Text proposed by the Commission

Amendment

(1) Council Directive 2008/114/EC17 provides for a procedure for designating European critical infrastructures in the energy and transport sectors, the disruption or destruction of which would have significant cross-border impact on at least two Member States. That Directive focused exclusively on the protection of such infrastructures. However, the evaluation of Directive 2008/114/EC conducted in 201918 found that due to the increasingly interconnected and cross-border nature of operations using critical infrastructure, protective measures relating to individual assets alone are insufficient to prevent all disruptions from taking place. Therefore, it is necessary to shift the approach towards ensuring the resilience of critical entities, that is, their ability to mitigate, absorb, accommodate to and recover from incidents that have the potential to disrupt the operations of the critical entity.

(1) Council Directive 2008/114/EC17 provides for a procedure for designating European critical infrastructures in the energy and transport sectors, the disruption or destruction of which would have significant cross-border impact on at least two Member States. That Directive focused exclusively on the protection of such infrastructures. However, the evaluation of Directive 2008/114/EC conducted in 201918 found that due to the increasingly interconnected and cross-border nature of operations using critical infrastructure, protective measures relating to individual assets alone are insufficient to prevent all disruptions from taking place. Therefore, it is necessary to shift the approach towards ensuring the resilience of critical entities, that is, their ability to mitigate, absorb, react, accommodate to and recover from incidents that have the potential to disrupt the provision of essential services by the critical entity, the free movement of essential services and the functioning of the internal market.

_________________

_________________

17 Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection (OJ L 345, 23.12.2008, p.75).

17 Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection (OJ L 345, 23.12.2008, p.75).

18 SWD(2019) 308.

18 SWD(2019) 308.

Text proposed by the Commission

Amendment

(2) Despite existing measures at Union19 and national level aimed at supporting the protection of critical infrastructures in the Union, the entities operating those infrastructures are not adequately equipped to address current and anticipated future risks to their operations that may result in disruptions of the provision of services that are essential for the performance of vital societal functions or economic activities. This is due to a dynamic threat landscape with an evolving terrorist threat and growing interdependencies between infrastructures and sectors, as well as an increased physical risk due to natural disasters and climate change, which increases the frequency and scale of extreme weather events and brings long-term changes in average climate that can reduce the capacity and efficiency of certain infrastructure types if resilience or climate adaptation measures are not in place. Moreover, relevant sectors and types of entities are not recognised consistently as critical in all Member States.

(2) Despite existing measures at Union19 and national level aimed at supporting the protection of critical infrastructures in the Union, the entities operating those infrastructures are not always adequately equipped to address current and anticipated future risks to their operations that may result in disruptions of the provision of services that are essential for the performance of vital societal functions or economic activities. This is due to a dynamic threat landscape with evolving hybrid and terrorist threats and growing interdependencies between infrastructures and sectors, as well as an increased physical risk due to natural disasters and climate change, which increases the frequency and scale of extreme weather events and brings long-term changes in average climate that can reduce the capacity, efficiency and lifespan of certain infrastructure types if resilience or climate adaptation measures are not in place. Moreover, relevant sectors and types of entities are not recognised consistently as critical in all Member States. At Union level there is no single recognised list of critical infrastructure sectors. Instead, different legal acts cover different sectors.

_________________

_________________

19 European Programme for Critical Infrastructure Protection (EPCIP).

19 European Programme for Critical Infrastructure Protection (EPCIP).

Text proposed by the Commission

Amendment

(2a) Certain critical infrastructures have a pan-European dimension, such as the European Organisation for the Safety of Air Navigation, Eurocontrol, and the Union’s Global Satellite Navigation System, Galileo.

Text proposed by the Commission

Amendment

(3) Those growing interdependencies are the result of an increasingly cross-border and interdependent network of service provision using key infrastructures across the Union in the sectors of energy, transport, banking, financial market infrastructure, digital infrastructure, drinking and waste water, health, certain aspects of public administration, as well as space in as far as the provision of certain services depending on ground-based infrastructures that are owned, managed and operated either by Member States or by private parties is concerned, therefore not covering infrastructures owned, managed or operated by or on behalf of the Union as part of its space programmes. These interdependencies mean that any disruption, even one initially confined to one entity or one sector, can have cascading effects more broadly, potentially resulting in far-reaching and long-lasting negative impacts in the delivery of services across the internal market. The COVID-19 pandemic has shown the vulnerability of our increasingly interdependent societies in the face of low-probability risks.

(3) Those growing interdependencies are the result of an increasingly cross-border and interdependent network of service provision using key infrastructures across the Union in the sectors of energy, transport, banking, financial market infrastructure, digital infrastructure, drinking and waste water, food production, processing and delivery, health, certain aspects of public administration, as well as space in as far as the provision of certain services depending on ground-based infrastructures that are owned, managed and operated either by Member States or by private parties is concerned, therefore not covering infrastructures owned, managed or operated by or on behalf of the Union as part of its space programmes. These interdependencies mean that any disruption of essential services, even one initially confined to one entity or one sector, can have cascading effects more broadly, potentially resulting in far-reaching and long-lasting negative impacts on the delivery of services across the internal market. The COVID-19 pandemic has shown the vulnerability of our increasingly interdependent societies in the face of low-probability risks.

Text proposed by the Commission

Amendment

(4) The entities involved in the provision of essential services are increasingly subject to diverging requirements imposed under the laws of the Member States. The fact that some Member States have less stringent security requirements on these entities not only risks impacting negatively on the maintenance of vital societal functions or economic activities across the Union, it also leads to obstacles to the proper functioning of the internal market. Similar types of entities are considered as critical in some Member States but not in others, and those which are identified as critical are subject to divergent requirements in different Member States. This results in additional and unnecessary administrative burdens for companies operating across borders, notably for companies active in Member States with more stringent requirements.

(4) The entities involved in the provision of essential services are subject to diverging requirements imposed under the laws of the Member States. The fact that some Member States have less stringent security requirements on these entities not only creates varying levels of resilience but also impacts negatively on the maintenance of vital societal functions or economic activities across the Union, and leads to unfair competition and to obstacles to the proper functioning of the internal market. Investors and companies can rely on and trust critical entities that are resilient, and reliability and trust are cornerstones of a well-functioning internal market. Similar types of entities are considered as critical in some Member States but not in others, and those which are identified as critical are subject to divergent requirements in different Member States. This results in additional and unnecessary administrative burdens for companies operating across borders, notably for companies active in Member States with more stringent requirements. A Union framework will therefore also have the effect of levelling the playing field for critical entities across the Union.

Text proposed by the Commission

Amendment

(5) It is therefore necessary to lay down harmonised minimum rules to ensure the provision of essential services in the internal market and enhance the resilience of critical entities.

(5) It is therefore necessary to lay down harmonised minimum rules to ensure the provision and free movement of essential services in the internal market, to enhance the resilience of critical entities and to improve cross-border cooperation between competent authorities. It is essential that those rules be future-proof. To that end, the aim of this Directive is to make critical entities resilient, thereby improving their capacity to ensure the continuous provision of essential services in the face of a diverse set of risks. By laying down minimum rules, this Directive enables Member States to adopt or maintain more stringent rules to ensure the provision of essential services in the internal market and enhance resilience of critical entities.

Text proposed by the Commission

Amendment

(6) In order to achieve that objective, Member States should identify critical entities that should be subject to specific requirements and oversight, but also particular support and guidance aimed at achieving a high level of resilience in the face of all relevant risks.

(6) In order to achieve that objective, Member States should identify critical entities that provide essential services in the sectors and subsectors set out in the Annex to this Directive. Those critical entites should be subject to specific requirements and oversight, but also particular support and guidance aimed at achieving a high level of resilience in the face of all relevant risks.

Text proposed by the Commission

Amendment

(7) Certain sectors of the economy such as energy and transport are already regulated or may be regulated in the future by sector-specific acts of Union law that contain rules related to certain aspects of resilience of entities operating in those sectors. In order to address in a comprehensive manner the resilience of those entities that are critical for the proper functioning of the internal market, those sector-specific measures should be complemented by the ones provided for in this Directive, which creates an overarching framework that addresses critical entities’ resilience in respect of all hazards, that is, natural and man-made, accidental and intentional.

(7) Certain sectors of the economy such as energy and transport are already regulated or may be regulated in the future by sector-specific acts of Union law that contain rules related to certain aspects of resilience of entities operating in those sectors. In order to address in a comprehensive manner the resilience of those entities that are critical for the proper functioning of the internal market, those sector-specific measures should be regarded as lex specialis and should be complemented by the ones provided for in this Directive, which creates an overarching framework that addresses critical entities’ resilience in respect of all hazards, that is, natural and man-made, accidental and intentional.

