107/70 (OJ L 315, 3.12.2007, p. 1).

Amendment  94

Proposal for a directive

Annex – section 5 – subsection 6 (new)

 

 

 

Text proposed by the Commission

Amendment

Sectors, subsectors and types of entities

Sectors, subsectors and types of entities

5. Health

5. Health

— Healthcare providers referred to in point (g) of Article 3 of Directive 2011/24/EU19

— Healthcare providers referred to in point (g) of Article 3 of Directive 2011/24/EU19

— EU reference laboratories referred to in Article 15 of Regulation [XX] on serious cross borders threats to health

— EU reference laboratories referred to in Article 15 of Regulation [XX] on serious cross borders threats to health

— Entities carrying out research and development activities of medicinal products referred to in Article 1 point 2 of Directive 2001/83/EC

— Entities carrying out research and development activities of medicinal products referred to in Article 1 point 2 of Directive 2001/83/EC

— Entities manufacturing basic pharmaceutical products and pharmaceutical preparations referred to in section C division 21 of NACE Rev. 2

— Entities manufacturing basic pharmaceutical products and pharmaceutical preparations referred to in section C division 21 of NACE Rev. 2

— Entities manufacturing medical devices considered as critical during a public health emergency (‘the public health emergency critical devices list’) referred to in Article 20 of Regulation XXXX

— Entities manufacturing medical devices considered as critical during a public health emergency (‘the public health emergency critical devices list’) referred to in Article 20 of Regulation XXXX

 

— Entities holding a distribution authorisation as referred to in Article 79 of Directive 2001/83/EC

Amendment  95

Proposal for a directive

Annex – Sector 9 – Title

 

Text proposed by the Commission

Amendment

9. Public administration

9. Public administration and democratic institutions

Amendment  96

Proposal for a directive

Annex – Sector 9 – Type of entity – 3 a (new)

 

Text proposed by the Commission

Amendment

 

— Central, regional and local governments and assemblies

Amendment  97

Proposal for a directive

Annex – section 10 a (new)

 

Text proposed by the Commission

Amendment

 

10 a. Food production, processing and distribution

 

— Food businesses as referred to in Article 3, point (2), of Regulation (EC) No 178/2002 of the European Parliament and of the Council1a

 

________________

 

1a Regulation (EC) No 178/2002 of the European Parliament and of the Council of 28 January 2002 laying down the general principles and requirements of food law, establishing the European Food Safety Authority and laying down procedures in matters of food safety (OJ L 31, 1.2.2002, p. 1).



 

 

OPINION OF THE COMMITTEE ON INDUSTRY, RESEARCH AND ENERGY (2.7.2021)

for the Committee on Civil Liberties, Justice and Home Affairs

on the proposal for a directive of the European Parliament and of the Council on the resilience of critical entities

(COM(2020)0829 – C9‑0421/2020 – (2020)0365(COD))

Rapporteur for opinion: Nils Torvalds

(*)  Associated committees – Rule 57 of the Rules of Procedure

 

 

 

 

AMENDMENTS

The Committee on Industry, Research and Energy calls on the Committee on Civil Liberties, Justice and Home Affairs, as the committee responsible, to take into account the following amendments:

Amendment  1

 

Proposal for a directive

Recital 1

 

Text proposed by the Commission

Amendment

(1) Council Directive 2008/114/EC17 provides for a procedure for designating European critical infrastructures in the energy and transport sectors, the disruption or destruction of which would have significant cross-border impact on at least two Member States. That Directive focused exclusively on the protection of such infrastructures. However, the evaluation of Directive 2008/114/EC conducted in 201918 found that due to the increasingly interconnected and cross-border nature of operations using critical infrastructure, protective measures relating to individual assets alone are insufficient to prevent all disruptions from taking place. Therefore, it is necessary to shift the approach towards ensuring the resilience of critical entities, that is, their ability to mitigate, absorb, accommodate to and recover from incidents that have the potential to disrupt the operations of the critical entity.

(1) Council Directive 2008/114/EC17 provides for a procedure for designating European critical infrastructures in the energy and transport sectors, the disruption or destruction of which would have significant cross-border impact on at least two Member States. That Directive focused exclusively on the protection of such infrastructures. However, the evaluation of Directive 2008/114/EC conducted in 201918 found that due to the increasingly interconnected and cross-border nature of operations using critical infrastructure, protective measures relating to individual assets alone are insufficient to prevent all disruptions from taking place. Therefore, it is necessary to shift the approach towards ensuring the resilience of critical entities, that is, their ability to mitigate, absorb, react, accommodate to and recover from incidents that have the potential to disrupt the operations of the critical entity endangering the overall economic and social well-being of citizens.

__________________

__________________

17 Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection (OJ L 345, 23.12.2008, p.75).

17 Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection (OJ L 345, 23.12.2008, p.75).

18 SWD(2019) 308.

18 SWD(2019) 308.

Amendment  2

 

Proposal for a directive

Recital 3

 

Text proposed by the Commission

Amendment

(3) Those growing interdependencies are the result of an increasingly cross-border and interdependent network of service provision using key infrastructures across the Union in the sectors of energy, transport, banking, financial market infrastructure, digital infrastructure, drinking and waste water, health, certain aspects of public administration, as well as space in as far as the provision of certain services depending on ground-based infrastructures that are owned, managed and operated either by Member States or by private parties is concerned, therefore not covering infrastructures owned, managed or operated by or on behalf of the Union as part of its space programmes. These interdependencies mean that any disruption, even one initially confined to one entity or one sector, can have cascading effects more broadly, potentially resulting in far-reaching and long-lasting negative impacts in the delivery of services across the internal market. The COVID-19 pandemic has shown the vulnerability of our increasingly interdependent societies in the face of low-probability risks.

(3) Those growing interdependencies are the result of an increasingly cross-border and interdependent network of service provision using key infrastructures across the Union in the sectors of energy, transport, banking, financial market infrastructure, digital infrastructure, drinking and waste water, health, food certain aspects of public administration, as well as space in as far as the provision of certain services depending on ground-based infrastructures that are owned, managed and operated either by Member States or by private parties is concerned, therefore not covering infrastructures owned, managed or operated by or on behalf of the Union as part of its space programmes. Innovation and technology advancements contribute to the creation of new forms and types of infrastructure systems that use innovations aimed at reducing costs and increasing efficiency and may have implications on risk and resilience. These interdependencies mean that any disruption, even one initially confined to one entity or one sector, can have cascading effects more broadly, potentially resulting in far-reaching and long-lasting negative impacts in the delivery of services across the internal market. Resilience of energy infrastructures plays an important role in economic growth across the Union and contributes to ensuring a decent standard of living to vulnerable energy consumers. The COVID-19 pandemic has shown the vulnerability of our increasingly interdependent societies in the face of low-probability risks.

Amendment  3

 

Proposal for a directive

Recital 4

 

Text proposed by the Commission

Amendment

(4) The entities involved in the provision of essential services are increasingly subject to diverging requirements imposed under the laws of the Member States. The fact that some Member States have less stringent security requirements on these entities not only risks impacting negatively on the maintenance of vital societal functions or economic activities across the Union, it also leads to obstacles to the proper functioning of the internal market. Similar types of entities are considered as critical in some Member States but not in others, and those which are identified as critical are subject to divergent requirements in different Member States. This results in additional and unnecessary administrative burdens for companies operating across borders, notably for companies active in Member States with more stringent requirements.

(4) The entities involved in the provision of essential services are increasingly subject to diverging requirements imposed under the laws of the Member States. The fact that some Member States have less stringent security requirements on these entities not only risks impacting negatively on the maintenance of vital societal functions or economic activities across the Union, it also leads to obstacles to the proper functioning of the internal market. The resilience of critical entities is of great importance for the functioning of the internal market and the security of the Union and its citizens. Similar types of entities are considered as critical in some Member States but not in others, and those which are identified as critical are subject to divergent requirements in different Member States. This results in additional and unnecessary administrative burdens for companies operating across borders, notably for companies active in Member States with more stringent requirements.

Amendment  4

 

Proposal for a directive

Recital 5

 

Text proposed by the Commission

Amendment

(5) It is therefore necessary to lay down harmonised minimum rules to ensure the provision of essential services in the internal market and enhance the resilience of critical entities.

(5) It is therefore necessary to lay down harmonised minimum rules to ensure the provision of essential services in the internal market and enhance the resilience of critical entities. As this Directive provides for minimum rules, Member States are free to adopt or maintain more stringent rules to ensure the provision of essential services in the internal market and enhance the resilience of critical entities where they deem them necessary to protect national security.

Amendment  5

 

Proposal for a directive

Recital 8

 

Text proposed by the Commission

Amendment

(8) Given the importance of cybersecurity for the resilience of critical entities and in the interest of consistency, a coherent approach between this Directive and Directive (EU) XX/YY of the European Parliament and of the Council20 [Proposed Directive on measures for a high common level of cybersecurity across the Union; (hereafter “NIS 2 Directive”)] is necessary wherever possible. In view of the higher frequency and particular characteristics of cyber risks, the NIS 2 Directive imposes comprehensive requirements on a large set of entities to ensure their cybersecurity. Given that cybersecurity is addressed sufficiently in the NIS 2 Directive, the matters covered by it should be excluded from the scope of this Directive, without prejudice to the particular regime for entities in the digital infrastructure sector.

(8) Given the importance of cybersecurity for the resilience of critical entities and in the interest of consistency, a coherent approach between this Directive and Directive (EU) XX/YY of the European Parliament and of the Council20 [Proposed Directive on measures for a high common level of cybersecurity across the Union; (hereafter “NIS 2 Directive”)] is necessary wherever possible, preventing any overlap that could hinder the effectiveness of those two directives. In view of the higher frequency and particular characteristics of cyber risks, the NIS 2 Directive imposes comprehensive requirements on a large set of entities to ensure their cybersecurity. Given that cybersecurity is addressed sufficiently in the NIS 2 Directive, the matters covered by it should be excluded from the scope of this Directive, without prejudice to the particular regime for entities in the digital infrastructure sector.

__________________

__________________

20 [Reference to NIS 2 Directive, once adopted.]

20 [Reference to NIS 2 Directive, once adopted.]

Amendment  6

 

Proposal for a directive

Recital 11

 

Text proposed by the Commission

Amendment

(11) The actions of Member States to identify and help ensure the resilience of critical entities should follow a risk-based approach that targets efforts to the entities most relevant for the performance of vital societal functions or economic activities. In order to ensure such a targeted approach, each Member State should carry out, within a harmonised framework, an assessment of all relevant natural and man-made risks that may affect the provision of essential services, including accidents, natural disasters, public health emergencies such as pandemics, and antagonistic threats, including terrorist offences. When carrying out those risk assessments, Member States should take into account other general or sector-specific risk assessment carried out pursuant to other acts of Union law and should consider the dependencies between sectors, including from other Member States and third countries. The outcomes of the risk assessment should be used in the process of identification of critical entities and to assist those entities in meeting the resilience requirements of this Directive.

(11) The actions of Member States to identify and help ensure the resilience of critical entities should follow a risk-based approach that targets efforts to the entities most relevant for the performance of vital societal functions or economic activities. In order to ensure such a targeted approach, each Member State should carry out, within a harmonised framework, an assessment of all relevant natural and man-made risks that may affect the provision of essential services, including accidents, natural disasters, public health emergencies such as pandemics, and antagonistic threats, including terrorist offences and criminal infiltration. When carrying out those risk assessments, Member States should take into account other general or sector-specific risk assessment carried out pursuant to other acts of Union law and should consider the dependencies between sectors, including from other Member States and third countries. The outcomes of the risk assessment should be used in the process of identification of critical entities and to assist those entities in meeting the resilience requirements of this Directive.

Amendment  7

 

Proposal for a directive

Recital 12

 

Text proposed by the Commission

Amendment

(12) In order to ensure that all relevant entities are subject to those requirements and to reduce divergences in this respect, it is important to lay down harmonised rules allowing for a consistent identification of critical entities across the Union, while also allowing Member States to reflect national specificities. Therefore, criteria to identify critical entities should be laid down. In the interest of effectiveness, efficiency, consistency and legal certainty, appropriate rules should also be set on notification and cooperation relating to, as well as the legal consequences of, such identification. In order to enable the Commission to assess the correct application of this Directive, Member States should submit to the Commission, in a manner that is as detailed and specific as possible, relevant information and, in any event, the list of essential services, the number of critical entities identified for each sector and subsector referred to in the Annex and the essential service or services that each entity provides and any thresholds applied.

(12) In order to ensure that all relevant entities are subject to those requirements and to reduce divergences in this respect, it is important to lay down harmonised rules allowing for a consistent identification of critical entities across the Union, while also allowing Member States to reflect national specificities. This Directive addresses the need to ensure continuity of the services essential for the maintenance of vital societal functions or economic activities, without prejudice to national competences in organising and delivering public services. Therefore, criteria to identify critical entities should be laid down. In the interest of effectiveness, efficiency, consistency and legal certainty, appropriate rules should also be set on notification and cooperation relating to, as well as the legal consequences of, such identification. In order to enable the Commission to assess the correct application of this Directive, Member States should submit to the Commission, in a manner that is as detailed and specific as possible, relevant information and, in any event, the list of essential services, the number of critical entities identified for each sector and subsector referred to in the Annex and the essential service or services that each entity provides and any thresholds applied.

Amendment  8

 

Proposal for a directive

Recital 16

 

Text proposed by the Commission

Amendment

(16) Member States should designate authorities competent to supervise the application of and, where necessary, enforce the rules of this Directive and ensure that those authorities are adequately empowered and resourced. In view of the differences in national governance structures and in order to safeguard already existing sectoral arrangements or Union supervisory and regulatory bodies, and to avoid duplication, Member States should be able to designate more than one competent authority. In that case, they should however clearly delineate the respective tasks of the authorities concerned and ensure that they cooperate smoothly and effectively. All competent authorities should also cooperate more generally with other relevant authorities, both at national and Union level.

(16) Member States should designate authorities competent to supervise the application of and, where necessary, enforce the rules of this Directive and ensure that those authorities are adequately empowered and resourced. In view of the differences in national governance structures and in order to safeguard already existing national or Union-based sector-specific arrangements or national and Union supervisory and regulatory bodies, and to avoid duplication, Member States should be able to designate more than one competent authority. In that case, they should however clearly delineate the respective tasks of the authorities concerned and ensure that they cooperate smoothly and effectively. All competent authorities should also cooperate more generally with other relevant authorities, both at national and Union level.

Amendment  9

 

Proposal for a directive

Recital 18

 

Text proposed by the Commission

Amendment

(18) Given that under the NIS 2 Directive entities identified as critical entities, as well as identified entities in the digital infrastructure sector that are to be treated as equivalent under the present Directive are subject to the cybersecurity requirements of the NIS 2 Directive, the competent authorities designated under the two Directives should cooperate, particularly in relation to cybersecurity risks and incidents affecting those entities.

(18) Entities identified as critical entities under this Directive as well as entities in the digital infrastructure sector that are to be treated as equivalent under the present Directive are subject to the cybersecurity requirements of the NIS 2 Directive. Consequently, the competent authorities designated under the two Directives should cooperate, particularly in relation to cybersecurity risks and incidents affecting those entities. Member States should take measures to avoid double reporting and control, to ensure that strategies and requirements provided for in this Directive and the NIS 2 Directive are complementary and that critical entities are not subject to additional administrative burden.

Amendment  10

 

Proposal for a directive

Recital 19

 

Text proposed by the Commission

Amendment

(19) Member States should support critical entities in strengthening their resilience, in compliance with their obligations under this Directive, without prejudice to the entities’ own legal responsibility to ensure such compliance. Member States could in particular develop guidance materials and methodologies, support the organisation of exercises to test their resilience and provide training to personnel of critical entities. Moreover, given the interdependencies between entities and sectors, Member States should establish information sharing tools to support voluntary information sharing between critical entities, without prejudice to the application of competition rules laid down in the Treaty on the Functioning of the European Union.

(19) Member States should support critical entities in strengthening their resilience, in compliance with their obligations under this Directive, without prejudice to the entities’ own legal responsibility to ensure such compliance. Member States should in particular develop guidance materials and methodologies, support the organisation of exercises to test their resilience and provide training to personnel of critical entities. Moreover, given the interdependencies between entities and sectors, Member States should establish information sharing tools to support voluntary information sharing between critical entities, without prejudice to the application of competition rules laid down in the Treaty on the Functioning of the European Union.

Amendment  11

 

Proposal for a directive

Recital 25

 

Text proposed by the Commission

Amendment

(25) Critical entities should notify, as soon as reasonably possible under the given circumstances, Member States’ competent authorities of incidents that significantly disrupt or have the potential to significantly disrupt their operations. The notification should allow the competent authorities to respond to the incidents rapidly and adequately and to have a comprehensive overview of the overall risks that critical entities face. For that purpose, a procedure should be established for the notification of certain incidents and parameters should be provided for to determine when the actual or potential disruption is significant and the incidents should thus be notified. Given the potential cross-border impacts of such disruptions, a procedure should be established for Member States to inform other affected Member States via single points of contacts.

(25) Critical entities should notify, as soon as reasonably possible under the given circumstances, Member States’ competent authorities of incidents that significantly disrupt or have the potential to significantly disrupt their operations. The notification should allow the competent authorities to respond to the incidents rapidly and adequately to prevent even worse consequences and to have a comprehensive overview of the overall risks that critical entities face. For that purpose, a procedure should be established for the notification of certain incidents and parameters should be provided for to determine when the actual or potential disruption is significant and the incidents should thus be notified. Given the potential cross-border impacts of such disruptions, a procedure should be established for Member States to inform other affected Member States via single points of contacts. Given the sensitivity of some events, appropriate forms of confidentiality should be established, together with mechanisms to prevent the dissemination of data that could compromise national security.

Amendment  12

 

Proposal for a directive

Recital 30

 

Text proposed by the Commission

Amendment

(30) Member States should ensure that their competent authorities have certain specific powers for the proper application and enforcement of this Directive in relation to critical entities, where those entities fall under their jurisdiction as specified in this Directive. Those powers should include, notably, the power to conduct inspections, supervision and audits, require critical entities to provide information and evidence relating to the measures they have taken to comply with their obligations and, where necessary, issue orders to remedy identified infringements. When issuing such orders, Member States should not require measures which go beyond what is necessary and proportionate to ensure compliance of the critical entity concerned, taking account of in particular the seriousness of the infringement and the economic capacity of the critical entity. More generally, those powers should be accompanied by appropriate and effective safeguards to be specified in national law, in accordance with the requirements resulting from Charter of Fundamental Rights of the European Union. When assessing the compliance of a critical entity with its obligations under this Directive, competent authorities designated under this Directive should be able to request the competent authorities designated under the NIS 2 Directive to assess the cybersecurity of those entities. Those competent authorities should cooperate and exchange information for that purpose.

(30) Member States should ensure that their competent authorities have certain specific powers for the proper application and enforcement of this Directive in relation to critical entities, where those entities fall under their jurisdiction as specified in this Directive. Those powers should include, notably, the power to conduct inspections, supervision and audits, require critical entities to provide information and evidence relating to the measures they have taken to comply with their obligations and, where necessary, issue orders to remedy identified infringements. When issuing such orders, Member States should not require measures which go beyond what is necessary and proportionate to ensure compliance of the critical entity concerned, taking account of in particular the seriousness of the infringement and the economic capacity of the critical entity. More generally, those powers should be accompanied by appropriate and effective safeguards to be specified in national law, in accordance with the requirements resulting from Charter of Fundamental Rights of the European Union. The assessment of critical entities under this Directive, in matters that fall under the scope of the NIS 2 Directive such as physical and non-physical cybersecurity, are the responsibility of the competent authorities designated under the NIS 2 Directive. Furthermore, when assessing the compliance of a critical entity with its obligations under this Directive, competent authorities designated under this Directive should be able to request the competent authorities designated under the NIS 2 Directive to assess the cybersecurity of those entities. Those competent authorities should cooperate and exchange information for that purpose.

Amendment  13

 

Proposal for a directive

Article 1 – paragraph 1 – point a

 

Text proposed by the Commission

Amendment

(a) lays down obligations for Member States to take certain measures aimed at ensuring the provision in the internal market of services essential for the maintenance of vital societal functions or economic activities, in particular to identify critical entities and entities to be treated as equivalent in certain respects, and to enable them to meet their obligations;

(a) lays down obligations for Member States to take certain measures aimed at ensuring the continuous provision in the internal market of services essential for the maintenance of vital societal functions or economic activities, in particular to identify critical entities and entities to be treated as equivalent in certain respects, and to enable them to meet their obligations;

Amendment  14

 

Proposal for a directive

Article 1 – paragraph 2

 

Text proposed by the Commission

Amendment

2. This Directive shall not apply to matters covered by Directive (EU) XX/YY [proposed Directive on measures for a high common level of cybersecurity across the Union; (‘NIS 2 Directive’)], without prejudice to Article 7.

2. This Directive shall not apply to matters covered by Directive (EU) XX/YY [proposed Directive on measures for a high common level of cybersecurity across the Union; (‘NIS 2 Directive’)], without prejudice to Article 7. In view of the interlinkages between cybersecurity and the physical security of entities, Member States shall ensure a coherent implementation of both directives.

Amendment  15

 

Proposal for a directive

Article 1 – paragraph 3 a (new)

 

Text proposed by the Commission

Amendment

 

3a. Member States shall ensure that their security strategies, including sector-specific security strategies, provide for a coordinated policy framework for enhanced coordination in the context of information sharing on incidents and threats and the exercise of supervisory tasks which avoids the duplication of requirements and reporting and monitoring activities.

Amendment  16

 

Proposal for a directive

Article 2 – paragraph 1 – point 6

 

Text proposed by the Commission

Amendment

(6) “risk” means any circumstance or event having a potential adverse effect on the resilience of critical entities;

(6) “risk” means any circumstance or event having a potential adverse effect on the operations of critical entities;

Amendment  17

 

Proposal for a directive

Article 3 – paragraph 2 – subparagraph 1 – point d a (new)

 

Text proposed by the Commission

Amendment

 

(da) the relevant aspects from the national cybersecurity strategy as provided for in the NIS2 Directive and any other sectoral national strategy with a view to achieving coordination, complementarity and synergies.

Amendment  18

 

Proposal for a directive

Article 3 – paragraph 3 a (new)

 

Text proposed by the Commission

Amendment

 

3a. When drafting their strategies, Member States may consult local and regional authorities and take into consideration local capacities.

Amendment  19

 

Proposal for a directive

Article 4 – paragraph 1 – subparagraph 2

 

Text proposed by the Commission

Amendment

The risk assessment shall account for all relevant natural and man-made risks, including accidents, natural disasters, public health emergencies, antagonistic threats, including terrorist offences pursuant to Directive (EU) 2017/541 of the European Parliament and of the Council34 .

The risk assessment shall account for all relevant natural and man-made risks, including accidents, natural disasters, public health emergencies, antagonistic threats, including terrorist offences pursuant to Directive (EU) 2017/541 of the European Parliament and of the Council34 . Where relevant, the risk assessment shall consider the capacities of local and regional authorities.

__________________

__________________

34 Directive (EU) 2017/541 of the European Parliament and of the Council of 15 March 2017 on combating terrorism and replacing Council Framework Decision 2002/475/JHA and amending Council Decision 2005/671/JHA (OJ L 88, 31.3.2017, p. 6).

34 Directive (EU) 2017/541 of the European Parliament and of the Council of 15 March 2017 on combating terrorism and replacing Council Framework Decision 2002/475/JHA and amending Council Decision 2005/671/JHA (OJ L 88, 31.3.2017, p. 6).

Amendment  20

 

Proposal for a directive

Article 4 – paragraph 5

 

Text proposed by the Commission

Amendment

5. The Commission may, in cooperation with the Member States, develop a voluntary common reporting template for the purposes of complying with paragraph 4.

5. The Commission shall, in cooperation with the Member States, develop a voluntary common reporting template for the purposes of complying with paragraph 4.

Amendment  21

 

Proposal for a directive

Article 5 – paragraph 4 a (new)

 

Text proposed by the Commission

Amendment

 

4a. Member States may identify those entities that they have identified as essential entities under the NIS 2 Directive as critical entities under this Directive. Where a Member State decides not to identify the essential entities under the NIS 2 Directive as critical entities under this Directive, it shall justify the reasons therefor.

Amendment  22

 

Proposal for a directive

Article 6 – paragraph 1 – point e

 

Text proposed by the Commission

Amendment

(e) the geographic area that could be affected by an incident, including any cross-border impacts;

(e) the geographic area that could be affected by an incident, including any cross-border impacts, taking into account the vulnerability associated with the degree of isolation of certain types of geographic areas, such as insular regions, outermost regions or mountainous areas;

Amendment  23

 

Proposal for a directive

Article 8 – paragraph 2

 

Text proposed by the Commission

Amendment

2. Each Member State shall, within the competent authority, designate a single point of contact to exercise a liaison function to ensure cross-border cooperation with competent authorities of other Member States and with the Critical Entities Resilience Group referred to in Article 16 (‘single point of contact’).

2. Each Member State shall, within the competent authority, designate a single point of contact to exercise a liaison function to ensure cross-border cooperation with competent authorities of other Member States, with the Critical Entities Resilience Group referred to in Article 16 (‘single point of contact’) and with the critical entities. Each Member State shall ensure that the single point of contact designated under the NIS 2 Directive is the single point of contact under this Directive.

Amendment  24

 

Proposal for a directive

Article 8 – paragraph 3

 

Text proposed by the Commission

Amendment

3. By [three years and six months after entry into force of this Directive], and every year thereafter, the single points of contact shall submit a summary report to the Commission and to the Critical Entities Resilience Group on the notifications received, including the number of notifications, the nature of notified incidents and the actions taken in accordance with Article 13(3).

3. By [three years and six months after entry into force of this Directive], and in the first trimester every year thereafter, the single points of contact shall submit a summary report to the Commission and to the Critical Entities Resilience Group on the notifications received, including the number of notifications, the nature of notified incidents and the actions taken in accordance with Article 13(3).

Amendment  25

 

Proposal for a directive

Article 8 – paragraph 5

 

Text proposed by the Commission

Amendment

5. Member States shall ensure that their competent authorities, whenever appropriate, and in accordance with Union and national law, consult and cooperate with other relevant national authorities, in particular those in charge of civil protection, law enforcement and protection of personal data, as well as with relevant interested parties, including critical entities.

5. Member States shall ensure that their competent authorities, whenever appropriate, and in accordance with Union and national law, consult and cooperate with other relevant national authorities, including, where appropriate, local and regional authorities, in particular those in charge of civil protection, law enforcement and protection of personal data, as well as with relevant interested parties, including critical entities.

Amendment  26

 

Proposal for a directive

Article 9 – paragraph 1

 

Text proposed by the Commission

Amendment

1. Member States shall support critical entities in enhancing their resilience. That support may include developing guidance materials and methodologies, supporting the organisation of exercises to test their resilience and providing training to personnel of critical entities.

