REPORT on the proposal for a directive of the European Parliament and of the Council on the resilience of critical entities
15.10.2021 - (COM(2020)0829 – C9‑0421/2020 – 2020/0365(COD)) - ***I
Committee on Civil Liberties, Justice and Home Affairs
Rapporteur: Michal Šimečka
Rapporteurs for the opinion (*):
Nils Torvalds, Committee on Industry, Research and Energy
Alex Agius Saliba, Committee on Internal Market and Consumer Protection
(*) Associated committees – Rule 57 of the Rules of Procedure
- DRAFT EUROPEAN PARLIAMENT LEGISLATIVE RESOLUTION
- OPINION OF THE COMMITTEE ON INDUSTRY, RESEARCH AND ENERGY
- OPINION OF THE COMMITTEE ON THE INTERNAL MARKET AND CONSUMER PROTECTION
- OPINION OF THE COMMITTEE ON FOREIGN AFFAIRS
- OPINION OF THE COMMITTEE ON TRANSPORT AND TOURISM
- PROCEDURE – COMMITTEE RESPONSIBLE
- FINAL VOTE BY ROLL CALL IN COMMITTEE RESPONSIBLE
DRAFT EUROPEAN PARLIAMENT LEGISLATIVE RESOLUTION
on the proposal for a directive of the European Parliament and of the Council on the resilience of critical entities
(COM(2020)0829 – C9‑0421/2020 – 2020/0365(COD))
(Ordinary legislative procedure: first reading)
The European Parliament,
– having regard to the Commission proposal to Parliament and the Council (COM(2020)0829),
– having regard to Article 294(2) and Article 114 of the Treaty on the Functioning of the European Union, pursuant to which the Commission submitted the proposal to Parliament (C9‑0421/2020),
– having regard to Article 294(3) of the Treaty on the Functioning of the European Union,
– having regard to Rule 59 of its Rules of Procedure,
– having regard to the opinions of the Committee on Industry, Research and Energy, the Committee on Internal Market and Consumer Protection, the Committee on Foreign Affairs and the Committee on Transport and Tourism,
– having regard to the report of the Committee on Civil Liberties, Justice and Home Affairs (A9-0289/2021),
1. Adopts its position at first reading hereinafter set out;
2. Calls on the Commission to refer the matter to Parliament again if it replaces, substantially amends or intends to substantially amend its proposal;
3. Instructs its President to forward its position to the Council, the Commission and the national parliaments.
Amendment 1
Proposal for a directive
Recital 1
|
|
Text proposed by the Commission |
Amendment |
(1) Council Directive 2008/114/EC[17] provides for a procedure for designating European critical infrastructures in the energy and transport sectors, the disruption or destruction of which would have significant cross-border impact on at least two Member States. That Directive focused exclusively on the protection of such infrastructures. However, the evaluation of Directive 2008/114/EC conducted in 2019[18] found that due to the increasingly interconnected and cross-border nature of operations using critical infrastructure, protective measures relating to individual assets alone are insufficient to prevent all disruptions from taking place. Therefore, it is necessary to shift the approach towards ensuring the resilience of critical entities, that is, their ability to mitigate, absorb, accommodate to and recover from incidents that have the potential to disrupt the operations of the critical entity. |
(1) Council Directive 2008/114/EC[17] provides for a procedure for designating European critical infrastructures in the energy and transport sectors, the disruption or destruction of which would have significant cross-border impact on at least two Member States. That Directive focused exclusively on the protection of such infrastructures. However, the evaluation of Directive 2008/114/EC conducted in 2019[18] found that due to the increasingly interconnected and cross-border nature of operations using critical infrastructure, protective measures relating to individual assets alone are insufficient to prevent all disruptions from taking place. Therefore, it is necessary to shift the approach towards ensuring the resilience of critical entities, that is, their ability to mitigate, absorb, react, accommodate to and recover from incidents that have the potential to disrupt the provision of essential services by the critical entity, the free movement of essential services and the functioning of the internal market. |
_________________ |
_________________ |
17 Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection (OJ L 345, 23.12.2008, p.75). |
17 Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection (OJ L 345, 23.12.2008, p.75). |
18 SWD(2019) 308. |
18 SWD(2019) 308. |
Amendment 2
Proposal for a directive
Recital 2
|
|
Text proposed by the Commission |
Amendment |
(2) Despite existing measures at Union19 and national level aimed at supporting the protection of critical infrastructures in the Union, the entities operating those infrastructures are not adequately equipped to address current and anticipated future risks to their operations that may result in disruptions of the provision of services that are essential for the performance of vital societal functions or economic activities. This is due to a dynamic threat landscape with an evolving terrorist threat and growing interdependencies between infrastructures and sectors, as well as an increased physical risk due to natural disasters and climate change, which increases the frequency and scale of extreme weather events and brings long-term changes in average climate that can reduce the capacity and efficiency of certain infrastructure types if resilience or climate adaptation measures are not in place. Moreover, relevant sectors and types of entities are not recognised consistently as critical in all Member States. |
(2) Despite existing measures at Union19 and national level aimed at supporting the protection of critical infrastructures in the Union, the entities operating those infrastructures are not always adequately equipped to address current and anticipated future risks to their operations that may result in disruptions of the provision of services that are essential for the performance of vital societal functions or economic activities. This is due to a dynamic threat landscape with evolving hybrid and terrorist threats and growing interdependencies between infrastructures and sectors, as well as an increased physical risk due to natural disasters and climate change, which increases the frequency and scale of extreme weather events and brings long-term changes in average climate that can reduce the capacity, efficiency and lifespan of certain infrastructure types if resilience or climate adaptation measures are not in place. Moreover, relevant sectors and types of entities are not recognised consistently as critical in all Member States. At Union level there is no single recognised list of critical infrastructure sectors. Instead, different legal acts cover different sectors. |
_________________ |
_________________ |
19 European Programme for Critical Infrastructure Protection (EPCIP). |
19 European Programme for Critical Infrastructure Protection (EPCIP). |
Amendment 3
Proposal for a directive
Recital 2 a (new)
|
|
Text proposed by the Commission |
Amendment |
|
(2a) Certain critical infrastructures have a pan-European dimension, such as the European Organisation for the Safety of Air Navigation, Eurocontrol, and the Union’s Global Satellite Navigation System, Galileo. |
Amendment 4
Proposal for a directive
Recital 3
|
|
Text proposed by the Commission |
Amendment |
(3) Those growing interdependencies are the result of an increasingly cross-border and interdependent network of service provision using key infrastructures across the Union in the sectors of energy, transport, banking, financial market infrastructure, digital infrastructure, drinking and waste water, health, certain aspects of public administration, as well as space in as far as the provision of certain services depending on ground-based infrastructures that are owned, managed and operated either by Member States or by private parties is concerned, therefore not covering infrastructures owned, managed or operated by or on behalf of the Union as part of its space programmes. These interdependencies mean that any disruption, even one initially confined to one entity or one sector, can have cascading effects more broadly, potentially resulting in far-reaching and long-lasting negative impacts in the delivery of services across the internal market. The COVID-19 pandemic has shown the vulnerability of our increasingly interdependent societies in the face of low-probability risks. |
(3) Those growing interdependencies are the result of an increasingly cross-border and interdependent network of service provision using key infrastructures across the Union in the sectors of energy, transport, banking, financial market infrastructure, digital infrastructure, drinking and waste water, food production, processing and delivery, health, certain aspects of public administration, as well as space in as far as the provision of certain services depending on ground-based infrastructures that are owned, managed and operated either by Member States or by private parties is concerned, therefore not covering infrastructures owned, managed or operated by or on behalf of the Union as part of its space programmes. These interdependencies mean that any disruption of essential services, even one initially confined to one entity or one sector, can have cascading effects more broadly, potentially resulting in far-reaching and long-lasting negative impacts on the delivery of services across the internal market. The COVID-19 pandemic has shown the vulnerability of our increasingly interdependent societies in the face of low-probability risks. |
Amendment 5
Proposal for a directive
Recital 4
|
|
Text proposed by the Commission |
Amendment |
(4) The entities involved in the provision of essential services are increasingly subject to diverging requirements imposed under the laws of the Member States. The fact that some Member States have less stringent security requirements on these entities not only risks impacting negatively on the maintenance of vital societal functions or economic activities across the Union, it also leads to obstacles to the proper functioning of the internal market. Similar types of entities are considered as critical in some Member States but not in others, and those which are identified as critical are subject to divergent requirements in different Member States. This results in additional and unnecessary administrative burdens for companies operating across borders, notably for companies active in Member States with more stringent requirements. |
(4) The entities involved in the provision of essential services are subject to diverging requirements imposed under the laws of the Member States. The fact that some Member States have less stringent security requirements on these entities not only creates varying levels of resilience but also impacts negatively on the maintenance of vital societal functions or economic activities across the Union, and leads to unfair competition and to obstacles to the proper functioning of the internal market. Investors and companies can rely on and trust critical entities that are resilient, and reliability and trust are cornerstones of a well-functioning internal market. Similar types of entities are considered as critical in some Member States but not in others, and those which are identified as critical are subject to divergent requirements in different Member States. This results in additional and unnecessary administrative burdens for companies operating across borders, notably for companies active in Member States with more stringent requirements. A Union framework will therefore also have the effect of levelling the playing field for critical entities across the Union. |
Amendment 6
Proposal for a directive
Recital 5
|
|
Text proposed by the Commission |
Amendment |
(5) It is therefore necessary to lay down harmonised minimum rules to ensure the provision of essential services in the internal market and enhance the resilience of critical entities. |
(5) It is therefore necessary to lay down harmonised minimum rules to ensure the provision and free movement of essential services in the internal market, to enhance the resilience of critical entities and to improve cross-border cooperation between competent authorities. It is essential that those rules be future-proof. To that end, the aim of this Directive is to make critical entities resilient, thereby improving their capacity to ensure the continuous provision of essential services in the face of a diverse set of risks. By laying down minimum rules, this Directive enables Member States to adopt or maintain more stringent rules to ensure the provision of essential services in the internal market and enhance resilience of critical entities. |