Text proposed by the Commission

Amendment

(8) Given the importance of cybersecurity for the resilience of critical entities and in the interest of consistency, a coherent approach between this Directive and Directive (EU) XX/YY of the European Parliament and of the Council20 [Proposed Directive on measures for a high common level of cybersecurity across the Union; (hereafter “NIS 2 Directive”)] is necessary wherever possible. In view of the higher frequency and particular characteristics of cyber risks, the NIS 2 Directive imposes comprehensive requirements on a large set of entities to ensure their cybersecurity. Given that cybersecurity is addressed sufficiently in the NIS 2 Directive, the matters covered by it should be excluded from the scope of this Directive, without prejudice to the particular regime for entities in the digital infrastructure sector.

(8) Given the importance of cybersecurity for the resilience of critical entities and in the interest of consistency, a coherent approach between this Directive and Directive (EU) XX/YY of the European Parliament and of the Council20 [Proposed Directive on measures for a high common level of cybersecurity across the Union; (hereafter “NIS 2 Directive”)] is necessary wherever possible. In view of the higher frequency and particular characteristics of cyber risks, the NIS 2 Directive imposes comprehensive requirements on a large set of entities to ensure their cybersecurity. Given that cybersecurity is addressed sufficiently in the NIS 2 Directive, the matters covered by it should be excluded from the scope of this Directive, without prejudice to the particular regime for entities in the digital infrastructure sector. As a result, the competent authorities designated under the NIS 2 Directive will be responsible for the supervision of entities identified as critical entities or entities equivalent to critical entities under this Directive as regards matters that fall under the scope of that Directive.

_________________

_________________

20 [Reference to NIS 2 Directive, once adopted.]

20 [Reference to NIS 2 Directive, once adopted.]

Text proposed by the Commission

Amendment

(10) In view of ensuring a comprehensive approach to the resilience of critical entities, each Member State should have a strategy setting out objectives and policy measures to be implemented. To achieve this, Member States should ensure that their cybersecurity strategies provide for a policy framework for enhanced coordination between the competent authority under this Directive and the NIS 2 Directive in the context of information sharing on incidents and cyber threats and the exercise of supervisory tasks.

(10) In view of ensuring a comprehensive approach to the resilience of critical entities, each Member State should have a strategy setting out objectives and policy measures to be implemented. To achieve this, and taking into account the hybrid nature of many threats and the Union’s strategy on resilience prepared by the Critical Entities Resilience Group, established by this Directive, Member States should ensure that their strategies provide for a policy framework for enhanced coordination between the competent authorities of Member States under this Directive and the under NIS 2 Directive, including information sharing on incidents and threats and the exercise of supervisory tasks.

Text proposed by the Commission

Amendment

(11) The actions of Member States to identify and help ensure the resilience of critical entities should follow a risk-based approach that targets efforts to the entities most relevant for the performance of vital societal functions or economic activities. In order to ensure such a targeted approach, each Member State should carry out, within a harmonised framework, an assessment of all relevant natural and man-made risks that may affect the provision of essential services, including accidents, natural disasters, public health emergencies such as pandemics, and antagonistic threats, including terrorist offences. When carrying out those risk assessments, Member States should take into account other general or sector-specific risk assessment carried out pursuant to other acts of Union law and should consider the dependencies between sectors, including from other Member States and third countries. The outcomes of the risk assessment should be used in the process of identification of critical entities and to assist those entities in meeting the resilience requirements of this Directive.

(11) The actions of Member States to identify and help ensure the resilience of critical entities should follow a risk-based approach that targets efforts to the entities most relevant for the performance of vital societal functions or economic activities. In order to ensure such a targeted approach, each Member State should carry out, within a harmonised framework, an assessment of all relevant natural and man-made risks, including cross-sectoral and cross-border risks, that may affect the provision of essential services, including accidents, hybrid threats, natural disasters, public health emergencies such as pandemics, and antagonistic threats, including terrorist offences, criminal infiltration and sabotage. When carrying out those risk assessments, Member States should take into account other general or sector-specific risk assessment carried out pursuant to other acts of Union law and should consider the dependencies between sectors, including from other Member States and third countries. Member States should not consider as a risk any regular business risk to operations arising from market conditions or any risk arising from democratic decision-making. The outcomes of the risk assessment should be used in the process of identification of critical entities and to assist those entities in meeting the resilience requirements of this Directive. At their request the Commission should also be able to provide entities based in third countries with advisory expertise.

Text proposed by the Commission

Amendment

(12) In order to ensure that all relevant entities are subject to those requirements and to reduce divergences in this respect, it is important to lay down harmonised rules allowing for a consistent identification of critical entities across the Union, while also allowing Member States to reflect national specificities. Therefore, criteria to identify critical entities should be laid down. In the interest of effectiveness, efficiency, consistency and legal certainty, appropriate rules should also be set on notification and cooperation relating to, as well as the legal consequences of, such identification. In order to enable the Commission to assess the correct application of this Directive, Member States should submit to the Commission, in a manner that is as detailed and specific as possible, relevant information and, in any event, the list of essential services, the number of critical entities identified for each sector and subsector referred to in the Annex and the essential service or services that each entity provides and any thresholds applied.

(12) In order to ensure that all relevant entities are subject to those requirements and to reduce divergences in this respect, it is important to lay down harmonised minimum rules allowing for a consistent identification of critical entities across the Union, while also allowing Member States to reflect national specificities. Therefore, common criteria and methodologies to identify critical entities should be laid down in a transparent manner. In the interest of effectiveness, efficiency, consistency and legal certainty, appropriate rules should also be set on notification and cooperation relating to, as well as the legal consequences of, such identification. In order to enable the Commission to assess the correct application of this Directive, Member States should submit to the Commission, in a manner that is as detailed and specific as possible, relevant information and, in any event, the list of essential services, the number of critical entities identified for each sector and subsector referred to in the Annex and the essential service or services that each entity provides and any thresholds applied.

Text proposed by the Commission

Amendment

(13a) In accordance with applicable Union and national law, including Regulation (EU) 2019/452 of the European Parliament and of the Council1a, which establishes a framework for the screening of foreign direct investments in the Union, the potential threat posed by foreign ownership of critical infrastructure within the Union is to be acknowledged because services, the economy and the free movement and safety of Union citizens depend on the proper functioning of critical infrastructure. It is crucial that Member States and the Commission be vigilant with regard to financial investments that foreign countries make in the operation of critical entities within the Union and the consequences that such investments could have on the ability to prevent significant disruptions.

_________________

1a Regulation (EU) 2019/452 of the European Parliament and of the Council of 19 March 2019 establishing a framework for the screening of foreign direct investments into the Union (OJ L 79I, 21.3.2019, p. 1).

Text proposed by the Commission

Amendment

(15) The EU financial services acquis establishes comprehensive requirements on financial entities to manage all risks they face, including operational risks and ensure business continuity. This includes Regulation (EU) No 648/2012 of the European Parliament and of the Council22 , Directive 2014/65/EU of the European Parliament and of the Council23 and Regulation (EU) No 600/2014 of the European Parliament and of the Council24 as well as Regulation (EU) No 575/2013 of the European Parliament and of the Council25 and Directive 2013/36/EU of the European Parliament and of the Council26 . The Commission has recently proposed to complement this framework with Regulation XX/YYYY of the European Parliament and of the Council [proposed Regulation on digital operational resilience for the financial sector (hereafter “DORA Regulation”)27 ], which lays down requirements for financial firms to manage ICT risks, including the protection of physical ICT infrastructures. Since the resilience of entities listed in points 3 and 4 of the Annex is comprehensively covered by the EU financial services acquis, those entities should also be treated as equivalent to critical entities for the purposes of Chapter II of this Directive only. To ensure a consistent application of the operational risk and digital resilience rules in the financial sector, Member States’ support to enhancing the overall resilience of financial entities equivalent to critical entities should be ensured by the authorities designated pursuant to Article 41 of [DORA Regulation], and subject to the procedures set out in that legislation in a fully harmonised manner.