1. Member States shall support critical entities in enhancing their resilience, developing protocols, agreements and cooperation, and in exchanging of information and expertise between the public and private sectors. That support shall include among others, developing guidance materials and methodologies, supporting the organisation of exercises to test their resilience and providing periodic training to personnel of critical entities.

Amendment  27

 

Proposal for a directive

Article 9 – paragraph 1 a (new)

 

Text proposed by the Commission

Amendment

 

1a. Where necessary, Member States shall allocate sufficient resources to support critical entities to fulfil compliance requirements, in particular to cover additional costs associated with learning and training activities or employing additional staff for reporting, monitoring and reviewing.

Amendment  28

 

Proposal for a directive

Article 9 – paragraph 3

 

Text proposed by the Commission

Amendment

3. Member States shall establish information sharing tools to support voluntary information sharing between critical entities in relation to matters covered by this Directive, in accordance with Union and national law on, in particular, competition and protection of personal data.

3. Member States shall establish information sharing tools to support voluntary information sharing between critical entities, with the aim of increasing knowledge sharing and transparency within and between sectors, in relation to matters covered by this Directive, in accordance with Union and national law on, in particular, competition and protection of personal data.

Amendment  29

 

Proposal for a directive

Article 11 – paragraph 1 – point c a (new)

 

Text proposed by the Commission

Amendment

 

(ca) prevent incidents which might threaten the security and continuation of the supply of goods and services;

Amendment  30

 

Proposal for a directive

Article 11 – paragraph 1 – point d a (new)

 

Text proposed by the Commission

Amendment

 

(da) make use of accepted European standards and specifications relevant to the resilience of critical entities, without imposing the use of a particular type of service or technology or discriminating in favour of it;

Amendment  31

 

Proposal for a directive

Article 11 – paragraph 1 – point e

 

Text proposed by the Commission

Amendment

(e) ensure adequate employee security management, including by setting out categories of personnel exercising critical functions, establishing access rights to sensitive areas, facilities and other infrastructure, and to sensitive information as well as identifying specific categories of personnel in view of Article 12;

(e) ensure adequate employee and training security management, including by setting out categories of personnel exercising critical functions, establishing access rights to sensitive areas, facilities and other infrastructure, and to sensitive information as well as identifying specific categories of personnel in view of Article 12;

Amendment  32

 

Proposal for a directive

Article 11 – paragraph 1 – point f

 

Text proposed by the Commission

Amendment

(f) raise awareness about the measures referred to in points (a) to (e) among relevant personnel.

(f) raise awareness about the measures referred to in points (a) to (e) among relevant operators and their staff, through periodic training.

Amendment  33

 

Proposal for a directive

Article 12 – paragraph 1

 

Text proposed by the Commission

Amendment

1. Member States shall ensure that critical entities may submit requests for background checks on persons who fall within certain specific categories of their personnel, including persons being considered for recruitment to positions falling within those categories, and that those requests are assessed expeditiously by the authorities competent to carry out such background checks.

1. Member States shall ensure that critical entities may submit duly justified requests for background checks on persons who fall within certain specific categories of their personnel, identified based on common national criteria including persons being considered for recruitment to critical functions falling within those categories, and that those requests are assessed expeditiously by the authorities competent to carry out such background checks.

Amendment  34

 

Proposal for a directive

Article 12 – paragraph 2 – subparagraph 1 – introductory part

 

Text proposed by the Commission

Amendment

2. In accordance with applicable Union and national law, including Regulation (EU) 2016/679/EU of the European Parliament and of the Council38, a background check as referred to in paragraph 1 shall:

2. In accordance with applicable Union and national law, including Regulation (EU) 2016/679/EU of the European Parliament and of the Council38, Member States shall ensure that a background check as referred to in paragraph 1 is carried out for the sole purpose of evaluating a potential security risk to the critical entity and in respect of the fundamental rights of the person concerned. A background check shall:

__________________

__________________

38 OJ L 119, 4.5.2016, p. 1.

38 OJ L 119, 4.5.2016, p. 1.

Amendment  35

 

Proposal for a directive

Article 12 – paragraph 2 – subparagraph 1 – point c

 

Text proposed by the Commission

Amendment

(c) cover previous employments, education and any gaps in education or employment in the person’s resume during at least the preceding five years and for a maximum of ten years.

(c) in exceptional cases and based on national criteria, cover previous employments, education and any gaps in education or employment in the person’s resume during at least the preceding five years and for a maximum of ten years.

Amendment  36

 

Proposal for a directive

Article 13 – paragraph 1

 

Text proposed by the Commission

Amendment

1. Member States shall ensure that critical entities notify without undue delay the competent authority of incidents that significantly disrupt or have the potential to significantly disrupt their operations. Notifications shall include any available information necessary to enable the competent authority to understand the nature, cause and possible consequences of the incident, including so as to determine any cross-border impact of the incident. Such notification shall not make the critical entities subject to increased liability.

1. Member States shall ensure that critical entities only notify the competent authority of incidents that significantly disrupt their operations without undue delay, in order to avoid over-information and unnecessary data flow, and to guarantee the effective functioning of national authorities and private entities. Notifications shall include any available information necessary to enable the competent authority to understand the nature, cause and possible consequences of the incident, including so as to determine any cross-border impact of the incident. Such notification shall not make the critical entities subject to increased liability.

Amendment  37

 

Proposal for a directive

Article 13 – paragraph 2 – point -a (new)

 

Text proposed by the Commission

Amendment

 

(-a) the impact on human life and the environmental consequences;

Amendment  38

 

Proposal for a directive

Article 13 – paragraph 2 – point c

 

Text proposed by the Commission

Amendment

(c) the geographical area affected by the disruption or potential disruption.

(c) the geographical area affected by the disruption or potential disruption, taking into account whether that area is geographically isolated.

Amendment  39

 

Proposal for a directive

Article 16 – paragraph 2 – subparagraph 1

 

Text proposed by the Commission

Amendment

2. The Critical Entities Resilience Group shall be composed of representatives of the Member States and the Commission. Where relevant for the performance of its tasks, the Critical Entities Resilience Group may invite representatives of interested parties to participate in its work.

2. The Critical Entities Resilience Group shall be composed of representatives of the Member States and the Commission. Where relevant for the performance of its tasks, the Critical Entities Resilience Group may invite representatives of relevant parties to participate in its work, encouraging the involvement of SMEs, civil society and trade unions mainly in training related aspects.

Amendment  40

 

Proposal for a directive

Article 16 – paragraph 5

 

Text proposed by the Commission

Amendment

5. The Critical Entities Resilience Group shall meet regularly and at least once a year with the Cooperation Group established under [the NIS 2 Directive] to promote strategic cooperation and exchange of information.

5. The Critical Entities Resilience Group shall meet regularly and at least once a year with the Cooperation Group established under [the NIS 2 Directive] to facilitate strategic cooperation and information exchange.

Amendment  41

 

Proposal for a directive

Article 16 – paragraph 7 a (new)

 

Text proposed by the Commission

Amendment

 

7a. Critical Entities Resilience Group, in spirit of security cooperation and open access, may give, upon request, access to its findings and source data for use in academia, security research and for other beneficial uses. The requests for access should be reasoned and justified and the data provided shall respect the fundamental rights of persons and be proportionate to the influence on the entities in question.

Amendment  42

 

Proposal for a directive

Article 16 – paragraph 7 b (new)

 

Text proposed by the Commission

Amendment

 

7b. The Commission shall set up a common secretariat for the Critical Entities Resilience Group and the Cooperation Group established under [the NIS 2 Directive] in order to better accommodate communication between the two groups and, consequently, to minimise ambiguities between the different designated authorities under this Directive and [the NIS 2 Directive].

Amendment  43

 

Proposal for a directive

Article 17 – paragraph 2 a (new)

 

Text proposed by the Commission

Amendment

 

2a. In order to receive and properly use the information received under Article 8(3), the Commission shall keep a European registry of incidents with the aim of developing and sharing best practices and methodologies.

Amendment  44

 

Proposal for a directive

Article 22 – paragraph 2

 

Text proposed by the Commission

Amendment

The Commission shall periodically review the functioning of this Directive, and report to the European Parliament and to the Council. The report shall in particular assess the impact and added value of this Directive on ensuring the resilience of critical entities and whether the scope of the Directive should be extended to cover other sectors or subsectors. The first report shall be submitted by [six years after the entry into force of this Directive] and shall assess in particular whether the scope of the Directive should be extended to include the food production, processing and distribution sector.

The Commission shall periodically review the functioning of this Directive, and report to the European Parliament and to the Council. The report shall in particular assess the impact and added value of this Directive on ensuring the resilience of critical entities and whether the scope of the Directive should be extended to cover other sectors or subsectors. The first report shall be submitted by [six years after the entry into force of this Directive]. For that purpose and with a view to further advancing strategic cooperation, the Commission shall take into account any non-binding guidance documents of the Critical Entities Resilience Group on the experience gained at a strategic level.

Amendment  45

 

Proposal for a directive

Annex - Point 5. Health (new)

 

 

Text proposed by the Commission

Sector

Subsector

Type of entity

 

Amendment

 

 

Entities holding a distribution authorisation referred to in Article 79 of Directive 2001/83/EC

Amendment  46

 

Proposal for a directive

Annex - Point 8 a (new)

 

 

Text proposed by the Commission

Sector

Subsector

Type of entity

 

Amendment

Food

Wholesale market

 Food businesses as referred to in Annex I of Regulation (EC) N° 853/2004 (1a)

1a Regulation (EC) No 853/2004 of the European Parliament and of the Council of 29 April 2004 laying down specific hygiene rules for on the hygiene of foodstuffs  (OJ L 139, 30.04.2004, p.39).


PROCEDURE – COMMITTEE ASKED FOR OPINION

Title

Resilience of critical entities

References

COM(2020)0829 – C9-0421/2020 – 2020/0365(COD)

Committee responsible

 Date announced in plenary

LIBE

11.2.2021

 

 

 

Opinion by

 Date announced in plenary

ITRE

11.2.2021

Associated committees - date announced in plenary

29.4.2021

Rapporteur for the opinion

 Date appointed

Nils Torvalds

15.2.2021

Discussed in committee

26.5.2021

 

 

 

Date adopted

1.7.2021

 

 

 

Result of final vote

+:

–:

0:

58

0

14

Members present for the final vote

Nicola Beer, François-Xavier Bellamy, Hildegard Bentele, Tom Berendsen, Vasile Blaga, Michael Bloss, Paolo Borchia, Marc Botenga, Markus Buchheit, Martin Buschmann, Cristian-Silviu Buşoi, Jerzy Buzek, Carlo Calenda, Maria da Graça Carvalho, Ignazio Corrao, Ciarán Cuffe, Josianne Cutajar, Nicola Danti, Pilar del Castillo Vera, Christian Ehler, Valter Flego, Niels Fuglsang, Lina Gálvez Muñoz, Jens Geier, Bart Groothuis, Christophe Grudler, Henrike Hahn, Robert Hajšel, Ivo Hristov, Romana Jerković, Eva Kaili, Seán Kelly, Izabela-Helena Kloc, Łukasz Kohut, Andrius Kubilius, Miapetra Kumpula-Natri, Thierry Mariani, Marisa Matias, Eva Maydell, Joëlle Mélin, Iskra Mihaylova, Dan Nica, Angelika Niebler, Ville Niinistö, Mauri Pekkarinen, Tsvetelina Penkova, Morten Petersen, Markus Pieper, Clara Ponsatí Obiols, Manuela Ripa, Jérôme Rivière, Robert Roos, Massimiliano Salini, Sara Skyttedal, Jessica Stegrud, Beata Szydło, Riho Terras, Grzegorz Tobiszowski, Patrizia Toia, Evžen Tošenovský, Marie Toussaint, Isabella Tovaglieri, Viktor Uspaskich, Henna Virkkunen, Pernille Weiss, Carlos Zorrinho

Substitutes present for the final vote

Klemen Grošelj, Alicia Homs Ginel, Elena Lizzi, Jutta Paulus, Susana Solís Pérez, Nils Torvalds

 


FINAL VOTE BY ROLL CALL IN COMMITTEE ASKED FOR OPINION

58

+

NI

Martin Buschmann, Clara Ponsatí Obiols, Viktor Uspaskich

PPE

François-Xavier Bellamy, Hildegard Bentele, Tom Berendsen, Vasile Blaga, Cristian-Silviu Buşoi, Jerzy Buzek, Maria da Graça Carvalho, Pilar del Castillo Vera, Christian Ehler, Seán Kelly, Andrius Kubilius, Eva Maydell, Angelika Niebler, Markus Pieper, Massimiliano Salini, Sara Skyttedal, Riho Terras, Henna Virkkunen, Pernille Weiss

Renew

Nicola Beer, Nicola Danti, Valter Flego, Bart Groothuis, Klemen Grošelj, Christophe Grudler, Iskra Mihaylova, Mauri Pekkarinen, Morten Petersen, Susana Solís Pérez, Nils Torvalds

S&D

Carlo Calenda, Josianne Cutajar, Niels Fuglsang, Lina Gálvez Muñoz, Jens Geier, Robert Hajšel, Alicia Homs Ginel, Ivo Hristov, Romana Jerković, Eva Kaili, Łukasz Kohut, Miapetra Kumpula-Natri, Dan Nica, Tsvetelina Penkova, Patrizia Toia, Carlos Zorrinho

The Left

Marisa Matias

Verts/ALE

Michael Bloss, Ignazio Corrao, Ciarán Cuffe, Henrike Hahn, Ville Niinistö, Jutta Paulus, Manuela Ripa, Marie Toussaint

 

14

0

ECR

Izabela-Helena Kloc, Robert Roos, Jessica Stegrud, Beata Szydło, Grzegorz Tobiszowski, Evžen Tošenovský

ID

Paolo Borchia, Markus Buchheit, Elena Lizzi, Thierry Mariani, Joëlle Mélin, Jérôme Rivière, Isabella Tovaglieri

The Left

Marc Botenga

 

Key to symbols:

+ : in favour

- : against

0 : abstention

 


 

 

OPINION OF THE COMMITTEE ON THE INTERNAL MARKET AND CONSUMER PROTECTION (23.7.2021)

for the Committee on Civil Liberties, Justice and Home Affairs

on the proposal for a directive of the European Parliament and of the Council on the resilience of critical entities

(COM(2020)0829 – C9‑0421/2020 – 2020/0365(COD))

Rapporteur for opinion ‘(*)’: Alex Agius Saliba

 

 

‘(*) Associated committee – Rule 57 of the Rules of Procedure’

 

 

 

SHORT JUSTIFICATION

On 16 December 2020, the Commission presented a proposal for a directive on the resilience of critical entities (RCE) together with an accompanying impact assessment, based on the 2019 assessment of the implementation of the Directive 2008/114/EC on European critical infrastructure (ECI). In view of the importance of cybersecurity for the resilience of critical entities, the Commission submitted in parallel also a proposal for a revised NIS Directive ('NIS 2'). To ensure full coherence, cyber-resilience obligations under NIS 2 would apply also to critical entities identified under the new proposal.

The RCE proposal reflects a switch from the current approach from protection of individual assets towards strengthening the resilience of the critical entities that operate them. It would require Member States to adopt national strategies and undertake regular risk assessments and also establishes obligations on critical entities to enhance their resilience and ability to provide essential services. The procedure of identifying critical entities would be different to that set out in ECI Directive. The Commission would also have specific oversight over critical entities of particular European significance.

The rapporteur is broadly supportive of the RCE proposal and believes it is important for IMCO to acknowledge that the existing EU-level measures aimed at protecting key services and infrastructures from physical risks need to be updated. Strengthening the resilience of critical entities in the Member States and levelling the playing field for critical entities across the Union is of outstanding importance considering the increasing interlinkages between sectors, entities and services in the internal market.

 

The IMCO Committee is associated pursuant to Rule 57 with shared competences as regards issues that raise questions under the remit of IMCO aimed at improving the functioning of the internal market.

Scope and definitions

The rapporteur welcomes the extension of the scope of the directive as it gives the possibility of encompassing new sectors that did not benefit from specific protection measures. However, the rapporteur believes that the general objective of ensuring a high level of resilience of critical entities and essential infrastructures and securing the delivery of essential services in order to improve the functioning of the internal market needs to be clearly spelt out.

Furthermore, he tries to ensure closer alignment and harmonisation of both RCE and NIS 2 Directives, where possible in particular in relation to scope and definitions. To this end, the rapporteur requires that physical non-cyber protection under the proposed RCE Directive are clearly separated from the requirements in NIS 2 through a clear distinction in the definition of “resilience” comprised in Article 2(2). Furthermore, he proposes a set of well-articulated definitions covering “critical entities”, “resilience”, “incident”, “essential infrastructure” among others.

Strategy and risk assessment by Member States

 

The rapporteur welcomes the strategy reinforcing the resilience of critical entities and the risk assessment that each Member State must adopt. However, he makes suggestions to improve the involvement and consultation with the critical entities and stakeholders, as these companies provide vital services for the smooth running of daily life and enhanced cooperation with them is key if we are to achieve the objectives of this Directive. He also acknowledges the importance of managing supply chain and supplier-related risks when used by critical entities to ensuring supply chains contribution to the resilience of the entities they supply to.

 

Identification of critical entities

 

The rapporteur supports that Member States will have to identify critical entities in key relevant sectors referred to in the Annex, however, he explains that Member States will be obliged to identify entities for those sectors and subsectors from the Annex that exist in the Member States and for which the entities are key providers of essential services for the maintenance of vital societal functions and economic activities. The rapporteur has therefore made suggestions in this area.

 

Competent authorities and single point of contact

 

The rapporteur acknowledges the importance of proper oversight and enhanced cooperation between competent authorities of the Member States. However, he notes that single points of contact should be established to exercise a liaison function and coordination with the critical entities with competent authorities and other single points of contact and with the Critical Entities Resilience Group. The single point of contact should also simplify and harmonise reporting channels (one-stop-shop principle).

 

Notification of incidents

The rapporteur believes that incidents that significantly disrupt the operations of critical entities and are of public interest shall be reported not only to the competent authorities, via the single point of contact, but as well as to the public or when necessary to the affected users. The rapporteur also suggests clarifying some of the requirements to notify incidents that have not yet happened and provides additional guidance as to the reporting thresholds.

 

 


AMENDMENTS

The Committee on the Internal Market and Consumer Protection calls on the Committee on Civil Liberties, Justice and Home Affairs, as the committee responsible, to take into account the following amendments:

Amendment  1

Proposal for a directive

Recital 1

 

Text proposed by the Commission

Amendment

(1) Council Directive 2008/114/EC17 provides for a procedure for designating European critical infrastructures in the energy and transport sectors, the disruption or destruction of which would have significant cross-border impact on at least two Member States. That Directive focused exclusively on the protection of such infrastructures. However, the evaluation of Directive 2008/114/EC conducted in 201918 found that due to the increasingly interconnected and cross-border nature of operations using critical infrastructure, protective measures relating to individual assets alone are insufficient to prevent all disruptions from taking place. Therefore, it is necessary to shift the approach towards ensuring the resilience of critical entities, that is, their ability to mitigate, absorb, accommodate to and recover from incidents that have the potential to disrupt the operations of the critical entity.

(1) Council Directive 2008/114/EC17 provides for a procedure for designating European critical infrastructures in the energy and transport sectors, the disruption or destruction of which would have significant cross-border impact on at least two Member States. That Directive focused exclusively on the protection of such infrastructures. However, the evaluation of Directive 2008/114/EC conducted in 201918 found that due to the increasingly interconnected and cross-border nature of operations using critical infrastructure, protective measures relating to individual assets alone are insufficient to prevent all disruptions from taking place. Therefore, it is necessary to shift the approach towards ensuring the resilience of critical entities, that is, their ability to mitigate, absorb, accommodate to and recover and protect from incidents or threats that have the potential to disrupt the operations of the critical entity, the functioning of the internal market or the free movement of essential services.

__________________

__________________

17 Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection (OJ L 345, 23.12.2008, p.75).

17 Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection (OJ L 345, 23.12.2008, p.75).

18 SWD(2019) 308.

18 SWD(2019) 308.

Amendment  2

Proposal for a directive

Recital 2

 

Text proposed by the Commission

Amendment

(2) Despite existing measures at Union[1] and national level aimed at supporting the protection of critical infrastructures in the Union, the entities operating those infrastructures are not adequately equipped to address current and anticipated future risks to their operations that may result in disruptions of the provision of services that are essential for the performance of vital societal functions or economic activities. This is due to a dynamic threat landscape with an evolving terrorist threat and growing interdependencies between infrastructures and sectors, as well as an increased physical risk due to natural disasters and climate change, which increases the frequency and scale of extreme weather events and brings long-term changes in average climate that can reduce the capacity and efficiency of certain infrastructure types if resilience or climate adaptation measures are not in place. Moreover, relevant sectors and types of entities are not recognised consistently as critical in all Member States.

(2) Despite existing measures at Union19 and national level aimed at supporting the protection of critical infrastructures in the Union, the entities operating those infrastructures are not adequately equipped to address current and anticipated future risks to their operations that may result in disruptions of the provision of services that are essential for the performance of vital societal functions or economic activities. This is due to a dynamic threat landscape with an evolving terrorist threat and growing interdependencies between infrastructures and sectors, as well as an increased physical risk due to  natural disasters and climate change, which increases the frequency and scale of extreme weather events and brings long-term changes in average climate that can reduce the capacity and efficiency of certain infrastructure types if resilience or climate adaptation measures are not in place. Moreover, relevant sectors and types of entities are not recognised consistently as critical in all Member States.  Due to the increased cross-sectoral and cross-border interdependencies between critical infrastructures, an incident in one Member State can seriously affect activities in another Member State. In order to achieve a high level of resilience of critical infrastructures across the Union, essential services and  essential infrastructure should be protected and resilient in all Member States.

Amendment  3

Proposal for a directive

Recital 3

 

Text proposed by the Commission

Amendment

(3) Those growing interdependencies are the result of an increasingly cross-border and interdependent network of service provision using key infrastructures across the Union in the sectors of energy, transport, banking, financial market infrastructure, digital infrastructure, drinking and waste water, health, certain aspects of public administration, as well as space in as far as the provision of certain services depending on ground-based infrastructures that are owned, managed and operated either by Member States or by private parties is concerned, therefore not covering infrastructures owned, managed or operated by or on behalf of the Union as part of its space programmes. These interdependencies mean that any disruption, even one initially confined to one entity or one sector, can have cascading effects more broadly, potentially resulting in far-reaching and long-lasting negative impacts in the delivery of services across the internal market. The COVID-19 pandemic has shown the vulnerability of our increasingly interdependent societies in the face of low-probability risks.

(3) Those growing interdependencies are the result of an increasingly cross-border and interdependent network of essential service provision using key infrastructures across the Union in the sectors of energy, transport, banking, financial market infrastructure, digital infrastructure, drinking and waste water, health, certain aspects of public administration, as well as space in as far as the provision of certain services depending on ground-based infrastructures that are owned, managed and operated either by Member States or by private parties is concerned, therefore not covering infrastructures owned, managed or operated by or on behalf of the Union as part of its space programmes. These interdependencies mean that any disruption of essential services, even one initially confined to one entity or one sector, can have cascading effects more broadly, potentially resulting in a far-reaching and long-lasting negative impact on the delivery of those services across the internal market, including on individuals, consumers and business. The COVID-19 pandemic has shown the vulnerability of our increasingly interdependent societies in the face of low-probability risks.

Amendment  4

Proposal for a directive

Recital 4

 

Text proposed by the Commission

Amendment

(4) The entities involved in the provision of essential services are increasingly subject to diverging requirements imposed under the laws of the Member States. The fact that some Member States have less stringent security requirements on these entities not only risks impacting negatively on the maintenance of vital societal functions or economic activities across the Union, it also leads to obstacles to the proper functioning of the internal market. Similar types of entities are considered as critical in some Member States but not in others, and those which are identified as critical are subject to divergent requirements in different Member States. This results in additional and unnecessary administrative burdens for companies operating across borders, notably for companies active in Member States with more stringent requirements.

(4) The entities involved in the provision of essential services and essential infrastructure are increasingly subject to diverging requirements imposed under the laws of the Member States. The fact that some Member States have less stringent security requirements on these entities not only creates heterogeneous levels of resilience and differences between Member States relating to the designation and oversight of critical entities  but also impacts negatively on the maintenance of vital societal functions or economic activities across the Union, and also leads to unfair competition and to obstacles to the proper functioning of the internal market . Similar types of entities are considered as critical in some Member States but not in others, and those which are identified as critical are subject to divergent requirements in different Member States. This results in additional and unnecessary administrative burdens for companies operating across borders, notably for companies active in Member States with more stringent requirements. A European framework should therefore also have the effect of levelling the playing field for critical entities across the Union.

Amendment  5

Proposal for a directive

Recital 5

 

Text proposed by the Commission

Amendment

(5) It is therefore necessary to lay down harmonised minimum rules to ensure the provision of essential services in the internal market and enhance the resilience of critical entities.

(5) It is therefore necessary to lay down harmonised minimum rules to ensure the provision and free movement of essential services in the internal market and enhance the resilience of critical entities and essential infrastructure necessary for vital societal or economic activities within the Union. To this end, the aim of this Directive should be to make critical infrastructures and critical entities resilient thereby furthering their capacity to ensure continuous provision of essential services or essential infrastructure or at least to swiftly restore performance after an incident has taken place. Operators of critical infrastructures delivering essential services across the internal market in various sectors necessary for vital societal functions and economic activities, should become resilient against current and anticipated future risks.

Amendment  6

Proposal for a directive

Recital 6

 

Text proposed by the Commission

Amendment

(6) In order to achieve that objective, Member States should identify critical entities that should be subject to specific requirements and oversight, but also particular support and guidance aimed at achieving a high level of resilience in the face of all relevant risks.

(6) In order to achieve that objective, Member States should identify critical entities that provide essential services or essential infrastructure falling within existing sectors and subsectors at national level as referred to in the Annex which should be subject to specific requirements and oversight, but also particular support and guidance aimed at achieving a high level of resilience in the face of all relevant risks and possible crises.

Amendment  7

Proposal for a directive

Recital 8

 

Text proposed by the Commission

Amendment

(8) Given the importance of cybersecurity for the resilience of critical entities and in the interest of consistency, a coherent approach between this Directive and Directive (EU) XX/YY of the European Parliament and of the Council20 (hereafter “NIS 2 Directive”) is necessary wherever possible. In view of the higher frequency and particular characteristics of cyber risks, the NIS 2 Directive imposes comprehensive requirements on a large set of entities to ensure their cybersecurity. Given that cybersecurity is addressed sufficiently in the NIS 2 Directive, the matters covered by it should be excluded from the scope of this Directive, without prejudice to the particular regime for entities in the digital infrastructure sector.