Amendment 7
Proposal for a directive
Recital 6
|
|
Text proposed by the Commission |
Amendment |
(6) In order to achieve that objective, Member States should identify critical entities that should be subject to specific requirements and oversight, but also particular support and guidance aimed at achieving a high level of resilience in the face of all relevant risks. |
(6) In order to achieve that objective, Member States should identify critical entities that provide essential services in the sectors and subsectors set out in the Annex to this Directive. Those critical entities should be subject to specific requirements and oversight, but also particular support and guidance aimed at achieving a high level of resilience in the face of all relevant risks. |
Amendment 8
Proposal for a directive
Recital 7
|
|
Text proposed by the Commission |
Amendment |
(7) Certain sectors of the economy such as energy and transport are already regulated or may be regulated in the future by sector-specific acts of Union law that contain rules related to certain aspects of resilience of entities operating in those sectors. In order to address in a comprehensive manner the resilience of those entities that are critical for the proper functioning of the internal market, those sector-specific measures should be complemented by the ones provided for in this Directive, which creates an overarching framework that addresses critical entities’ resilience in respect of all hazards, that is, natural and man-made, accidental and intentional. |
(7) Certain sectors of the economy such as energy and transport are already regulated or may be regulated in the future by sector-specific acts of Union law that contain rules related to certain aspects of resilience of entities operating in those sectors. In order to address in a comprehensive manner the resilience of those entities that are critical for the proper functioning of the internal market, those sector-specific measures should be regarded as lex specialis and should be complemented by the ones provided for in this Directive, which creates an overarching framework that addresses critical entities’ resilience in respect of all hazards, that is, natural and man-made, accidental and intentional. |
Amendment 9
Proposal for a directive
Recital 8
|
|
Text proposed by the Commission |
Amendment |
(8) Given the importance of cybersecurity for the resilience of critical entities and in the interest of consistency, a coherent approach between this Directive and Directive (EU) XX/YY of the European Parliament and of the Council20 [Proposed Directive on measures for a high common level of cybersecurity across the Union; (hereafter “NIS 2 Directive”)] is necessary wherever possible. In view of the higher frequency and particular characteristics of cyber risks, the NIS 2 Directive imposes comprehensive requirements on a large set of entities to ensure their cybersecurity. Given that cybersecurity is addressed sufficiently in the NIS 2 Directive, the matters covered by it should be excluded from the scope of this Directive, without prejudice to the particular regime for entities in the digital infrastructure sector. |
(8) Given the importance of cybersecurity for the resilience of critical entities and in the interest of consistency, a coherent approach between this Directive and Directive (EU) XX/YY of the European Parliament and of the Council20 [Proposed Directive on measures for a high common level of cybersecurity across the Union; (hereafter “NIS 2 Directive”)] is necessary wherever possible. In view of the higher frequency and particular characteristics of cyber risks, the NIS 2 Directive imposes comprehensive requirements on a large set of entities to ensure their cybersecurity. Given that cybersecurity is addressed sufficiently in the NIS 2 Directive, the matters covered by it should be excluded from the scope of this Directive, without prejudice to the particular regime for entities in the digital infrastructure sector. As a result, the competent authorities designated under the NIS 2 Directive will be responsible for the supervision of entities identified as critical entities or entities equivalent to critical entities under this Directive as regards matters that fall under the scope of that Directive. |
_________________ |
_________________ |
20 [Reference to NIS 2 Directive, once adopted.] |
20 [Reference to NIS 2 Directive, once adopted.] |
Amendment 10
Proposal for a directive
Recital 10
|
|
Text proposed by the Commission |
Amendment |
(10) In view of ensuring a comprehensive approach to the resilience of critical entities, each Member State should have a strategy setting out objectives and policy measures to be implemented. To achieve this, Member States should ensure that their cybersecurity strategies provide for a policy framework for enhanced coordination between the competent authority under this Directive and the NIS 2 Directive in the context of information sharing on incidents and cyber threats and the exercise of supervisory tasks. |
(10) In view of ensuring a comprehensive approach to the resilience of critical entities, each Member State should have a strategy setting out objectives and policy measures to be implemented. To achieve this, and taking into account the hybrid nature of many threats and the Union’s strategy on resilience prepared by the Critical Entities Resilience Group, established by this Directive, Member States should ensure that their strategies provide for a policy framework for enhanced coordination between the competent authorities of Member States under this Directive and under the NIS 2 Directive, including information sharing on incidents and threats and the exercise of supervisory tasks. |
Amendment 11
Proposal for a directive
Recital 11
|
|
Text proposed by the Commission |
Amendment |
(11) The actions of Member States to identify and help ensure the resilience of critical entities should follow a risk-based approach that targets efforts to the entities most relevant for the performance of vital societal functions or economic activities. In order to ensure such a targeted approach, each Member State should carry out, within a harmonised framework, an assessment of all relevant natural and man-made risks that may affect the provision of essential services, including accidents, natural disasters, public health emergencies such as pandemics, and antagonistic threats, including terrorist offences. When carrying out those risk assessments, Member States should take into account other general or sector-specific risk assessment carried out pursuant to other acts of Union law and should consider the dependencies between sectors, including from other Member States and third countries. The outcomes of the risk assessment should be used in the process of identification of critical entities and to assist those entities in meeting the resilience requirements of this Directive. |
(11) The actions of Member States to identify and help ensure the resilience of critical entities should follow a risk-based approach that targets efforts to the entities most relevant for the performance of vital societal functions or economic activities. In order to ensure such a targeted approach, each Member State should carry out, within a harmonised framework, an assessment of all relevant natural and man-made risks, including cross-sectoral and cross-border risks, that may affect the provision of essential services, including accidents, hybrid threats, natural disasters, public health emergencies such as pandemics, and antagonistic threats, including terrorist offences, criminal infiltration and sabotage. When carrying out those risk assessments, Member States should take into account other general or sector-specific risk assessment carried out pursuant to other acts of Union law and should consider the dependencies between sectors, including from other Member States and third countries. Member States should not consider as a risk any regular business risk to operations arising from market conditions or any risk arising from democratic decision-making. The outcomes of the risk assessment should be used in the process of identification of critical entities and to assist those entities in meeting the resilience requirements of this Directive. At their request the Commission should also be able to provide entities based in third countries with advisory expertise. |
Amendment 12
Proposal for a directive
Recital 12
|
|
Text proposed by the Commission |
Amendment |
(12) In order to ensure that all relevant entities are subject to those requirements and to reduce divergences in this respect, it is important to lay down harmonised rules allowing for a consistent identification of critical entities across the Union, while also allowing Member States to reflect national specificities. Therefore, criteria to identify critical entities should be laid down. In the interest of effectiveness, efficiency, consistency and legal certainty, appropriate rules should also be set on notification and cooperation relating to, as well as the legal consequences of, such identification. In order to enable the Commission to assess the correct application of this Directive, Member States should submit to the Commission, in a manner that is as detailed and specific as possible, relevant information and, in any event, the list of essential services, the number of critical entities identified for each sector and subsector referred to in the Annex and the essential service or services that each entity provides and any thresholds applied. |
(12) In order to ensure that all relevant entities are subject to those requirements and to reduce divergences in this respect, it is important to lay down harmonised minimum rules allowing for a consistent identification of critical entities across the Union, while also allowing Member States to reflect national specificities. Therefore, common criteria and methodologies to identify critical entities should be laid down in a transparent manner. In the interest of effectiveness, efficiency, consistency and legal certainty, appropriate rules should also be set on notification and cooperation relating to, as well as the legal consequences of, such identification. In order to enable the Commission to assess the correct application of this Directive, Member States should submit to the Commission, in a manner that is as detailed and specific as possible, relevant information and, in any event, the list of essential services, the number of critical entities identified for each sector and subsector referred to in the Annex and the essential service or services that each entity provides and any thresholds applied. |
Amendment 13
Proposal for a directive
Recital 13 a (new)
|
|
Text proposed by the Commission |
Amendment |
|
(13a) In accordance with applicable Union and national law, including Regulation (EU) 2019/452 of the European Parliament and of the Council1a, which establishes a framework for the screening of foreign direct investments in the Union, the potential threat posed by foreign ownership of critical infrastructure within the Union is to be acknowledged because services, the economy and the free movement and safety of Union citizens depend on the proper functioning of critical infrastructure. It is crucial that Member States and the Commission be vigilant with regard to financial investments that foreign countries make in the operation of critical entities within the Union and the consequences that such investments could have on the ability to prevent significant disruptions. |
|
_________________ |
|
1a Regulation (EU) 2019/452 of the European Parliament and of the Council of 19 March 2019 establishing a framework for the screening of foreign direct investments into the Union (OJ L 79I, 21.3.2019, p. 1). |
Amendment 14
Proposal for a directive
Recital 15
|
|
Text proposed by the Commission |
Amendment |