(15) The EU financial services acquis establishes comprehensive requirements on financial entities to manage all risks they face, including operational risks and ensure business continuity. This includes Regulation (EU) No 648/2012 of the European Parliament and of the Council22 , Directive 2014/65/EU of the European Parliament and of the Council23 and Regulation (EU) No 600/2014 of the European Parliament and of the Council24 as well as Regulation (EU) No 575/2013 of the European Parliament and of the Council25 and Directive 2013/36/EU of the European Parliament and of the Council26 . The Commission has recently proposed to complement this framework with Regulation XX/YYYY of the European Parliament and of the Council [proposed Regulation on digital operational resilience for the financial sector (hereafter “DORA Regulation”)27 ], which lays down requirements for financial firms to manage ICT risks, including the protection of physical ICT infrastructures. Since the resilience of entities listed in points 3 and 4 of the Annex is comprehensively covered by the EU financial services acquis, those entities should also be treated as equivalent to critical entities for the purposes of Chapter II of this Directive only and, consequently, such entities should not be subject to the obligations laid down in Chapters III to VI of this Directive. To ensure a consistent application of the operational risk and digital resilience rules in the financial sector, Member States’ support to enhancing the overall resilience of financial entities equivalent to critical entities should be ensured by the authorities designated pursuant to Article 41 of [DORA Regulation], and subject to the procedures set out in that legislation in a fully harmonised manner.

_________________

_________________

22 Regulation (EU) No 648/2012 of the European Parliament and of the Council of 4 July 2012 on OTC derivatives, central counterparties and trade repositories (OJ L 201, 27.7.2012, p. 1).

22 Regulation (EU) No 648/2012 of the European Parliament and of the Council of 4 July 2012 on OTC derivatives, central counterparties and trade repositories (OJ L 201, 27.7.2012, p. 1).

23 Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Directive 2002/92/EC and Directive 2011/61/EU (OJ L 173, 12.6.2014, p. 349).

23 Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Directive 2002/92/EC and Directive 2011/61/EU (OJ L 173, 12.6.2014, p. 349).

24 Regulation (EU) No 600/2014 of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Regulation (EU) No 648/2012 (OJ L 173, 12.6.2014, p. 84).

24 Regulation (EU) No 600/2014 of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Regulation (EU) No 648/2012 (OJ L 173, 12.6.2014, p. 84).

25 Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No 648/2012 (OJ L 176, 27.6.2013, p. 1).

25 Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No 648/2012 (OJ L 176, 27.6.2013, p. 1).

26 Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC (OJ L 176, 27.6.2013, p. 338).

26 Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC (OJ L 176, 27.6.2013, p. 338).

27 Proposal for a Regulation of the European Parliament and of the Council on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014, COM(2020) 595.

27 Proposal for a Regulation of the European Parliament and of the Council on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014, COM(2020) 595.

Text proposed by the Commission

Amendment

(16) Member States should designate authorities competent to supervise the application of and, where necessary, enforce the rules of this Directive and ensure that those authorities are adequately empowered and resourced. In view of the differences in national governance structures and in order to safeguard already existing sectoral arrangements or Union supervisory and regulatory bodies, and to avoid duplication, Member States should be able to designate more than one competent authority. In that case, they should however clearly delineate the respective tasks of the authorities concerned and ensure that they cooperate smoothly and effectively. All competent authorities should also cooperate more generally with other relevant authorities, both at national and Union level.

(16) Member States should designate authorities competent to supervise the application of and enforce the rules of this Directive and ensure that those authorities are adequately empowered and resourced. In view of the differences in national governance structures and in order to safeguard already existing sectoral arrangements or Union supervisory and regulatory bodies, and to avoid duplication, Member States should be able to designate more than one competent authority. In that case, they should however clearly delineate the respective tasks of the authorities concerned and ensure that they cooperate smoothly and effectively, including with competent authorities of other Member States. All competent authorities should also cooperate more generally with other relevant authorities, both at national and Union level, including with competent authorities of other Member States.

Text proposed by the Commission

Amendment

(17) In order to facilitate cross-border cooperation and communication and to enable the effective implementation of this Directive, each Member State should, without prejudice to sector-specific Union legal requirements, designate, within one of the authorities it designated as competent authority under this Directive, a single point of contact responsible for coordinating issues related to the resilience of critical entities and cross-border cooperation at Union level in this regard.

(17) In order to facilitate cross-border cooperation and communication and to enable the effective implementation of this Directive, each Member State should, without prejudice to sector-specific Union legal requirements, designate, within one of the authorities it designated as competent authority under this Directive, a single point of contact responsible for coordinating issues related to the resilience of critical entities and cross-border cooperation at Union level in this regard. Each single point of contact should liaise and coordinate all communication, with the competent authorities of its Member State, with the single points of contact of other Member States and with the Critical Entities Resilience Group. The single points of contact should use efficient, secure and standardised reporting channels.

Text proposed by the Commission

Amendment

(18) Given that under the NIS 2 Directive entities identified as critical entities, as well as identified entities in the digital infrastructure sector that are to be treated as equivalent under the present Directive are subject to the cybersecurity requirements of the NIS 2 Directive, the competent authorities designated under the two Directives should cooperate, particularly in relation to cybersecurity risks and incidents affecting those entities.

(18) Entities identified as critical entities under this Directive as well as entities in the digital infrastructure sector that are to be treated as equivalent are subject to the cybersecurity requirements of the NIS 2 Directive. The competent authorities designated under the two Directives should therefore cooperate in an effective and consistent manner, particularly in relation to risks and incidents affecting those entities. It is important that Member States take measures to avoid double reporting and checks and to ensure that the strategies and requirements provided for in this Directive and the NIS 2 Directive are complementary and that critical entities are not subject to an administrative burden beyond that which is necessary to achieve the objectives of this Directive.

Text proposed by the Commission

Amendment

(19) Member States should support critical entities in strengthening their resilience, in compliance with their obligations under this Directive, without prejudice to the entities’ own legal responsibility to ensure such compliance. Member States could in particular develop guidance materials and methodologies, support the organisation of exercises to test their resilience and provide training to personnel of critical entities. Moreover, given the interdependencies between entities and sectors, Member States should establish information sharing tools to support voluntary information sharing between critical entities, without prejudice to the application of competition rules laid down in the Treaty on the Functioning of the European Union.

(19) Member States should support critical entities in strengthening their resilience, in particular those that qualify as small or medium-sized enterprises (SMEs), in compliance with their obligations under this Directive, without prejudice to the entities’ own legal responsibility to ensure such compliance. Member States should in particular develop guidance materials and methodologies, support the organisation of exercises to test their resilience and provide training to personnel of critical entities. Where necessary and justified by public interest objectives, Member States should be able to provide financial resources to critical entities, without prejudice to applicable rules on State aid. Moreover, given the interdependencies between entities and sectors, Member States should establish information sharing tools to support information sharing and good practices between critical entities, without prejudice to the application of competition rules laid down in the Treaty on the Functioning of the European Union.

Text proposed by the Commission

Amendment

(19a) When implementating this Directive, it is important that Member States take all the necessary actions to prevent any excessive administrative burdens, particularly on SMEs, and avoid duplications or unnecessary obligations. It is crucial that Member States assist with and facilitate the provision of adequate support to SMEs, when requested, by taking the technical and organisational measures required under this Directive.

Text proposed by the Commission

Amendment

(20) In order to be able to ensure their resilience, critical entities should have a comprehensive understanding of all relevant risks to which they are exposed and analyse those risks. To that aim, they should carry out risks assessments, whenever necessary in view of their particular circumstances and the evolution of those risks, yet in any event every four years. The risk assessments by critical entities should be based on the risk assessment carried out by Member States.

(20) In order to be able to ensure their resilience, critical entities should have a comprehensive understanding of all relevant risks to which they are exposed and analyse those risks. To that aim, they should carry out risks assessments, whenever necessary in view of their particular circumstances and the evolution of those risks, yet in any event every four years. The risk assessments by critical entities should be based on the risk assessment carried out by Member States and should be in line with common criteria and methodologies.

Text proposed by the Commission

Amendment

(23) Regulation (EC) No 300/2008 of the European Parliament and of the Council28 , Regulation (EC) No 725/2004 of the European Parliament and of the Council29 and Directive 2005/65/EC of the European Parliament and of the Council30 establish requirements applicable to entities in the aviation and maritime transport sectors to prevent incidents caused by unlawful acts and to resist and mitigate the consequences of such incidents. While the measures required in this Directive are broader in terms of risks addressed and types of measures to be taken, critical entities in those sectors should reflect in their resilience plan or equivalent documents the measures taken pursuant to those other Union acts. Moreover, when implementing resilience measures under this Directive, critical entities may consider referring to non-binding guidelines and good practices documents developed under sectorial workstreams, such as the EU Rail Passenger Security Platform31 .