(8) Given the importance of cybersecurity for the resilience of critical entities and in the interest of consistency, a coherent approach between this Directive and Directive (EU) XX/YY of the European Parliament and of the Council20 (the “NIS 2 Directive”) is necessary wherever possible. In view of the higher frequency and particular characteristics of cyber risks, the NIS 2 Directive imposes comprehensive requirements on a large set of entities to ensure their cybersecurity. Given that cybersecurity is addressed sufficiently in the NIS 2 Directive, the matters covered by it should be excluded from the scope of this Directive, without prejudice to the particular regime for entities in the digital infrastructure sector. A coherent approach should be ensured between these acts, such as by ensuring that entities under NIS 2 susceptible to being subject to obligations under this Directive, where possible, benefit from a single point of contact and a common set of rules. As a result, the supervision of entities identified as critical or equivalent to critical under this Directive, in matters that fall under the scope of the NIS2 Directive, will be a responsibility of the competent authorities designated under the NIS 2 Directive. Furthermore, entities that are identified as essential entities under the NIS 2 Directive, but are not identified as critical entities under this Directive, should also enhance the resilience of their physical infrastructure, where appropriate.

__________________

__________________

20 [Reference to NIS 2 Directive, once adopted.]

20 Directive of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148 (OJ L ..., ..., p. ..).

Amendment  8

Proposal for a directive

Recital 10

 

Text proposed by the Commission

Amendment

(10) In view of ensuring a comprehensive approach to the resilience of critical entities, each Member State should have a strategy setting out objectives and policy measures to be implemented. To achieve this, Member States should ensure that their cybersecurity strategies provide for a policy framework for enhanced coordination between the competent authority under this Directive and the NIS 2 Directive in the context of information sharing on incidents and cyber threats and the exercise of supervisory tasks.

In view of ensuring a comprehensive approach to the resilience of critical entities, and taking into account the objectives of the Union’s strategy on resilience  prepared by the Critical Entities Resilience Group, each Member State should adopt a national strategy setting out objectives and policy measures to be implemented. To achieve this, Member States should ensure that their cybersecurity strategies provide for a policy framework for enhanced coordination between the competent authority under this Directive and the NIS 2 Directive in the context of information sharing on incidents and cyber threats and the exercise of supervisory tasks.

Amendment  9

Proposal for a directive

Recital 11

 

Text proposed by the Commission

Amendment

(11) The actions of Member States to identify and help ensure the resilience of critical entities should follow a risk-based approach that targets efforts to the entities most relevant for the performance of vital societal functions or economic activities. In order to ensure such a targeted approach, each Member State should carry out, within a harmonised framework, an assessment of all relevant natural and man-made risks that may affect the provision of essential services, including accidents, natural disasters, public health emergencies such as pandemics, and antagonistic threats, including terrorist offences. When carrying out those risk assessments, Member States should take into account other general or sector-specific risk assessment carried out pursuant to other acts of Union law and should consider the dependencies between sectors, including from other Member States and third countries. The outcomes of the risk assessment should be used in the process of identification of critical entities and to assist those entities in meeting the resilience requirements of this Directive.

(11) The actions of Member States to identify and help ensure the resilience of critical entities should follow a risk-based approach that targets efforts to the entities most relevant for the performance of essential services vital for societal functions or economic activities. In order to ensure such a targeted approach, each Member State should carry out, within a harmonised framework, an assessment of all relevant risks, including cross-sectoral, cross-border, natural and man-made risks that may affect the provision of essential services, including accidents, natural disasters, public health emergencies such as pandemics, and antagonistic threats, including terrorist offences. When carrying out those risk assessments, Member States should take into account other general or sector-specific risk assessment carried out pursuant to other acts of Union law and should consider the dependencies between sectors, including from other Member States and third countries, and risks arising for the general population or the internal market. Member States should not consider as a risk any regular business risk to operations derived from market conditions, or any risk derived from democratic decision-making. The outcomes of the risk assessment should be used in the process of identification of critical entities and to assist those entities in meeting the resilience requirements of this Directive.

Amendment  10

Proposal for a directive

Recital 12

 

Text proposed by the Commission

Amendment

(12) In order to ensure that all relevant entities are subject to those requirements and to reduce divergences in this respect, it is important to lay down harmonised rules allowing for a consistent identification of critical entities across the Union, while also allowing Member States to reflect national specificities. Therefore, criteria to identify critical entities should be laid down. In the interest of effectiveness, efficiency, consistency and legal certainty, appropriate rules should also be set on notification and cooperation relating to, as well as the legal consequences of, such identification. In order to enable the Commission to assess the correct application of this Directive, Member States should submit to the Commission, in a manner that is as detailed and specific as possible, relevant information and, in any event, the list of essential services, the number of critical entities identified for each sector and subsector referred to in the Annex and the essential service or services that each entity provides and any thresholds applied.

(12) In order to ensure that all relevant entities are subject to those requirements and to reduce divergences in this respect, it is important to lay down harmonised rules allowing for a consistent identification of critical entities across the Union, while also allowing Member States to reflect national specificities of the sectors and subsectors on their territory listed in the Annex. Therefore, common criteria and specifications based on minimum indicators and methodologies for each sector and sub-sector to identify critical entities should be laid down in close cooperation with the relevant authorities. In the interest of effectiveness, efficiency, consistency and legal certainty, appropriate rules should also be set on notification and cooperation relating to, as well as the legal consequences of, such identification. In order to enable the Commission to assess the correct application of this Directive, Member States should submit to the Commission, in a manner that is as detailed and specific as possible, relevant information and, in any event, the list of essential services, the number of critical entities identified for each sector and subsector referred to in the Annex and the essential service or services that each entity provides and any thresholds applied. In order to avoid divergent application of this Directive and improve the functioning of the internal market, the Commission in cooperation with the Member States should provide detailed guidelines and make recommendations to support Member States in identifying the list of essential services and infrastructure and the critical entities for each national sector and subsector referred to in the Annex.

Amendment  11

Proposal for a directive

Recital 15

 

Text proposed by the Commission

Amendment

(15) The EU financial services acquis establishes comprehensive requirements on financial entities to manage all risks they face, including operational risks and ensure business continuity. This includes Regulation (EU) No 648/2012 of the European Parliament and of the Council22 , Directive 2014/65/EU of the European Parliament and of the Council23 and Regulation (EU) No 600/2014 of the European Parliament and of the Council24 as well as Regulation (EU) No 575/2013 of the European Parliament and of the Council25 and Directive 2013/36/EU of the European Parliament and of the Council26 . The Commission has recently proposed to complement this framework with Regulation XX/YYYY of the European Parliament and of the Council [proposed Regulation on digital operational resilience for the financial sector (hereafter “DORA Regulation”)27 ], which lays down requirements for financial firms to manage ICT risks, including the protection of physical ICT infrastructures. Since the resilience of entities listed in points 3 and 4 of the Annex is comprehensively covered by the EU financial services acquis, those entities should also be treated as equivalent to critical entities for the purposes of Chapter II of this Directive only. To ensure a consistent application of the operational risk and digital resilience rules in the financial sector, Member States’ support to enhancing the overall resilience of financial entities equivalent to critical entities should be ensured by the authorities designated pursuant to Article 41 of [DORA Regulation], and subject to the procedures set out in that legislation in a fully harmonised manner.

(15) The EU financial services acquis establishes comprehensive requirements on financial entities to manage all risks they face, including operational risks and ensure business continuity. This includes Regulation (EU) No 648/2012 of the European Parliament and of the Council22 , Directive 2014/65/EU of the European Parliament and of the Council23 and Regulation (EU) No 600/2014 of the European Parliament and of the Council24 as well as Regulation (EU) No 575/2013 of the European Parliament and of the Council25 and Directive 2013/36/EU of the European Parliament and of the Council26 . The Commission has recently proposed to complement this framework with Regulation XX/YYYY of the European Parliament and of the Council [proposed Regulation on digital operational resilience for the financial sector (hereafter “DORA Regulation”)27 ], which lays down requirements for financial firms to manage ICT risks, including the protection of physical ICT infrastructures. Since the resilience of entities listed in points 3 and 4 of the Annex is comprehensively covered by the EU financial services acquis, those entities should also be treated as equivalent to critical entities for the purposes of Chapter II of this Directive only and consequently, such entities should not be subject to the obligations laid down in Chapters III to VI. To ensure a consistent application of the operational risk and digital resilience rules in the financial sector, Member States’ support to enhancing the overall resilience of financial entities equivalent to critical entities should be ensured by the authorities designated pursuant to Article 41 of [DORA Regulation], and subject to the procedures set out in that legislation in a fully harmonised manner.

__________________

__________________

22 Regulation (EU) No 648/2012 of the European Parliament and of the Council of 4 July 2012 on OTC derivatives, central counterparties and trade repositories (OJ L 201, 27.7.2012, p. 1).

22 Regulation (EU) No 648/2012 of the European Parliament and of the Council of 4 July 2012 on OTC derivatives, central counterparties and trade repositories (OJ L 201, 27.7.2012, p. 1).

23 Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Directive 2002/92/EC and Directive 2011/61/EU (OJ L 173, 12.6.2014, p. 349).

23 Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Directive 2002/92/EC and Directive 2011/61/EU (OJ L 173, 12.6.2014, p. 349).

24 Regulation (EU) No 600/2014 of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Regulation (EU) No 648/2012 (OJ L 173, 12.6.2014, p. 84).

24 Regulation (EU) No 600/2014 of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Regulation (EU) No 648/2012 (OJ L 173, 12.6.2014, p. 84).

25 Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No 648/2012 (OJ L 176, 27.6.2013, p. 1).

25 Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No 648/2012 (OJ L 176, 27.6.2013, p. 1).

26 Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC (OJ L 176, 27.6.2013, p. 338).

26 Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC (OJ L 176, 27.6.2013, p. 338).

27 Proposal for a Regulation of the European Parliament and of the Council on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014, COM(2020) 595.

27 Proposal for a Regulation of the European Parliament and of the Council on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014, COM(2020) 595.

Amendment  12

Proposal for a directive

Recital 16

 

Text proposed by the Commission

Amendment

(16) Member States should designate authorities competent to supervise the application of and, where necessary, enforce the rules of this Directive and ensure that those authorities are adequately empowered and resourced. In view of the differences in national governance structures and in order to safeguard already existing sectoral arrangements or Union supervisory and regulatory bodies, and to avoid duplication, Member States should be able to designate more than one competent authority.  In that case, they should however clearly delineate the respective tasks of the authorities concerned and ensure that they cooperate smoothly and effectively. All competent authorities should also cooperate more generally with other relevant authorities, both at national and Union level.

(16) Member States should designate authorities competent to supervise the application of and enforce the rules of this Directive and ensure that those authorities are adequately empowered and resourced. In view of the differences in national governance structures and in order to safeguard already existing sectoral arrangements or Union supervisory and regulatory bodies, and to avoid duplication, Member States should be able to designate more than one competent authority.  In that case, they should however clearly delineate the respective tasks of the authorities concerned and ensure that they cooperate smoothly and effectively. All competent authorities should also cooperate more generally with other relevant authorities, both at national and Union level.

Amendment  13

Proposal for a directive

Recital 17

 

Text proposed by the Commission

Amendment

(17) In order to facilitate cross-border cooperation and communication and to enable the effective implementation of this Directive, each Member State should, without prejudice to sector-specific Union legal requirements, designate, within one of the authorities it designated as competent authority under this Directive, a single point of contact responsible for coordinating issues related to the resilience of critical entities and cross-border cooperation at Union level in this regard.

(17) In order to facilitate cross-border cooperation and communication and to enable the effective implementation of this Directive, each Member State should, without prejudice to sector-specific Union legal requirements, designate, within one of the authorities it designated as competent authority under this Directive, a single point of contact responsible for coordinating issues related to the resilience of critical entities and cross-border cooperation at Union level in this regard. The single points of contact should also liaise, and coordinate all communication, with the competent authorities of its Member State, with the single points of contact of other Member States, with the Critical Entities Resilience Group established by this Directive and with entities identified as critical entities under this Directive.  In order to facilitate the cooperation and communication with the Member States, entities identified as critical entities under this Directive should also designate a reference point of contact within the entity. The reference point of contact should be used by the critical entity to liaise, coordinate and communicate with the Member States, on measures related to the organisational and technical aspects related to the implementation of this Directive. To that end, the single points of contact should use efficient, secure, standardised and harmonised reporting channels.

Amendment  14

Proposal for a directive

Recital 18

 

Text proposed by the Commission

Amendment

(18) Given that under the NIS 2 Directive entities identified as critical entities, as well as identified entities in the digital infrastructure sector that are to be treated as equivalent under the present Directive are subject to the cybersecurity requirements of the NIS 2 Directive, the competent authorities designated under the two Directives should cooperate, particularly in relation to cybersecurity risks and incidents affecting those entities.

(18) Given that under the NIS 2 Directive entities identified as critical entities, as well as identified entities in the digital infrastructure sector that are to be treated as equivalent under the present Directive are subject to the cybersecurity requirements of the NIS 2 Directive, the competent authorities designated under the two Directives should cooperate in an effective and consistent manner, particularly in relation to cybersecurity risks and incidents affecting those entities.

Amendment  15

Proposal for a directive

Recital 19

 

Text proposed by the Commission

Amendment

 

(19) Member States should support critical entities in strengthening their resilience, in compliance with their obligations under this Directive, without prejudice to the entities’ own legal responsibility to ensure such compliance. Member States could in particular develop guidance materials and methodologies, and should support the organisation of exercises to test their resilience, provide training to personnel of critical entities, provide financial resources without prejudice to existing competition law rules, in particular rules on state aid and  assistance and protect sensitive areas, facilities and other infrastructure, where necessary and justified by public interest objectives. Moreover, given the interdependencies between entities and sectors, Member States should establish information sharing tools to support voluntary information sharing and good practices between critical entities, without prejudice to the application of competition rules laid down in the Treaty on the Functioning of the European Union.

Amendment  16

Proposal for a directive

Recital 25

 

Text proposed by the Commission

Amendment

(25) Critical entities should notify, as soon as reasonably possible under the given circumstances, Member States’ competent authorities of incidents that significantly disrupt or have the potential to significantly disrupt their operations. The notification should allow the competent authorities to respond to the incidents rapidly and adequately and to have a comprehensive overview of the overall risks that critical entities face. For that purpose, a procedure should be established for the notification of certain incidents and parameters should be provided for to determine when the actual or potential disruption is significant and the incidents should thus be notified. Given the potential cross-border impacts of such disruptions, a procedure should be established for Member States to inform other affected Member States via single points of contacts.

(25) Critical entities should notify, as soon as reasonably possible under the given circumstances and no later than 24 hours after becoming aware of a particular incident, Member States' competent authorities of incidents that significantly disrupt or have the potential to significantly disrupt their operations. Critical entities and competent authorities should also inform the public of such incidents where they determine that the disclosure of such incidents would be in the public interest. Critical entities should also notify potentially affected users of their services of the incident, its consequences and, where relevant, any possible safety measures or remedies to be taken by users. The notification should allow the competent authorities and users to respond to the incidents rapidly and adequately and to have a comprehensive overview of the overall risks that critical entities face. For that purpose, a procedure should be established for the notification of certain incidents and parameters should be provided for to determine when the actual or potential disruption is significant and the incidents should thus be notified. Given the potential cross-border impacts of such disruptions, procedures should be established for Member States to inform other affected Member States and other critical entities through single points of contact. The information on the incidents should be treated  in a way that respects confidentiality and protects the security and commercial interest of the critical entity concerned.

Amendment  17

Proposal for a directive

Recital 26

 

Text proposed by the Commission

Amendment

(26) While critical entities generally operate as part of an increasingly interconnected network of service provision and infrastructures and often provide essential services in more than one Member State, some of those entities are of particular significance for the Union because they provide essential services to a large number of Member States, and therefore require specific oversight at Union level. Rules on the specific oversight in respect of such critical entities of particular European significance should therefore be established. Those rules are without prejudice to the rules on supervision and enforcement set out in this Directive.

(26) While critical entities generally operate as part of an increasingly interconnected network of service provision and infrastructure and often provide essential services in more than one Member State, some of those entities are of particular significance for the Union and the internal market because they provide essential services to a large number of Member States, and therefore require specific oversight at Union level. Rules on the specific oversight in respect of such critical entities of particular European significance should therefore be established. Those rules are without prejudice to the rules on supervision and enforcement set out in this Directive. While Union institutions, bodies or agencies and the services they provide are not covered under this Directive, the Commission should nevertheless provide guidance and strategies, to identify which of those institutions, bodies or agencies and which of their services could potentially be considered as entities equivalent to critical entities providing essential services for the functioning of the internal market and should ensure their enhanced resilience.

Amendment  18

Proposal for a directive

Recital 27

 

Text proposed by the Commission

Amendment

(27) Where any Member State considers that additional information is necessary to be able to advise a critical entity in meeting its obligations under Chapter III or to assess the compliance of a critical entity of particular European significance with those obligations, in agreement with the Member State where the infrastructure of that entity is located, the Commission should organise an advisory mission to assess the measures put in place by that entity. In order to ensure that such advisory missions are carried out properly, complementary rules should be established, notably on their organisation and conduct, the follow-up to be given and the obligations for the critical entities of particular European significance concerned. The advisory missions should, without prejudice to the need for the Member State where the advisory mission is conducted and the entity concerned to comply with the rules of this Directive, be conducted subject to the detailed rules of the law of that Member State, for instance on the precise conditions to be fulfilled to obtain access to relevant premises or documents and on judicial redress. Specific expertise required for such missions could, where relevant, be requested through the Emergency Response Coordination Centre.

(27) Where any Member State considers that additional information is necessary to be able to advise a critical entity in meeting its obligations under Chapter III or to assess the compliance of a critical entity of particular European significance with those obligations, in agreement with the Member State of establishment and the Member States in which the infrastructure of that entity is located, the Commission should organise an advisory mission to assess the measures put in place by that entity. In order to ensure that such advisory missions are carried out properly, complementary rules should be established, notably on their organisation and conduct, the follow-up to be given and the obligations for the critical entities of particular European significance concerned. The advisory missions should, without prejudice to the need for the Member State where the advisory mission is conducted and the entity concerned to comply with the rules of this Directive, be conducted subject to the detailed rules of the law of that Member State, for instance on the precise conditions to be fulfilled to obtain access to relevant premises or documents and on judicial redress. Specific expertise required for such missions could, where relevant, be requested through the Emergency Response Coordination Centre.

Amendment  19

Proposal for a directive

Recital 27a

 

Text proposed by the Commission

Amendment

 

(27a) Standardisation should remain primarily a market-driven process. However, there may still be situations where it is appropriate to require compliance with specified standards at Union level. The Commission and the Member States should also support and promote the development and implementation of standards and specifications relevant to the resilience of critical entities as set by the European Standardisation Organisations for the undertaking of technical and organisational measures aimed at ensuring critical entities’ resilience under Article 11(1) of this Directive. Member States should also encourage the use of internationally accepted standards and specifications relevant to resilience measures applicable to critical entities.

Amendment  20

Proposal for a directive

Article 1 – paragraph 1 – introductory part

 

Text proposed by the Commission

Amendment

1. This Directive:

1. This Directive lays down measures with a view to achieving a high level of resilience of critical entities and essential infrastructure within the Union in order to ensure an effective provision of essential services, including in crisis situations, and to improve the functioning of the internal market.

Amendment  21

Proposal for a directive

Article 1 – paragraph 1 – introductory part – subparagraph 1 a (new)

 

Text proposed by the Commission

Amendment

 

To that end, this Directive:

Amendment  22

Proposal for a directive

Article 1 – paragraph 1 – point a

 

Text proposed by the Commission

Amendment

(a) lays down obligations for Member States to take certain measures aimed at ensuring the provision in the internal market of services essential for the maintenance of vital societal functions or economic activities, in particular to identify critical entities and entities to be treated as equivalent in certain respects, and to enable them to meet their obligations;

(a) lays down obligations for Member States to take certain measures aimed at ensuring the provision in the internal market of services essential for the maintenance of vital societal functions or economic activities, in particular to identify  identifying critical entities and entities to be treated as equivalent in certain respects, in sectors and subsectors set out in the Annex and to enable and support those entities to meet their obligations under this Directive and to enhance their ability to provide essential services in the internal market;

Amendment  23

Proposal for a directive

Article 1 – paragraph 1 – point b

 

Text proposed by the Commission

Amendment

(b) establishes obligations for critical entities aimed at enhancing their resilience and improving their ability to provide those services in the internal market;

(b) establishes obligations for critical entities aimed at enhancing the resilience of their infrastructures and improving the ability of those entities to provide essential services in the internal market;

Amendment  24

Proposal for a directive

Article 1 – paragraph 2

 

Text proposed by the Commission

Amendment

2. This Directive shall not apply to matters covered by Directive (EU) XX/YY [proposed Directive on measures for a high common level of cybersecurity across the Union; (‘NIS 2 Directive’)], without prejudice to Article 7.

2. This Directive shall not apply to matters covered by Directive (EU) XX/YY (the ‘NIS 2 Directive’)], without prejudice to Article 7.

Amendment  25

Proposal for a directive

Article 1 – paragraph 4

 

Text proposed by the Commission

Amendment

4. Without prejudice to Article 346 TFEU, information that is confidential pursuant to Union and national rules, such as rules on business confidentiality, shall be exchanged with the Commission and other relevant authorities only where that exchange is necessary for the application of this Directive. The information exchanged shall be limited to that which is relevant and proportionate to the purpose of that exchange. The exchange of information shall preserve the confidentiality of that information and protect the security and commercial interests of critical entities.

 

4. Without prejudice to Article 346 TFEU, information that is confidential pursuant to Union and national rules, such as rules on business confidentiality, shall be exchanged with the Commission and other relevant authorities only where that exchange is necessary for the application of this Directive. The information exchanged shall be limited to that which is relevant and proportionate to the purpose of that exchange. The exchange of information shall preserve the confidentiality of that information and protect the security and commercial interests of the entities concerned.

Amendment  26

Proposal for a directive

Article 2 – paragraph 1 – point 1

 

Text proposed by the Commission

Amendment

(1) “critical entity” means a public or private entity of a type referred to in the Annex, which has been identified as such by a Member State in accordance with Article 5;

(1) “critical entity” means a public or private entity of a type which provides essential services or essential infrastructure necessary for the proper functioning of vital societal or economic activities within one or more Member States, which falls within sectors and subsectors set out in the Annex and which has been identified as such by a Member State in accordance with Article 5;

Amendment  27

Proposal for a directive

Article 2 – paragraph 1 – point 1 a (new)

 

Text proposed by the Commission

Amendment

 

(1a) “entity equivalent to a critical entity” means an entity identified by a Member State as belonging to the digital infrastructure, banking and financial infrastructure sectors referred to in points 3, 4 or 8 of the Annex;

Amendment  28

Proposal for a directive

Article 2 – paragraph 1 – point 2

 

Text proposed by the Commission

Amendment

(2) “resilience” means the ability to prevent, resist, mitigate, absorb, accommodate to and recover from an incident that disrupts or has the potential to disrupt the operations of a critical entity;

(2) “resilience” means the ability to prevent, resist, mitigate, manage, absorb, accommodate, and recover and protect from, a incident or threat that disrupts or has the potential to disrupt the operations of a critical entity;

Amendment  29

Proposal for a directive

Article 2 – paragraph 1 – point 3

 

Text proposed by the Commission

Amendment

(3) “incident” means any event having the potential to disrupt, or that disrupts, the operations of the critical entity;

(3) “incident” means any event which results in a disruption of essential services or the destruction of essential infrastructure and has a significant effect on the delivery of those services in one or more Member States as a result of the failure to maintain the operations of that critical entity;

Amendment  30

Proposal for a directive

Article 2 – paragraph 1 – point 4

 

Text proposed by the Commission

Amendment

(4) “infrastructure” means an asset, system or part thereof, which is necessary for the delivery of an essential service;

(4) “essential infrastructure” means an asset, system or part thereof, which is necessary for the delivery of an essential service;

Amendment  31

Proposal for a directive

Article 2 – paragraph 1 – point 5

 

Text proposed by the Commission

Amendment

(5) “essential service” means a service which is essential for the maintenance of vital societal functions or economic activities;

(5) “essential service” means a service which is essential for the maintenance of vital societal functions or economic activities and proper functioning of the internal market and the disruption of which would have a significant effect on the provision of that service or of other essential or cross-sectoral services, in  one or more Member States;

Amendment  32

Proposal for a directive

Article 2 – paragraph 1 – point 7

 

Text proposed by the Commission

Amendment

 

(7)  “risk assessment” means a methodology to determine the nature and extent of a risk by assessing the extent of potential threats and hazards  to  the resilience of the critical entity, analysing existing conditions of vulnerability that could facilitate the disruption of operations of the critical entity and evaluating the potential adverse effect the disruption of operations could have on the provision of essential services;

Amendment  33

Proposal for a directive

Article 2 – paragraph 1 – point 7 a (new)

 

Text proposed by the Commission

Amendment

 

(7a) "national strategy on the resilience of critical entities" means a coherent framework of a Member State setting out strategic objectives and priorities on the security and resilience of critical entities;

Amendment  34

Proposal for a directive

Article 2 – paragraph 1 – point 7 b (new)

 

Text proposed by the Commission

Amendment

 

(7b) ‘standard’ means standard as defined in point (1) of Article 2 of Regulation (EU) No 1025/2012 of the European Parliament and of the Council1a;

 

__________________

 

1a Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council Decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12)

Amendment  35

Proposal for a directive

Article 2 – paragraph 1 – point 7 c (new)

 

Text proposed by the Commission

Amendment

 

(7c) ‘technical specification’ means  technical specification as defined in point (4) of Article 2 of Regulation (EU) No 1025/2012;

Amendment  36

Proposal for a directive

Article 3 – paragraph 1

 

Text proposed by the Commission

Amendment

1. Each Member State shall adopt by [three years after entry into force of this Directive] a strategy for reinforcing the resilience of critical entities. This strategy shall set out strategic objectives and policy measures with a view to achieving and maintaining a high level of resilience on the part of those critical entities and covering at least the sectors referred to in the Annex.

1. Each Member State shall, after consultation with critical entities, adopt by [two years after entry into force of this Directive] a strategy for reinforcing the resilience of critical entities. That strategy shall take into account the European strategy on resilience prepared by the Critical Entities Resilience Group and set out strategic objectives and policy measures with a view to achieving and maintaining a high level of resilience on the part of those critical entities and covering at least the sectors referred to in the Annex.