(15) The EU financial services acquis establishes comprehensive requirements on financial entities to manage all risks they face, including operational risks and ensure business continuity. This includes Regulation (EU) No 648/2012 of the European Parliament and of the Council22 , Directive 2014/65/EU of the European Parliament and of the Council23 and Regulation (EU) No 600/2014 of the European Parliament and of the Council24 as well as Regulation (EU) No 575/2013 of the European Parliament and of the Council25 and Directive 2013/36/EU of the European Parliament and of the Council26 . The Commission has recently proposed to complement this framework with Regulation XX/YYYY of the European Parliament and of the Council [proposed Regulation on digital operational resilience for the financial sector (hereafter “DORA Regulation”)27 ], which lays down requirements for financial firms to manage ICT risks, including the protection of physical ICT infrastructures. Since the resilience of entities listed in points 3 and 4 of the Annex is comprehensively covered by the EU financial services acquis, those entities should also be treated as equivalent to critical entities for the purposes of Chapter II of this Directive only. To ensure a consistent application of the operational risk and digital resilience rules in the financial sector, Member States’ support to enhancing the overall resilience of financial entities equivalent to critical entities should be ensured by the authorities designated pursuant to Article 41 of [DORA Regulation], and subject to the procedures set out in that legislation in a fully harmonised manner. |
(15) The EU financial services acquis establishes comprehensive requirements on financial entities to manage all risks they face, including operational risks and ensure business continuity. This includes Regulation (EU) No 648/2012 of the European Parliament and of the Council22 , Directive 2014/65/EU of the European Parliament and of the Council23 and Regulation (EU) No 600/2014 of the European Parliament and of the Council24 as well as Regulation (EU) No 575/2013 of the European Parliament and of the Council25 and Directive 2013/36/EU of the European Parliament and of the Council26 . The Commission has recently proposed to complement this framework with Regulation XX/YYYY of the European Parliament and of the Council [proposed Regulation on digital operational resilience for the financial sector (hereafter “DORA Regulation”)27 ], which lays down requirements for financial firms to manage ICT risks, including the protection of physical ICT infrastructures. Since the resilience of entities listed in points 3 and 4 of the Annex is comprehensively covered by the EU financial services acquis, those entities should also be treated as equivalent to critical entities for the purposes of Chapter II of this Directive only and, consequently, such entities should not be subject to the obligations laid down in Chapters III to VI of this Directive. To ensure a consistent application of the operational risk and digital resilience rules in the financial sector, Member States’ support to enhancing the overall resilience of financial entities equivalent to critical entities should be ensured by the authorities designated pursuant to Article 41 of [DORA Regulation], and subject to the procedures set out in that legislation in a fully harmonised manner. |
_________________ |
_________________ |
22 Regulation (EU) No 648/2012 of the European Parliament and of the Council of 4 July 2012 on OTC derivatives, central counterparties and trade repositories (OJ L 201, 27.7.2012, p. 1). |
22 Regulation (EU) No 648/2012 of the European Parliament and of the Council of 4 July 2012 on OTC derivatives, central counterparties and trade repositories (OJ L 201, 27.7.2012, p. 1). |
23 Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Directive 2002/92/EC and Directive 2011/61/EU (OJ L 173, 12.6.2014, p. 349). |
23 Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Directive 2002/92/EC and Directive 2011/61/EU (OJ L 173, 12.6.2014, p. 349). |
24 Regulation (EU) No 600/2014 of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Regulation (EU) No 648/2012 (OJ L 173, 12.6.2014, p. 84). |
24 Regulation (EU) No 600/2014 of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Regulation (EU) No 648/2012 (OJ L 173, 12.6.2014, p. 84). |
25 Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No 648/2012 (OJ L 176, 27.6.2013, p. 1). |
25 Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No 648/2012 (OJ L 176, 27.6.2013, p. 1). |
26 Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC (OJ L 176, 27.6.2013, p. 338). |
26 Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC (OJ L 176, 27.6.2013, p. 338). |
27 Proposal for a Regulation of the European Parliament and of the Council on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014, COM(2020) 595. |
27 Proposal for a Regulation of the European Parliament and of the Council on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014, COM(2020) 595. |
Amendment 15
Proposal for a directive
Recital 16
|
|
Text proposed by the Commission |
Amendment |
(16) Member States should designate authorities competent to supervise the application of and, where necessary, enforce the rules of this Directive and ensure that those authorities are adequately empowered and resourced. In view of the differences in national governance structures and in order to safeguard already existing sectoral arrangements or Union supervisory and regulatory bodies, and to avoid duplication, Member States should be able to designate more than one competent authority. In that case, they should however clearly delineate the respective tasks of the authorities concerned and ensure that they cooperate smoothly and effectively. All competent authorities should also cooperate more generally with other relevant authorities, both at national and Union level. |
(16) Member States should designate authorities competent to supervise the application of and enforce the rules of this Directive and ensure that those authorities are adequately empowered and resourced. In view of the differences in national governance structures and in order to safeguard already existing sectoral arrangements or Union supervisory and regulatory bodies, and to avoid duplication, Member States should be able to designate more than one competent authority. In that case, they should however clearly delineate the respective tasks of the authorities concerned and ensure that they cooperate smoothly and effectively, including with competent authorities of other Member States. All competent authorities should also cooperate more generally with other relevant authorities, both at national and Union level, including with competent authorities of other Member States. |
Amendment 16
Proposal for a directive
Recital 17
|
|
Text proposed by the Commission |
Amendment |
(17) In order to facilitate cross-border cooperation and communication and to enable the effective implementation of this Directive, each Member State should, without prejudice to sector-specific Union legal requirements, designate, within one of the authorities it designated as competent authority under this Directive, a single point of contact responsible for coordinating issues related to the resilience of critical entities and cross-border cooperation at Union level in this regard. |
(17) In order to facilitate cross-border cooperation and communication and to enable the effective implementation of this Directive, each Member State should, without prejudice to sector-specific Union legal requirements, designate, within one of the authorities it designated as competent authority under this Directive, a single point of contact responsible for coordinating issues related to the resilience of critical entities and cross-border cooperation at Union level in this regard. Each single point of contact should liaise and coordinate all communication, with the competent authorities of its Member State, with the single points of contact of other Member States and with the Critical Entities Resilience Group. The single points of contact should use efficient, secure and standardised reporting channels. |
Amendment 17
Proposal for a directive
Recital 18
|
|
Text proposed by the Commission |
Amendment |
(18) Given that under the NIS 2 Directive entities identified as critical entities, as well as identified entities in the digital infrastructure sector that are to be treated as equivalent under the present Directive are subject to the cybersecurity requirements of the NIS 2 Directive, the competent authorities designated under the two Directives should cooperate, particularly in relation to cybersecurity risks and incidents affecting those entities. |
(18) Entities identified as critical entities under this Directive as well as entities in the digital infrastructure sector that are to be treated as equivalent are subject to the cybersecurity requirements of the NIS 2 Directive. The competent authorities designated under the two Directives should therefore cooperate in an effective and consistent manner, particularly in relation to risks and incidents affecting those entities. It is important that Member States take measures to avoid double reporting and checks and to ensure that the strategies and requirements provided for in this Directive and the NIS 2 Directive are complementary and that critical entities are not subject to an administrative burden beyond that which is necessary to achieve the objectives of this Directive. |
Amendment 18
Proposal for a directive
Recital 19
|
|
Text proposed by the Commission |
Amendment |
(19) Member States should support critical entities in strengthening their resilience, in compliance with their obligations under this Directive, without prejudice to the entities’ own legal responsibility to ensure such compliance. Member States could in particular develop guidance materials and methodologies, support the organisation of exercises to test their resilience and provide training to personnel of critical entities. Moreover, given the interdependencies between entities and sectors, Member States should establish information sharing tools to support voluntary information sharing between critical entities, without prejudice to the application of competition rules laid down in the Treaty on the Functioning of the European Union. |
(19) Member States should support critical entities in strengthening their resilience, in particular those that qualify as small or medium-sized enterprises (SMEs), in compliance with their obligations under this Directive, without prejudice to the entities’ own legal responsibility to ensure such compliance. Member States should in particular develop guidance materials and methodologies, support the organisation of exercises to test their resilience and provide training to personnel of critical entities. Where necessary and justified by public interest objectives, Member States should be able to provide financial resources to critical entities, without prejudice to applicable rules on State aid. Moreover, given the interdependencies between entities and sectors, Member States should establish information sharing tools to support information sharing and good practices between critical entities, without prejudice to the application of competition rules laid down in the Treaty on the Functioning of the European Union. |
Amendment 19
Proposal for a directive
Recital 19 a (new)
|
|
Text proposed by the Commission |
Amendment |
|
(19a) When implementing this Directive, it is important that Member States take all the necessary actions to prevent any excessive administrative burdens, particularly on SMEs, and avoid duplications or unnecessary obligations. It is crucial that Member States assist with and facilitate the provision of adequate support to SMEs, when requested, by taking the technical and organisational measures required under this Directive. |
Amendment 20
Proposal for a directive
Recital 20
|
|
Text proposed by the Commission |
Amendment |
(20) In order to be able to ensure their resilience, critical entities should have a comprehensive understanding of all relevant risks to which they are exposed and analyse those risks. To that aim, they should carry out risks assessments, whenever necessary in view of their particular circumstances and the evolution of those risks, yet in any event every four years. The risk assessments by critical entities should be based on the risk assessment carried out by Member States. |
(20) In order to be able to ensure their resilience, critical entities should have a comprehensive understanding of all relevant risks to which they are exposed and analyse those risks. To that aim, they should carry out risks assessments, whenever necessary in view of their particular circumstances and the evolution of those risks, yet in any event every four years. The risk assessments by critical entities should be based on the risk assessment carried out by Member States and should be in line with common criteria and methodologies. |
Amendment 21
Proposal for a directive
Recital 23
|
|
Text proposed by the Commission |
Amendment |