(23) Regulation (EC) No 300/2008 of the European Parliament and of the Council28 , Regulation (EC) No 725/2004 of the European Parliament and of the Council29 and Directive 2005/65/EC of the European Parliament and of the Council30 establish requirements applicable to entities in the aviation and maritime transport sectors to prevent incidents caused by unlawful acts and to resist and mitigate the consequences of such incidents. While the measures required in this Directive are broader in terms of risks addressed and types of measures to be taken, critical entities in those sectors should reflect in their resilience plan or equivalent documents the measures taken pursuant to those other Union acts. Moreover, critical entities ar also to take into consideration Directive 2008/96/EC of the European Parliament and of the Council30a, which introduces a network-wide road assessment to map the risks of accidents and a targeted road safety inspection to identify hazardous conditions, defects and problems that increase the risk of accidents and injuries, based on a site visit of an existing road or section of road. Ensuring the protection and resilience of critical entities is of the utmost importance for the railway sector and, when implementing resilience measures under this Directive, critical entities are encouraged to refer to non-binding guidelines and good practices documents developed under sectorial workstreams, such as the EU Rail Passenger Security Platform31 .

_________________

_________________

28 Regulation (EC) No 300/2008 of the European Parliament and of the Council of 11 March 2008 on common rules in the field of civil aviation security and repealing Regulation (EC) No 2320/2002 (OJ L 97/72, 9.4.2008, p. 72).

28 Regulation (EC) No 300/2008 of the European Parliament and of the Council of 11 March 2008 on common rules in the field of civil aviation security and repealing Regulation (EC) No 2320/2002 (OJ L 97/72, 9.4.2008, p. 72).

29 Regulation (EC) No 725/2004 of the European Parliament and of the Council of 31 March 2004 on enhancing ship and port facility security (OJ L 129, 29.4.2004, p. 6.).

29 Regulation (EC) No 725/2004 of the European Parliament and of the Council of 31 March 2004 on enhancing ship and port facility security (OJ L 129, 29.4.2004, p. 6.).

30 Directive 2005/65/EC of the European Parliament and of the Council of 26 October 2005 on enhancing port security (OJ L 310, 25.11.2005, p. 28).

30 Directive 2005/65/EC of the European Parliament and of the Council of 26 October 2005 on enhancing port security (OJ L 310, 25.11.2005, p. 28).

30a Directive 2008/96/EC of the European Parliament and of the Council of 19 November 2008 on road infrastructure safety management (OJ L 319, 29.11.2008, p. 59).

31 Commission Decision of 29 June 2018 setting up the EU Rail Passenger Security Platform C/2018/4014.

31 Commission Decision of 29 June 2018 setting up the EU Rail Passenger Security Platform C/2018/4014.

Text proposed by the Commission

Amendment

(24) The risk of employees of critical entities misusing for instance their access rights within the entity’s organisation to harm and cause damage is of increasing concern. That risk is exacerbated by the growing phenomenon of radicalisation leading to violent extremism and terrorism. It is therefore necessary to enable critical entities to request background checks on persons falling within specific categories of its personnel and to ensure that those requests are assessed expeditiously by the relevant authorities, in accordance with the applicable rules of Union and national law, including on the protection of personal data.

(24) The risk of employees of critical entities misusing for instance their access rights within the entity’s organisation to harm and cause damage is of increasing concern. That risk is exacerbated by the growing phenomenon of radicalisation leading to violent extremism and terrorism. It is therefore necessary to enable critical entities to request background checks on persons falling within specific categories of its personnel and to ensure that those requests are assessed expeditiously by the relevant authorities, in accordance with the applicable rules of Union and national law, including on the protection of personal data, in particular Regulation (EU) 2016/679.

Text proposed by the Commission

Amendment

(25) Critical entities should notify, as soon as reasonably possible under the given circumstances, Member States’ competent authorities of incidents that significantly disrupt or have the potential to significantly disrupt their operations. The notification should allow the competent authorities to respond to the incidents rapidly and adequately and to have a comprehensive overview of the overall risks that critical entities face. For that purpose, a procedure should be established for the notification of certain incidents and parameters should be provided for to determine when the actual or potential disruption is significant and the incidents should thus be notified. Given the potential cross-border impacts of such disruptions, a procedure should be established for Member States to inform other affected Member States via single points of contacts.

(25) Critical entities should notify, as soon as reasonably possible under the given circumstances and, in any event, no later than 24 hours after becoming aware of the incident in question, Member States’ competent authorities of any incident that significantly disrupts or has the potential to significantly disrupt their operations. The competent authority should inform the public of such an incident where it determines that it would be in the public interest to do so. The competent authority should ensure that the critical entity concerned inform users of its services that might be affected by such an incident of the incident and, where relevant, of any possible safety measures or remedies. The notification should allow the competent authorities to respond to the incidents rapidly and adequately and to have a comprehensive overview of the overall risks that critical entities face. For that purpose, a procedure should be established for the notification of certain incidents and parameters should be provided for to determine when the actual or potential disruption is significant and the incidents should thus be notified. Given the potential cross-border impacts of such disruptions, a procedure should be established for Member States to inform other affected Member States via single points of contacts, without undue delay. Information on incidents should be treated in a way that respects confidentiality and the security and commercial interests of the critical entity concerned.

Text proposed by the Commission

Amendment

(26) While critical entities generally operate as part of an increasingly interconnected network of service provision and infrastructures and often provide essential services in more than one Member State, some of those entities are of particular significance for the Union because they provide essential services to a large number of Member States, and therefore require specific oversight at Union level. Rules on the specific oversight in respect of such critical entities of particular European significance should therefore be established. Those rules are without prejudice to the rules on supervision and enforcement set out in this Directive.

(26) While critical entities generally operate as part of an increasingly interconnected network of service provision and infrastructures and often provide essential services in more than one Member State, some of those entities are of particular significance for the Union and the internal market because they provide essential services to several Member States, and therefore require specific oversight at Union level. Rules on the specific oversight in respect of such critical entities of particular European significance should therefore be established. Those rules are without prejudice to the rules on supervision and enforcement set out in this Directive.

Text proposed by the Commission

Amendment

(27a) Standardisation should remain primarily a market-driven process. However, there might still be situations where it is appropriate to require compliance with specified standards at Union level. The Commission and the Member States should support and promote the development and implementation of standards and specifications relevant to the resilience of critical entities as set by the European Standardisation Organisations for the undertaking of technical and organisational measures aimed at ensuring critical entities’ resilience. Member States should also encourage the use of internationally accepted standards and specifications relevant to resilience measures applicable to critical entities.

Text proposed by the Commission

Amendment

(30) Member States should ensure that their competent authorities have certain specific powers for the proper application and enforcement of this Directive in relation to critical entities, where those entities fall under their jurisdiction as specified in this Directive. Those powers should include, notably, the power to conduct inspections, supervision and audits, require critical entities to provide information and evidence relating to the measures they have taken to comply with their obligations and, where necessary, issue orders to remedy identified infringements. When issuing such orders, Member States should not require measures which go beyond what is necessary and proportionate to ensure compliance of the critical entity concerned, taking account of in particular the seriousness of the infringement and the economic capacity of the critical entity. More generally, those powers should be accompanied by appropriate and effective safeguards to be specified in national law, in accordance with the requirements resulting from Charter of Fundamental Rights of the European Union. When assessing the compliance of a critical entity with its obligations under this Directive, competent authorities designated under this Directive should be able to request the competent authorities designated under the NIS 2 Directive to assess the cybersecurity of those entities. Those competent authorities should cooperate and exchange information for that purpose.

(30) Member States should ensure that their competent authorities have certain specific powers for the proper application and enforcement of this Directive in relation to critical entities, where those entities fall under their jurisdiction as specified in this Directive. Those powers should include, notably, the power to conduct inspections, supervision and audits, require critical entities to provide information and evidence relating to the measures they have taken to comply with their obligations and, where necessary, issue orders to remedy identified infringements. When issuing such orders, Member States should not require measures which go beyond what is necessary and proportionate to ensure compliance of the critical entity concerned, taking account of in particular the seriousness of the infringement and the economic capacity of the critical entity. More generally, those powers should be accompanied by appropriate and effective safeguards to be specified in national law, in accordance with the requirements resulting from Charter of Fundamental Rights of the European Union. The assessment of critical entities under this Directive, in matters that fall under the scope of the NIS 2 Directive such as physical and non-physical cybersecurity, is the responsibility of the competent authorities designated under the NIS 2 Directive. Furthermore, when assessing the compliance of a critical entity with its obligations under this Directive, competent authorities designated under this Directive should be able to request the competent authorities designated under the NIS 2 Directive to assess the cybersecurity of those entities. Those competent authorities should cooperate and exchange information for that purpose.