Amendment  37

Proposal for a directive

Article 3 – paragraph 2 – subparagraph 1 – point a

 

Text proposed by the Commission

Amendment

(a) strategic objectives and priorities for the purposes of enhancing the overall resilience of critical entities taking into account cross-border and cross-sectoral interdependencies;

(a) strategic objectives and priorities for the purposes of enhancing the overall resilience of critical entities taking into account cross-border and cross-sectoral  interdependencies and the connections in the supply chain;

Amendment  38

Proposal for a directive

Article 3 – paragraph 2 – subparagraph 1 – point c

 

Text proposed by the Commission

Amendment

(c) a description of measures necessary to enhance the overall resilience of critical entities, including a national risk assessment, the identification of critical entities and of entities equivalent to critical entities, and the measures to support critical entities taken in accordance with this Chapter;

(c) a description of measures necessary to enhance the overall resilience of critical entities, including a national risk assessment, the identification of critical entities and of entities equivalent to critical entities, and the measures to support critical entities taken in accordance with this Chapter, including measures to enhance cooperation between the public and private sectors and public and private entities;

Amendment  39

Proposal for a directive

Article 3 – paragraph 2 – subparagraph 1 – point c a (new)

 

Text proposed by the Commission

Amendment

 

(ca) a list of the authorities and actors involved in the implementation of the national strategy on the resilience of critical entities;

Amendment  40

Proposal for a directive

Article 3 – paragraph 2 – subparagraph 1 – point d a (new)

 

Text proposed by the Commission

Amendment

 

(da) a policy framework addressing resilience in the supply chain of critical entities used by those entities for the provision of their essential services;

Amendment  41

Proposal for a directive

Article 3 – paragraph 2 – subparagraph 1 – point d b (new)

 

Text proposed by the Commission

Amendment

 

(db) a policy framework addressing the specific needs of small and medium-sized enterprises and  providing guidance and support for the compliance with the obligations set out by this Directive;

Amendment  42

Proposal for a directive

Article 3 – paragraph 2 – subparagraph 2

 

Text proposed by the Commission

Amendment

The strategy shall be updated where necessary and at least every four years.

The strategy shall be updated where necessary and at least every four years after consultation with the identified critical entities.

Amendment  43

Proposal for a directive

Article 3 – paragraph 3

 

Text proposed by the Commission

Amendment

3. Member States shall communicate their strategies, and any updates of their strategies, to the Commission within three months from their adoption.

3. Member States shall communicate their strategies, and any updates thereto, to the Commission and to the identified critical entities through the single point of contact, within three months from their adoption.

Amendment  44

Proposal for a directive

Article 4 – paragraph 1 – subparagraph 1

 

Text proposed by the Commission

Amendment

Competent authorities designated pursuant to Article 8 shall establish a list of essential services in the sectors referred to in the Annex. They shall carry out by [three years after entry into force of this Directive], and subsequently where necessary, and at least every four years, an assessment of all relevant risks that may affect the provision of those essential services, with a view to identifying critical entities in accordance with Article 5(1), and assisting those critical entities to take measures pursuant to Article 11.

Competent authorities designated pursuant to Article 8 shall establish a list of essential services, which fall within the relevant sectors referred to in the Annex. They shall, after consulting critical entities, carry out by [three years after entry into force of this Directive], and subsequently where necessary, and at least every four years, an assessment of all relevant risks that may affect and disrupt the provision of those essential services. The risk assessment shall be used on a continuous basis by competent authorities of the Member State with a view to identifying essential services, and the corresponding critical entities in accordance with Article 5(1), and assisting those critical entities to take measures pursuant to Article 11.

Amendment  45

Proposal for a directive

Article 4 – paragraph 1 – subparagraph 2

 

Text proposed by the Commission

Amendment

The risk assessment shall account for all relevant natural and man-made risks, including accidents, natural disasters, public health emergencies, antagonistic threats, including terrorist offences pursuant to Directive (EU) 2017/541 of the European Parliament and of the Council34 .

The risk assessment shall account for all relevant natural and man-made risks, including those of a cross-sectoral or cross-border nature, accidents, natural disasters, public health emergencies, antagonistic threats, including terrorist offences pursuant to Directive (EU) 2017/541 of the European Parliament and of the Council34 .

__________________

__________________

34 Directive (EU) 2017/541 of the European Parliament and of the Council of 15 March 2017 on combating terrorism and replacing Council Framework Decision 2002/475/JHA and amending Council Decision 2005/671/JHA (OJ L 88, 31.3.2017, p. 6).

34 Directive (EU) 2017/541 of the European Parliament and of the Council of 15 March 2017 on combating terrorism and replacing Council Framework Decision 2002/475/JHA and amending Council Decision 2005/671/JHA (OJ L 88, 31.3.2017, p. 6).

Amendment  46

Proposal for a directive

Article 4 – paragraph 2 – subparagraph 1 – point c

 

Text proposed by the Commission

Amendment

(c) any risks arising from the dependencies between the sectors referred to in the Annex, including from other Member States and third countries, and the impact that a disruption in one sector may have on other sectors;

(c) any risks arising from the dependencies between the sectors referred to in the Annex, including from other Member States and third countries, and the impact that a disruption in one sector may have on other sectors, including any risks to citizens and the internal market;

Amendment  47

Proposal for a directive

Article 4 – paragraph 2 – subparagraph 2

 

Text proposed by the Commission

Amendment

For the purposes of point (c) of the first subparagraph, Member States shall cooperate with the competent authorities of other Member States and third countries, as appropriate.

For the purposes of point (c) of the first subparagraph, Member States shall closely cooperate with the Commission and the competent authorities of other Member States and third countries.

Amendment  48

Proposal for a directive

Article 4 – paragraph 3

 

Text proposed by the Commission

Amendment

3. Member States shall make the relevant elements of the risk assessment referred to in paragraph 1 available to the critical entities that they identified in accordance with Article 5 in order to assist those critical entities in carrying out their risk assessment, pursuant to Article 10, and in taking measures to ensure their resilience pursuant to Article 11.

3. Member States shall make the relevant elements of the risk assessment referred to in paragraph 1 available, through their single point of contact, to the critical entities that they identified in accordance with Article 5 in order to assist those critical entities in carrying out their risk assessment, pursuant to Article 10, and in taking measures to ensure their resilience pursuant to Article 11.

Amendment  49

Proposal for a directive

Article 4 – paragraph 4

 

Text proposed by the Commission

Amendment

4. Each Member State shall provide the Commission with data on the types of risks identified and the outcomes of the risk assessments, per sector and sub-sector referred to in the Annex, by [three years after entry into force of this Directive] and subsequently where necessary and at least every four years.

4. Each Member State shall provide the Commission with data on the types of risks identified and the outcomes of the risk assessments, per sector and sub-sector referred to in the Annex, by [three years after entry into force of this Directive] and subsequently where necessary and at least every five years.

Amendment  50

Proposal for a directive

Article 4 – paragraph 5

 

Text proposed by the Commission

Amendment

5. The Commission may, in cooperation with the Member States, develop a voluntary common reporting template for the purposes of complying with paragraph 4.

5. The Commission shall, in cooperation with the Member States, and after consultation with the Critical Entities Resilience Group, develop a voluntary common reporting template for the purposes of complying with paragraph 4, taking into consideration the differences between sectors and subsectors and existing practices in the Member States.

Amendment  51

Proposal for a directive

Article 5 – paragraph 1

 

Text proposed by the Commission

Amendment

1. By [three years and three months after entry into force of this Directive] Member States shall identify for each sector and subsector referred to in the Annex, other than points 3, 4 and 8 thereof, the critical entities.

1. By [three years and three months after entry into force of this Directive] Member States shall , where infrastructure exists, identify for each sector and subsector referred to in the Annex, other than points 3, 4 and 8 thereof, the critical entities.

Amendment  52

Proposal for a directive

Article 5 – paragraph 2 – introductory part

 

Text proposed by the Commission

Amendment

2. When identifying critical entities pursuant to paragraph 1, Member States shall take into account the outcomes of the risk assessment pursuant to Article 4 and apply the following criteria:

2. When identifying critical entities pursuant to paragraph 1, Member States shall take into account the outcomes of the risk assessment pursuant to Article 4 and the strategy on the resilience of critical entities referred to in Article 3 and apply the following criteria:

Amendment  53

Proposal for a directive

Article 5 – paragraph 3 – subparagraph 1

 

Text proposed by the Commission

Amendment

Each Member State shall establish a list of the critical entities identified and ensure that those critical entities are notified of their identification as critical entities within one month of that identification, informing them of their obligations pursuant to Chapters II and III and the date from which the provisions of those Chapters apply to them.

Each Member State shall establish a list of the critical entities identified and ensure that those critical entities are notified, through the Member State’s single point of contact, of their identification as critical entities within  three months month of that identification, informing them of their obligations pursuant to Chapters II and III and the date from which the provisions of those Chapters apply to them.

Amendment  54

Proposal for a directive

Article 5 – paragraph 3 - subparagraph 3 a (new)

 

Text proposed by the Commission

Amendment

 

When establishing the list of critical entities under this Directive, Member States shall develop a coherent approach in relation to the NIS 2 Directive, taking into account its scope. Member States shall ensure that essential entities falling within Annex I of the NIS 2 Directive, but that are not identified as critical entities under this Directive, enhance, where appropriate, the resilience of their essential services to physical non-cybersecurity incidents or threats and hybrid incidents or threats.

Amendment  55

Proposal for a directive

Article 5 – paragraph 5

 

Text proposed by the Commission

Amendment

5. Following the notification referred in paragraph 3, Member States shall ensure that critical entities provide information to their competent authorities designated pursuant to Article 8 of this Directive on whether they have been identified as a critical entity in one or more other Member States. Where an entity has been identified as critical by two or more Member States, these Member States shall engage in consultation with each other with a view to reduce the burden on the critical entity in regard to the obligations pursuant to Chapter III.

5. Following the notification referred in paragraph 3, Member States shall ensure that critical entities provide information to their competent authorities designated pursuant to Article 8 of this Directive on whether they have been identified as a critical entity in one or more other Member States. Where an entity has been identified as critical by two or more Member States for the provision of the same or similar essential services, these Member States shall engage in consultation with each other with a view to reduce the burden on the critical entity in regard to the obligations pursuant to Chapter III.

Amendment  56

Proposal for a directive

Article 5 – paragraph 6

 

Text proposed by the Commission

Amendment

6. For the purposes of Chapter IV, Member States shall ensure that critical entities, following the notification referred in paragraph 3, provide information to their competent authorities designated pursuant to Article 8 of this Directive on whether they provide essential services to or in more than one third of Member States. Where that is so, the Member State concerned shall notify, without undue delay, to the Commission the identity of those critical entities.

6. For the purposes of Chapter IV, Member States shall ensure that critical entities, following the notification referred in paragraph 3, provide information to their competent authorities designated pursuant to Article 8 of this Directive on whether they have been identified as critical entity for the provision of the same or similar essential services to or in more than one fifth of Member States. Where that is so, the Member State concerned shall notify, without undue delay, to the Commission the identity of those critical entities.

Amendment  57

Proposal for a directive

Article 5 – paragraph 7 a new

 

Text proposed by the Commission

Amendment

 

7a. The Commission shall, in cooperation with the Member States, develop recommendations and guidelines to support Member States in identifying specific essential services, infrastructures and the entities providing them and include them in their list of critical entities.

Amendment  58

Proposal for a directive

Article 6 – paragraph 1 – point b

 

Text proposed by the Commission

Amendment

(b) the dependency of other sectors referred to in the Annex on that service;

(b) the dependency of other sectors or subsectors as referred to in the Annex or the supply chain on that service;

Amendment  59

Proposal for a directive

Article 6 – paragraph 1 – point c

 

Text proposed by the Commission

Amendment

(c) the impacts that incidents could have, in terms of degree and duration, on economic and societal activities, the environment and public safety;

(c) the impact that incidents could have, in terms of degree and duration, on economic and societal activities, the environment, consumer protection and public safety;

Amendment  60

Proposal for a directive

Article 6 – paragraph 1 – point d

 

Text proposed by the Commission

Amendment

(d) the market share of the entity in the market for such services;

(d) the market share of the entity in the market for such services, the type of entity and the impact it has on the functioning of the internal market and the delivery of one or more essential services;

Amendment  61

Proposal for a directive

Article 6 – paragraph 1 – point e

 

Text proposed by the Commission

Amendment

(e) the geographic area that could be affected by an incident, including any cross-border impacts;

(e) the geographic area that could be affected by an incident, including any cross-border and cross-sector impact and interdependencies between infrastructure and sectors and between Member States and third countries;

Amendment  62

Proposal for a directive

Article 6 – paragraph 1 – point e a (new)

 

Text proposed by the Commission

Amendment

 

(ea) the vulnerability associated with the degree of isolation of certain types of geographic areas, such as insular regions, outermost regions or mountainous areas;

Amendment  63

Proposal for a directive

Article 6 – paragraph 2 – subparagraph 1 – point b a (new)

 

Text proposed by the Commission

Amendment

 

(ba) the geographical coverage of the services provided by the critical entities in each sector, including information on any cross-border impacts;

Amendment  64

Proposal for a directive

Article 6 – paragraph 2 – subparagraph 1 – point c

 

Text proposed by the Commission

Amendment

(c) any thresholds applied to specify one or more of the criteria in paragraph 1.

(c) any thresholds applied to specify one or more of the criteria in paragraph 1 and any methodology used for the application of those thresholds.

Amendment  65

Proposal for a directive

Article 6 – paragraph 3

 

Text proposed by the Commission

Amendment

3. The Commission may, after consultation of the Critical Entities Resilience Group, adopt guidelines to facilitate the application of the criteria referred to in paragraph 1, taking into account the information referred to in paragraph 2.

3. The Commission may, after consultation of the Critical Entities Resilience Group, adopt guidelines to facilitate the application of the criteria referred to in paragraph 1, taking into account the information referred to in paragraph 2 and the differences between sectors and subsectors and existing practices in the Member States.

Amendment  66

Proposal for a directive

Article 7 – paragraph 1

 

Text proposed by the Commission

Amendment

1. As regards the sectors referred to in points 3, 4 and 8 of the Annex, Member States shall, by [three years and three months after entry into force of this Directive], identify the entities that shall be treated as equivalent to critical entities for the purposes of this Chapter. They shall apply the provisions of Articles 3, 4, 5(1) to (4) and (7), and 9 in respect of those entities.

1. As regards the sectors referred to in points 3, 4 and 8 of the Annex, Member States shall, by [three years and three months after entry into force of this Directive], identify the entities that shall be treated as equivalent to critical entities for the purposes of this Chapter. They shall apply the provisions of Articles 3, 4, 5(1) to (4) and (7), and 9 in respect of those entities and the concerned entities shall not be subject to the obligations laid down in Chapters II or the relevant provisions related to the application of Chapters III and IV.

Amendment  67

Proposal for a directive

Article 7 – paragraph 3

 

Text proposed by the Commission

Amendment

3. Member States shall ensure that the entities referred to in paragraph 1 are, without undue delay, notified of their identification as entities referred to in this Article.

3. Member States shall ensure that the entities referred to in paragraph 1 are, without undue delay, notified, through the Member States’ single points of contact, of their identification as entities as referred to in this Article.

Amendment  68

Proposal for a directive

Article 8 – paragraph 2

 

Text proposed by the Commission

Amendment

1. Each Member State shall designate one or more competent authorities responsible for the correct application, and where necessary enforcement, of the rules of this Directive at national level (‘competent authority’). Member States may designate an existing authority or authorities.

1. Each Member State shall designate a single point of contact. The designated single point of contact shall exercise a liaison function with the identified critical entities and ensure cross-border cooperation with competent authorities and the single points of contact of other Member States and with the Critical Entities Resilience Group referred to in Article 16 and where relevant ensure cooperation with third countries.

Amendment  69

Proposal for a directive

Article 8 – paragraph 5

 

Text proposed by the Commission

Amendment

5. Member States shall ensure that their competent authorities, whenever appropriate, and in accordance with Union and national law, consult and cooperate with other relevant national authorities, in particular those in charge of civil protection, law enforcement and protection of personal data, as well as with relevant interested parties, including critical entities.

5. Member States shall ensure that their competent authorities, whenever appropriate, and in accordance with Union and national law, consult and cooperate with other relevant national authorities, in particular those in charge of civil protection, law enforcement and protection of personal data, consumer protection and market surveillance, as well as with relevant interested parties, including critical entities.

Amendment  70

Proposal for a directive

Article 8 – paragraph 7

 

Text proposed by the Commission

Amendment

7. Each Member State shall notify the Commission of the designation of the competent authority and single point of contact within three months from that designation, including their precise tasks and responsibilities under this Directive, their contact details and any subsequent change thereto. Each Member State shall make public its designation of the competent authority and single point of contact.

7. Each Member State shall notify the Commission, the Critical Entities Resilience Group and the identified critical entities in its territory of the designation of the competent authority and single point of contact within three months from that designation, including their precise tasks and responsibilities under this Directive, their contact details and any subsequent change thereto. Each Member State shall make public its designation of the competent authority and single point of contact.

Amendment  71

Proposal for a directive

Article 9 – paragraph 1

 

Text proposed by the Commission

Amendment

1. Member States shall support critical entities in enhancing their resilience. That support may include developing guidance materials and methodologies, supporting the organisation of exercises to test their resilience and providing training to personnel of critical entities.

1. Member States shall support critical entities in enhancing their resilience. That support may include financial resources for the development of guidelines and guidance materials, methodologies, certificates, research and exercises to test the resilience of critical entities and the preparedness of their employees and the provision of periodic training to the personnel of critical entities, the provision of shared infrastructure and assistance and the protection of sensitive areas, facilities and other infrastructure, where necessary.

Amendment  72

Proposal for a directive

Article 9 – paragraph 2

 

Text proposed by the Commission

Amendment

2. Member States shall ensure that the competent authorities cooperate and exchange information and good practices with critical entities of the sectors referred to in the Annex.

2. Member States shall ensure that the competent authorities cooperate and exchange information and good practices, through their single point of contact, with critical entities of the sectors referred to in the Annex.

Amendment  73

Proposal for a directive

Article 10 – paragraph 2

 

Text proposed by the Commission

Amendment

The risk assessment shall account for all relevant risks referred to in Article 4(1) which could lead to the disruption of the provision of essential services. It shall take into account any dependency of other sectors referred to in the Annex on the essential service provided by the critical entity, including in neighbouring Member States and third countries where relevant, and the impact that a disruption of the provision of essential services in one or more of those sectors may have on the essential service provided by the critical entity.

The risk assessment shall account for all relevant risks referred to in Article 4(1) which could lead to the disruption of the provision of essential services or hinder the proper functioning of the internal market. It shall take into account any dependency of other sectors referred to in the Annex on the essential service provided by the critical entity, including in other Member States, on European level, and in third countries where relevant, and the impact that a disruption of the provision of essential services in one or more of those sectors may have on the essential service provided by the critical entity or on the supply chain, including aspects concerning the relationships between each entity and its suppliers or service providers.

Amendment  74

Proposal for a directive

Article 11 – paragraph 1 – point a

 

Text proposed by the Commission

Amendment

(a) prevent incidents from occurring, including through disaster risk reduction and climate adaptation measures;

(a) carry out risk analysis and manage incidents and prevent them from occurring, including through disaster risk reduction and climate adaptation measures;

Amendment  75

Proposal for a directive

Article 11 – paragraph 1 – point a a (new)

 

Text proposed by the Commission

Amendment

 

(aa) evaluate possible safety risks for the beneficiaries of the essential service;

Amendment  76

Proposal for a directive

Article 11 – paragraph 1 – point b

 

Text proposed by the Commission

Amendment

(b) ensure adequate physical protection of sensitive areas, facilities and other infrastructure, including fencing, barriers, perimeter monitoring tools and routines, as well as detection equipment and access controls;

(b) ensure adequate physical protection of sensitive and key areas, facilities and other infrastructure, including fencing, barriers, perimeter monitoring tools and routines, as well as detection equipment and access controls;

Amendment  77

Proposal for a directive

Article 11 – paragraph 1 – point e

 

Text proposed by the Commission

Amendment

(e) ensure adequate employee security management, including by setting out categories of personnel exercising critical functions, establishing access rights to sensitive areas, facilities and other infrastructure, and to sensitive information as well as identifying specific categories of personnel in view of Article 12;

(e) ensure adequate employee security management, training requirements and qualifications including by setting out categories of personnel exercising critical functions, safety and security tasks, establishing access rights to sensitive areas, facilities and other infrastructure, and to sensitive information as well as identifying specific categories of personnel in view of Article 12 as laid out in Union and national law;

Amendment  78

Proposal for a directive

Article 11 – paragraph 1 – point e a (new)

 

Text proposed by the Commission

Amendment

 

(ea) ensure supply chain security, including security-related aspects concerning the relationships between each entity and its service providers such as security services;

Amendment  79

Proposal for a directive

Article 11 – paragraph 1 – point f

 

Text proposed by the Commission

Amendment

(f) raise awareness about the measures referred to in points (a) to (e) among relevant personnel.

(f) raise awareness about the measures referred to in points (a) to (e) among relevant personnel also through training.

Amendment  80

Proposal for a directive

Article 11 – paragraph 2

 

Text proposed by the Commission

Amendment

2. Member States shall ensure that critical entities have in place and apply a resilience plan or equivalent document or documents, describing in detail the measures pursuant to paragraph 1. Where critical entities have taken measures pursuant to obligations contained in other acts of Union law that are also relevant for the measures referred to in paragraph 1, they shall also describe those measures in the resilience plan or equivalent document or documents.

2. Member States shall ensure that critical entities have in place and apply a resilience plan or equivalent document or documents detailing the measures in accordance with paragraph 1. Where critical entities have put in place measures pursuant to obligations laid down in other Union legislation that are also relevant to the measures referred to in paragraph 1, they shall also describe those measures in the resilience plan or equivalent document or documents.

Amendment  81

Proposal for a directive

Article 11 – paragraph 2 a (new)

 

Text proposed by the Commission

Amendment

 

2a. Member States shall ensure that critical entities designate within three months after receiving the notification referred to in Article 5(3), a single point of contact to exercise a liaison function with the Member States on issues related to the technical and organisational measures referred to in paragraph 1 of this Article.

Amendment  82

Proposal for a directive

Article 11 – paragraph 4

 

Text proposed by the Commission

Amendment

4. The Commission is empowered to adopt delegated acts in accordance with Article 21 supplementing paragraph 1 by establishing detailed rules specifying some or all of the measures to be taken pursuant to that paragraph. It shall adopt those delegated acts in as far as necessary for the effective and consistent application of that paragraph in accordance with the objectives of this Directive, having regard to any relevant developments in risks, technology or the provision of the services concerned as well as to any specificities relating to particular sectors and types of entities.

4. The Commission is empowered to adopt delegated acts in accordance with Article 21 to supplement some or all of the measures to be taken pursuant to paragraph 1 of this Article in order to ensure coherence with existing requirements under Union and national law and to take account of new threats, technological developments or sectorial specificities. It shall adopt those delegated acts in as far as necessary for the effective and consistent application of that paragraph in accordance with the objectives of this Directive, having regard to any relevant developments in risks, technology or the provision of the services concerned as well as to any specificities relating to particular sectors and types of entities.

Amendment  83

Proposal for a directive

Article 12 – paragraph 1

 

Text proposed by the Commission

Amendment

1. Member States shall ensure that critical entities may submit requests for background checks on persons who fall within certain specific categories of their personnel, including persons being considered for recruitment to positions falling within those categories, and that those requests are assessed expeditiously by the authorities competent to carry out such background checks.

1. Member States shall ensure that critical entities may submit requests for background checks on persons who fall within certain specific categories of their personnel, including persons being considered for recruitment to positions falling within those categories, and that those requests are assessed expeditiously by the authorities competent to carry out such background checks. Those persons shall be informed in advance about the checks, including general information about how, when and by whom the checks will be carried out.

Amendment  84

Proposal for a directive

Article 12 – paragraph 2 – subparagraph 1 – point c

 

Text proposed by the Commission

Amendment

(c) cover previous employments, education and any gaps in education or employment  in the person’s resume during at least the preceding five years and for a maximum of ten years.

(c) in exceptional cases, when deemed necessary by Member States, cover previous employments, education and any gaps in education or employment in the person’s resume during the preceding five years and when justifiable for a maximum of the ten preceding years.

Amendment  85

Proposal for a directive

Article 12 – paragraph 2 a (new)

 

Text proposed by the Commission

Amendment

 

2a. The background checks referred to in paragraph 1 of this Article shall fully respect the requirements under Union and national law. The results communicated to the entity shall be limited to what is strictly necessary to achieve the aims of the background check.

Amendment  86

Proposal for a directive

Article 13 – paragraph 1

 

Text proposed by the Commission

Amendment

1. Member States shall ensure that critical entities notify without undue delay the competent authority of incidents that significantly disrupt or have the potential to significantly disrupt their operations. Notifications shall include any available information necessary to enable the competent authority to understand the nature, cause and possible consequences of the incident, including so as to determine any cross-border impact of the incident. Such notification shall not make the critical entities subject to increased liability.

1. Member States shall ensure that critical entities notify the competent authority, through their single point of contact, without undue delay and, in any case, no later than 24 hours after becoming aware of a particular incident, of incidents that have had a significant impact on, or significantly disrupt or have the potential to significantly disrupt, the operations of the critical entity. Notifications shall include any available information necessary to enable the competent authority to understand the nature, cause and possible consequences of the incident, including so as to determine any cross-border impact of the incident. Such notification shall not make the critical entities subject to increased liability. The information provided has to be treated swiftly by the competent authorities in a way that respects its confidentiality and protects the security and commercial interest of the critical entity concerned.

 

If the incident has, or may have, a significant impact on critical entities or the continuity of the provision of essential services critical entities of particular European significance shall additionally notify such incidents to the Commission. The Commission shall inform the Critical Entities Resilience Group of any such notifications without undue delay. The Commission and the Critical Entities Resilience Group shall, in accordance with Union law, treat the information in a way that respects its confidentiality and protects the security and commercial interest of the critical entity concerned.

Amendment  87

Proposal for a directive

Article 13 – paragraph 2 – introductory part

 

Text proposed by the Commission

Amendment

2. In order to determine the significance of the disruption or the potential disruption to the critical entity’s operations resulting from an incident, the following parameters shall, in particular, be taken into account:

2. In order to determine the significance of the impact, disruption or the potential disruption to the critical entity’s operations resulting from an incident, at least the following parameters shall, in particular, be taken into account:

Amendment  88

Proposal for a directive

Article 13 – paragraph 2 – point a

 

Text proposed by the Commission

Amendment

(a) the number of users affected by the disruption or potential disruption;

(a) the number of users affected by the incident;

Amendment  89

Proposal for a directive

Article 13 – paragraph 2 – point b

 

Text proposed by the Commission

Amendment

(b) the duration of the disruption or anticipated duration of a potential disruption;

(b) the duration of the incident and of the disruption or the anticipated duration of potential disruption;

Amendment  90

Proposal for a directive

Article 13 – paragraph 2 – point c

 

Text proposed by the Commission

Amendment

(c) the geographical area affected by the disruption or potential disruption.