(23) Regulation (EC) No 300/2008 of the European Parliament and of the Council28 , Regulation (EC) No 725/2004 of the European Parliament and of the Council29 and Directive 2005/65/EC of the European Parliament and of the Council30 establish requirements applicable to entities in the aviation and maritime transport sectors to prevent incidents caused by unlawful acts and to resist and mitigate the consequences of such incidents. While the measures required in this Directive are broader in terms of risks addressed and types of measures to be taken, critical entities in those sectors should reflect in their resilience plan or equivalent documents the measures taken pursuant to those other Union acts. Moreover, when implementing resilience measures under this Directive, critical entities may consider referring to non-binding guidelines and good practices documents developed under sectorial workstreams, such as the EU Rail Passenger Security Platform31 . |
(23) Regulation (EC) No 300/2008 of the European Parliament and of the Council28 , Regulation (EC) No 725/2004 of the European Parliament and of the Council29 and Directive 2005/65/EC of the European Parliament and of the Council30 establish requirements applicable to entities in the aviation and maritime transport sectors to prevent incidents caused by unlawful acts and to resist and mitigate the consequences of such incidents. While the measures required in this Directive are broader in terms of risks addressed and types of measures to be taken, critical entities in those sectors should reflect in their resilience plan or equivalent documents the measures taken pursuant to those other Union acts. Moreover, critical entities are also to take into consideration Directive 2008/96/EC of the European Parliament and of the Council30a, which introduces a network-wide road assessment to map the risks of accidents and a targeted road safety inspection to identify hazardous conditions, defects and problems that increase the risk of accidents and injuries, based on a site visit of an existing road or section of road. Ensuring the protection and resilience of critical entities is of the utmost importance for the railway sector and, when implementing resilience measures under this Directive, critical entities are encouraged to refer to non-binding guidelines and good practices documents developed under sectorial workstreams, such as the EU Rail Passenger Security Platform31 . |
_________________ |
_________________ |
28 Regulation (EC) No 300/2008 of the European Parliament and of the Council of 11 March 2008 on common rules in the field of civil aviation security and repealing Regulation (EC) No 2320/2002 (OJ L 97/72, 9.4.2008, p. 72). |
28 Regulation (EC) No 300/2008 of the European Parliament and of the Council of 11 March 2008 on common rules in the field of civil aviation security and repealing Regulation (EC) No 2320/2002 (OJ L 97/72, 9.4.2008, p. 72). |
29 Regulation (EC) No 725/2004 of the European Parliament and of the Council of 31 March 2004 on enhancing ship and port facility security (OJ L 129, 29.4.2004, p. 6.). |
29 Regulation (EC) No 725/2004 of the European Parliament and of the Council of 31 March 2004 on enhancing ship and port facility security (OJ L 129, 29.4.2004, p. 6.). |
30 Directive 2005/65/EC of the European Parliament and of the Council of 26 October 2005 on enhancing port security (OJ L 310, 25.11.2005, p. 28). |
30 Directive 2005/65/EC of the European Parliament and of the Council of 26 October 2005 on enhancing port security (OJ L 310, 25.11.2005, p. 28). |
|
30a Directive 2008/96/EC of the European Parliament and of the Council of 19 November 2008 on road infrastructure safety management (OJ L 319, 29.11.2008, p. 59). |
31 Commission Decision of 29 June 2018 setting up the EU Rail Passenger Security Platform C/2018/4014. |
31 Commission Decision of 29 June 2018 setting up the EU Rail Passenger Security Platform C/2018/4014. |
Amendment 22
Proposal for a directive
Recital 24
|
|
Text proposed by the Commission |
Amendment |
(24) The risk of employees of critical entities misusing for instance their access rights within the entity’s organisation to harm and cause damage is of increasing concern. That risk is exacerbated by the growing phenomenon of radicalisation leading to violent extremism and terrorism. It is therefore necessary to enable critical entities to request background checks on persons falling within specific categories of its personnel and to ensure that those requests are assessed expeditiously by the relevant authorities, in accordance with the applicable rules of Union and national law, including on the protection of personal data. |
(24) The risk of employees of critical entities misusing for instance their access rights within the entity’s organisation to harm and cause damage is of increasing concern. That risk is exacerbated by the growing phenomenon of radicalisation leading to violent extremism and terrorism. It is therefore necessary to enable critical entities to request background checks on persons falling within specific categories of its personnel and to ensure that those requests are assessed expeditiously by the relevant authorities, in accordance with the applicable rules of Union and national law, including on the protection of personal data, in particular Regulation (EU) 2016/679. |
Amendment 23
Proposal for a directive
Recital 25
|
|
Text proposed by the Commission |
Amendment |
(25) Critical entities should notify, as soon as reasonably possible under the given circumstances, Member States’ competent authorities of incidents that significantly disrupt or have the potential to significantly disrupt their operations. The notification should allow the competent authorities to respond to the incidents rapidly and adequately and to have a comprehensive overview of the overall risks that critical entities face. For that purpose, a procedure should be established for the notification of certain incidents and parameters should be provided for to determine when the actual or potential disruption is significant and the incidents should thus be notified. Given the potential cross-border impacts of such disruptions, a procedure should be established for Member States to inform other affected Member States via single points of contacts. |
(25) Critical entities should notify, as soon as reasonably possible under the given circumstances and, in any event, no later than 24 hours after becoming aware of the incident in question, Member States’ competent authorities of any incident that significantly disrupts or has the potential to significantly disrupt their operations. The competent authority should inform the public of such an incident where it determines that it would be in the public interest to do so. The competent authority should ensure that the critical entity concerned inform users of its services that might be affected by such an incident of the incident and, where relevant, of any possible safety measures or remedies. The notification should allow the competent authorities to respond to the incidents rapidly and adequately and to have a comprehensive overview of the overall risks that critical entities face. For that purpose, a procedure should be established for the notification of certain incidents and parameters should be provided for to determine when the actual or potential disruption is significant and the incidents should thus be notified. Given the potential cross-border impacts of such disruptions, a procedure should be established for Member States to inform other affected Member States via single points of contacts, without undue delay. Information on incidents should be treated in a way that respects confidentiality and the security and commercial interests of the critical entity concerned. |
Amendment 24
Proposal for a directive
Recital 26
|
|
Text proposed by the Commission |
Amendment |
(26) While critical entities generally operate as part of an increasingly interconnected network of service provision and infrastructures and often provide essential services in more than one Member State, some of those entities are of particular significance for the Union because they provide essential services to a large number of Member States, and therefore require specific oversight at Union level. Rules on the specific oversight in respect of such critical entities of particular European significance should therefore be established. Those rules are without prejudice to the rules on supervision and enforcement set out in this Directive. |
(26) While critical entities generally operate as part of an increasingly interconnected network of service provision and infrastructures and often provide essential services in more than one Member State, some of those entities are of particular significance for the Union and the internal market because they provide essential services to several Member States, and therefore require specific oversight at Union level. Rules on the specific oversight in respect of such critical entities of particular European significance should therefore be established. Those rules are without prejudice to the rules on supervision and enforcement set out in this Directive. |
Amendment 25
Proposal for a directive
Recital 27 a (new)
|
|
Text proposed by the Commission |
Amendment |
|
(27a) Standardisation should remain primarily a market-driven process. However, there might still be situations where it is appropriate to require compliance with specified standards at Union level. The Commission and the Member States should support and promote the development and implementation of standards and specifications relevant to the resilience of critical entities as set by the European Standardisation Organisations for the undertaking of technical and organisational measures aimed at ensuring critical entities’ resilience. Member States should also encourage the use of internationally accepted standards and specifications relevant to resilience measures applicable to critical entities. |
Amendment 26
Proposal for a directive
Recital 30
|
|
Text proposed by the Commission |
Amendment |
(30) Member States should ensure that their competent authorities have certain specific powers for the proper application and enforcement of this Directive in relation to critical entities, where those entities fall under their jurisdiction as specified in this Directive. Those powers should include, notably, the power to conduct inspections, supervision and audits, require critical entities to provide information and evidence relating to the measures they have taken to comply with their obligations and, where necessary, issue orders to remedy identified infringements. When issuing such orders, Member States should not require measures which go beyond what is necessary and proportionate to ensure compliance of the critical entity concerned, taking account of in particular the seriousness of the infringement and the economic capacity of the critical entity. More generally, those powers should be accompanied by appropriate and effective safeguards to be specified in national law, in accordance with the requirements resulting from Charter of Fundamental Rights of the European Union. When assessing the compliance of a critical entity with its obligations under this Directive, competent authorities designated under this Directive should be able to request the competent authorities designated under the NIS 2 Directive to assess the cybersecurity of those entities. Those competent authorities should cooperate and exchange information for that purpose. |
(30) Member States should ensure that their competent authorities have certain specific powers for the proper application and enforcement of this Directive in relation to critical entities, where those entities fall under their jurisdiction as specified in this Directive. Those powers should include, notably, the power to conduct inspections, supervision and audits, require critical entities to provide information and evidence relating to the measures they have taken to comply with their obligations and, where necessary, issue orders to remedy identified infringements. When issuing such orders, Member States should not require measures which go beyond what is necessary and proportionate to ensure compliance of the critical entity concerned, taking account of in particular the seriousness of the infringement and the economic capacity of the critical entity. More generally, those powers should be accompanied by appropriate and effective safeguards to be specified in national law, in accordance with the requirements resulting from Charter of Fundamental Rights of the European Union. The assessment of critical entities under this Directive, in matters that fall under the scope of the NIS 2 Directive such as physical and non-physical cybersecurity, is the responsibility of the competent authorities designated under the NIS 2 Directive. Furthermore, when assessing the compliance of a critical entity with its obligations under this Directive, competent authorities designated under this Directive should be able to request the competent authorities designated under the NIS 2 Directive to assess the cybersecurity of those entities. Those competent authorities should cooperate and exchange information for that purpose. |