Text proposed by the Commission

Amendment

(31) In order to take into account new risks, technological developments or specificities of one or more of the sectors, the power to adopt acts in accordance with Article 290 Treaty on the Functioning of the European Union should be delegated to the Commission to supplement the resilience measures critical entities are to take by further specifying some or all of those measures. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level, and that those consultations be conducted in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making32 . In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council receive all documents at the same time as Member States' experts, and their experts systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts.

(31) In order to take into account new risks, technological developments or specificities of one or more of the sectors, the power to adopt acts in accordance with Article 290 Treaty on the Functioning of the European Union should be delegated to the Commission to supplement the resilience measures critical entities are to take by further specifying some or all of those measures. In order to avoid the divergent application of this Directive and to improve the functioning of the internal market, the power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union should be delegated to the Commission to supplement this Directive by drawing up a common list of essential services. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level, and that those consultations be conducted in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making32. In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council receive all documents at the same time as Member States' experts, and their experts systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts.

_________________

_________________

32 OJ L 123, 12.5.2016, p. 1.

32 OJ L 123, 12.5.2016, p. 1.

Text proposed by the Commission

Amendment

1. This Directive:

1. This Directive lays down measures with a view to achieving a high level of resilience of critical entities in order to ensure the provision of essential services within the Union and to improve the functioning of the internal market. To that end, this Directive:

Text proposed by the Commission

Amendment

(a) lays down obligations for Member States to take certain measures aimed at ensuring the provision in the internal market of services essential for the maintenance of vital societal functions or economic activities, in particular to identify critical entities and entities to be treated as equivalent in certain respects, and to enable them to meet their obligations;

(a) lays down obligations for Member States to take certain measures aimed at ensuring the continuous provision in the internal market of services essential for the maintenance of vital societal functions or economic activities, in particular to identify critical entities and entities to be treated as equivalent in certain respects, and to enable them to meet their obligations;

Text proposed by the Commission

Amendment

2. This Directive shall not apply to matters covered by Directive (EU) XX/YY [proposed Directive on measures for a high common level of cybersecurity across the Union; (‘NIS 2 Directive’)], without prejudice to Article 7.

2. This Directive shall not apply to matters covered by Directive (EU) XX/YY [proposed Directive on measures for a high common level of cybersecurity across the Union; (‘NIS 2 Directive’)], without prejudice to Article 7. In view of the interlinkages between cybersecurity and the physical security of entities, Member States shall ensure a coherent implementation of this Directive and the NIS 2 Directive.

Text proposed by the Commission

Amendment

(3) “incident” means any event having the potential to disrupt, or that disrupts, the operations of the critical entity;

(3) “incident” means any event having the potential to disrupt, or that disrupts the provision of an essential service by a critical entity;

Text proposed by the Commission

Amendment

(4) “infrastructure” means an asset, system or part thereof, which is necessary for the delivery of an essential service;

(4) “infrastructure” means assets, including facilities, systems and equipment, or parts thereof, which are necessary for the delivery of an essential service;

Text proposed by the Commission

Amendment

(5) “essential service” means a service which is essential for the maintenance of vital societal functions or economic activities;

(5) “essential service” means a service which is essential for the maintenance of vital societal functions, economic activities, public health and safety, the environment or the rule of law;

Text proposed by the Commission

Amendment

(6) “risk” means any circumstance or event having a potential adverse effect on the resilience of critical entities;

(6) “risk” means any circumstance or event having a potential adverse effect on the ability of a critical entity to provide an essential service;

Text proposed by the Commission

Amendment

(7) “risk assessment” means a methodology to determine the nature and extent of a risk by analysing potential threats and hazards and evaluating existing conditions of vulnerability that could disrupt the operations of the critical entity.

(7) “risk assessment” means a methodology to determine the nature and extent of a risk by assessing potential threats and hazards against the resilience of a critical entity, analysing existing conditions of vulnerability that could lead to the disruption of the operations of a critical entity and evaluating the potential adverse effect the disruption of operations could have on the provision of essential services;

Text proposed by the Commission

Amendment

(7a) ‘standard’ means standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council1a;

____________

1a Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council Decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12)

Text proposed by the Commission

Amendment

(7b) ‘technical specification’ means technical specification as defined in Article 2 point (4), of Regulation (EU) No 1025/2012;

Text proposed by the Commission

Amendment

1. Each Member State shall adopt by [three years after entry into force of this Directive] a strategy for reinforcing the resilience of critical entities. This strategy shall set out strategic objectives and policy measures with a view to achieving and maintaining a high level of resilience on the part of those critical entities and covering at least the sectors referred to in the Annex.

1. Following a consultation open to all affected stakeholders, each Member State shall adopt by [three years after entry into force of this Directive] a strategy for reinforcing the resilience of critical entities. This strategy shall take into account the Union strategy on resilience prepared by the Critical Entities Resilience Group, referred to in Article 16, and set out strategic objectives and policy measures with a view to achieving and maintaining a high level of resilience on the part of those critical entities and covering at least the sectors referred to in the Annex.

Text proposed by the Commission

Amendment

(c) a description of measures necessary to enhance the overall resilience of critical entities, including a national risk assessment, the identification of critical entities and of entities equivalent to critical entities, and the measures to support critical entities taken in accordance with this Chapter;

(c) a description of measures necessary to enhance the overall resilience of critical entities, including a national risk assessment as referred to in Article 4, the identification of critical entities and of entities equivalent to critical entities, and the measures to support critical entities taken in accordance with this Chapter, including measures to enhance cooperation between the public sector and the private sector and public and private entities;

Text proposed by the Commission

Amendment

(ca) a list of all authorities and stakeholders involved in the implementation of the strategy;

Text proposed by the Commission

Amendment

(da) a policy framework addressing the specific needs and characteristics of small and medium-sized enterprises identified as critical entities to improve their resilience;

Text proposed by the Commission

Amendment

(db) the relevant aspects of the national cybersecurity strategy provided for in the NIS 2 Directive and any other sectoral national strategy with a view to achieving coordination, complementarity and synergies.

Text proposed by the Commission

Amendment

The strategy shall be updated where necessary and at least every four years.

Following a consultation open to all affected stakeholders, the strategy shall be updated at least every four years.

Text proposed by the Commission

Amendment

1. Competent authorities designated pursuant to Article 8 shall establish a list of essential services in the sectors referred to in the Annex. They shall carry out by [three years after entry into force of this Directive], and subsequently where necessary, and at least every four years, an assessment of all relevant risks that may affect the provision of those essential services, with a view to identifying critical entities in accordance with Article 5(1), and assisting those critical entities to take measures pursuant to Article 11.

1. The Commission is empowered to adopt a delegated act in accordance with Article 21 to supplement this Directive by establishing a list of essential services in the sectors and subsectors referred to in the Annex. The Commission shall adopt the delegated act no later than... [six months after the date of entry into force of this Directive]. Competent authorities designated pursuant to Article 8 shall carry out by [three years after entry into force of this Directive], and subsequently where necessary, and at least every four years, an assessment of all relevant risks that may affect the provision of the essential services listed in the delegated act, with a view to identifying critical entities in accordance with Article 5(1), and assisting those critical entities to take measures pursuant to Article 11.

Text proposed by the Commission

Amendment

The risk assessment shall account for all relevant natural and man-made risks, including accidents, natural disasters, public health emergencies, antagonistic threats, including terrorist offences pursuant to Directive (EU) 2017/541 of the European Parliament and of the Council34 .

The risk assessment shall account for all relevant natural and man-made risks, including those of a cross-sectoral or cross-border nature, accidents, natural disasters, public health emergencies, antagonistic threats, including terrorist offences pursuant to Directive (EU) 2017/541 of the European Parliament and of the Council34.

_________________

_________________

34 Directive (EU) 2017/541 of the European Parliament and of the Council of 15 March 2017 on combating terrorism and replacing Council Framework Decision 2002/475/JHA and amending Council Decision 2005/671/JHA (OJ L 88, 31.3.2017, p. 6).

34 Directive (EU) 2017/541 of the European Parliament and of the Council of 15 March 2017 on combating terrorism and replacing Council Framework Decision 2002/475/JHA and amending Council Decision 2005/671/JHA (OJ L 88, 31.3.2017, p. 6).