(c) the geographical spread of the area affected by the incident and the disruption.

Amendment  91

Proposal for a directive

Article 13 – paragraph 2 – point c a (new)

 

Text proposed by the Commission

Amendment

 

(ca) the extent to which the functioning of the essential services or essential infrastructure is affected;

Amendment  92

Proposal for a directive

Article 13 – paragraph 2 – point c b (new)

 

Text proposed by the Commission

Amendment

 

(cb) the degree of isolation of the areas affected by the incident, and in particular if it affects insular and outermost regions or mountainous areas;

Amendment  93

Proposal for a directive

Article 13 – paragraph 2 – point c c (new)

 

Text proposed by the Commission

Amendment

 

(cc) any impact on human life or the environment.

Amendment  94

Proposal for a directive

Article 13 – paragraph 2 – point c d (new)

 

Text proposed by the Commission

Amendment

 

(cd) the impact on economic and societal activities and on the internal market.

Amendment  95

Proposal for a directive

Article 13 – paragraph 3

 

Text proposed by the Commission

Amendment

On the basis of the information provided in the notification by the critical entity, the competent authority, via its single point of contact, shall inform the single point of contact of other affected Member States if the incident has, or may have, a significant impact on critical entities and the continuity of the provision of essential services in one or more other Member States.

On the basis of the information provided in the notification by the critical entity, the competent authority shall, through its single point of contact, inform, without undue delay, the single point of contact of other affected Member States if the incident has, or may have, a significant impact on critical entities and the continuity of the provision of essential services in one or more other Member States. The single points of contact of the Member States affected by the incident shall inform the relevant critical entities on their territories.

In so doing, the single points of contact shall, in accordance with Union law or national legislation that complies with Union law, treat the information in a way that respects its confidentiality and protects the security and commercial interest of the critical entity concerned.

In so doing, the competent authorities and single points of contact shall, in accordance with Union law or national legislation that complies with Union law, treat the information in a way that respects its confidentiality and protects the security and commercial interest of the critical entity concerned.

Amendment  96

Proposal for a directive

Article 13 – paragraph 3 a (new)

 

Text proposed by the Commission

Amendment

 

3a. The competent authority concerned shall, through its single point of contact, inform the public of the incident, or require the critical entity to inform the public through its single point of contact, where it determines that it would be in the public interest to disclose the incident.

Amendment  97

Proposal for a directive

Article 13 – paragraph 3 b (new)

 

Text proposed by the Commission

Amendment

 

3b. The competent authority shall ensure that, in the event of a particular and significant threat of an incident concerning critical entities or critical infrastructure, the critical entities shall inform users of their services that could be affected by the incident or by the disruption of the services and of its consequences and, where relevant, of any possible safety measures or remedies.

Amendment  98

Proposal for a directive

Article 13 – paragraph 3 c (new)

 

Text proposed by the Commission

Amendment

 

3c. Once a year, the competent authority concerned shall submit, through its single point of contact, a summary report to the Commission and to the Critical Entities Resilience Group on the notifications received and the action taken in accordance with this Article.

Amendment  99

Proposal for a directive

Article 13 – paragraph 4

 

Text proposed by the Commission

Amendment

4. As soon as possible upon having been notified in accordance with paragraph 1, the competent authority shall provide the critical entity that notified it with relevant information regarding the follow-up of its notification, including information that could support the critical entity’s effective response to the incident.

4. As soon as possible upon having been notified in accordance with paragraph 1, the competent authority shall provide the critical entity that notified it, through the Member State’s single point of contact, with relevant information regarding the follow-up of its notification, including information that could support the critical entity’s effective response to the incident.

Amendment  100

Proposal for a directive

Article 14 – paragraph 2

 

Text proposed by the Commission

Amendment

2. An entity shall be considered a critical entity of particular European significance when it has been identified as a critical entity and it provides essential services to or in more than one third of Member States and has been notified as such to the Commission pursuant to Article 5(1) and (6), respectively.

2. An entity shall be considered a critical entity of particular European significance where it has been identified as a critical entity and it provides the same or similar essential services to or in more than one fifth of Member States and has been notified as such to the Commission by one of those Member States pursuant to Article 5(1) and (6), respectively.

Amendment  101

Proposal for a directive

Article 14 – paragraph 3 – subparagraph 1

 

Text proposed by the Commission

Amendment

The Commission shall, without undue delay upon receiving the notification pursuant to Article 5(6), notify the entity concerned that it is considered a critical entity of particular European significance, informing that entity of its obligations pursuant to this Chapter and the date from which those obligations apply to it.

The Commission shall, without undue delay upon receiving the notification pursuant to Article 5(6), notify the Member State of establishment, the Member States in which the infrastructure is located and the entity concerned that it is considered a critical entity of particular European significance, informing the relevant Member States and that entity of their obligations pursuant to this Chapter and the date from which those obligations apply to them.

Amendment  102

Proposal for a directive

Article 15 – paragraph 1 – subparagraph 1

 

Text proposed by the Commission

Amendment

Upon request of one or more Member States or of the Commission, the Member State where the infrastructure of the critical entity of particular European significance is located shall, together with that entity, inform the Commission and the Critical Entities Resilience Group of the outcome of the risk assessment carried out pursuant to Article 10 and the measures taken in accordance with Article 11.

Upon request of one or more Member States or of the Commission, the Member State of establishment and the Member States in which the infrastructure of the critical entity of particular European significance is located shall, together with that entity, inform the Commission and the Critical Entities Resilience Group of the outcome of the risk assessment carried out pursuant to Article 10 and the measures taken in accordance with Article 11.

Amendment  103

Proposal for a directive

Article 15 – paragraph 2

 

Text proposed by the Commission

Amendment

2. Upon request of one or more Member States,  and in agreement with the Member State where the infrastructure of the critical entity of particular European significance is located, the Commission shall organise an advisory mission to assess the measures that that entity put in place to meet its obligations pursuant to Chapter III. Where needed, the advisory missions may request specific expertise in the area of disaster risk management through the Emergency Response Coordination Centre.

2. Upon request of one or more Member States, and in agreement with the Member State in which the entity is established or the infrastructure of the critical entity of particular European significance is located, the Commission shall organise an advisory mission to assess the measures that that entity put in place to meet its obligations pursuant to Chapter III. Where needed, the advisory missions may request specific expertise in the area of disaster risk management through the Emergency Response Coordination Centre.

Amendment  104

Proposal for a directive

Article 15 – paragraph 3 – subparagraph 1

 

Text proposed by the Commission

Amendment

The advisory mission shall report its findings to the Commission, the Critical Entities Resilience Group and the critical entity of particular European significance concerned within a period of three months after the conclusion of the advisory mission.

The advisory mission shall report its findings to the Member State of establishment or the Member State in which the infrastructure is located, the Commission, the Critical Entities Resilience Group and the critical entity of particular European significance concerned within a period of three months after the conclusion of the advisory mission.

Amendment  105

Proposal for a directive

Article 15 – paragraph 3 – subparagraph 2

 

Text proposed by the Commission

Amendment

The Critical Entities Resilience Group shall analyse the report and, where necessary, shall advise the Commission on whether the critical entity of particular European significance concerned complies with its obligations pursuant to Chapter III and, where appropriate, which measures could be taken to improve the resilience of that entity.

The Critical Entities Resilience Group shall analyse the report and, where necessary, shall advise the Member States and the Commission on whether the critical entity of particular European significance concerned complies with its obligations pursuant to Chapter III and, where appropriate, which measures could be taken to improve the resilience of that entity.

Amendment  106

Proposal for a directive

Article 15 – paragraph 3 – subparagraph 3

 

Text proposed by the Commission

Amendment

The Commission shall, based on that advice, communicate its views to the Member State where the infrastructure of that entity is located, the Critical Entities Resilience Group and that entity on whether that entity complies with its obligations pursuant to Chapter III and, where appropriate, which measures could be taken to improve the resilience of that entity.

The Commission shall, based on that advice, communicate its views to the Member State of establishment or the Member State in which the infrastructure of that entity is located, the Critical Entities Resilience Group and that entity on whether that entity complies with its obligations pursuant to Chapter III and, where appropriate, which measures could be taken to improve the resilience of that entity.

Amendment  107

Proposal for a directive

Article 15 – paragraph 3 – subparagraph 4

 

Text proposed by the Commission

Amendment

That Member State shall take due account of those views and provide information to the Commission and the Critical Entities Resilience Group on any measures it has taken pursuant to the communication.

That Member State concerned shall take due account of those views and provide information to the Commission and the Critical Entities Resilience Group on any measures it has taken pursuant to the communication.

Amendment  108

Proposal for a directive

Article 15 – paragraph 4 – subparagraph 1

 

Text proposed by the Commission

Amendment

Each advisory mission shall consist of experts from Member States and of Commission representatives. Member States may propose candidates to be part of an advisory mission. The Commission shall select and appoint the members of each advisory mission according to their professional capacity and ensuring a geographically balanced representation among Member States. The Commission shall bear the costs related to the participation in the advisory mission.

Each advisory mission shall consist of experts from the relevant Member States and of Commission representatives. Member States may propose candidates to be part of an advisory mission. The Commission shall select and appoint the members of each advisory mission according to their professional capacity and ensuring a geographically balanced representation among Member States, including at least one from the Member State in which the critical entity is established. The Commission shall bear the costs related to the participation in the advisory mission.

Amendment  109

Proposal for a directive

Article 15 – paragraph 4 – subparagraph 2

 

Text proposed by the Commission

Amendment

The Commission shall organise the programme of an advisory mission, in consultation with the members of the specific advisory mission and in agreement with the Member State where the infrastructure of the critical entity or the critical entity of European significance concerned is located.

The Commission shall organise the programme of an advisory mission, in consultation with the members of the specific advisory mission and in agreement with the Member State of establishment and the Member State in which the infrastructure of the critical entity or the critical entity of European significance concerned is located.

Amendment  110

Proposal for a directive

Article 15 – paragraph 6

 

Text proposed by the Commission

Amendment

6. Member States shall ensure that the critical entity of particular European significance concerned provides the advisory mission with access to all information, systems and facilities relating to the provision of its essential services necessary for the performance of its tasks.

6. Member States shall ensure that critical entity of particular European significance concerned provides the advisory mission with access to all information, documents, systems, locations and facilities relating to the provision of its essential services necessary for the performance of its tasks and for the fulfilment of the advisory mission. Any information exchanged shall be limited to that which is relevant and necessary for, and proportionate to, the purpose of that exchange. The exchange of information shall preserve the confidentiality of that information and protect the security and commercial interests of critical entities.

Amendment  111

Proposal for a directive

Article 15 – paragraph 7

 

Text proposed by the Commission

Amendment

7. The advisory mission shall be carried out in compliance with the applicable national law of the Member State where that infrastructure is located.

7. The advisory mission shall be carried out in compliance with the applicable national law of the Member State in which the advisory mission takes place.

Amendment  112

Proposal for a directive

Article 15 – paragraph 8 a (new)

 

Text proposed by the Commission

Amendment

 

8a. The Commission shall, after consulting with the Critical Entities Resilience Group, identify the specific critical services, systems or products that may be subject to the risk assessment referred to in Article 10.

Amendment  113

Proposal for a directive

Article 16 – paragraph 2 – subparagraph 1

 

Text proposed by the Commission

Amendment

The Critical Entities Resilience Group shall be composed of representatives of the Member States and the Commission. Where relevant for the performance of its tasks, the Critical Entities Resilience Group may invite representatives of interested parties to participate in its work.

The Critical Entities Resilience Group shall be composed of representatives of the Member States and the Commission. Where relevant for the performance of its tasks, the Critical Entities Resilience Group may invite representatives of interested parties or stakeholders, such as representatives of European professional associations, associations of critical entities, critical entities of particular European significance, industry and research centres relevant for each focused economic sector to participate in its work.

Amendment  114

Proposal for a directive

Article 16 – paragraph 3 – point a

 

Text proposed by the Commission

Amendment

(a) supporting the Commission in assisting Member States in reinforcing their capacity to contribute to ensuring the resilience of critical entities in accordance with this Directive;

(a) supporting the Commission in assisting Member States in reinforcing their capacity to contribute to ensuring the resilience of critical entities in accordance with this Directive and promoting its uniform implementation in the Member States;

Amendment  115

Proposal for a directive

Article 16 – paragraph 3 – point b

 

Text proposed by the Commission

Amendment

(b) evaluating the strategies on the resilience of critical entities referred to in Article 3 and identifying best practices in respect of those strategies;

(b) evaluating the national strategies on the resilience of critical entities referred to in Article 3, Member States preparedness and identifying best practices in respect of those strategies;

Amendment  116

Proposal for a directive

Article 16 – paragraph 3 – point b a (new)

 

Text proposed by the Commission

Amendment

 

(ba)  exchanging information on priorities and key challenges relating to the resilience of critical entities;

Amendment  117

Proposal for a directive

Article 16 – paragraph 3 – point c

 

Text proposed by the Commission

Amendment

 

(c) facilitating the exchange of information and best practices with regard to the identification of critical entities by the Member States in accordance with Article 5, including in relation to cross-border dependencies and regarding risks and incidents;

Amendment  118

Proposal for a directive

Article 16 – paragraph 3 – point c a (new)

 

Text proposed by the Commission

Amendment

 

(ca) preparing a European strategy on resilience  in compliance with the objectives set out by this Directive;

Amendment  119

Proposal for a directive

Article 16 – paragraph 3 – point h a (new)

 

Text proposed by the Commission

Amendment

 

(ha) promoting and supporting coordinated risk assessments and joint actions among critical entities;

Amendment  120

Proposal for a directive

Article 16 – paragraph 3 – point h b (new)

 

Text proposed by the Commission

Amendment

 

(hb) publishing relevant findings from its work, to facilitate academic and security research;

Amendment  121

Proposal for a directive

Article 16 – paragraph 3 – point h c (new)

 

Text proposed by the Commission

Amendment

 

(hc) exchanging best practices and information on all other matters in relation to the implementation of this Directive, including the application and development of standards and technical specifications;

Amendment  122

Proposal for a directive

Article 16 – paragraph 3 – point i a (new)

 

Text proposed by the Commission

Amendment

 

(ia) supporting Member States and critical entities in meeting the obligations set out in Chapter III by means of best practices, information exchange and non-binding guidance documents.

Amendment  123

Proposal for a directive

Article 16 – paragraph 3 – point i b (new)

 

Text proposed by the Commission

Amendment

 

(ib) carrying out coordinated security risk assessments of specific critical services, systems or product supply chains, taking into account technical and, where relevant, non-technical risk factors.

Amendment  124

Proposal for a directive

Article 16 – paragraph 3 –subparagraph 1 a (new)

 

Text proposed by the Commission

Amendment

 

In carrying its tasks, the Critical Entities Resilience Group shall preserve the confidentiality of the information that has been exchanged and protect the security and commercial interests of the Member States and of the critical entities concerned.

Amendment  125

Proposal for a directive

Article 16 – paragraph 4

 

Text proposed by the Commission

Amendment

4. By [24 months after entry into force of this Directive] and every two years thereafter, the Critical Entities Resilience Group shall establish a work programme in respect of actions to be undertaken to implement its objectives and tasks, which shall be consistent with the requirements and objectives of this Directive.

4. By [12 months after entry into force of this Directive] and every two years thereafter, the Critical Entities Resilience Group shall establish a work programme in respect of actions to be undertaken to implement its objectives and tasks, which shall be consistent with the requirements and objectives of this Directive.

Amendment  126

Proposal for a directive

Article 16 – paragraph 7

 

Text proposed by the Commission

Amendment

7. The Commission shall provide to the  Critical Entities Resilience Group a summary report of the information provided by the Member States pursuant to Articles 3(3) and 4(4) by [three years and six months after entry into force of this Directive] and subsequently where necessary and at least every four years.

7. The Commission shall provide to the Critical Entities Resilience Group a summary report of the information provided by the Member States pursuant to Articles 3(3) and 4(4) by [three years and six months after entry into force of this Directive] and subsequently where necessary and at least every four years. The Commission shall regularly publish a summary report of the activities of the Critical Entities Resilience Group.

Amendment  127

Proposal for a directive

Article 16 a (new)

 

Text proposed by the Commission

Amendment

 

Article 16a

 

Standardisation

 

The Commission and the Member States shall support and promote the development and implementation of standards set by relevant European standardisation bodies in order to promote the convergent implementation of Articles 11 and 12.

Amendment  128

Proposal for a directive

Article 21 – paragraph 6

 

Text proposed by the Commission

Amendment

6. A delegated act adopted pursuant to Article 11(4) shall enter into force only if no objection has been expressed either by the European Parliament or by the Council within a period of two months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by two months at the initiative of the European Parliament or of the Council.

6. A delegated act adopted pursuant to Article 11(4) shall enter into force only if no objection has been expressed either by the European Parliament or by the Council within a period of three months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by three months at the initiative of the European Parliament or of the Council.


PROCEDURE – COMMITTEE ASKED FOR OPINION

Title

Resilience of critical entities

References

COM(2020)0829 – C9-0421/2020 – 2020/0365(COD)

Committee responsible

 Date announced in plenary

LIBE

11.2.2021

 

 

 

Opinion by

 Date announced in plenary

IMCO

11.2.2021

Associated committees - date announced in plenary

29.4.2021

Rapporteur for the opinion

 Date appointed

Alex Agius Saliba

18.2.2021

Discussed in committee

26.5.2021

22.6.2021

 

 

Date adopted

12.7.2021

 

 

 

Result of final vote

+:

–:

0:

41

1

3

Members present for the final vote

Alex Agius Saliba, Andrus Ansip, Pablo Arias Echeverría, Alessandra Basso, Brando Benifei, Adam Bielan, Hynek Blaško, Biljana Borzan, Vlad-Marius Botoş, Markus Buchheit, Andrea Caroppo, Anna Cavazzini, Dita Charanzová, Deirdre Clune, David Cormand, Carlo Fidanza, Evelyne Gebhardt, Alexandra Geese, Sandro Gozi, Maria Grapini, Svenja Hahn, Virginie Joron, Eugen Jurzyca, Marcel Kolaja, Kateřina Konečná, Andrey Kovatchev, Jean-Lin Lacapelle, Maria-Manuel Leitão-Marques, Morten Løkkegaard, Antonius Manders, Leszek Miller, Anne-Sophie Pelletier, Miroslav Radačovský, Christel Schaldemose, Andreas Schwab, Tomislav Sokol, Ivan Štefanec, Róża Thun und Hohenstein, Marco Zullo

Substitutes present for the final vote

Clara Aguilera, Maria da Graça Carvalho, Christian Doleschal, Claude Gruffat, Jiří Pospíšil, Kosma Złotowski

 

 



 

FINAL VOTE BY ROLL CALL IN COMMITTEE ASKED FOR OPINION

41

+

ECR

Adam Bielan, Carlo Fidanza, Kosma Złotowski

ID

Alessandra Basso, Hynek Blaško, Markus Buchheit, Virginie Joron, Jean-Lin Lacapelle

PPE

Pablo Arias Echeverría, Andrea Caroppo, Maria da Graça Carvalho, Deirdre Clune, Christian Doleschal, Andrey Kovatchev, Antonius Manders, Jiří Pospíšil, Andreas Schwab, Tomislav Sokol, Ivan Štefanec, Róża Thun und Hohenstein

Renew

Andrus Ansip, Vlad-Marius Botoş, Dita Charanzová, Sandro Gozi, Svenja Hahn, Morten Løkkegaard, Marco Zullo

S&D

Alex Agius Saliba, Clara Aguilera, Brando Benifei, Biljana Borzan, Evelyne Gebhardt, Maria Grapini, Maria-Manuel Leitão-Marques, Leszek Miller, Christel Schaldemose

Verts/ALE

Anna Cavazzini, David Cormand, Alexandra Geese, Claude Gruffat, Marcel Kolaja

 

1

-

ECR

Eugen Jurzyca

 

3

0

ID

Miroslav Radačovský

The Left

Kateřina Konečná, Anne-Sophie Pelletier

 

Key to symbols:

+ : in favour

- : against

0 : abstention

 

 


 


 

OPINION OF THE COMMITTEE ON FOREIGN AFFAIRS (28.9.2021)

for the Committee on Civil Liberties, Justice and Home Affairs

on the proposal for a directive of the European Parliament and of the Council on the resilience of critical entities

(COM(2020)0829 C9-0421/2020 2020/0365(COD))

Rapporteur for opinion: Lukas Mandl

 


 

AMENDMENTS

The Committee on Foreign Affairs calls on the Committee on Civil Liberties, Justice and Home Affairs, as the committee responsible, to take into account the following amendments:

Amendment  1

Proposal for a directive

Recital 1

 

Text proposed by the Commission

Amendment

(1) Council Directive 2008/114/EC17 provides for a procedure for designating European critical infrastructures in the energy and transport sectors, the disruption or destruction of which would have significant cross-border impact on at least two Member States. That Directive focused exclusively on the protection of such infrastructures. However, the evaluation of Directive 2008/114/EC conducted in 201918 found that due to the increasingly interconnected and cross-border nature of operations using critical infrastructure, protective measures relating to individual assets alone are insufficient to prevent all disruptions from taking place. Therefore, it is necessary to shift the approach towards ensuring the resilience of critical entities, that is, their ability to mitigate, absorb, accommodate to and recover from incidents that have the potential to disrupt the operations of the critical entity.

(1) Council Directive 2008/114/EC17 provides for a procedure for designating European critical infrastructures in the energy and transport sectors, the disruption or destruction of which would have significant cross-border impact on at least two Member States. That Directive focused exclusively on the protection of such infrastructures. However, the evaluation of Directive 2008/114/EC conducted in 201918 found that due to the increasingly interconnected and cross-border nature of operations using critical infrastructure, protective measures relating to individual assets alone are insufficient to prevent all disruptions from taking place. Therefore, it is necessary to shift the approach towards ensuring the resilience of critical entities, that is, their ability to mitigate, absorb, accommodate to and recover from incidents that have the potential to disrupt the operations of the critical entity, thereby endangering the democratic, social, and economic life in one or more Member States.

_________________

_________________

17 Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection (OJ L 345, 23.12.2008, p.75).

17 Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection (OJ L 345, 23.12.2008, p.75).

18 SWD(2019) 308.

18 SWD(2019) 308.

Amendment  2

 

Proposal for a directive

Recital 2

 

Text proposed by the Commission

Amendment

(2) Despite existing measures at Union19 and national level aimed at supporting the protection of critical infrastructures in the Union, the entities operating those infrastructures are not adequately equipped to address current and anticipated future risks to their operations that may result in disruptions of the provision of services that are essential for the performance of vital societal functions or economic activities. This is due to a dynamic threat landscape with an evolving terrorist threat and growing interdependencies between infrastructures and sectors, as well as an increased physical risk due to natural disasters and climate change, which increases the frequency and scale of extreme weather events and brings long-term changes in average climate that can reduce the capacity and efficiency of certain infrastructure types if resilience or climate adaptation measures are not in place. Moreover, relevant sectors and types of entities are not recognised consistently as critical in all Member States.

(2) Despite existing measures at Union19 and national level aimed at supporting the protection of critical infrastructures in the Union, the entities operating those infrastructures are not adequately equipped to address current potential and anticipated future risks to their operations that may result in disruptions of the provision of services that are essential for the performance of vital societal functions or economic activities. This is due to an increasingly challenging security environment, with multi-faceted threats the Union is facing in a highly multipolar world, including hybrid threats and emerging technologies, in particular artificial intelligence, with unreliable behaviour by certain global actors, a dynamic threat landscape with an evolving threat by hostile states and non-state actors and growing global interdependencies between infrastructures and sectors, as well as an increased physical risk due to natural disasters and climate change, which increases the frequency and scale of extreme weather events and brings long-term changes in average climate that can reduce the capacity and efficiency of certain infrastructure types if resilience or climate adaptation measures are not in place. Moreover, relevant sectors and types of entities are not recognised consistently as critical in all Member States.

__________________

__________________

19 European Programme for Critical Infrastructure Protection (EPCIP).

19 European Programme for Critical Infrastructure Protection (EPCIP).

Amendment  3

 

Proposal for a directive

Recital 3

 

Text proposed by the Commission

Amendment

(3) Those growing interdependencies are the result of an increasingly cross-border and interdependent network of service provision using key infrastructures across the Union in the sectors of energy, transport, banking, financial market infrastructure, digital infrastructure, drinking and waste water, health, certain aspects of public administration, as well as space in as far as the provision of certain services depending on ground-based infrastructures that are owned, managed and operated either by Member States or by private parties is concerned, therefore not covering infrastructures owned, managed or operated by or on behalf of the Union as part of its space programmes. These interdependencies mean that any disruption, even one initially confined to one entity or one sector, can have cascading effects more broadly, potentially resulting in far-reaching and long-lasting negative impacts in the delivery of services across the internal market. The COVID-19 pandemic has shown the vulnerability of our increasingly interdependent societies in the face of low-probability risks.

(3) Those growing interdependencies are the result of an increasingly cross-border and interdependent network of service provision using key infrastructures across the Union in the sectors of energy, transport, banking, financial market infrastructure, digital infrastructure, telecommunication services (including hardware, software, firmware and networks), drinking and waste water, health, certain aspects of public administration, as well as space in as far as the provision of certain services depending on ground-based infrastructures that are owned, managed and operated either by Member States or by private parties is concerned, therefore not covering infrastructures owned, managed or operated by or on behalf of the Union as part of its space programmes but which are also of relevance for the Common Security and Defence Policy. Infrastructure owned, managed or operated by or on behalf of the Union as part of its space programmes is particularly important for the security of the Union and its Member States and the proper functioning of the missions and operations of the Common Security and Defence Policy. Pursuant to Regulation (EU) 2021/696 of the European Parliament and of the Council1a, such infrastructure is to be adequately protected. These interdependencies mean that any disruption, even one initially confined to one entity or one sector, can have cascading effects more broadly, potentially resulting in far-reaching and long-lasting negative impacts in the delivery of services across the internal market and can put at risk the security and safety of Union citizens and the economic, social and democratic life and financial interests of the Union. The COVID-19 pandemic has shown the vulnerability of our increasingly interdependent societies in the face of low-probability - high impact risks and the crucial importance to secure our supply chain of, inter alia, raw materials, chemicals and pharmaceutical products that are essential to many critical infrastructure sectors.

 

__________________

 

1a Regulation (EU) 2021/696 of the European Parliament and of the Council of 28 April 2021 establishing the Union Space Programme and the European Union Agency for the Space Programme and repealing Regulations (EU) No 912/2010, (EU) No 1285/2013 and (EU) No 377/2014 and Decision No 541/2014/EU (OJ L 170, 12.5.2021, p. 69).