Amendment 27
Proposal for a directive
Recital 31
|
|
Text proposed by the Commission |
Amendment |
(31) In order to take into account new risks, technological developments or specificities of one or more of the sectors, the power to adopt acts in accordance with Article 290 Treaty on the Functioning of the European Union should be delegated to the Commission to supplement the resilience measures critical entities are to take by further specifying some or all of those measures. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level, and that those consultations be conducted in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making32 . In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council receive all documents at the same time as Member States' experts, and their experts systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts. |
(31) In order to take into account new risks, technological developments or specificities of one or more of the sectors, the power to adopt acts in accordance with Article 290 Treaty on the Functioning of the European Union should be delegated to the Commission to supplement the resilience measures critical entities are to take by further specifying some or all of those measures. In order to avoid the divergent application of this Directive and to improve the functioning of the internal market, the power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union should be delegated to the Commission to supplement this Directive by drawing up a common list of essential services. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level, and that those consultations be conducted in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making32. In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council receive all documents at the same time as Member States' experts, and their experts systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts. |
_________________ |
_________________ |
32 OJ L 123, 12.5.2016, p. 1. |
32 OJ L 123, 12.5.2016, p. 1. |
Amendment 28
Proposal for a directive
Article 1 – paragraph 1 – introductory part
|
|
Text proposed by the Commission |
Amendment |
1. This Directive: |
1. This Directive lays down measures with a view to achieving a high level of resilience of critical entities in order to ensure the provision of essential services within the Union and to improve the functioning of the internal market. To that end, this Directive: |
Amendment 29
Proposal for a directive
Article 1 – paragraph 1 – point a
|
|
Text proposed by the Commission |
Amendment |
(a) lays down obligations for Member States to take certain measures aimed at ensuring the provision in the internal market of services essential for the maintenance of vital societal functions or economic activities, in particular to identify critical entities and entities to be treated as equivalent in certain respects, and to enable them to meet their obligations; |
(a) lays down obligations for Member States to take certain measures aimed at ensuring the continuous provision in the internal market of services essential for the maintenance of vital societal functions or economic activities, in particular to identify critical entities and entities to be treated as equivalent in certain respects, and to enable them to meet their obligations; |
Amendment 30
Proposal for a directive
Article 1 – paragraph 2
|
|
Text proposed by the Commission |
Amendment |
2. This Directive shall not apply to matters covered by Directive (EU) XX/YY [proposed Directive on measures for a high common level of cybersecurity across the Union; (‘NIS 2 Directive’)], without prejudice to Article 7. |
2. This Directive shall not apply to matters covered by Directive (EU) XX/YY [proposed Directive on measures for a high common level of cybersecurity across the Union; (‘NIS 2 Directive’)], without prejudice to Article 7. In view of the interlinkages between cybersecurity and the physical security of entities, Member States shall ensure a coherent implementation of this Directive and the NIS 2 Directive. |
Amendment 31
Proposal for a directive
Article 2 – paragraph 1 – point 3
|
|
Text proposed by the Commission |
Amendment |
(3) “incident” means any event having the potential to disrupt, or that disrupts, the operations of the critical entity; |
(3) “incident” means any event having the potential to disrupt, or that disrupts the provision of an essential service by a critical entity; |
Amendment 32
Proposal for a directive
Article 2 – paragraph 1 – point 4
|
|
Text proposed by the Commission |
Amendment |
(4) “infrastructure” means an asset, system or part thereof, which is necessary for the delivery of an essential service; |
(4) “infrastructure” means assets, including facilities, systems and equipment, or parts thereof, which are necessary for the delivery of an essential service; |
Amendment 33
Proposal for a directive
Article 2 – paragraph 1 – point 5
|
|
Text proposed by the Commission |
Amendment |
(5) “essential service” means a service which is essential for the maintenance of vital societal functions or economic activities; |
(5) “essential service” means a service which is essential for the maintenance of vital societal functions, economic activities, public health and safety, the environment or the rule of law; |
Amendment 34
Proposal for a directive
Article 2 – paragraph 1 – point 6
|
|
Text proposed by the Commission |
Amendment |
(6) “risk” means any circumstance or event having a potential adverse effect on the resilience of critical entities; |
(6) “risk” means any circumstance or event having a potential adverse effect on the ability of a critical entity to provide an essential service; |
Amendment 35
Proposal for a directive
Article 2 – paragraph 1 – point 7
|
|
Text proposed by the Commission |
Amendment |
(7) “risk assessment” means a methodology to determine the nature and extent of a risk by analysing potential threats and hazards and evaluating existing conditions of vulnerability that could disrupt the operations of the critical entity. |
(7) “risk assessment” means a methodology to determine the nature and extent of a risk by assessing potential threats and hazards against the resilience of a critical entity, analysing existing conditions of vulnerability that could lead to the disruption of the operations of a critical entity and evaluating the potential adverse effect the disruption of operations could have on the provision of essential services; |
Amendment 36
Proposal for a directive
Article 2 – paragraph 1 – point 7 a (new)
|
|
Text proposed by the Commission |
Amendment |
|
(7a) ‘standard’ means standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council1a; |
|
____________ |
|
1a Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council Decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12) |
Amendment 37
Proposal for a directive
Article 2 – paragraph 1 – point 7 b (new)
|
|
Text proposed by the Commission |
Amendment |
|
(7b) ‘technical specification’ means technical specification as defined in Article 2 point (4), of Regulation (EU) No 1025/2012; |
Amendment 38
Proposal for a directive
Article 3 – paragraph 1
|
|
Text proposed by the Commission |
Amendment |
1. Each Member State shall adopt by [three years after entry into force of this Directive] a strategy for reinforcing the resilience of critical entities. This strategy shall set out strategic objectives and policy measures with a view to achieving and maintaining a high level of resilience on the part of those critical entities and covering at least the sectors referred to in the Annex. |
1. Following a consultation open to all affected stakeholders, each Member State shall adopt by [three years after entry into force of this Directive] a strategy for reinforcing the resilience of critical entities. This strategy shall take into account the Union strategy on resilience prepared by the Critical Entities Resilience Group, referred to in Article 16, and set out strategic objectives and policy measures with a view to achieving and maintaining a high level of resilience on the part of those critical entities and covering at least the sectors referred to in the Annex. |
Amendment 39
Proposal for a directive
Article 3 – paragraph 2 – point c
|
|
Text proposed by the Commission |
Amendment |
(c) a description of measures necessary to enhance the overall resilience of critical entities, including a national risk assessment, the identification of critical entities and of entities equivalent to critical entities, and the measures to support critical entities taken in accordance with this Chapter; |
(c) a description of measures necessary to enhance the overall resilience of critical entities, including a national risk assessment as referred to in Article 4, the identification of critical entities and of entities equivalent to critical entities, and the measures to support critical entities taken in accordance with this Chapter, including measures to enhance cooperation between the public sector and the private sector and public and private entities; |
Amendment 40
Proposal for a directive
Article 3 – paragraph 2 – point c a (new)
|
|
Text proposed by the Commission |
Amendment |
|
(ca) a list of all authorities and stakeholders involved in the implementation of the strategy; |
Amendment 41
Proposal for a directive
Article 3 – paragraph 2 – point d a (new)
|
|
Text proposed by the Commission |
Amendment |
|
(da) a policy framework addressing the specific needs and characteristics of small and medium-sized enterprises identified as critical entities to improve their resilience; |
Amendment 42
Proposal for a directive
Article 3 – paragraph 2 – point d b (new)
|
|
Text proposed by the Commission |
Amendment |
|
(db) the relevant aspects of the national cybersecurity strategy provided for in the NIS 2 Directive and any other sectoral national strategy with a view to achieving coordination, complementarity and synergies. |
Amendment 43
Proposal for a directive
Article 3 – paragraph 2 – subparagraph 1
|
|
Text proposed by the Commission |
Amendment |
The strategy shall be updated where necessary and at least every four years. |
Following a consultation open to all affected stakeholders, the strategy shall be updated at least every four years. |
Amendment 44
Proposal for a directive
Article 4 – paragraph 1 – subparagraph 1
|
|
Text proposed by the Commission |
Amendment |
1. Competent authorities designated pursuant to Article 8 shall establish a list of essential services in the sectors referred to in the Annex. They shall carry out by [three years after entry into force of this Directive], and subsequently where necessary, and at least every four years, an assessment of all relevant risks that may affect the provision of those essential services, with a view to identifying critical entities in accordance with Article 5(1), and assisting those critical entities to take measures pursuant to Article 11. |
1. The Commission is empowered to adopt a delegated act in accordance with Article 21 to supplement this Directive by establishing a list of essential services in the sectors and subsectors referred to in the Annex. The Commission shall adopt the delegated act no later than... [six months after the date of entry into force of this Directive]. Competent authorities designated pursuant to Article 8 shall carry out by [three years after entry into force of this Directive], and subsequently where necessary, and at least every four years, an assessment of all relevant risks that may affect the provision of the essential services listed in the delegated act, with a view to identifying critical entities in accordance with Article 5(1), and assisting those critical entities to take measures pursuant to Article 11. |
Amendment 45
Proposal for a directive
Article 4 – paragraph 1 – subparagraph 2
|
|
Text proposed by the Commission |
Amendment |
The risk assessment shall account for all relevant natural and man-made risks, including accidents, natural disasters, public health emergencies, antagonistic threats, including terrorist offences pursuant to Directive (EU) 2017/541 of the European Parliament and of the Council34. |