Text proposed by the Commission

Amendment

(c) any risks arising from the dependencies between the sectors referred to in the Annex, including from other Member States and third countries, and the impact that a disruption in one sector may have on other sectors;

(c) any risks arising from the dependencies between the sectors referred to in the Annex, including from other Member States and third countries, and the impact that a disruption in one sector may have on other sectors, including any risks to citizens and the internal market;

Text proposed by the Commission

Amendment

3. Member States shall make the relevant elements of the risk assessment referred to in paragraph 1 available to the critical entities that they identified in accordance with Article 5 in order to assist those critical entities in carrying out their risk assessment, pursuant to Article 10, and in taking measures to ensure their resilience pursuant to Article 11.

3. Member States shall make the relevant elements of the risk assessment referred to in paragraph 1 available, through their single point of contact referred to in Article 8(2), to the critical entities that they identified in accordance with Article 5 in order to assist those critical entities in carrying out their risk assessment, pursuant to Article 10, and in taking measures to ensure their resilience pursuant to Article 11.

Text proposed by the Commission

Amendment

5. The Commission may, in cooperation with the Member States, develop a voluntary common reporting template for the purposes of complying with paragraph 4.

5. The Commission shall, in cooperation with the Member States, develop a voluntary common reporting template for the purposes of complying with paragraph 4.

Text proposed by the Commission

Amendment

2. When identifying critical entities pursuant to paragraph 1, Member States shall take into account the outcomes of the risk assessment pursuant to Article 4 and apply the following criteria:

2. When identifying critical entities pursuant to paragraph 1, Member States shall take into account the outcomes of the risk assessment pursuant to Article 4 and the strategy on the resilience of critical entities referred to in Article 3 and shall apply the following criteria:

Text proposed by the Commission

Amendment

(b) (the provision of that service depends on infrastructure located in the Member State; and

(b) the provision of that essential service depends on infrastructure located in the Member State; and

Text proposed by the Commission

Amendment

(c) an incident would have significant disruptive effects on the provision of the service or of other essential services in the sectors referred to in the Annex that depend on the service.

(c) an incident would have significant disruptive effects on the provision of the essential service or of other essential services in the sectors referred to in the Annex that depend on the service.

Text proposed by the Commission

Amendment

5. Following the notification referred in paragraph 3, Member States shall ensure that critical entities provide information to their competent authorities designated pursuant to Article 8 of this Directive on whether they have been identified as a critical entity in one or more other Member States. Where an entity has been identified as critical by two or more Member States, these Member States shall engage in consultation with each other with a view to reduce the burden on the critical entity in regard to the obligations pursuant to Chapter III.

5. Following the notification referred in paragraph 3, Member States shall ensure that critical entities provide information to their competent authorities designated pursuant to Article 8 of this Directive on whether they have been identified as a critical entity in one or more other Member States. Where an entity has been identified as critical by two or more Member States, these Member States shall engage in consultation with each other with a view to achieving the highest possible degree of coherence and to reducing the burden on the critical entity in regard to the obligations pursuant to Chapter III.

Text proposed by the Commission

Amendment

6. For the purposes of Chapter IV, Member States shall ensure that critical entities, following the notification referred in paragraph 3, provide information to their competent authorities designated pursuant to Article 8 of this Directive on whether they provide essential services to or in more than one third of Member States. Where that is so, the Member State concerned shall notify, without undue delay, to the Commission the identity of those critical entities.

6. For the purposes of Chapter IV, Member States shall ensure that critical entities, following the notification referred in paragraph 3, provide information to their competent authorities designated pursuant to Article 8 of this Directive on whether they provide the same or similar essential services to or in more than three Member States. Where that is so, the Member State concerned shall notify, without undue delay, to the Commission the identity of those critical entities.

Text proposed by the Commission

Amendment

Where those updates lead to the identification of additional critical entities, paragraphs 3, 4, 5 and 6 shall apply. In addition, Member States shall ensure that entities that are no longer identified as critical entities pursuant to any such update are notified thereof and are informed that they are no longer subject to the obligations pursuant to Chapter III as from the reception of that information.

Where those updates lead to the identification of additional critical entities, paragraphs 3, 4, 5 and 6 shall apply. In addition, Member States shall ensure that entities that are no longer identified as critical entities pursuant to any such update are notified thereof and are informed in due time that they are no longer subject to the obligations pursuant to Chapter III as from the reception of that information.

Text proposed by the Commission

Amendment

7a. The Commission shall, in cooperation with the Member States, develop recommendations and guidelines to support Member States in identifying critical entities.

Text proposed by the Commission

Amendment

(a) the number of users relying on the service provided by the entity;

(a) the number of users relying on the essential service provided by the entity;

Text proposed by the Commission

Amendment

(b) the dependency of other sectors referred to in the Annex on that service;

(b) the dependency of other sectors and subsectors referred to in the Annex or of the supply chain on that essential service;

Text proposed by the Commission

Amendment

(e) the geographic area that could be affected by an incident, including any cross-border impacts;

(e) the geographic area that could be affected by an incident, including any cross-border impacts, taking into account the vulnerability associated with the degree of isolation of certain types of geographic areas, such as insular regions, outermost regions or mountainous areas;

Text proposed by the Commission

Amendment

(f) the importance of the entity in maintaining a sufficient level of the service, taking into account the availability of alternative means for the provision of that service.

(f) the importance of the entity in maintaining a sufficient level of the essential service, taking into account the availability of alternative means for the provision of that essential service.

Text proposed by the Commission

Amendment

3. The Commission may, after consultation of the Critical Entities Resilience Group, adopt guidelines to facilitate the application of the criteria referred to in paragraph 1, taking into account the information referred to in paragraph 2.

3. The Commission shall, after consultation of the Critical Entities Resilience Group, adopt guidelines to facilitate the application of the criteria referred to in paragraph 1, taking into account the information referred to in paragraph 2.

Text proposed by the Commission

Amendment

1. As regards the sectors referred to in points 3, 4 and 8 of the Annex, Member States shall, by [three years and three months after entry into force of this Directive], identify the entities that shall be treated as equivalent to critical entities for the purposes of this Chapter. They shall apply the provisions of Articles 3, 4, 5(1) to (4) and (7), and 9 in respect of those entities.

1. As regards the sectors referred to in points 3, 4 and 8 of the Annex, Member States shall, by [one year and six months after entry into force of this Directive], identify the entities that shall be treated as equivalent to critical entities for the purposes of this Chapter. They shall apply the provisions of Articles 3, 4, 5(1) to (4) and (7), and 9 in respect of those entities.

Text proposed by the Commission

Amendment

2. Each Member State shall, within the competent authority, designate a single point of contact to exercise a liaison function to ensure cross-border cooperation with competent authorities of other Member States and with the Critical Entities Resilience Group referred to in Article 16 (‘single point of contact’).

2. Each Member State shall, within the competent authority, designate a single point of contact to exercise a liaison function to ensure cross-border cooperation with competent authorities of other Member States and with the Commission and the Critical Entities Resilience Group referred to in Article 16 (‘single point of contact’) and, where relevant, to ensure cooperation with third countries.

Text proposed by the Commission

Amendment

3. By [three years and six months after entry into force of this Directive], and every year thereafter, the single points of contact shall submit a summary report to the Commission and to the Critical Entities Resilience Group on the notifications received, including the number of notifications, the nature of notified incidents and the actions taken in accordance with Article 13(3).

3. By ... [four years and six months after entry into force of this Directive], and in the first trimester of every year thereafter, the single points of contact shall submit a summary report to the Commission and to the Critical Entities Resilience Group on the notifications received, including the number of notifications, the nature of notified incidents and the actions taken in accordance with Article 13(3).

Text proposed by the Commission

Amendment

1. Member States shall support critical entities in enhancing their resilience. That support may include developing guidance materials and methodologies, supporting the organisation of exercises to test their resilience and providing training to personnel of critical entities.

1. Member States shall support critical entities in enhancing their resilience. That support shall include developing guidance materials and methodologies, supporting the organisation of exercises to test their resilience and providing training to personnel of critical entities. Member States may provide financial resources to critical entities, without prejudice to applicable rules on State aid, where necessary and justified by public interest objectives.

Text proposed by the Commission

Amendment

Member States shall ensure that critical entities assess within six months after receiving the notification referred to in Article 5(3), and subsequently where necessary and at least every four years, on the basis of Member States’ risk assessments and other relevant sources of information, all relevant risks that may disrupt their operations.