Amendment  4

Proposal for a directive

Recital 3 a (new)

 

Text proposed by the Commission

Amendment

 

(3a) The Union understands hybrid campaigns to be ‘multidimensional, combining coercive and subversive measures, using both conventional and unconventional tools and tactics, such as diplomatic, military, economic, and technological tools and tactics, to destabilise the adversary. Hybrid campaigns are designed to be difficult to detect or attribute, and can be used by state and non-state actors. The internet and online networks allow state and non-state actors to conduct aggressive action in new ways. They can be used to hack critical infrastructure, entities and democratic processes, launch persuasive disinformation and propaganda campaigns, steal information and unload sensitive data into the public domain. Large-scale cyber-attacks on critical entities and infrastructure across borders have the potential to invoke Article 222 TFEU.

Amendment  5

Proposal for a directive

Recital 3 b (new)

 

Text proposed by the Commission

Amendment

 

(3b) Large-scale cyber security incidents and crises at Union level, the high degree of interdependence between sectors and countries require a coordinated action to ensure a rapid and effective response, as well as better prevention and preparedness for similar situations in the future. The availability of cyber-resilient critical networks and entities, and information systems and the availability, confidentiality and integrity of data are vital for the security of the Union within as well as beyond its borders. Given the blurring of lines between the realms of civilian and military matters and the dual-use nature of cyber tools and technologies, there is a need for a comprehensive and holistic approach.

Amendment  6

Proposal for a directive

Recital 7

 

Text proposed by the Commission

Amendment

(7) Certain sectors of the economy such as energy and transport are already regulated or may be regulated in the future by sector-specific acts of Union law that contain rules related to certain aspects of resilience of entities operating in those sectors. In order to address in a comprehensive manner the resilience of those entities that are critical for the proper functioning of the internal market, those sector-specific measures should be complemented by the ones provided for in this Directive, which creates an overarching framework that addresses critical entities’ resilience in respect of all hazards, that is, natural and man-made, accidental and intentional.

(7) Certain sectors of the economy such as energy and transport are already regulated or may be regulated in the future by sector-specific acts of Union law that contain rules related to certain aspects of resilience of entities operating in those sectors. In order to address in a comprehensive manner the resilience of those entities that are critical for the proper functioning of the internal market and for the security and safety of Union citizens, those sector-specific measures should be complemented by the ones provided for in this Directive, which creates an overarching framework that addresses critical entities’ resilience in respect of all hazards, that is, natural and man-made, accidental and intentional and ensures collaboration with likeminded international organisations in maintaining resilience.

Amendment  7

Proposal for a directive

Recital 8

 

Text proposed by the Commission

Amendment

(8) Given the importance of cybersecurity for the resilience of critical entities and in the interest of consistency, a coherent approach between this Directive and Directive (EU) XX/YY of the European Parliament and of the Council20 [Proposed Directive on measures for a high common level of cybersecurity across the Union; (hereafter “NIS 2 Directive”)] is necessary wherever possible. In view of the higher frequency and particular characteristics of cyber risks, the NIS 2 Directive imposes comprehensive requirements on a large set of entities to ensure their cybersecurity. Given that cybersecurity is addressed sufficiently in the NIS 2 Directive, the matters covered by it should be excluded from the scope of this Directive, without prejudice to the particular regime for entities in the digital infrastructure sector.

(8) Given the importance of cybersecurity for the resilience of critical entities and in the interest of consistency, a coherent approach between this Directive and Directive (EU) XX/YY of the European Parliament and of the Council20 [Proposed Directive on measures for a high common level of cybersecurity across the Union; (hereafter “NIS 2 Directive”)] is necessary. In view of the higher frequency and particular characteristics of cyber risks and the growing number of cyber attacks and cyber enabled incidents led by hostile state and non state actors, the NIS 2 Directive imposes comprehensive requirements on a large set of entities to ensure their cybersecurity. Given that cybersecurity is addressed sufficiently in the NIS 2 Directive, the matters covered by it should apply coherently and consistently with this Directive, whenever possible and necessary.

_________________

_________________

20 [Reference to NIS 2 Directive, once adopted.]

20 [Reference to NIS 2 Directive, once adopted.]

Amendment  8

Proposal for a directive

Recital 8 a (new)

 

Text proposed by the Commission

Amendment

 

(8a) As climate change is leading to an increase in the frequency, intensity and complexity of natural disasters which can result in a disruption of essential services or the destruction of essential infrastructure with a significant cross-sectoral or transboundary effects, a coherent approach between this Directive and Decision No 1313/2013/EU of the European Parliament and the Council1a, as amended, is necessary especially on issues covering preparedness and response actions.

 

_________________

 

1a Decision No 1313/2013/EU of the European Parliament and of the Council of 17 December 2013 on a Union Civil Protection Mechanism (OJ L 347, 20.12.2013, p. 924).

Amendment  9

 

Proposal for a directive

Recital 11

 

Text proposed by the Commission

Amendment

(11) The actions of Member States to identify and help ensure the resilience of critical entities should follow a risk-based approach that targets efforts to the entities most relevant for the performance of vital societal functions or economic activities. In order to ensure such a targeted approach, each Member State should carry out, within a harmonised framework, an assessment of all relevant natural and man-made risks that may affect the provision of essential services, including accidents, natural disasters, public health emergencies such as pandemics, and antagonistic threats, including terrorist offences. When carrying out those risk assessments, Member States should take into account other general or sector-specific risk assessment carried out pursuant to other acts of Union law and should consider the dependencies between sectors, including from other Member States and third countries. The outcomes of the risk assessment should be used in the process of identification of critical entities and to assist those entities in meeting the resilience requirements of this Directive.

(11) The actions of Member States to identify and help ensure the resilience of critical entities should follow a risk-based approach that targets efforts to the entities most relevant for the performance of vital societal functions or economic activities. In order to ensure such a targeted approach, each Member State should carry out, within a harmonised framework, an assessment of all relevant natural and man-made risks that may affect the provision of essential services, including accidents, natural disasters, the negative consequences of climate change, public health emergencies such as pandemics, and antagonistic threats, including terrorist offences and hybrid threats such as foreign interferences and malicious disinformation campaigns, as well as CBRN threats. When carrying out those risk assessments, Member States should take into account other general or sector-specific risk assessment carried out pursuant to other acts of Union law, especially under Decision No1313/2013/EU of the European Parliament and the Council1a and should consider the dependencies between sectors, including from other Member States and third countries. Synergy with NATO in the area of civil preparedness can be important, notably with the NATO Civil Emergency Planning Committee, which outlined seven key resilience preparedness factors taken into account when measuring resilience. Furthermore, the threat analysis process within the framework of the CSDP should also be taken into account. The outcomes of the risk assessment should be used in the process of identification of critical entities and to assist those entities in meeting the resilience requirements of this Directive.

 

__________________

 

1a Decision No 1313/2013/EU of the European Parliament and of the Council of 17 December 2013 on a Union Civil Protection Mechanism (OJ L 347, 20.12.2013, p. 924).

Amendment  10

Proposal for a directive

Recital 12

 

Text proposed by the Commission

Amendment

(12) In order to ensure that all relevant entities are subject to those requirements and to reduce divergences in this respect, it is important to lay down harmonised rules allowing for a consistent identification of critical entities across the Union, while also allowing Member States to reflect national specificities. Therefore, criteria to identify critical entities should be laid down. In the interest of effectiveness, efficiency, consistency and legal certainty, appropriate rules should also be set on notification and cooperation relating to, as well as the legal consequences of, such identification. In order to enable the Commission to assess the correct application of this Directive, Member States should submit to the Commission, in a manner that is as detailed and specific as possible, relevant information and, in any event, the list of essential services, the number of critical entities identified for each sector and subsector referred to in the Annex and the essential service or services that each entity provides and any thresholds applied.

(12) In order to ensure that all relevant entities are subject to those requirements and to reduce divergences in this respect, it is important to lay down harmonised rules allowing for a consistent identification of critical entities across the Union, while also allowing Member States to reflect national specificities. Therefore, common criteria, based on minimum indicators and methodologies for each sector and sub-sector to identify critical entities should be laid down. In the interest of effectiveness, efficiency, consistency and legal certainty, appropriate rules should also be set on notification and cooperation relating to, as well as the legal consequences of, such identification. In order to enable the Commission to assess the correct application of this Directive, Member States should submit to the Commission, in a manner that is detailed, specific, comparable and standardized, relevant information and, in any event, the list of essential services, the number of critical entities identified for each sector and subsector referred to in the Annex and the essential service or services that each entity provides and any thresholds applied.

Amendment  11

Proposal for a directive

Recital 19

 

Text proposed by the Commission

Amendment

(19) Member States should support critical entities in strengthening their resilience, in compliance with their obligations under this Directive, without prejudice to the entities’ own legal responsibility to ensure such compliance. Member States could in particular develop guidance materials and methodologies, support the organisation of exercises to test their resilience and provide training to personnel of critical entities. Moreover, given the interdependencies between entities and sectors, Member States should establish information sharing tools to support voluntary information sharing between critical entities, without prejudice to the application of competition rules laid down in the Treaty on the Functioning of the European Union.

(19) Member States should support critical entities in strengthening their resilience, in compliance with their obligations under this Directive, without prejudice to the entities’ own legal responsibility to ensure such compliance. Member States could in particular develop guidance materials and methodologies, support the organisation of exercises, including cross-sectoral and cross-border exercises, where appropriate, to test their resilience and provide training to personnel of critical entities. Member States could also explore the possibility of increasing cooperation with international organisations such as the North Atlantic Treaty Organisation, the Organisation for Economic Cooperation and Development, the Organisation for Security and Co-operation in Europe and the United Nations. Moreover, given the interdependencies between entities and sectors, Member States should establish information sharing tools to support voluntary information sharing between critical entities, without prejudice to the application of competition rules laid down in the Treaty on the Functioning of the European Union.

Amendment  12

Proposal for a directive

Recital 20

 

Text proposed by the Commission

Amendment

(20) In order to be able to ensure their resilience, critical entities should have a comprehensive understanding of all relevant risks to which they are exposed and analyse those risks. To that aim, they should carry out risks assessments, whenever necessary in view of their particular circumstances and the evolution of those risks, yet in any event every four years. The risk assessments by critical entities should be based on the risk assessment carried out by Member States.

(20) In order to be able to ensure their resilience, critical entities should have a comprehensive understanding of all relevant risks to which they are exposed and analyse those risks. To that aim, they should carry out risks assessments, whenever necessary in view of their particular circumstances and the evolution of those risks, yet in any event every four years. The risk assessments by critical entities should be based on the risk assessment carried out by Member States, using a common methodology established for each sector covered.

Amendment  13

Proposal for a directive

Recital 24

 

Text proposed by the Commission

Amendment

(24) The risk of employees of critical entities misusing for instance their access rights within the entity’s organisation to harm and cause damage is of increasing concern. That risk is exacerbated by the growing phenomenon of radicalisation leading to violent extremism and terrorism. It is therefore necessary to enable critical entities to request background checks on persons falling within specific categories of its personnel and to ensure that those requests are assessed expeditiously by the relevant authorities, in accordance with the applicable rules of Union and national law, including on the protection of personal data.

(24) The risk of misuse of the access rights within the critical entity’s organisation to harm and cause damage is of increasing concern, especially in the context of growing foreign interference, malicious disinformation and radicalisation which could lead to violent extremism and terrorism. It is therefore necessary to enable critical entities to request background checks on persons falling within specific categories of its personnel, while fully respecting their fundamental rights, labour law and data protection and privacy, ruling out any discrimination of biased recruitment procedures, and to ensure that those requests are assessed expeditiously by the relevant authorities, in accordance with the applicable rules of Union and national law, including on the protection of personal data.

Amendment  14

Proposal for a directive

Recital 25

 

Text proposed by the Commission

Amendment

(25) Critical entities should notify, as soon as reasonably possible under the given circumstances, Member States’ competent authorities of incidents that significantly disrupt or have the potential to significantly disrupt their operations. The notification should allow the competent authorities to respond to the incidents rapidly and adequately and to have a comprehensive overview of the overall risks that critical entities face. For that purpose, a procedure should be established for the notification of certain incidents and parameters should be provided for to determine when the actual or potential disruption is significant and the incidents should thus be notified. Given the potential cross-border impacts of such disruptions, a procedure should be established for Member States to inform other affected Member States via single points of contacts.

(25) Critical entities should notify, as soon as reasonably possible under the given circumstances, Member States’ competent authorities of incidents that significantly disrupt or have the potential to significantly disrupt their operations. The notification should allow the competent authorities to respond to the incidents rapidly and adequately and to have a comprehensive overview of the overall risks that critical entities face. The notification should also trigger, where appropriate, an information to users or citizens potentially affected, with clear safety and security guidance. For that purpose, a procedure should be established for the notification of certain incidents and parameters should be provided for to determine when the actual or potential disruption is significant and the incidents should thus be notified. Given the potential cross-border impacts of such disruptions, a procedure should be established for Member States to inform other affected Member States via single points of contacts.

Amendment  15

 

Proposal for a directive

Recital 29

 

Text proposed by the Commission

Amendment

(29) In order to achieve the objectives of this Directive, and without prejudice to the legal responsibility of Member States and critical entities to ensure compliance with their respective obligations set out therein, the Commission should, where it considers it appropriate, undertake certain supporting activities aimed at facilitating compliance with those obligations. When providing support to Member States and critical entities in the implementation of obligations under this Directive, the Commission should build on existing structures and tools, such as those under the Union Civil Protection mechanism and the European Reference Network for Critical Infrastructure Protection.

(29) In order to achieve the objectives of this Directive, and without prejudice to the legal responsibility of Member States and critical entities to ensure compliance with their respective obligations set out therein, the Commission should, where it considers it appropriate, undertake certain supporting activities aimed at facilitating compliance with those obligations. Such activities should also include training courses on different aspects of the resilience of critical entities. Special focus of those courses should be dedicated, among other things, to emerging disruptive technologies. When providing support and training to Member States and critical entities in the implementation of obligations under this Directive, the Commission should build on existing structures and tools, such as those under the Union Civil Protection mechanism and the European Reference Network for Critical Infrastructure Protection, or the European Security and Defence College, which can contribute to the development of a common European security culture. The Commission and the Member States should also ensure that research opportunities in the field of critical entity resilience under Horizon Europe, and the European Defence Fund are fully exploited.

Amendment  16

Proposal for a directive

Article 1 – paragraph 1 – introductory part

 

Text proposed by the Commission

Amendment

1. This Directive:

1. This Directive lays down measures with a view to achieve a high level of resilience of critical entities in order to ensure the provision of essential services within the Union, and by doing so, ensuring the functioning of the internal market and the provisioning of essential social services.

 

To that end, this Directive:

Amendment  17

 

Proposal for a directive

Article 2 – paragraph 1 – point 3

 

Text proposed by the Commission

Amendment

(3) “incident” means any event having the potential to disrupt, or that disrupts, the operations of the critical entity;

(3) “incident” means any natural or man-made event which has the potential to jeopardize the safety and security, to disrupt the delivery of essential services or the destruction of essential infrastructure in one or more Member States as the results of failure to maintain the operations of that critical entity;

Amendment  18

 

Proposal for a directive

Article 2 – paragraph 1 – point 5

 

Text proposed by the Commission

Amendment

(5) “essential service” means a service which is essential for the maintenance of vital societal functions or economic activities;

(5) “essential service” means a service which is essential for the maintenance of vital societal or democratic functions or economic activities, public safety and the rule of law;

Amendment  19

Proposal for a directive

Article 3 – paragraph 2 – point a

 

Text proposed by the Commission

Amendment

(a) strategic objectives and priorities for the purposes of enhancing the overall resilience of critical entities taking into account cross-border and cross-sectoral interdependencies;

(a) strategic objectives and priorities for the purposes of enhancing the overall resilience of critical entities taking into account cross-border and cross-sectoral interdependencies, also in the event of a hybrid threat;

Amendment  20

Proposal for a directive

Article 3 – paragraph 2 a (new)

 

Text proposed by the Commission

Amendment

 

2a. Each Member State shall establish national procedures and arrangements between relevant national authorities and bodies to ensure that the Member State effectively participates in and supports the coordinated management of large-scale incidents that impact critical entities and crises at Union level, including responses to relevant requests under the solidarity and mutual defence clauses pursuant to Article 222 TFEU and Article 42(7) TEU, respectively.

Amendment  21

 

Proposal for a directive

Article 4 – paragraph 1 – subparagaph 1

 

Text proposed by the Commission

Amendment

Competent authorities designated pursuant to Article 8 shall establish a list of essential services in the sectors referred to in the Annex. They shall carry out by [three years after entry into force of this Directive], and subsequently where necessary, and at least every four years, an assessment of all relevant risks that may affect the provision of those essential services, with a view to identifying critical entities in accordance with Article 5(1), and assisting those critical entities to take measures pursuant to Article 11.

Competent authorities designated pursuant to Article 8 shall establish a list of essential services in the sectors referred to in the Annex. They shall carry out by [three years after entry into force of this Directive], and subsequently where necessary, and at least every four years, an assessment based on a common methodology and indicators, of all relevant risks that may affect the provision of those essential services, with a view to identifying critical entities in accordance with Article 5(1), and assisting those critical entities to take measures pursuant to Article 11.

Amendment  22

 

Proposal for a directive

Article 4 – paragraph 1 – subparagraph 2

 

Text proposed by the Commission

Amendment

The risk assessment shall account for all relevant natural and man-made risks, including accidents, natural disasters, public health emergencies, antagonistic threats, including terrorist offences pursuant to Directive (EU) 2017/541 of the European Parliament and of the Council34 .

The risk assessment shall account for all relevant natural and man-made risks, including accidents, natural disasters, public health emergencies, antagonistic threats, hybrid threats and large-scale incidents, terrorist offences involving conventional and non-conventional weapons such as CBRN agents pursuant to Directive (EU) 2017/541 of the European Parliament and of the Council34 .

 

Risk assessment should take into account inter alia maintaining the continuity of government, energy supply, population movement, water and food resources, emergency response, civil transportation and communications systems.

__________________

__________________

34 Directive (EU) 2017/541 of the European Parliament and of the Council of 15 March 2017 on combating terrorism and replacing Council Framework Decision 2002/475/JHA and amending Council Decision 2005/671/JHA (OJ L 88, 31.3.2017, p. 6).

34 Directive (EU) 2017/541 of the European Parliament and of the Council of 15 March 2017 on combating terrorism and replacing Council Framework Decision 2002/475/JHA and amending Council Decision 2005/671/JHA (OJ L 88, 31.3.2017, p. 6).

Amendment  23

Proposal for a directive

Article 5 – paragraph 1

 

Text proposed by the Commission

Amendment

1. By [three years and three months after entry into force of this Directive] Member States shall identify for each sector and subsector referred to in the Annex, other than points 3, 4 and 8 thereof, the critical entities.

1. By [three years and three months after entry into force of this Directive] Member States, based on common guidelines issued by the Commission, shall identify for each sector and subsector referred to in the Annex, other than points 3, 4 and 8 thereof, the critical entities.

Amendment  24

Proposal for a directive

Article 6 – paragraph 1 – point c

 

Text proposed by the Commission

Amendment

(c) the impacts that incidents could have, in terms of degree and duration, on economic and societal activities, the environment and public safety;

(c) the impacts that incidents could have, in terms of degree and duration, on economic and societal activities, the environment and public safety, the rule of law and fundamental rights;

Amendment  25

 

Proposal for a directive

Article 8 – paragraph 5

 

Text proposed by the Commission

Amendment

5. Member States shall ensure that their competent authorities, whenever appropriate, and in accordance with Union and national law, consult and cooperate with other relevant national authorities, in particular those in charge of civil protection, law enforcement and protection of personal data, as well as with relevant interested parties, including critical entities.

5. Member States shall ensure that their competent authorities, whenever appropriate, and in accordance with Union and national law, consult and cooperate with other relevant national authorities, in particular those in charge of civil protection law enforcement, security and defence and protection of personal data, as well as with relevant interested parties, including critical entities. At the same time, considering the fact that some critical entities might be private, Member States should find ways to allow a timely effective and thorough cooperation between those entities, private emergency operators potentially operating in those entities and certified by national bodies, and national authorities.

Amendment  26

 

Proposal for a directive

Article 9 – paragraph 1

 

Text proposed by the Commission

Amendment

1. Member States shall support critical entities in enhancing their resilience. That support may include developing guidance materials and methodologies, supporting the organisation of exercises to test their resilience and providing training to personnel of critical entities.

1. Member States and when necessary the Commission, shall support critical entities, including where appropriate and feasible financially, in enhancing their resilience. That support may include developing guidance materials and methodologies, supporting the organisation of exercises, including cross-sectoral and cross-border exercises, where appropriate, to test their resilience and providing awareness programs and training to personnel of national competent authorities and critical entities.

Amendment  27

Proposal for a directive

Article 11 – paragraph 1 – point a

 

Text proposed by the Commission

Amendment

(a) prevent incidents from occurring, including through disaster risk reduction and climate adaptation measures;

(a) prevent incidents from occurring, including through disaster risk reduction and climate adaptation measures and measures contributing to the fight against climate change;

Amendment  28

Proposal for a directive

Article 11 – paragraph 1 – point b

 

Text proposed by the Commission

Amendment

(b) ensure adequate physical protection of sensitive areas, facilities and other infrastructure, including fencing, barriers, perimeter monitoring tools and routines, as well as detection equipment and access controls;

(b) ensure adequate physical protection of sensitive areas, facilities and other infrastructure, including fencing, barriers, perimeter monitoring tools and routines, as well as detection equipment and access controls, while fully respecting data protection and privacy regulations and complying with sectoral and labour law;

Amendment  29

Proposal for a directive

Article 11 – paragraph 1 – point e

 

Text proposed by the Commission

Amendment

(e) ensure adequate employee security management, including by setting out categories of personnel exercising critical functions, establishing access rights to sensitive areas, facilities and other infrastructure, and to sensitive information as well as identifying specific categories of personnel in view of Article 12;

(e) ensure adequate staff security management, including by setting out categories of personnel exercising critical functions, establishing access rights to sensitive areas, facilities and other infrastructure, and to sensitive information as well as identifying specific categories of personnel in view of Article 12, while fully complying with sectoral and labour law;

Amendment  30

Proposal for a directive

Article 11 – paragraph 1 – point f

 

Text proposed by the Commission

Amendment

(f) raise awareness about the measures referred to in points (a) to (e) among relevant personnel.

(f) raise awareness about the measures referred to in points (a) to (e) among relevant personnel and include them through social dialogue into the definition, set up and follow up of those measures.

Amendment  31

Proposal for a directive

Article 12 – paragraph 1

 

Text proposed by the Commission

Amendment

1. Member States shall ensure that critical entities may submit requests for background checks on persons who fall within certain specific categories of their personnel, including persons being considered for recruitment to positions falling within those categories, and that those requests are assessed expeditiously by the authorities competent to carry out such background checks.

1. Member States shall ensure that critical entities may submit requests for proportionate background checks on persons who fall within certain specific categories of their personnel, including persons being considered for recruitment to positions falling within those categories, and that those requests are assessed expeditiously by the public authorities competent to carry out such background checks. Those checks shall be proportionate and strictly limited to what is necessary and relevant for the fulfilment of the duties of the concerned personnel, while fully respecting sectoral and labour law.

Amendment  32

Proposal for a directive

Article 13 – paragraph 2 – point a a (new)

 

Text proposed by the Commission

Amendment

 

(aa) the impact on human life and the environmental consequences;

Amendment  33

Proposal for a directive

Article 15 – paragraph 4 – subparagraph 1

 

Text proposed by the Commission

Amendment

Each advisory mission shall consist of experts from Member States and of Commission representatives. Member States may propose candidates to be part of an advisory mission. The Commission shall select and appoint the members of each advisory mission according to their professional capacity and ensuring a geographically balanced representation among Member States. The Commission shall bear the costs related to the participation in the advisory mission.

Each advisory mission shall consist of experts from Member States and of Commission representatives. Member States may propose candidates to be part of an advisory mission. The Commission shall select and appoint the members of each advisory mission according to their professional capacity, diverse background and ensuring a geographically and gender balanced representation among Member States. The Commission shall bear the costs related to the participation in the advisory mission.

Amendment  34

Proposal for a directive

Article 16 – paragraph 2 – subparagraph 1

 

Text proposed by the Commission

Amendment

The Critical Entities Resilience Group shall be composed of representatives of the Member States and the Commission. Where relevant for the performance of its tasks, the Critical Entities Resilience Group may invite representatives of interested parties to participate in its work.

The Critical Entities Resilience Group shall be composed of representatives of the Member States and the Commission. Where relevant for the performance of its tasks, the Critical Entities Resilience Group may invite representatives of interested parties to participate in its work, ensuring a diverse participation of stakeholders, and notably trade unions.

Amendment  35

Proposal for a directive

Article 16 – paragraph 7 a (new)

 

Text proposed by the Commission

Amendment

 

7a. The Critical Entities Resilience Group, in the spirit of security cooperation and open access, shall regularly publish its findings and appropriately anonymised source data for the general public for use in academia, security research and for other beneficial uses.

Amendment  36

Proposal for a directive

Article 17 – paragraph 2 a (new)

 

Text proposed by the Commission

Amendment

 

2a. In order to receive and properly use the information received according to article 13 the Commission shall keep a European registry of incidents and develop a common European reporting centre, with the aim of developing and sharing best practices and methodologies.

Amendment  37

 

Proposal for a directive

Article 17 – paragraph 2 b (new)

 

Text proposed by the Commission

Amendment

 

2b. The Commission shall increase the cooperation with relevant international fora and like-minded third countries especially Western Balkan and Neighbourhood countries, inter alia under the European Programme for Critical Infrastructure Protection and potential successor programmes and through common training activities and exercises as well as the sharing of best practices.