The risk assessment shall account for all relevant natural and man-made risks, including those of a cross-sectoral or cross-border nature, accidents, natural disasters, public health emergencies, antagonistic threats, including terrorist offences pursuant to Directive (EU) 2017/541 of the European Parliament and of the Council34. |
_________________ |
_________________ |
34 Directive (EU) 2017/541 of the European Parliament and of the Council of 15 March 2017 on combating terrorism and replacing Council Framework Decision 2002/475/JHA and amending Council Decision 2005/671/JHA (OJ L 88, 31.3.2017, p. 6). |
34 Directive (EU) 2017/541 of the European Parliament and of the Council of 15 March 2017 on combating terrorism and replacing Council Framework Decision 2002/475/JHA and amending Council Decision 2005/671/JHA (OJ L 88, 31.3.2017, p. 6). |
Amendment 46
Proposal for a directive
Article 4 – paragraph 2 – subparagraph 1 – point c
|
|
Text proposed by the Commission |
Amendment |
(c) any risks arising from the dependencies between the sectors referred to in the Annex, including from other Member States and third countries, and the impact that a disruption in one sector may have on other sectors; |
(c) any risks arising from the dependencies between the sectors referred to in the Annex, including from other Member States and third countries, and the impact that a disruption in one sector may have on other sectors, including any risks to citizens and the internal market; |
Amendment 47
Proposal for a directive
Article 4 – paragraph 3
|
|
Text proposed by the Commission |
Amendment |
3. Member States shall make the relevant elements of the risk assessment referred to in paragraph 1 available to the critical entities that they identified in accordance with Article 5 in order to assist those critical entities in carrying out their risk assessment, pursuant to Article 10, and in taking measures to ensure their resilience pursuant to Article 11. |
3. Member States shall make the relevant elements of the risk assessment referred to in paragraph 1 available, through their single point of contact referred to in Article 8(2), to the critical entities that they identified in accordance with Article 5 in order to assist those critical entities in carrying out their risk assessment, pursuant to Article 10, and in taking measures to ensure their resilience pursuant to Article 11. |
Amendment 48
Proposal for a directive
Article 4 – paragraph 5
|
|
Text proposed by the Commission |
Amendment |
5. The Commission may, in cooperation with the Member States, develop a voluntary common reporting template for the purposes of complying with paragraph 4. |
5. The Commission shall, in cooperation with the Member States, develop a voluntary common reporting template for the purposes of complying with paragraph 4. |
Amendment 49
Proposal for a directive
Article 5 – paragraph 2 – introductory part
|
|
Text proposed by the Commission |
Amendment |
2. When identifying critical entities pursuant to paragraph 1, Member States shall take into account the outcomes of the risk assessment pursuant to Article 4 and apply the following criteria: |
2. When identifying critical entities pursuant to paragraph 1, Member States shall take into account the outcomes of the risk assessment pursuant to Article 4 and the strategy on the resilience of critical entities referred to in Article 3 and shall apply the following criteria: |
Amendment 50
Proposal for a directive
Article 5 – paragraph 2 – point b
|
|
Text proposed by the Commission |
Amendment |
(b) the provision of that service depends on infrastructure located in the Member State; and |
(b) the provision of that essential service depends on infrastructure located in the Member State; and |
Amendment 51
Proposal for a directive
Article 5 – paragraph 2 – point c
|
|
Text proposed by the Commission |
Amendment |
(c) an incident would have significant disruptive effects on the provision of the service or of other essential services in the sectors referred to in the Annex that depend on the service. |
(c) an incident would have significant disruptive effects on the provision of the essential service or of other essential services in the sectors referred to in the Annex that depend on the service. |
Amendment 52
Proposal for a directive
Article 5 – paragraph 5
|
|
Text proposed by the Commission |
Amendment |
5. Following the notification referred in paragraph 3, Member States shall ensure that critical entities provide information to their competent authorities designated pursuant to Article 8 of this Directive on whether they have been identified as a critical entity in one or more other Member States. Where an entity has been identified as critical by two or more Member States, these Member States shall engage in consultation with each other with a view to reduce the burden on the critical entity in regard to the obligations pursuant to Chapter III. |
5. Following the notification referred in paragraph 3, Member States shall ensure that critical entities provide information to their competent authorities designated pursuant to Article 8 of this Directive on whether they have been identified as a critical entity in one or more other Member States. Where an entity has been identified as critical by two or more Member States, these Member States shall engage in consultation with each other with a view to achieving the highest possible degree of coherence and to reducing the burden on the critical entity in regard to the obligations pursuant to Chapter III. |
Amendment 53
Proposal for a directive
Article 5 – paragraph 6
|
|
Text proposed by the Commission |
Amendment |
6. For the purposes of Chapter IV, Member States shall ensure that critical entities, following the notification referred in paragraph 3, provide information to their competent authorities designated pursuant to Article 8 of this Directive on whether they provide essential services to or in more than one third of Member States. Where that is so, the Member State concerned shall notify, without undue delay, to the Commission the identity of those critical entities. |
6. For the purposes of Chapter IV, Member States shall ensure that critical entities, following the notification referred in paragraph 3, provide information to their competent authorities designated pursuant to Article 8 of this Directive on whether they provide the same or similar essential services to or in more than three Member States. Where that is so, the Member State concerned shall notify, without undue delay, to the Commission the identity of those critical entities. |
Amendment 54
Proposal for a directive
Article 5 – paragraph 7 – subparagraph 2
|
|
Text proposed by the Commission |
Amendment |
Where those updates lead to the identification of additional critical entities, paragraphs 3, 4, 5 and 6 shall apply. In addition, Member States shall ensure that entities that are no longer identified as critical entities pursuant to any such update are notified thereof and are informed that they are no longer subject to the obligations pursuant to Chapter III as from the reception of that information. |
Where those updates lead to the identification of additional critical entities, paragraphs 3, 4, 5 and 6 shall apply. In addition, Member States shall ensure that entities that are no longer identified as critical entities pursuant to any such update are notified thereof and are informed in due time that they are no longer subject to the obligations pursuant to Chapter III as from the reception of that information. |
Amendment 55
Proposal for a directive
Article 5 – paragraph 7 a (new)
|
|
Text proposed by the Commission |
Amendment |
|
7a. The Commission shall, in cooperation with the Member States, develop recommendations and guidelines to support Member States in identifying critical entities. |
Amendment 56
Proposal for a directive
Article 6 – paragraph 1 – point a
|
|
Text proposed by the Commission |
Amendment |
(a) the number of users relying on the service provided by the entity; |
(a) the number of users relying on the essential service provided by the entity; |
Amendment 57
Proposal for a directive
Article 6 – paragraph 1 – point b
|
|
Text proposed by the Commission |
Amendment |
(b) the dependency of other sectors referred to in the Annex on that service; |
(b) the dependency of other sectors and subsectors referred to in the Annex or of the supply chain on that essential service; |
Amendment 58
Proposal for a directive
Article 6 – paragraph 1 – point e
|
|
Text proposed by the Commission |
Amendment |
(e) the geographic area that could be affected by an incident, including any cross-border impacts; |
(e) the geographic area that could be affected by an incident, including any cross-border impacts, taking into account the vulnerability associated with the degree of isolation of certain types of geographic areas, such as insular regions, outermost regions or mountainous areas; |
Amendment 59
Proposal for a directive
Article 6 – paragraph 1 – point f
|
|
Text proposed by the Commission |
Amendment |
(f) the importance of the entity in maintaining a sufficient level of the service, taking into account the availability of alternative means for the provision of that service. |
(f) the importance of the entity in maintaining a sufficient level of the essential service, taking into account the availability of alternative means for the provision of that essential service. |
Amendment 60
Proposal for a directive
Article 6 – paragraph 3
|
|
Text proposed by the Commission |
Amendment |
3. The Commission may, after consultation of the Critical Entities Resilience Group, adopt guidelines to facilitate the application of the criteria referred to in paragraph 1, taking into account the information referred to in paragraph 2. |
3. The Commission shall, after consultation of the Critical Entities Resilience Group, adopt guidelines to facilitate the application of the criteria referred to in paragraph 1, taking into account the information referred to in paragraph 2. |
Amendment 61
Proposal for a directive
Article 7 – paragraph 1
|
|
Text proposed by the Commission |
Amendment |
1. As regards the sectors referred to in points 3, 4 and 8 of the Annex, Member States shall, by [three years and three months after entry into force of this Directive], identify the entities that shall be treated as equivalent to critical entities for the purposes of this Chapter. They shall apply the provisions of Articles 3, 4, 5(1) to (4) and (7), and 9 in respect of those entities. |
1. As regards the sectors referred to in points 3, 4 and 8 of the Annex, Member States shall, by [one year and six months after entry into force of this Directive], identify the entities that shall be treated as equivalent to critical entities for the purposes of this Chapter. They shall apply the provisions of Articles 3, 4, 5(1) to (4) and (7), and 9 in respect of those entities. |
Amendment 62
Proposal for a directive
Article 8 – paragraph 2
|
|
Text proposed by the Commission |
Amendment |
2. Each Member State shall, within the competent authority, designate a single point of contact to exercise a liaison function to ensure cross-border cooperation with competent authorities of other Member States and with the Critical Entities Resilience Group referred to in Article 16 (‘single point of contact’). |
2. Each Member State shall, within the competent authority, designate a single point of contact to exercise a liaison function to ensure cross-border cooperation with competent authorities of other Member States and with the Commission and the Critical Entities Resilience Group referred to in Article 16 (‘single point of contact’) and, where relevant, to ensure cooperation with third countries. |
Amendment 63
Proposal for a directive
Article 8 – paragraph 3
|
|
Text proposed by the Commission |
Amendment |
3. By [three years and six months after entry into force of this Directive], and every year thereafter, the single points of contact shall submit a summary report to the Commission and to the Critical Entities Resilience Group on the notifications received, including the number of notifications, the nature of notified incidents and the actions taken in accordance with Article 13(3). |
3. By ... [four years and six months after entry into force of this Directive], and in the first trimester of every year thereafter, the single points of contact shall submit a summary report to the Commission and to the Critical Entities Resilience Group on the notifications received, including the number of notifications, the nature of notified incidents and the actions taken in accordance with Article 13(3). |
Amendment 64
Proposal for a directive
Article 9 – paragraph 1
|
|
Text proposed by the Commission |
Amendment |