Member States shall ensure that critical entities assess within six months after receiving the notification referred to in Article 5(3), and subsequently where necessary and at least every four years, on the basis of Member States’ risk assessments and other relevant sources of information, all relevant risks that may disrupt their provision of essential services concerned.

Text proposed by the Commission

Amendment

(d) recover from incidents, including business continuity measures and the identification of alternative supply chains;

(d) recover from incidents, including business continuity measures and the identification of alternative supply chains, to ensure the continuous provision of the essential service;

Text proposed by the Commission

Amendment

(e) ensure adequate employee security management, including by setting out categories of personnel exercising critical functions, establishing access rights to sensitive areas, facilities and other infrastructure, and to sensitive information as well as identifying specific categories of personnel in view of Article 12;

(e) ensure adequate employee security management, including by setting out categories of personnel exercising critical functions, laying down appropriate training requirements and qualifications, establishing access rights to sensitive areas, facilities and other infrastructure, and to sensitive information as well as identifying specific categories of personnel in view of Article 12; where external providers are involved in employee security management, critical entities shall ensure that they comply with generally accepted standards and specifications

Text proposed by the Commission

Amendment

(f) raise awareness about the measures referred to in points (a) to (e) among relevant personnel.

(f) raise awareness about the measures referred to in points (a) to (e) among relevant personnel, including by means of periodic training.

Text proposed by the Commission

Amendment

3. Upon request of the Member State that identified the critical entity and with the agreement of the critical entity concerned, the Commission shall organise advisory missions, in accordance with the arrangements set out in Article 15(4), (5), (7) and (8), to provide advice to the critical entity concerned in meeting its obligations pursuant to Chapter III. The advisory mission shall report its findings to the Commission, that Member State and the critical entity concerned.

3. Upon request of the Member State that identified the critical entity and in consultation with the critical entity concerned, the Commission shall organise advisory missions, in accordance with the arrangements set out in Article 15(4), (5), (7) and (8), to provide advice to the critical entity concerned in meeting its obligations pursuant to Chapter III. The advisory mission shall report its findings to the Commission, that Member State and the critical entity concerned. At their request the Commission may also offer advisory missions to entities based in third countries.

Text proposed by the Commission

Amendment

1. Member States shall ensure that critical entities may submit requests for background checks on persons who fall within certain specific categories of their personnel, including persons being considered for recruitment to positions falling within those categories, and that those requests are assessed expeditiously by the authorities competent to carry out such background checks.

1. Member States shall ensure that critical entities may submit requests for background checks on persons who fall within certain specific categories of their personnel, including persons being considered for recruitment to positions falling within those categories, and that those requests are assessed expeditiously by the authorities competent to carry out such background checks. Such background checks shall be proportionate and strictly limited to what is necessary and relevant for the fulfilment of the duties of the persons concerned.

Text proposed by the Commission

Amendment

2. In accordance with applicable Union and national law, including Regulation (EU) 2016/679/EU of the European Parliament and of the Council38 , a background check as referred to in paragraph 1 shall:

2. In accordance with applicable Union and national law, including Regulation (EU) 2016/679/EU of the European Parliament and of the Council, Member States shall ensure that a background check as referred to in paragraph 1 is carried out for the sole purpose of evaluating a potential security risk to the critical entity concerned. A background check shall:

_________________

38 OJ L 119, 4.5.2016, p. 1.

Text proposed by the Commission

Amendment

1. Member States shall ensure that critical entities notify without undue delay the competent authority of incidents that significantly disrupt or have the potential to significantly disrupt their operations. Notifications shall include any available information necessary to enable the competent authority to understand the nature, cause and possible consequences of the incident, including so as to determine any cross-border impact of the incident. Such notification shall not make the critical entities subject to increased liability.

1. Member States shall ensure that critical entities notify without undue delay the competent authority of incidents that significantly disrupt or have the potential to significantly disrupt their operations. An initial notification shall be submitted within 24 hours of a critical entity becoming aware of an incident, followed by a detailed report no later than one month thereafter. Notifications shall include any available information necessary to enable the competent authority to understand the nature, cause and possible consequences of the incident, including so as to determine any cross-border impact of the incident. Such notification shall not make the critical entities subject to increased liability.

Where an incident has or might have a significant impact on critical entities or on the continuity of the provision of essential services in more than three Member States, Member States shall ensure that the critical entities concerned notify such incidents to the Commission. The Commission shall inform the Critical Entities Resilience Group of any such notifications without undue delay. The Commission and the Critical Entities Resilience Group shall, in accordance with Union law, treat information provided as part of such notifications in a way that respects its confidentiality and protects the security and commercial interests of the critical entity or entities concerned.

Text proposed by the Commission

Amendment

(c) the geographical area affected by the disruption or potential disruption.

(c) the geographical area affected by the disruption or potential disruption, taking into account whether the area is geographically isolated.

Text proposed by the Commission

Amendment

3a. The competent authority concerned shall submit a summary report annually to the Commission and to the Critical Entities Resilience Group on the notifications received and the action taken in accordance with this Article.

Text proposed by the Commission

Amendment

4. As soon as possible upon having been notified in accordance with paragraph 1, the competent authority shall provide the critical entity that notified it with relevant information regarding the follow-up of its notification, including information that could support the critical entity’s effective response to the incident.

4. As soon as possible upon having been notified in accordance with paragraph 1, the competent authority shall provide the critical entity that notified it with relevant information regarding the follow-up of its notification, including information that could support the critical entity’s effective response to the incident. The competent authority shall inform the public of an incident where it determines that it would be in the public interest to do so. The competent authority shall ensure that critical entities inform users of their services that might be affected by an incident of the incident and, where relevant, of any possible safety measures or remedies.

Text proposed by the Commission

Amendment

Article 13a

Standards

In order to promote the consistent implementation of this Directive, Member States shall, without imposing or discriminating in favour of the use of a particular type of technology, encourage the use of standards and specifications relevant to the security and resilience of critical entities.

Text proposed by the Commission

Amendment

2. An entity shall be considered a critical entity of particular European significance when it has been identified as a critical entity and it provides essential services to or in more than one third of Member States and has been notified as such to the Commission pursuant to Article 5(1) and (6), respectively.

2. An entity shall be considered a critical entity of particular European significance when it has been identified as a critical entity and it provides the same or similar essential services to or in more than three Member States and has been notified as such to the Commission pursuant to Article 5(1) and (6), respectively.

Text proposed by the Commission

Amendment

Upon request of one or more Member States or of the Commission, the Member State where the infrastructure of the critical entity of particular European significance is located shall, together with that entity, inform the Commission and the Critical Entities Resilience Group of the outcome of the risk assessment carried out pursuant to Article 10 and the measures taken in accordance with Article 11.

Upon request of one or more Member States or of the Commission, a critical entity of particular European significance shall, inform the Critical Entities Resilience Group of the outcome of the risk assessment carried out pursuant to Article 10 and the measures taken in accordance with Article 11.

Text proposed by the Commission

Amendment

2. Upon request of one or more Member States, or at its own initiative, and in agreement with the Member State where the infrastructure of the critical entity of particular European significance is located, the Commission shall organise an advisory mission to assess the measures that that entity put in place to meet its obligations pursuant to Chapter III. Where needed, the advisory missions may request specific expertise in the area of disaster risk management through the Emergency Response Coordination Centre.

2. Upon request of one or more Member States, or at its own initiative, and in consultation with the Member State where the infrastructure of the critical entity of particular European significance is located, the Commission shall organise an advisory mission to assess the measures that that entity put in place to meet its obligations pursuant to Chapter III. Where needed, the advisory missions may request specific expertise in the area of disaster risk management through the Emergency Response Coordination Centre.

Text proposed by the Commission

Amendment

The Commission shall organise the programme of an advisory mission, in consultation with the members of the specific advisory mission and in agreement with the Member State where the infrastructure of the critical entity or the critical entity of European significance concerned is located.

The Commission shall organise the programme of an advisory mission, in consultation with the members of the specific advisory mission and the Member State where the infrastructure of the critical entity or the critical entity of European significance concerned is located.

Text proposed by the Commission

Amendment

The Critical Entities Resilience Group shall be composed of representatives of the Member States and the Commission. Where relevant for the performance of its tasks, the Critical Entities Resilience Group may invite representatives of interested parties to participate in its work.

The Critical Entities Resilience Group shall be composed of representatives of the Member States and the Commission. Where relevant for the performance of its tasks, the Critical Entities Resilience Group shall invite representatives of relevant stakeholders to participate in its work and the European Parliament to participate as an observer.