Amendment  38

Proposal for a directive

Annex – Sector 9 – Title

 

Text proposed by the Commission

Amendment

9. Public administration

9. Public administration and democratic institutions

Amendment  39

Proposal for a directive

Annex – Sector 9 – Type of entity – 3 a (new)

 

Text proposed by the Commission

Amendment

 

— Central, regional and local governments and assemblies

 

 


PROCEDURE – COMMITTEE ASKED FOR OPINION

Title

Resilience of critical entities

References

COM(2020)0829 – C9-0421/2020 – 2020/0365(COD)

Committee responsible

 Date announced in plenary

LIBE

11.2.2021

 

 

 

Opinion by

 Date announced in plenary

AFET

11.3.2021

Rapporteur for the opinion

 Date appointed

Lukas Mandl

22.2.2021

Discussed in committee

16.6.2021

12.7.2021

 

 

Date adopted

27.9.2021

 

 

 

Result of final vote

+:

–:

0:

58

8

0

Members present for the final vote

Alviina Alametsä, Alexander Alexandrov Yordanov, Maria Arena, Petras Auštrevičius, Traian Băsescu, Anna Bonfrisco, Fabio Massimo Castaldo, Susanna Ceccardi, Włodzimierz Cimoszewicz, Katalin Cseh, Tanja Fajon, Anna Fotyga, Michael Gahler, Kinga Gál, Sunčana Glavak, Raphaël Glucksmann, Klemen Grošelj, Bernard Guetta, Sandra Kalniete, Maximilian Krah, Andrius Kubilius, David Lega, Miriam Lexmann, Nathalie Loiseau, Antonio López-Istúriz White, Claudiu Manda, Lukas Mandl, Thierry Mariani, David McAllister, Vangelis Meimarakis, Sven Mikser, Francisco José Millán Mon, Javier Nart, Urmas Paet, Demetris Papadakis, Kostas Papadakis, Tonino Picula, Manu Pineda, Thijs Reuten, Jérôme Rivière, María Soraya Rodríguez Ramos, Nacho Sánchez Amor, Isabel Santos, Jacek Saryusz-Wolski, Andreas Schieder, Radosław Sikorski, Jordi Solé, Sergei Stanishev, Tineke Strik, Hermann Tertsch, Hilde Vautmans, Idoia Villanueva Ruiz, Viola Von Cramon-Taubadel, Thomas Waitz, Isabel Wiseler-Lima, Salima Yenbou, Željana Zovko

Substitutes present for the final vote

Vladimír Bilčík, Ioan-Rareş Bogdan, Özlem Demirel, Angel Dzhambazki, Markéta Gregorová, Evin Incir, Assita Kanko, Pierfrancesco Majorino, Mick Wallace

 


FINAL VOTE BY ROLL CALL IN COMMITTEE ASKED FOR OPINION

58

+

ECR

Angel Dzhambazki, Anna Fotyga, Assita Kanko, Jacek Saryusz-Wolski, Hermann Tertsch

ID

Anna Bonfrisco, Susanna Ceccardi

NI

Fabio Massimo Castaldo, Kinga Gál

PPE

Alexander Alexandrov Yordanov, Traian Băsescu, Vladimír Bilčík, Ioan-Rareş Bogdan, Michael Gahler, Sunčana Glavak, Sandra Kalniete, Andrius Kubilius, David Lega, Miriam Lexmann, Antonio López-Istúriz White, David McAllister, Lukas Mandl, Vangelis Meimarakis, Francisco José Millán Mon, Radosław Sikorski, Isabel Wiseler-Lima, Željana Zovko

Renew

Petras Auštrevičius, Katalin Cseh, Klemen Grošelj, Bernard Guetta, Nathalie Loiseau, Javier Nart, Urmas Paet, María Soraya Rodríguez Ramos, Hilde Vautmans

S&D

Maria Arena, Włodzimierz Cimoszewicz, Tanja Fajon, Raphaël Glucksmann, Evin Incir, Pierfrancesco Majorino, Claudiu Manda, Sven Mikser, Demetris Papadakis, Tonino Picula, Thijs Reuten, Nacho Sánchez Amor, Isabel Santos, Andreas Schieder, Sergei Stanishev

Verts/ALE

Alviina Alametsä, Markéta Gregorová, Jordi Solé, Tineke Strik, Viola Von Cramon-Taubadel, Thomas Waitz, Salima Yenbou

 

8

-

ID

Maximilian Krah, Thierry Mariani, Jérôme Rivière

NI

Kostas Papadakis

The Left

Özlem Demirel, Manu Pineda, Idoia Villanueva Ruiz, Mick Wallace

 

0

0

 

 

 

Key to symbols:

+ : in favour

- : against

0 : abstention

 

 


 

 

OPINION OF THE COMMITTEE ON TRANSPORT AND TOURISM (12.7.2021)

for the Committee on Civil Liberties, Justice and Home Affairs

on the proposal for a directive of the European Parliament and of the Council on the resilience of critical entities

(COM(2020)0829 – C9‑0421/2020 – 2020/0365(COD))

Rapporteur for opinion: Angel Dzhambazki

 

SHORT JUSTIFICATION

The changing nature of the threat landscape requires better protection and more investment in the EU’s resilience capacities to reduce vulnerabilities, including for the critical infrastructures that are essential for the functioning of our societies and economy.

 

The proposal for a Directive on the resilience of critical entities (RCE Directive) expands both the scope and depth of the 2008 European Critical Infrastructure (ECI) Directive. It covers ten sectors, namely energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, public administration and space. Noteworthy provisions include to obligation for Member States to have a strategy for ensuring the resilience of critical entities, carry out a national risk assessment and, on this basis, identify critical entities. Critical entities would be required to carry out risk assessments of their own, take appropriate technical and organisational measures in order to boost resilience and report disruptive incidents to national authorities. Furthermore, critical entities providing services to or in at least one-third of Member States would be subject to specific oversight, including advisory missions organised by the Commission.

 

The rapporteur welcomes this proposal, as Transport is a corner stone sector in the ECI directive. It is also the lifeline of our economies and the last year marked by the spread of the Chinese coronavirus has unequivocally been a proof. Rapid action on resilience of critical infrastructure and supply chains were vital to the mitigation of the negative effects of the pandemic on our societies. The proposal for a Directive on the resilience of critical entities gives us the chance to comprehensively assess the condition of critical infrastructure and emergency procedures across all crucial sectors. Given the growing cross-sectoral interdependencies across borders as well as the introduction of smart technologies and rapid digitisation, this appraisal process will be of utmost importance. However, this could also lead to the emergence of novel threats which raises the need for building a resilient and future-proof RCE Directive. While the Rapporteur believes that the principle of subsidiarity and a decision-making process close to European citizens' needs are important, it is equally important to ensure mutual reliance on the projects, processes and infrastructure of common interest.


AMENDMENTS

The Committee on Transport and Tourism calls on the Committee on Civil Liberties, Justice and Home Affairs, as the committee responsible, to take into account the following amendments:

Amendment  1

 

Proposal for a directive

Recital 1

 

Text proposed by the Commission

Amendment

(1) Council Directive 2008/114/EC17 provides for a procedure for designating European critical infrastructures in the energy and transport sectors, the disruption or destruction of which would have significant cross-border impact on at least two Member States. That Directive focused exclusively on the protection of such infrastructures. However, the evaluation of Directive 2008/114/EC conducted in 201918 found that due to the increasingly interconnected and cross-border nature of operations using critical infrastructure, protective measures relating to individual assets alone are insufficient to prevent all disruptions from taking place. Therefore, it is necessary to shift the approach towards ensuring the resilience of critical entities, that is, their ability to mitigate, absorb, accommodate to and recover from incidents that have the potential to disrupt the operations of the critical entity.

(1) Council Directive 2008/114/EC17 provides for a procedure for designating European critical infrastructures in the energy and transport sectors, the disruption or destruction of which would have significant cross-border impact on at least two Member States. That Directive focused exclusively on the protection of such infrastructures. However, the evaluation of Directive 2008/114/EC conducted in 201918 found that due to the increasingly interconnected and cross-border nature of operations using critical infrastructure such as rail, air traffic management or ports and terminals, protective measures relating to individual assets alone are insufficient to prevent all disruptions from taking place. Therefore, it is necessary to shift the approach towards ensuring the resilience of critical entities, that is, their ability to mitigate, absorb, accommodate to and recover from incidents that have the potential to disrupt the operations of the critical entity and the functioning of the internal market.

__________________

__________________

17 Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection (OJ L 345, 23.12.2008, p.75).

17 Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection (OJ L 345, 23.12.2008, p.75).

18 SWD(2019) 308.

18 SWD(2019) 308.

Amendment  2

 

Proposal for a directive

Recital 2

 

Text proposed by the Commission

Amendment

(2) Despite existing measures at Union19 and national level aimed at supporting the protection of critical infrastructures in the Union, the entities operating those infrastructures are not adequately equipped to address current and anticipated future risks to their operations that may result in disruptions of the provision of services that are essential for the performance of vital societal functions or economic activities. This is due to a dynamic threat landscape with an evolving terrorist threat and growing interdependencies between infrastructures and sectors, as well as an increased physical risk due to natural disasters and climate change, which increases the frequency and scale of extreme weather events and brings long-term changes in average climate that can reduce the capacity and efficiency of certain infrastructure types if resilience or climate adaptation measures are not in place. Moreover, relevant sectors and types of entities are not recognised consistently as critical in all Member States.

(2) Despite existing measures at Union19 and national level aimed at supporting the protection of critical infrastructures in the Union, the entities operating those infrastructures are not adequately equipped to address current and anticipated future risks to their operations that may result in disruptions of the provision of services that are essential for the performance of vital societal functions or economic activities, as well as the free movement and safety of citizens. This is due to a dynamic threat landscape with evolving manmade threats such as terrorism, criminal infiltration, foreign interference and cyberattacks and growing interdependencies between infrastructures and sectors, as well as an increased physical risk due to natural disasters and climate change, which increases the frequency and scale of extreme weather events and brings long-term changes in average climate that can reduce the capacity, efficiency and lifespan of certain infrastructure types if resilience or climate adaptation measures are not in place. Moreover, relevant sectors and types of entities are not recognised consistently as critical in all Member States, which necessitates a higher level of coordination and a more integrated approach in the protection of important cross-border and horizontal critical infrastructures such as those in the transport and energy sectors.

__________________

__________________

19 European Programme for Critical Infrastructure Protection (EPCIP).

19 European Programme for Critical Infrastructure Protection (EPCIP).

Amendment  3

 

Proposal for a directive

Recital 2 a (new)

 

Text proposed by the Commission

Amendment

 

(2a)  The growing problem of criminal infiltration in critical transport infrastructure, in particular logistic nodes such as ports and airports, is undermining the operations of critical entities in that sector and, therefore, the effective provision of essential services throughout the Union.

Amendment  4

 

Proposal for a directive

Recital 2 b (new)

 

Text proposed by the Commission

Amendment

 

(2b)  Increasing threats to the Union's critical infrastructure and economic safety arise from foreign interference, by both state and non-state actors, due to the growing influence of non-European entities, or the control they have, over critical transport infrastructure, such as rail connections, ports or airports, which has come about as a result of their acquisition of or substantial investments in strategic companies and the transfer of strategic knowledge.

Amendment  5

 

Proposal for a directive

Recital 2 c (new)

 

Text proposed by the Commission

Amendment

 

(2c)  The transport sector encompasses critical entities in the subsectors of road, rail, air, inland waterways, and maritime transport, including ports and terminals.

Amendment  6

 

Proposal for a directive

Recital 2 d (new)

 

Text proposed by the Commission

Amendment

 

(2d)  Certain critical infrastructures have a pan-European dimension, such as the European Organisation for the Safety of Air Navigation, Eurocontrol, and the European Union’s Global Satellite Navigation System, Galileo.

Amendment  7

 

Proposal for a directive

Recital 3

 

Text proposed by the Commission

Amendment

(3) Those growing interdependencies are the result of an increasingly cross-border and interdependent network of service provision using key infrastructures across the Union in the sectors of energy, transport, banking, financial market infrastructure, digital infrastructure, drinking and waste water, health, certain aspects of public administration, as well as space in as far as the provision of certain services depending on ground-based infrastructures that are owned, managed and operated either by Member States or by private parties is concerned, therefore not covering infrastructures owned, managed or operated by or on behalf of the Union as part of its space programmes. These interdependencies mean that any disruption, even one initially confined to one entity or one sector, can have cascading effects more broadly, potentially resulting in far-reaching and long-lasting negative impacts in the delivery of services across the internal market. The COVID-19 pandemic has shown the vulnerability of our increasingly interdependent societies in the face of low-probability risks.

(3) Those growing interdependencies are the result of an increasingly cross-border and interdependent network of service provision using key infrastructures across the Union in the sectors of energy, transport, banking, financial market infrastructure, digital infrastructure, drinking and waste water, health, certain aspects of public administration, as well as space in as far as the provision of certain services depending on ground-based infrastructures that are owned, managed and operated either by Member States or by private parties is concerned, therefore not covering infrastructures owned, managed or operated by or on behalf of the Union as part of its space programmes. These interdependencies mean that any disruption, even one initially confined to one entity or one sector, can have cascading effects more broadly, potentially resulting in far-reaching and long-lasting negative impacts in the delivery of services across the internal market. The COVID-19 pandemic has shown the vulnerability of our increasingly interdependent societies, particularly the transport and tourism sectors, in the face of low-probability risks and has demonstrated the importance of strategic sectors, such as the transport sector, through the implementation of green lanes, which has provided secure supply chains for healthcare and emergency services and ensured an essential food supply and the supply of medical and pharmaceutical products, underlining the need to ensure the resilience of critical transport infrastructure across the Union.

Amendment  8

 

Proposal for a directive

Recital 4

 

Text proposed by the Commission

Amendment

(4) The entities involved in the provision of essential services are increasingly subject to diverging requirements imposed under the laws of the Member States. The fact that some Member States have less stringent security requirements on these entities not only risks impacting negatively on the maintenance of vital societal functions or economic activities across the Union, it also leads to obstacles to the proper functioning of the internal market. Similar types of entities are considered as critical in some Member States but not in others, and those which are identified as critical are subject to divergent requirements in different Member States. This results in additional and unnecessary administrative burdens for companies operating across borders, notably for companies active in Member States with more stringent requirements.

(4) The entities involved in the provision of essential services are increasingly subject to diverging requirements imposed under the laws of the Member States. The fact that some Member States have less stringent security requirements on these entities not only risks impacting negatively on the maintenance of vital societal functions or economic activities across the Union, it also leads to obstacles to the proper functioning of the internal market and in some cases even poses a threat to Union citizens. The resilience of critical entities gives investors and companies reliability and trust, which are cornerstones to a well-functioning internal market. Similar types of entities are considered as critical in some Member States but not in others, and those which are identified as critical are subject to divergent requirements in different Member States. This results in additional and unnecessary administrative burdens for companies operating across borders, notably for companies active in Member States with more stringent requirements.

Amendment  9

 

Proposal for a directive

Recital 5

 

Text proposed by the Commission

Amendment

(5) It is therefore necessary to lay down harmonised minimum rules to ensure the provision of essential services in the internal market and enhance the resilience of critical entities.

(5) It is therefore necessary to lay down a harmonised minimum set of rules to ensure the provision of essential services in the internal market and enhance the resilience of critical entities, which would prevent divergences between Member States. Such an approach would facilitate the deployment of common specifications and methodologies for future risk assessments that include minimum common indicators for each sector and for both public and private entities. In that regard, the future framework should also take into account innovation and new smart technologies, such as digitalisation, automation, data management, cooperative intelligent transport systems, connected and automated mobility and artificial intelligence, particularly in sectors such as the transport sector, which is currently undergoing a comprehensive transformation. In the context of the Trans-European Network (TEN-T), more resilient infrastructure will require improved management schemes that include an integrated vision that is able to identify threats in the design and operational phases (prevention, monitoring, maintenance), while minimising any impact during emergency events and ensuring a prompt social and economic recovery. Special focus should also be given to cross-border links.

Amendment  10

 

Proposal for a directive

Recital 6

 

Text proposed by the Commission

Amendment

(6) In order to achieve that objective, Member States should identify critical entities that should be subject to specific requirements and oversight, but also particular support and guidance aimed at achieving a high level of resilience in the face of all relevant risks.

(6) In order to achieve that objective, Member States should identify critical entities that should be subject to specific requirements and oversight, but also particular support, protection and guidance, including to SMEs, and awareness raising aimed at achieving a high level of resilience in the face of all relevant risks..

Amendment  11

 

Proposal for a directive

Recital 8 a (new)

 

Text proposed by the Commission

Amendment

 

(8a) The swift technological development in and digitalisation of the transport sector, via the growing use of smart mobility systems such as cooperative intelligent transport systems, connected and automated mobility and mobility as a service, underlines the interconnectedness between the physical and digital world in that sector and calls for an effective approach to allow for resilient digital transport infrastructure in Europe.

Amendment  12

 

Proposal for a directive

Recital 10

 

Text proposed by the Commission

Amendment

(10) In view of ensuring a comprehensive approach to the resilience of critical entities, each Member State should have a strategy setting out objectives and policy measures to be implemented. To achieve this, Member States should ensure that their cybersecurity strategies provide for a policy framework for enhanced coordination between the competent authority under this Directive and the NIS 2 Directive in the context of information sharing on incidents and cyber threats and the exercise of supervisory tasks.

(10) In view of ensuring a comprehensive approach to the resilience of critical entities, each Member State should have a strategy setting out objectives and policy measures to be implemented. To achieve this, and taking account of the hybrid nature of many threats, Member States should ensure that their strategies provide for a policy framework for enhanced coordination between the competent authority under this Directive and the NIS 2 Directive in the context of information sharing on incidents and cyber and non-cyber threats and the exercise of supervisory tasks.

Amendment  13

 

Proposal for a directive

Recital 11

 

Text proposed by the Commission

Amendment

(11) The actions of Member States to identify and help ensure the resilience of critical entities should follow a risk-based approach that targets efforts to the entities most relevant for the performance of vital societal functions or economic activities. In order to ensure such a targeted approach, each Member State should carry out, within a harmonised framework, an assessment of all relevant natural and man-made risks that may affect the provision of essential services, including accidents, natural disasters, public health emergencies such as pandemics, and antagonistic threats, including terrorist offences. When carrying out those risk assessments, Member States should take into account other general or sector-specific risk assessment carried out pursuant to other acts of Union law and should consider the dependencies between sectors, including from other Member States and third countries. The outcomes of the risk assessment should be used in the process of identification of critical entities and to assist those entities in meeting the resilience requirements of this Directive.

(11) The actions of Member States to identify and help ensure the resilience of critical entities should follow a risk-based approach that targets efforts to the entities most relevant for the performance of vital societal functions or economic activities, for example multi-modal hubs for transport, such as ports, rail infrastructure or air traffic management. In order to ensure such a targeted approach, each Member State should carry out, within a harmonised framework, an assessment of all relevant natural and man-made risks that may affect the provision of essential services, including accidents, natural disasters, climate change, public health emergencies such as pandemics, criminal infiltration, and antagonistic threats, including foreign interference and terrorist offences. Such assessments should be based on and regularly updated with the latest scientific knowledge on evolving threats in order to ensure timely adaption to an evolving threat landscape. When carrying out those risk assessments, Member States should take into account other general or sector-specific risk assessment carried out pursuant to other acts of Union law and should consider the dependencies between sectors, including from other Member States and third countries. The outcomes of the risk assessment should be used in the process of identification of critical entities and to assist those entities in meeting the resilience requirements of this Directive.

Amendment  14

 

Proposal for a directive

Recital 13 a (new)

 

Text proposed by the Commission

Amendment

 

(13a)  In order to fully ensure that an adequate approach is being taken to reduce vulnerabilities and increase the resilience of Member States in view of the threats to critical entities, it is important to preserve the resilience, where applicable, of local and regional communities to the potential consequences of a significant disruption to critical entities.

Amendment  15

Proposal for a directive

Recital 13 b (new)

 

Text proposed by the Commission

Amendment

 

(13b) In accordance with applicable Union and national law, including Regulation (EU) 2019/452 of the European Parliament and of the Council1a, which establishes a framework for the screening of foreign direct investments into the Union, the potential threat posed by foreign ownership of critical infrastructures within the Union is to be acknowledged because services, the economy and the free movement and safety of Union citizens depend on the proper functioning of critical infrastructure. Member States and the Commission should be vigilant with regard to financial investments that foreign countries make in the operation of critical entities within the Union and the consequences that such investments could have on the ability to prevent significant disruptions.

 

_________________

 

1a Regulation (EU) 2019/452 of the European Parliament and of the Council of 19 March 2019 establishing a framework for the screening of foreign direct investments into the Union (OJ L 79I, 21.3.2019, p. 1).

Amendment  16

 

Proposal for a directive

Recital 19

 

Text proposed by the Commission

Amendment

(19) Member States should support critical entities in strengthening their resilience, in compliance with their obligations under this Directive, without prejudice to the entities’ own legal responsibility to ensure such compliance. Member States could in particular develop guidance materials and methodologies, support the organisation of exercises to test their resilience and provide training to personnel of critical entities. Moreover, given the interdependencies between entities and sectors, Member States should establish information sharing tools to support voluntary information sharing between critical entities, without prejudice to the application of competition rules laid down in the Treaty on the Functioning of the European Union.

(19) Member States should support critical entities in strengthening their resilience, in compliance with their obligations under this Directive, without prejudice to the entities’ own legal responsibility to ensure such compliance. Member States could in particular develop guidance materials and methodologies, raise awareness, support the organisation of exercises to test their resilience and provide training to personnel of critical entities. Moreover, given the interdependencies between entities and sectors, Member States should establish information sharing tools to support voluntary information sharing between critical entities, without prejudice to the application of competition rules laid down in the Treaty on the Functioning of the European Union. Such training and tools should facilitate the implementation of this Directive, in particular in relation to rapidly evolving risks such as those related to cyber security and climate change. Such training and tools should be extended to other involved stakeholders where necessary.

Amendment  17

 

Proposal for a directive

Recital 19 a (new)

 

Text proposed by the Commission

Amendment

 

(19a)   In their implementation of this Directive, Member States should take all the necessary actions to prevent any excessive administrative burdens, particularly on SMEs, and avoid duplications or unnecessary obligations. Member States should assist with and facilitate the provision of adequate support to SMEs, when requested, by taking the technical and organisational measures required under this Directive.

Amendment  18

 

Proposal for a directive

Recital 20

 

Text proposed by the Commission

Amendment

(20) In order to be able to ensure their resilience, critical entities should have a comprehensive understanding of all relevant risks to which they are exposed and analyse those risks. To that aim, they should carry out risks assessments, whenever necessary in view of their particular circumstances and the evolution of those risks, yet in any event every four years. The risk assessments by critical entities should be based on the risk assessment carried out by Member States.

(20) In order to be able to ensure their resilience, critical entities should have a comprehensive understanding of all relevant risks to which they are exposed and analyse those risks and establish measures to combat them. To that aim, they should carry out risks assessments, whenever necessary in view of their particular circumstances and the evolution of those risks, yet in any event every four years. The risk assessments by critical entities should be based on the risk assessment carried out by Member States. They should also be based on common specifications and methodologies for each sector. In order to avoid divergences between Member States, they should include minimum indicators. They should also include contingency protocols. Further harmonisation of security and safety standards and certification requirements is urgently necessary for critical infrastructure sectors and, in addition, for safe parking areas and rest areas, where divergent interpretations persist.

Amendment  19

 

Proposal for a directive

Recital 23

 

Text proposed by the Commission

Amendment

(23) Regulation (EC) No 300/2008 of the European Parliament and of the Council28 , Regulation (EC) No 725/2004 of the European Parliament and of the Council29 and Directive 2005/65/EC of the European Parliament and of the Council30 establish requirements applicable to entities in the aviation and maritime transport sectors to prevent incidents caused by unlawful acts and to resist and mitigate the consequences of such incidents. While the measures required in this Directive are broader in terms of risks addressed and types of measures to be taken, critical entities in those sectors should reflect in their resilience plan or equivalent documents the measures taken pursuant to those other Union acts. Moreover, when implementing resilience measures under this Directive, critical entities may consider referring to non-binding guidelines and good practices documents developed under sectorial workstreams, such as the EU Rail Passenger Security Platform31 .

(23) Regulation (EC) No 300/2008 of the European Parliament and of the Council28 , Regulation (EC) No 725/2004 of the European Parliament and of the Council29 and Directive 2005/65/EC of the European Parliament and of the Council30 establish requirements applicable to entities in the aviation and maritime transport sectors to prevent incidents caused by unlawful acts and to resist and mitigate the consequences of such incidents. While the measures required in this Directive are broader in terms of risks addressed and types of measures to be taken, critical entities in those sectors should reflect in their resilience plan or equivalent documents the measures taken pursuant to those other Union acts. Moreover, critical entities should also take into consideration Directive 2008/96/EC of the European Parliament and of the Council30a, which introduces a network-wide road assessment to map the risks of accidents and a targeted road safety inspection to identify hazardous conditions, defects and problems that increase the risk of accidents and injuries, based on a site visit of an existing road or section of road. Ensuring the protection and resilience of critical entities is of the utmost importance for the railway sector and, when implementing resilience measures under this Directive, critical entities are encouraged to refer to non-binding guidelines and good practices documents developed under sectorial workstreams, such as the EU Rail Passenger Security Platform31

__________________

__________________

28 Regulation (EC) No 300/2008 of the European Parliament and of the Council of 11 March 2008 on common rules in the field of civil aviation security and repealing Regulation (EC) No 2320/2002 (OJ L 97/72, 9.4.2008, p. 72).

28 Regulation (EC) No 300/2008 of the European Parliament and of the Council of 11 March 2008 on common rules in the field of civil aviation security and repealing Regulation (EC) No 2320/2002 (OJ L 97/72, 9.4.2008, p. 72).

29 Regulation (EC) No 725/2004 of the European Parliament and of the Council of 31 March 2004 on enhancing ship and port facility security (OJ L 129, 29.4.2004, p. 6.).

29 Regulation (EC) No 725/2004 of the European Parliament and of the Council of 31 March 2004 on enhancing ship and port facility security (OJ L 129, 29.4.2004, p. 6.).

30 Directive 2005/65/EC of the European Parliament and of the Council of 26 October 2005 on enhancing port security (OJ L 310, 25.11.2005, p. 28).

30 Directive 2005/65/EC of the European Parliament and of the Council of 26 October 2005 on enhancing port security (OJ L 310, 25.11.2005, p. 28).

 

30a Directive 2008/96/EC of the European Parliament and of the Council of 19 November 2008 on road infrastructure safety management (OJ L 319, 29.11.2008, p. 59).

31 Commission Decision of 29 June 2018 setting up the EU Rail Passenger Security Platform C/2018/4014.

31 Commission Decision of 29 June 2018 setting up the EU Rail Passenger Security Platform C/2018/4014.

Amendment  20

 

Proposal for a directive

Recital 24

 

Text proposed by the Commission

Amendment

(24) The risk of employees of critical entities misusing for instance their access rights within the entity’s organisation to harm and cause damage is of increasing concern. That risk is exacerbated by the growing phenomenon of radicalisation leading to violent extremism and terrorism. It is therefore necessary to enable critical entities to request background checks on persons falling within specific categories of its personnel and to ensure that those requests are assessed expeditiously by the relevant authorities, in accordance with the applicable rules of Union and national law, including on the protection of personal data.

(24) The risk of employees of critical entities misusing for instance their access rights within the entity’s organisation to harm and cause damage is of increasing concern. This is particularly the case for critical entities in the transport sector, such as logistic hubs like ports and airports, where there is, in some cases, a substantial and growing problem of criminal infiltration. That risk is exacerbated by the growing phenomenon of radicalisation leading to violent extremism and terrorism. It is therefore necessary to enable critical entities to request background checks on persons falling within specific categories of its personnel and to ensure that those requests are assessed expeditiously by the relevant authorities, in accordance with the applicable rules of Union and national law, including on the protection of personal data.