1. Member States shall support critical entities in enhancing their resilience. That support may include developing guidance materials and methodologies, supporting the organisation of exercises to test their resilience and providing training to personnel of critical entities. |
1. Member States shall support critical entities in enhancing their resilience. That support shall include developing guidance materials and methodologies, supporting the organisation of exercises to test their resilience and providing training to personnel of critical entities. Member States may provide financial resources to critical entities, without prejudice to applicable rules on State aid, where necessary and justified by public interest objectives. |
Amendment 65
Proposal for a directive
Article 10 – paragraph 1
|
|
Text proposed by the Commission |
Amendment |
Member States shall ensure that critical entities assess within six months after receiving the notification referred to in Article 5(3), and subsequently where necessary and at least every four years, on the basis of Member States’ risk assessments and other relevant sources of information, all relevant risks that may disrupt their operations. |
Member States shall ensure that critical entities assess within six months after receiving the notification referred to in Article 5(3), and subsequently where necessary and at least every four years, on the basis of Member States’ risk assessments and other relevant sources of information, all relevant risks that may disrupt their provision of essential services concerned. |
Amendment 66
Proposal for a directive
Article 11 – paragraph 1 – point d
|
|
Text proposed by the Commission |
Amendment |
(d) recover from incidents, including business continuity measures and the identification of alternative supply chains; |
(d) recover from incidents, including business continuity measures and the identification of alternative supply chains, to ensure the continuous provision of the essential service; |
Amendment 67
Proposal for a directive
Article 11 – paragraph 1 – point e
|
|
Text proposed by the Commission |
Amendment |
(e) ensure adequate employee security management, including by setting out categories of personnel exercising critical functions, establishing access rights to sensitive areas, facilities and other infrastructure, and to sensitive information as well as identifying specific categories of personnel in view of Article 12; |
(e) ensure adequate employee security management, including by setting out categories of personnel exercising critical functions, laying down appropriate training requirements and qualifications, establishing access rights to sensitive areas, facilities and other infrastructure, and to sensitive information as well as identifying specific categories of personnel in view of Article 12; where external providers are involved in employee security management, critical entities shall ensure that they comply with generally accepted standards and specifications |
Amendment 68
Proposal for a directive
Article 11 – paragraph 1 – point f
|
|
Text proposed by the Commission |
Amendment |
(f) raise awareness about the measures referred to in points (a) to (e) among relevant personnel. |
(f) raise awareness about the measures referred to in points (a) to (e) among relevant personnel, including by means of periodic training. |
Amendment 69
Proposal for a directive
Article 11 – paragraph 3
|
|
Text proposed by the Commission |
Amendment |
3. Upon request of the Member State that identified the critical entity and with the agreement of the critical entity concerned, the Commission shall organise advisory missions, in accordance with the arrangements set out in Article 15(4), (5), (7) and (8), to provide advice to the critical entity concerned in meeting its obligations pursuant to Chapter III. The advisory mission shall report its findings to the Commission, that Member State and the critical entity concerned. |
3. Upon request of the Member State that identified the critical entity and in consultation with the critical entity concerned, the Commission shall organise advisory missions, in accordance with the arrangements set out in Article 15(4), (5), (7) and (8), to provide advice to the critical entity concerned in meeting its obligations pursuant to Chapter III. The advisory mission shall report its findings to the Commission, that Member State and the critical entity concerned. At their request the Commission may also offer advisory missions to entities based in third countries. |
Amendment 70
Proposal for a directive
Article 12 – paragraph 1
|
|
Text proposed by the Commission |
Amendment |
1. Member States shall ensure that critical entities may submit requests for background checks on persons who fall within certain specific categories of their personnel, including persons being considered for recruitment to positions falling within those categories, and that those requests are assessed expeditiously by the authorities competent to carry out such background checks. |
1. Member States shall ensure that critical entities may submit requests for background checks on persons who fall within certain specific categories of their personnel, including persons being considered for recruitment to positions falling within those categories, and that those requests are assessed expeditiously by the authorities competent to carry out such background checks. Such background checks shall be proportionate and strictly limited to what is necessary and relevant for the fulfilment of the duties of the persons concerned. |
Amendment 71
Proposal for a directive
Article 12 – paragraph 2 – subparagraph 1 – introductory part
|
|
Text proposed by the Commission |
Amendment |
2. In accordance with applicable Union and national law, including Regulation (EU) 2016/679/EU of the European Parliament and of the Council38, a background check as referred to in paragraph 1 shall: |
2. In accordance with applicable Union and national law, including Regulation (EU) 2016/679/EU of the European Parliament and of the Council, Member States shall ensure that a background check as referred to in paragraph 1 is carried out for the sole purpose of evaluating a potential security risk to the critical entity concerned. A background check shall: |
_________________ |
|
38 OJ L 119, 4.5.2016, p. 1. |
|
Amendment 72
Proposal for a directive
Article 13 – paragraph 1
|
|
Text proposed by the Commission |
Amendment |
1. Member States shall ensure that critical entities notify without undue delay the competent authority of incidents that significantly disrupt or have the potential to significantly disrupt their operations. Notifications shall include any available information necessary to enable the competent authority to understand the nature, cause and possible consequences of the incident, including so as to determine any cross-border impact of the incident. Such notification shall not make the critical entities subject to increased liability. |
1. Member States shall ensure that critical entities notify without undue delay the competent authority of incidents that significantly disrupt or have the potential to significantly disrupt their operations. An initial notification shall be submitted within 24 hours of a critical entity becoming aware of an incident, followed by a detailed report no later than one month thereafter. Notifications shall include any available information necessary to enable the competent authority to understand the nature, cause and possible consequences of the incident, including so as to determine any cross-border impact of the incident. Such notification shall not make the critical entities subject to increased liability. |
|
Where an incident has or might have a significant impact on critical entities or on the continuity of the provision of essential services in more than three Member States, Member States shall ensure that the critical entities concerned notify such incidents to the Commission. The Commission shall inform the Critical Entities Resilience Group of any such notifications without undue delay. The Commission and the Critical Entities Resilience Group shall, in accordance with Union law, treat information provided as part of such notifications in a way that respects its confidentiality and protects the security and commercial interests of the critical entity or entities concerned. |
Amendment 73
Proposal for a directive
Article 13 – paragraph 2 – point c
|
|
Text proposed by the Commission |
Amendment |
(c) the geographical area affected by the disruption or potential disruption. |
(c) the geographical area affected by the disruption or potential disruption, taking into account whether the area is geographically isolated. |
Amendment 74
Proposal for a directive
Article 13 – paragraph 3 a (new)
|
|
Text proposed by the Commission |
Amendment |
|
3a. The competent authority concerned shall submit a summary report annually to the Commission and to the Critical Entities Resilience Group on the notifications received and the action taken in accordance with this Article. |
Amendment 75
Proposal for a directive
Article 13 – paragraph 4
|
|
Text proposed by the Commission |
Amendment |
4. As soon as possible upon having been notified in accordance with paragraph 1, the competent authority shall provide the critical entity that notified it with relevant information regarding the follow-up of its notification, including information that could support the critical entity’s effective response to the incident. |
4. As soon as possible upon having been notified in accordance with paragraph 1, the competent authority shall provide the critical entity that notified it with relevant information regarding the follow-up of its notification, including information that could support the critical entity’s effective response to the incident. The competent authority shall inform the public of an incident where it determines that it would be in the public interest to do so. The competent authority shall ensure that critical entities inform users of their services that might be affected by an incident of the incident and, where relevant, of any possible safety measures or remedies. |
Amendment 76
Proposal for a directive
Article 13 a (new)
|
|
Text proposed by the Commission |
Amendment |
|
Article 13a |
|
Standards |
|
In order to promote the consistent implementation of this Directive, Member States shall, without imposing or discriminating in favour of the use of a particular type of technology, encourage the use of standards and specifications relevant to the security and resilience of critical entities. |
Amendment 77
Proposal for a directive
Article 14 – paragraph 2
|
|
Text proposed by the Commission |
Amendment |
2. An entity shall be considered a critical entity of particular European significance when it has been identified as a critical entity and it provides essential services to or in more than one third of Member States and has been notified as such to the Commission pursuant to Article 5(1) and (6), respectively. |
2. An entity shall be considered a critical entity of particular European significance when it has been identified as a critical entity and it provides the same or similar essential services to or in more than three Member States and has been notified as such to the Commission pursuant to Article 5(1) and (6), respectively. |
Amendment 78
Proposal for a directive
Article 15 – paragraph 1 – subparagraph 1
|
|
Text proposed by the Commission |
Amendment |
Upon request of one or more Member States or of the Commission, the Member State where the infrastructure of the critical entity of particular European significance is located shall, together with that entity, inform the Commission and the Critical Entities Resilience Group of the outcome of the risk assessment carried out pursuant to Article 10 and the measures taken in accordance with Article 11. |
Upon request of one or more Member States or of the Commission, a critical entity of particular European significance shall, inform the Critical Entities Resilience Group of the outcome of the risk assessment carried out pursuant to Article 10 and the measures taken in accordance with Article 11. |
Amendment 79
Proposal for a directive
Article 15 – paragraph 2
|
|
Text proposed by the Commission |
Amendment |
2. Upon request of one or more Member States, or at its own initiative, and in agreement with the Member State where the infrastructure of the critical entity of particular European significance is located, the Commission shall organise an advisory mission to assess the measures that that entity put in place to meet its obligations pursuant to Chapter III. Where needed, the advisory missions may request specific expertise in the area of disaster risk management through the Emergency Response Coordination Centre. |