Text proposed by the Commission

Amendment

(c) facilitating the exchange of best practices with regard to the identification of critical entities by the Member States in accordance with Article 5, including in relation to cross-border dependencies and regarding risks and incidents;

(c) facilitating the exchange of best practices with regard to the identification of critical entities by the Member States in accordance with Article 5, including in relation to cross-border and cross sectoral dependencies and regarding risks and incidents;

Text proposed by the Commission

Amendment

(ca) preparing a Union strategy on resilience in compliance with the objectives set out in this Directive;

Text proposed by the Commission

Amendment

(h) exchanging information and best practices on research and development relating to the resilience of critical entities in accordance with this Directive;

(h) exchanging information and best practices on innovation, research and development relating to the resilience of critical entities in accordance with this Directive;

Text proposed by the Commission

Amendment

(ha) promoting and supporting coordinated risk assessments and joint actions among critical entities;

Text proposed by the Commission

Amendment

5. The Critical Entities Resilience Group shall meet regularly and at least once a year with the Cooperation Group established under [the NIS 2 Directive] to promote strategic cooperation and exchange of information.

5. The Critical Entities Resilience Group shall meet regularly and at least once a year with the Cooperation Group established under [the NIS 2 Directive] to facilitate strategic cooperation and exchange of information.

Text proposed by the Commission

Amendment

7. The Commission shall provide to the Critical Entities Resilience Group a summary report of the information provided by the Member States pursuant to Articles 3(3) and 4(4) by [three years and six months after entry into force of this Directive] and subsequently where necessary and at least every four years.

7. The Commission shall provide to the Critical Entities Resilience Group a summary report of the information provided by the Member States pursuant to Articles 3(3) and 4(4) by [three years and six months after entry into force of this Directive] and subsequently where necessary and at least every four years. The Commission shall regularly publish a summary report of the activities of the Critical Entities Resilience Group.

The Commission shall set up a common secretariat for the Critical Entities Resilience Group and the Cooperation Group established under the NIS 2 Directive in order to better accommodate communication between the two groups and, consequently, to minimise ambiguities between the different authorities designated under this Directive and the NIS 2 Directive.

Text proposed by the Commission

Amendment

2a. In order to receive and properly use the information received under Article 8(3), the Commission shall keep a Union registry of incidents with the aim of developing and sharing best practices and methodologies.

Text proposed by the Commission

Amendment

2. The power to adopt delegated acts referred to in Article 11(4) shall be conferred on the Commission for a period of five years from date of entry into force of this Directive or any other date set by the co-legislators.

2. The power to adopt delegated acts referred to in Articles 4(1) and 11(4) shall be conferred on the Commission for a period of five years from date of entry into force of this Directive or any other date set by the co-legislators.

Text proposed by the Commission

Amendment

3. The delegation of power referred to in Article 11(4) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.

3. The delegation of power referred to in Articles 4(1) and 11(4) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.

Text proposed by the Commission

Amendment

By [54 months after the entry into force of this Directive], the Commission shall submit a report to the European Parliament and to the Council, assessing the extent to which the Member States have taken the necessary measures to comply with this Directive.

By [54 months after the entry into force of this Directive], the Commission shall submit a report to the European Parliament and to the Council, assessing the extent to which the Member States have taken the necessary measures to comply with this Directive. The report shall contain separate country chapters on the concrete implementation progress in each Member State.

Text proposed by the Commission

Amendment

The Commission shall periodically review the functioning of this Directive, and report to the European Parliament and to the Council. The report shall in particular assess the impact and added value of this Directive on ensuring the resilience of critical entities and whether the scope of the Directive should be extended to cover other sectors or subsectors. The first report shall be submitted by [six years after the entry into force of this Directive] and shall assess in particular whether the scope of the Directive should be extended to include the food production, processing and distribution sector.

The Commission shall periodically review the functioning of this Directive, and report to the European Parliament and to the Council. The report shall in particular assess the impact and added value of this Directive on ensuring the resilience of critical entities and whether the scope of the Directive should be extended to cover other sectors or subsectors. The first report shall be submitted by [six years after the entry into force of this Directive] and shall assess in particular whether the scope of the Directive should be extended. For that purpose, the Commission shall take into account relevant documents of the Critical Entities Resilience Group.

Text proposed by the Commission

2.Transport

a) Air

— Air carriers referred to in point (4) of Article 3 of Regulation (EC) No 300/200856

— Airport managing bodies referred to in point (2) of Article 2 of Directive 2009/12/EC57 , airports referred to in point (1) of Article 2 of that Directive, including the core airports listed in Section 2 of Annex II to Regulation (EU) No 1315/201358 , and entities operating ancillary installations contained within airports

— Traffic management control operators providing air traffic control (ATC) services referred to in point (1) of Article 2 of Regulation (EC) No 549/200459

(b) Rail

— Infrastructure managers referred to in point (2) of Article 3 of Directive 2012/34/EU60

— Railway undertakings referred to in point (1) of Article 3 of Directive 2012/34/EU, including operators of service facilities referred to in point (12) of Article 3 of Directive 2012/34/EU

(c) Water

— Inland, sea and coastal passenger and freight water transport companies, referred to for maritime transport in Annex I to Regulation (EC) No 725/200461 , not including the individual vessels operated by those companies

— Managing bodies of ports referred to in point (1) of Article 3 of Directive 2005/65/EC62 , including their port facilities referred to in point (11) of Article 2 of Regulation (EC) No 725/2004, and entities operating works and equipment contained within ports

— Operators of vessel traffic services referred to in point (o) of Article 3 of Directive 2002/59/EC63 of the European Parliament and of the Council

(d) Road

Road authorities referred to in point (12) of Article 2 of Commission Delegated Regulation (EU) 2015/96264 responsible for traffic management control

— Operators of Intelligent Transport Systems referred to in point (1) of Article 4 of Directive 2010/40/EU65

Amendment

2.Transport

a) Air

— Air carriers referred to in point (4) of Article 3 of Regulation (EC) No 300/200856

— Airport managing bodies referred to in point (2) of Article 2 of Directive 2009/12/EC57 , airports referred to in point (1) of Article 2 of that Directive, including the core airports listed in Section 2 of Annex II to Regulation (EU) No 1315/201358 , and entities operating ancillary installations contained within airports

— Traffic management control operators providing air traffic control (ATC) services referred to in point (1) of Article 2 of Regulation (EC) No 549/200459

(b) Rail

— Infrastructure managers referred to in point (2) of Article 3 of Directive 2012/34/EU60

— Railway undertakings referred to in point (1) of Article 3 of Directive 2012/34/EU, including operators of service facilities referred to in point (12) of Article 3 of Directive 2012/34/EU

(c) Water

— Inland, sea and coastal passenger and freight water transport companies, referred to for maritime transport in Annex I to Regulation (EC) No 725/200461 , not including the individual vessels operated by those companies

— Managing bodies of ports referred to in point (1) of Article 3 of Directive 2005/65/EC62 , including their port facilities referred to in point (11) of Article 2 of Regulation (EC) No 725/2004, and entities operating works and equipment contained within ports

— Operators of vessel traffic services referred to in point (o) of Article 3 of Directive 2002/59/EC63 of the European Parliament and of the Council

(d) Road

Road authorities referred to in point (12) of Article 2 of Commission Delegated Regulation (EU) 2015/96264 responsible for traffic management control

— Operators of Intelligent Transport Systems referred to in point (1) of Article 4 of Directive 2010/40/EU65

(e) public transport

—Public transport authorities and service operators as referred to in Article 2, points (b) and (d), of Regulation (EC) No 1370/2007 of the European Parliament and of the Council65a.

_____________________

65a Regulation (EC) No 1370/2007 of the European Parliament and of the Council of 23 October 2007 on public passenger transport services by rail and by road and repealing Council Regulations (EEC) Nos 1191/69 and 1107/70 (OJ L 315, 3.12.2007, p. 1).

Text proposed by the Commission

Amendment

9. Public administration

9. Public administration and democratic institutions

Text proposed by the Commission

Amendment

— Central, regional and local governments and assemblies

Text proposed by the Commission

Amendment

10 a. Food production, processing and distribution

— Food businesses as referred to in Article 3, point (2), of Regulation (EC) No 178/2002 of the European Parliament and of the Council1a

________________

1a Regulation (EC) No 178/2002 of the European Parliament and of the Council of 28 January 2002 laying down the general principles and requirements of food law, establishing the European Food Safety Authority and laying down procedures in matters of food safety (OJ L 31, 1.2.2002, p. 1).