Amendment  21

 

Proposal for a directive

Recital 25

 

Text proposed by the Commission

Amendment

(25) Critical entities should notify, as soon as reasonably possible under the given circumstances, Member States’ competent authorities of incidents that significantly disrupt or have the potential to significantly disrupt their operations. The notification should allow the competent authorities to respond to the incidents rapidly and adequately and to have a comprehensive overview of the overall risks that critical entities face. For that purpose, a procedure should be established for the notification of certain incidents and parameters should be provided for to determine when the actual or potential disruption is significant and the incidents should thus be notified. Given the potential cross-border impacts of such disruptions, a procedure should be established for Member States to inform other affected Member States via single points of contacts.

(25) Critical entities should notify, as soon as reasonably possible under the given circumstances, Member States’ competent authorities, as well as other entities on a voluntary basis, of incidents that significantly disrupt or have the potential to significantly disrupt their operations. The notification should allow the competent authorities to respond to the incidents rapidly and adequately and to have a comprehensive overview of the overall risks that critical entities face. For that purpose, a procedure should be established for the notification of certain incidents and parameters should be provided for to determine when the actual or potential disruption is significant and the incidents should thus be notified. Given the potential cross-border impacts of such disruptions, a procedure should be established for Member States to inform other affected Member States via single points of contacts.

Amendment  22

 

Proposal for a directive

Article 1 – paragraph -1 (new)

 

Text proposed by the Commission

Amendment

 

-1. This Directive lays down measures with a view to achieving a high level of resilience of critical entities in order to ensure the provision of essential services within the Union and improve the functioning of the internal market.

Amendment  23

 

Proposal for a directive

Article 1 – paragraph 1 – introductory part

 

Text proposed by the Commission

Amendment

1. This Directive:

1. To that end, this Directive:

Amendment  24

Proposal for a directive

Article 3 – paragraph 2 – point a

 

Text proposed by the Commission

Amendment

(a) strategic objectives and priorities for the purposes of enhancing the overall resilience of critical entities taking into account cross-border and cross-sectoral interdependencies;

(a) strategic objectives and priorities for the purposes of enhancing the overall resilience of critical entities taking into account cross-border and cross-sectoral interdependencies and the need for the exchange of information between entities;

Amendment  25

Proposal for a directive

Article 3 – paragraph 2 – point c

 

Text proposed by the Commission

Amendment

(c) a description of measures necessary to enhance the overall resilience of critical entities, including a national risk assessment, the identification of critical entities and of entities equivalent to critical entities, and the measures to support critical entities taken in accordance with this Chapter;

(c) a description of measures necessary to enhance the overall resilience of critical entities, including a national risk assessment, the identification of critical entities and of entities equivalent to critical entities, the maintenance requirements associated with critical entities, and the measures to support critical entities taken in accordance with this Chapter;

Justification

The adequate maintenance of critical entities plays an essential role in their upkeep and therefor resilience to risks. This is particularly important in the transport sector for modes such as rail that demand high maintenance requirements.

Amendment  26

 

Proposal for a directive

Article 3 – paragraph 2 – point d a (new)

 

Text proposed by the Commission

Amendment

 

(da) strategies or other initiatives designed to increase the resilience of local and regional communities in view of the potential consequences of a significant disruption or disruptions to critical entities, where applicable;

Amendment  27

Proposal for a directive

Article 3 – paragraph 2 – point d b (new)

 

Text proposed by the Commission

Amendment

 

(db) a roadmap that details the necessary measures to be taken by the critical entities in order for them to increase their resilience to the impact of climate change by way of achieving climate neutral operations by 2050, and to meet national and Union objectives for climate adaptation.

Amendment  28

 

Proposal for a directive

Article 4 – paragraph 1 – subparagraph 1

 

Text proposed by the Commission

Amendment

Competent authorities designated pursuant to Article 8 shall establish a list of essential services in the sectors referred to in the Annex. They shall carry out by [three years after entry into force of this Directive], and subsequently where necessary, and at least every four years, an assessment of all relevant risks that may affect the provision of those essential services, with a view to identifying critical entities in accordance with Article 5(1), and assisting those critical entities to take measures pursuant to Article 11.

Competent authorities designated pursuant to Article 8 shall establish a list of essential services in the sectors referred to in the Annex. They shall carry out by [three years after entry into force of this Directive], and subsequently where necessary, and at least every four years, an assessment of all relevant risks that may affect the provision of those essential services by using harmonised specifications or methodologies with detailed indicators depending on the specificities of each sector, with a view to identifying critical entities in accordance with Article 5(1), and assisting those critical entities to take measures pursuant to Article 11 in order to ensure minimum levels of service and resilience of the critical infrastructure.

Amendment  29

 

Proposal for a directive

Article 4 – paragraph 1 – subparagraph 2

 

Text proposed by the Commission

Amendment

The risk assessment shall account for all relevant natural and man-made risks, including accidents, natural disasters, public health emergencies, antagonistic threats, including terrorist offences pursuant to Directive (EU) 2017/541 of the European Parliament and of the Council34 .

The risk assessment shall account for all relevant natural and man-made risks, including accidents, natural disasters, public health emergencies, criminal infiltration, antagonistic threats, including cyber-attacks, foreign interference and terrorist offences pursuant to Directive (EU) 2017/541 of the European Parliament and of the Council34

__________________

__________________

34 Directive (EU) 2017/541 of the European Parliament and of the Council of 15 March 2017 on combating terrorism and replacing Council Framework Decision 2002/475/JHA and amending Council Decision 2005/671/JHA (OJ L 88, 31.3.2017, p. 6).

34 Directive (EU) 2017/541 of the European Parliament and of the Council of 15 March 2017 on combating terrorism and replacing Council Framework Decision 2002/475/JHA and amending Council Decision 2005/671/JHA (OJ L 88, 31.3.2017, p. 6).

Amendment  30

 

Proposal for a directive

Article 4 – paragraph 5

 

Text proposed by the Commission

Amendment

5. The Commission may, in cooperation with the Member States, develop a voluntary common reporting template for the purposes of complying with paragraph 4.

5. The Commission, in cooperation with the Member States, shall develop a common reporting template for the purposes of complying with paragraph 4.

Amendment  31

 

Proposal for a directive

Article 5 – paragraph 6

 

Text proposed by the Commission

Amendment

6. For the purposes of Chapter IV, Member States shall ensure that critical entities, following the notification referred in paragraph 3, provide information to their competent authorities designated pursuant to Article 8 of this Directive on whether they provide essential services to or in more than one third of Member States. Where that is so, the Member State concerned shall notify, without undue delay, to the Commission the identity of those critical entities.

6. For the purposes of Chapter IV, Member States shall ensure that critical entities, following the notification referred in paragraph 3, provide information to their competent authorities designated pursuant to Article 8 of this Directive on whether they provide essential services to or in more than two Member States. Where that is so, the Member State concerned shall notify, without undue delay, to the Commission the identity of those critical entities.

Amendment  32

 

Proposal for a directive

Article 6 – paragraph 1 – point c

 

Text proposed by the Commission

Amendment

(c) the impacts that incidents could have, in terms of degree and duration, on economic and societal activities, the environment and public safety;

(c) the impacts that incidents could have, in terms of degree and duration, on economic and societal activities, the environment and public security and safety;

Amendment  33

 

Proposal for a directive

Article 9 – paragraph 1

 

Text proposed by the Commission

Amendment

1. Member States shall support critical entities in enhancing their resilience. That support may include developing guidance materials and methodologies, supporting the organisation of exercises to test their resilience and providing training to personnel of critical entities.

1. Member States shall support critical entities in enhancing their resilience. That support may include developing guidance materials and methodologies, awareness raising, supporting the organisation of exercises to test their resilience and providing training to personnel of critical entities.

Amendment  34

 

Proposal for a directive

Article 10 – paragraph 2

 

Text proposed by the Commission

Amendment

The risk assessment shall account for all relevant risks referred to in Article 4(1) which could lead to the disruption of the provision of essential services. It shall take into account any dependency of other sectors referred to in the Annex on the essential service provided by the critical entity, including in neighbouring Member States and third countries where relevant, and the impact that a disruption of the provision of essential services in one or more of those sectors may have on the essential service provided by the critical entity.

The risk assessment shall account for all relevant risks referred to in Article 4(1) which could lead to the disruption of the provision of essential services, which would hinder the proper functioning of the internal market. It shall take into account any dependency of other sectors referred to in the Annex on the essential service provided by the critical entity, including in neighbouring Member States and third countries where relevant, and the impact that a disruption of the provision of essential services in one or more of those sectors may have on the essential service provided by the critical entity.

Amendment  35

 

Proposal for a directive

Article 11 – paragraph 1 – point b

 

Text proposed by the Commission

Amendment

(b) ensure adequate physical protection of sensitive areas, facilities and other infrastructure, including fencing, barriers, perimeter monitoring tools and routines, as well as detection equipment and access controls;

(b) ensure adequate maintenance and physical protection of sensitive areas, facilities and other infrastructure in order to increase the lifespan of such existing infrastructures. Protection measure may include fencing, barriers, perimeter monitoring tools and routines, as well as detection equipment, emergency call systems for the notification of competent authorities, and access controls;

Amendment  36

 

Proposal for a directive

Article 11 – paragraph 1 – point f

 

Text proposed by the Commission

Amendment

(f) raise awareness about the measures referred to in points (a) to (e) among relevant personnel.

(f) raise awareness about the incidents and disruptions that could occur, including criminal infiltration, as well as the measures referred to in points (a) to (e) among relevant personnel .

Amendment  37

 

Proposal for a directive

Article 11 – paragraph 3

 

Text proposed by the Commission

Amendment

3. Upon request of the Member State that identified the critical entity and with the agreement of the critical entity concerned, the Commission shall organise advisory missions, in accordance with the arrangements set out in Article 15(4), (5), (7) and (8), to provide advice to the critical entity concerned in meeting its obligations pursuant to Chapter III. The advisory mission shall report its findings to the Commission, that Member State and the critical entity concerned.

3. Upon request of the Member State that identified the critical entity, the Commission shall organise advisory missions, in accordance with the arrangements set out in Article 15(4), (5), (7) and (8), to provide advice to the critical entity concerned in meeting its obligations pursuant to Chapter III. The advisory mission shall report its findings to the Commission, that Member State and the critical entity concerned.

Amendment  38

 

Proposal for a directive

Article 13 – paragraph 4

 

Text proposed by the Commission

Amendment

4. As soon as possible upon having been notified in accordance with paragraph 1, the competent authority shall provide the critical entity that notified it with relevant information regarding the follow-up of its notification, including information that could support the critical entity’s effective response to the incident.

4. As soon as possible upon having been notified in accordance with paragraph 1, the competent authority shall provide the critical entity that notified it with relevant information regarding the follow-up of its notification, including information that could support the critical entity’s effective response to the incident. Where the notification relates to the direct risk to human life, the competent authority shall ensure that relevant public security and safety services are mobilised and, where relevant, sent to the place of incident within a minimum amount of time.

Amendment  39

 

Proposal for a directive

Article 14 – paragraph 2

 

Text proposed by the Commission

Amendment

2. An entity shall be considered a critical entity of particular European significance when it has been identified as a critical entity and it provides essential services to or in more than one third of Member States and has been notified as such to the Commission pursuant to Article 5(1) and (6), respectively.

2. An entity shall be considered a critical entity of particular European significance when it has been identified as a critical entity and it provides essential services to or in more than two Member States and has been notified as such to the Commission pursuant to Article 5(1) and (6),respectively.

Amendment  40

 

Proposal for a directive

Article 16 – paragraph 3 – point c

 

Text proposed by the Commission

Amendment

(c) facilitating the exchange of best practices with regard to the identification of critical entities by the Member States in accordance with Article 5, including in relation to cross-border dependencies and regarding risks and incidents;

(c) facilitating the exchange of best practices with regard to the identification of critical entities by the Member States in accordance with Article 5, including in relation to cross-border and cross-sectoral dependencies and regarding risks and incidents;

Amendment  41

 

Proposal for a directive

Article 16 – paragraph 3 – point h

 

Text proposed by the Commission

Amendment

(h) exchanging information and best practices on research and development relating to the resilience of critical entities in accordance with this Directive;

(h) exchanging information and best practices on innovation, research and development relating to the resilience of critical entities in accordance with this Directive;

Amendment  42

 

Proposal for a directive

Article 18 – paragraph 1 – introductory part

 

Text proposed by the Commission

Amendment

1. In order to assess the compliance of the entities that the Member States identified as critical entities pursuant to Article 5 with the obligations pursuant to this Directive, they shall ensure that the competent authorities shall have the powers and means to:

1. In order to assess the compliance of the entities that the Member States identified as critical entities pursuant to Article 5 with the obligations pursuant to this Directive, they shall ensure that the competent authorities shall have the powers, means and human and financial resources to:

Amendment  43

 

Proposal for a directive

Article 18 – paragraph 2 – introductory part

 

Text proposed by the Commission

Amendment

2. Member States shall ensure that the competent authorities have the powers and means to require, where necessary for the performance of their tasks under this Directive, that the entities that they identified as critical entities pursuant to paragraph 5 provide, within a reasonable time period set by those authorities:

2. Member States shall ensure that the competent authorities have the powers, means and human and financial resources to require, where necessary for the performance of their tasks under this Directive, that the entities that they identified as critical entities pursuant to paragraph 5 provide, within a reasonable time period set by those authorities:

Amendment  44

 

Proposal for a directive

Article 22 – paragraph 2

 

Text proposed by the Commission

Amendment

The Commission shall periodically review the functioning of this Directive, and report to the European Parliament and to the Council. The report shall in particular assess the impact and added value of this Directive on ensuring the resilience of critical entities and whether the scope of the Directive should be extended to cover other sectors or subsectors. The first report shall be submitted by [six years after the entry into force of this Directive] and shall assess in particular whether the scope of the Directive should be extended to include the food production, processing and distribution sector.

The Commission shall periodically review the functioning of this Directive, and report to the European Parliament and to the Council. The report shall in particular assess the impact and added value of this Directive on ensuring the resilience of critical entities and whether the scope of the Directive should be extended to cover other sectors or subsectors. The first report shall be submitted by [four years after the entry into force of this Directive] and shall assess in particular whether the scope of the Directive should be extended to include the food production, processing and distribution sector.

Amendment  45

 

Proposal for a directive

Article 22 – paragraph 2 a (new)

 

Text proposed by the Commission

Amendment

 

The Commission shall, by ... [6 years after the date of entry into force of this Directive], carry out a review of the application of this Directive and sector-specific legal acts. The review shall focus on identifying duplications in the legal acts, regulatory requirements or procedures concerned, and any overlap between them, with a view to improving coherence between this Directive and the relevant sector-specific legislation and legal certainty. To that end, the Commission shall prepare a report, which it shall transmit to the European Parliament and to the Council, accompanied, where necessary, by a legislative proposal.

Amendment  46

 

Proposal for a directive

Article 24 – paragraph 1 – subparagraph 2

 

Text proposed by the Commission

Amendment

They shall apply those provisions from [two years after entry into force of this Directive + one day].

They shall apply those provisions from [30 months after entry into force of this Directive + one day].

Amendment  47

Proposal for a directive

Annex - table - point 2. Transport - point e new

 

Text proposed by the Commission

2.Transport

a) Air

— Air carriers referred to in point (4) of Article 3 of Regulation (EC) No 300/200856

— Airport managing bodies referred to in point (2) of Article 2 of Directive 2009/12/EC57 , airports referred to in point (1) of Article 2 of that Directive, including the core airports listed in Section 2 of Annex II to Regulation (EU) No 1315/201358 , and entities operating ancillary installations contained within airports

— Traffic management control operators providing air traffic control (ATC) services referred to in point (1) of Article 2 of Regulation (EC) No 549/200459

 

(b) Rail

— Infrastructure managers referred to in point (2) of Article 3 of Directive 2012/34/EU60

— Railway undertakings referred to in point (1) of Article 3 of Directive 2012/34/EU, including operators of service facilities referred to in point (12) of Article 3 of Directive 2012/34/EU

 

(c) Water

— Inland, sea and coastal passenger and freight water transport companies, referred to for maritime transport in Annex I to Regulation (EC) No 725/200461 , not including the individual vessels operated by those companies

 

— Managing bodies of ports referred to in point (1) of Article 3 of Directive 2005/65/EC62 , including their port facilities referred to in point (11) of Article 2 of Regulation (EC) No 725/2004, and entities operating works and equipment contained within ports

 

— Operators of vessel traffic services referred to in point (o) of Article 3 of Directive 2002/59/EC63 of the European Parliament and of the Council

 

(d) Road

Road authorities referred to in point (12) of Article 2 of Commission Delegated Regulation (EU) 2015/96264 responsible for traffic management control

 

— Operators of Intelligent Transport Systems referred to in point (1) of Article 4 of Directive 2010/40/EU65

 

Amendment

2.Transport

a) Air

— Air carriers referred to in point (4) of Article 3 of Regulation (EC) No 300/200856

— Airport managing bodies referred to in point (2) of Article 2 of Directive 2009/12/EC57 , airports referred to in point (1) of Article 2 of that Directive, including the core airports listed in Section 2 of Annex II to Regulation (EU) No 1315/201358 , and entities operating ancillary installations contained within airports

— Traffic management control operators providing air traffic control (ATC) services referred to in point (1) of Article 2 of Regulation (EC) No 549/200459

 

(b) Rail

— Infrastructure managers referred to in point (2) of Article 3 of Directive 2012/34/EU60

— Railway undertakings referred to in point (1) of Article 3 of Directive 2012/34/EU, including operators of service facilities referred to in point (12) of Article 3 of Directive 2012/34/EU

 

(c) Water

— Inland, sea and coastal passenger and freight water transport companies, referred to for maritime transport in Annex I to Regulation (EC) No 725/200461 , not including the individual vessels operated by those companies

— Managing bodies of ports referred to in point (1) of Article 3 of Directive 2005/65/EC62 , including their port facilities referred to in point (11) of Article 2 of Regulation (EC) No 725/2004, and entities operating works and equipment contained within ports

— Operators of vessel traffic services referred to in point (o) of Article 3 of Directive 2002/59/EC63 of the European Parliament and of the Council

 

(d) Road

Road authorities referred to in point (12) of Article 2 of Commission Delegated Regulation (EU) 2015/96264 responsible for traffic management control

— Operators of Intelligent Transport Systems referred to in point (1) of Article 4 of Directive 2010/40/EU65

 

(e) public transport

—Public transport authorities and service operators referred to in points (b) and (d) of Article 2 of Regulation (EC) No 1370/2007 of the European Parliament and of the Council65a.

 

 

________________

 

 

65a Regulation (EC) No 1370/2007 of the European Parliament and of the Council of 23 October 2007 on public passenger transport services by rail and by road and repealing Council Regulations (EEC) Nos 1191/69 and 1107/70 (OJ L 315, 3.12.2007, p. 1).


PROCEDURE – COMMITTEE ASKED FOR OPINION

Title

Resilience of critical entities

References

COM(2020)0829 – C9-0421/2020 – 2020/0365(COD)

Committee responsible

 Date announced in plenary

LIBE

11.2.2021

 

 

 

Opinion by

 Date announced in plenary

TRAN

11.2.2021

Rapporteur for the opinion

 Date appointed

Angel Dzhambazki

25.1.2021

Date adopted

12.7.2021

 

 

 

Result of final vote

+:

–:

0:

48

0

1

Members present for the final vote

Magdalena Adamowicz, Andris Ameriks, Izaskun Bilbao Barandica, Paolo Borchia, Marco Campomenosi, Massimo Casanova, Ciarán Cuffe, Jakop G. Dalunde, Johan Danielsson, Karima Delli, Anna Deparnay-Grunenberg, Gheorghe Falcă, Giuseppe Ferrandino, Mario Furore, Søren Gade, Isabel García Muñoz, Elsi Katainen, Kateřina Konečná, Julie Lechanteux, Peter Lundgren, Benoît Lutgen, Elżbieta Katarzyna Łukacijewska, Marian-Jean Marinescu, Tilly Metz, Cláudia Monteiro de Aguiar, Caroline Nagtegaal, Jan-Christoph Oetjen, Philippe Olivier, João Pimenta Lopes, Rovana Plumb, Dominique Riquet, Dorien Rookmaker, Massimiliano Salini, Sven Schulze, Vera Tax, Barbara Thaler, Henna Virkkunen, Petar Vitanov, Elissavet Vozemberg-Vrionidi, Roberts Zīle, Kosma Złotowski

Substitutes present for the final vote

Clare Daly, Nicola Danti, Angel Dzhambazki, Tomasz Frankowski, Michael Gahler, Maria Grapini, Alessandra Moretti, Marianne Vind

 


 

FINAL VOTE BY ROLL CALL IN COMMITTEE ASKED FOR OPINION

48

+

ECR

Angel Dzhambazki, Peter Lundgren, Roberts Zīle, Kosma Złotowski

ID

Paolo Borchia, Marco Campomenosi, Massimo Casanova, Julie Lechanteux, Philippe Olivier

NI

Mario Furore, Dorien Rookmaker

PPE

Magdalena Adamowicz, Gheorghe Falcă, Tomasz Frankowski, Michael Gahler, Elżbieta Katarzyna Łukacijewska, Benoît Lutgen, Marian-Jean Marinescu, Cláudia Monteiro de Aguiar, Massimiliano Salini, Sven Schulze, Barbara Thaler, Henna Virkkunen, Elissavet Vozemberg-Vrionidi

Renew

Izaskun Bilbao Barandica, Nicola Danti, Søren Gade, Elsi Katainen, Caroline Nagtegaal, Jan-Christoph Oetjen, Dominique Riquet

S&D

Andris Ameriks, Johan Danielsson, Giuseppe Ferrandino, Isabel García Muñoz, Maria Grapini, Alessandra Moretti, Rovana Plumb, Vera Tax, Marianne Vind, Petar Vitanov

The Left

Clare Daly, Kateřina Konečná

Verts/ALE

Ciarán Cuffe, Jakop G. Dalunde, Karima Delli, Anna Deparnay-Grunenberg, Tilly Metz

 

0

-

 

 

 

1

0

The Left

João Pimenta Lopes

 

Key to symbols:

+ : in favour

- : against

0 : abstention

 

 

 

 

 


 


PROCEDURE – COMMITTEE RESPONSIBLE

Title

Resilience of critical entities

References

COM(2020)0829 – C9-0421/2020 – 2020/0365(COD)

Date submitted to Parliament

16.12.2020

 

 

 

Committee responsible

 Date announced in plenary

LIBE

11.2.2021

 

 

 

Committees asked for opinions

 Date announced in plenary

AFET

11.3.2021

ECON

11.2.2021

ITRE

11.2.2021

IMCO

11.2.2021

 

TRAN

11.2.2021

 

 

 

Not delivering opinions

 Date of decision

ECON

26.1.2021

 

 

 

Associated committees

 Date announced in plenary

ITRE

29.4.2021

IMCO

29.4.2021

 

 

Rapporteurs

 Date appointed

Michal Šimečka

24.2.2021

 

 

 

Discussed in committee

24.2.2021

26.5.2021

22.6.2021

3.9.2021

 

11.10.2021

 

 

 

Date adopted

12.10.2021

 

 

 

Result of final vote

+:

–:

0:

57

6

0

Members present for the final vote

Magdalena Adamowicz, Katarina Barley, Pernando Barrena Arza, Pietro Bartolo, Nicolas Bay, Vladimír Bilčík, Vasile Blaga, Ioan-Rareş Bogdan, Patrick Breyer, Saskia Bricmont, Jorge Buxadé Villalba, Damien Carême, Caterina Chinnici, Clare Daly, Marcel de Graaff, Anna Júlia Donáth, Lena Düpont, Cornelia Ernst, Laura Ferrara, Nicolaus Fest, Maria Grapini, Andrzej Halicki, Sophia in ‘t Veld, Patryk Jaki, Marina Kaljurand, Assita Kanko, Fabienne Keller, Peter Kofod, Moritz Körner, Jeroen Lenaers, Juan Fernando López Aguilar, Lukas Mandl, Roberta Metsola, Nadine Morano, Javier Moreno Sánchez, Maite Pagazaurtundúa, Nicola Procaccini, Emil Radev, Paulo Rangel, Terry Reintke, Diana Riba i Giner, Ralf Seekatz, Michal Šimečka, Birgit Sippel, Sara Skyttedal, Martin Sonneborn, Tineke Strik, Ramona Strugariu, Annalisa Tardino, Milan Uhrík, Tom Vandendriessche, Bettina Vollath, Elissavet Vozemberg-Vrionidi, Jadwiga Wiśniewska, Javier Zarzalejos

Substitutes present for the final vote

Olivier Chastel, Tanja Fajon, Jan-Christoph Oetjen, Philippe Olivier, Anne-Sophie Pelletier, Thijs Reuten, Rob Rooken, Maria Walsh

Date tabled

15.10.2021

 


 

FINAL VOTE BY ROLL CALL IN COMMITTEE RESPONSIBLE

57

+

EPP

Magdalena Adamowicz, Vladimír Bilčík, Vasile Blaga, Ioan-Rareş Bogdan, Lena Düpont, Andrzej Halicki, Jeroen Lenaers, Lukas Mandl, Roberta Metsola, Nadine Morano, Emil Radev, Paulo Rangel, Ralf Seekatz, Sara Skyttedal, Elissavet Vozemberg-Vrionidi, Maria Walsh, Javier Zarzalejos

S&D

Katarina Barley, Pietro Bartolo, Caterina Chinnici, Tanja Fajon, Maria Grapini, Marina Kaljurand, Juan Fernando López Aguilar, Javier Moreno Sánchez, Thijs Reuten, Birgit Sippel, Bettina Vollath

Renew

Olivier Chastel, Anna Júlia Donáth, Sophia in 't Veld, Fabienne Keller, Moritz Körner, Jan-Christoph Oetjen, Maite Pagazaurtundúa, Michal Šimečka, Ramona Strugariu

Greens/EFA

Patrick Breyer, Saskia Bricmont, Damien Carême, Terry Reintke, Diana Riba i Giner, Tineke Strik

ID

Nicolas Bay, Nicolaus Fest, Peter Kofod, Philippe Olivier, Annalisa Tardino, Tom Vandendriessche

ECR

Jorge Buxadé Villalba, Patryk Jaki, Assita Kanko, Nicola Procaccini, Rob Rooken, Jadwiga Wiśniewska

NI

Laura Ferrara, Martin Sonneborn

 

6

-

ID

Marcel de Graaff

NI

Milan Uhrík

The Left

Pernando Barrena Arza, Clare Daly, Cornelia Ernst, Anne-Sophie Pelletier

 

0

0

 

 

 

Key to symbols:

+ : in favour

- : against

0 : abstention

 

 

Last updated: 29 April 2022
Legal notice - Privacy policy