2. Upon request of one or more Member States, or at its own initiative, and in consultation with the Member State where the infrastructure of the critical entity of particular European significance is located, the Commission shall organise an advisory mission to assess the measures that that entity put in place to meet its obligations pursuant to Chapter III. Where needed, the advisory missions may request specific expertise in the area of disaster risk management through the Emergency Response Coordination Centre. |
Amendment 80
Proposal for a directive
Article 15 – paragraph 4 – subparagraph 2
|
|
Text proposed by the Commission |
Amendment |
The Commission shall organise the programme of an advisory mission, in consultation with the members of the specific advisory mission and in agreement with the Member State where the infrastructure of the critical entity or the critical entity of European significance concerned is located. |
The Commission shall organise the programme of an advisory mission, in consultation with the members of the specific advisory mission and the Member State where the infrastructure of the critical entity or the critical entity of European significance concerned is located. |
Amendment 81
Proposal for a directive
Article 16 – paragraph 2 – subparagraph 1
|
|
Text proposed by the Commission |
Amendment |
The Critical Entities Resilience Group shall be composed of representatives of the Member States and the Commission. Where relevant for the performance of its tasks, the Critical Entities Resilience Group may invite representatives of interested parties to participate in its work. |
The Critical Entities Resilience Group shall be composed of representatives of the Member States and the Commission. Where relevant for the performance of its tasks, the Critical Entities Resilience Group shall invite representatives of relevant stakeholders to participate in its work and the European Parliament to participate as an observer. |
Amendment 82
Proposal for a directive
Article 16 – paragraph 3 – point c
|
|
Text proposed by the Commission |
Amendment |
(c) facilitating the exchange of best practices with regard to the identification of critical entities by the Member States in accordance with Article 5, including in relation to cross-border dependencies and regarding risks and incidents; |
(c) facilitating the exchange of best practices with regard to the identification of critical entities by the Member States in accordance with Article 5, including in relation to cross-border and cross sectoral dependencies and regarding risks and incidents; |
Amendment 83
Proposal for a directive
Article 16 – paragraph 3 – point c a (new)
|
|
Text proposed by the Commission |
Amendment |
|
(ca) preparing a Union strategy on resilience in compliance with the objectives set out in this Directive; |
Amendment 84
Proposal for a directive
Article 16 – paragraph 3 – point h
|
|
Text proposed by the Commission |
Amendment |
(h) exchanging information and best practices on research and development relating to the resilience of critical entities in accordance with this Directive; |
(h) exchanging information and best practices on innovation, research and development relating to the resilience of critical entities in accordance with this Directive; |
Amendment 85
Proposal for a directive
Article 16 – paragraph 3 – point h a (new)
|
|
Text proposed by the Commission |
Amendment |
|
(ha) promoting and supporting coordinated risk assessments and joint actions among critical entities; |
Amendment 86
Proposal for a directive
Article 16 – paragraph 5
|
|
Text proposed by the Commission |
Amendment |
5. The Critical Entities Resilience Group shall meet regularly and at least once a year with the Cooperation Group established under [the NIS 2 Directive] to promote strategic cooperation and exchange of information. |
5. The Critical Entities Resilience Group shall meet regularly and at least once a year with the Cooperation Group established under [the NIS 2 Directive] to facilitate strategic cooperation and exchange of information. |
Amendment 87
Proposal for a directive
Article 16 – paragraph 7
|
|
Text proposed by the Commission |
Amendment |
7. The Commission shall provide to the Critical Entities Resilience Group a summary report of the information provided by the Member States pursuant to Articles 3(3) and 4(4) by [three years and six months after entry into force of this Directive] and subsequently where necessary and at least every four years. |
7. The Commission shall provide to the Critical Entities Resilience Group a summary report of the information provided by the Member States pursuant to Articles 3(3) and 4(4) by [three years and six months after entry into force of this Directive] and subsequently where necessary and at least every four years. The Commission shall regularly publish a summary report of the activities of the Critical Entities Resilience Group. |
|
The Commission shall set up a common secretariat for the Critical Entities Resilience Group and the Cooperation Group established under the NIS 2 Directive in order to better accommodate communication between the two groups and, consequently, to minimise ambiguities between the different authorities designated under this Directive and the NIS 2 Directive. |
Amendment 88
Proposal for a directive
Article 17 – paragraph 2 a (new)
|
|
Text proposed by the Commission |
Amendment |
|
2a. In order to receive and properly use the information received under Article 8(3), the Commission shall keep a Union registry of incidents with the aim of developing and sharing best practices and methodologies. |
Amendment 89
Proposal for a directive
Article 21 – paragraph 2
|
|
Text proposed by the Commission |
Amendment |
2. The power to adopt delegated acts referred to in Article 11(4) shall be conferred on the Commission for a period of five years from date of entry into force of this Directive or any other date set by the co-legislators. |
2. The power to adopt delegated acts referred to in Articles 4(1) and 11(4) shall be conferred on the Commission for a period of five years from date of entry into force of this Directive or any other date set by the co-legislators. |
Amendment 90
Proposal for a directive
Article 21 – paragraph 3
|
|
Text proposed by the Commission |
Amendment |
3. The delegation of power referred to in Article 11(4) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force. |
3. The delegation of power referred to in Articles 4(1) and 11(4) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force. |
Amendment 91
Proposal for a directive
Article 22 – paragraph 1
|
|
Text proposed by the Commission |
Amendment |
By [54 months after the entry into force of this Directive], the Commission shall submit a report to the European Parliament and to the Council, assessing the extent to which the Member States have taken the necessary measures to comply with this Directive. |
By [54 months after the entry into force of this Directive], the Commission shall submit a report to the European Parliament and to the Council, assessing the extent to which the Member States have taken the necessary measures to comply with this Directive. The report shall contain separate country chapters on the concrete implementation progress in each Member State. |
Amendment 92
Proposal for a directive
Article 22 – paragraph 2
|
|
Text proposed by the Commission |
Amendment |
The Commission shall periodically review the functioning of this Directive, and report to the European Parliament and to the Council. The report shall in particular assess the impact and added value of this Directive on ensuring the resilience of critical entities and whether the scope of the Directive should be extended to cover other sectors or subsectors. The first report shall be submitted by [six years after the entry into force of this Directive] and shall assess in particular whether the scope of the Directive should be extended to include the food production, processing and distribution sector. |
The Commission shall periodically review the functioning of this Directive, and report to the European Parliament and to the Council. The report shall in particular assess the impact and added value of this Directive on ensuring the resilience of critical entities and whether the scope of the Directive should be extended to cover other sectors or subsectors. The first report shall be submitted by [six years after the entry into force of this Directive] and shall assess in particular whether the scope of the Directive should be extended. For that purpose, the Commission shall take into account relevant documents of the Critical Entities Resilience Group. |
Amendment 93
Proposal for a directive
Annex – table – point 2 – Transport – point e (new)
|
Text proposed by the Commission |
2. Transport |
(a) Air |
— Air carriers referred to in point (4) of Article 3 of Regulation (EC) No 300/2008⁵⁶ |
— Airport managing bodies referred to in point (2) of Article 2 of Directive 2009/12/EC⁵⁷, airports referred to in point (1) of Article 2 of that Directive, including the core airports listed in Section 2 of Annex II to Regulation (EU) No 1315/2013⁵⁸, and entities operating ancillary installations contained within airports |
— Traffic management control operators providing air traffic control (ATC) services referred to in point (1) of Article 2 of Regulation (EC) No 549/2004⁵⁹ |
(b) Rail |
— Infrastructure managers referred to in point (2) of Article 3 of Directive 2012/34/EU⁶⁰ |
— Railway undertakings referred to in point (1) of Article 3 of Directive 2012/34/EU, including operators of service facilities referred to in point (12) of Article 3 of Directive 2012/34/EU |
(c) Water |
— Inland, sea and coastal passenger and freight water transport companies, referred to for maritime transport in Annex I to Regulation (EC) No 725/2004⁶¹, not including the individual vessels operated by those companies |
— Managing bodies of ports referred to in point (1) of Article 3 of Directive 2005/65/EC⁶², including their port facilities referred to in point (11) of Article 2 of Regulation (EC) No 725/2004, and entities operating works and equipment contained within ports |
— Operators of vessel traffic services referred to in point (o) of Article 3 of Directive 2002/59/EC⁶³ of the European Parliament and of the Council |
(d) Road |
Road authorities referred to in point (12) of Article 2 of Commission Delegated Regulation (EU) 2015/962⁶⁴ responsible for traffic management control |
— Operators of Intelligent Transport Systems referred to in point (1) of Article 4 of Directive 2010/40/EU⁶⁵ |
Amendment |
2. Transport |
(a) Air |
— Air carriers referred to in point (4) of Article 3 of Regulation (EC) No 300/2008⁵⁶ |
— Airport managing bodies referred to in point (2) of Article 2 of Directive 2009/12/EC⁵⁷, airports referred to in point (1) of Article 2 of that Directive, including the core airports listed in Section 2 of Annex II to Regulation (EU) No 1315/2013⁵⁸, and entities operating ancillary installations contained within airports |
— Traffic management control operators providing air traffic control (ATC) services referred to in point (1) of Article 2 of Regulation (EC) No 549/2004⁵⁹ |
(b) Rail |
— Infrastructure managers referred to in point (2) of Article 3 of Directive 2012/34/EU⁶⁰ |
— Railway undertakings referred to in point (1) of Article 3 of Directive 2012/34/EU, including operators of service facilities referred to in point (12) of Article 3 of Directive 2012/34/EU |
(c) Water |
— Inland, sea and coastal passenger and freight water transport companies, referred to for maritime transport in Annex I to Regulation (EC) No 725/2004⁶¹, not including the individual vessels operated by those companies |
— Managing bodies of ports referred to in point (1) of Article 3 of Directive 2005/65/EC⁶², including their port facilities referred to in point (11) of Article 2 of Regulation (EC) No 725/2004, and entities operating works and equipment contained within ports |
— Operators of vessel traffic services referred to in point (o) of Article 3 of Directive 2002/59/EC⁶³ of the European Parliament and of the Council |
(d) Road |
Road authorities referred to in point (12) of Article 2 of Commission Delegated Regulation (EU) 2015/962⁶⁴ responsible for traffic management control |
— Operators of Intelligent Transport Systems referred to in point (1) of Article 4 of Directive 2010/40/EU⁶⁵ |
(e) public transport |
— Public transport authorities and service operators as referred to in Article 2, points (b) and (d), of Regulation (EC) No 1370/2007 of the European Parliament and of the Council⁶⁵ᵃ. |
_____________________ |
65a Regulation (EC) No 1370/2007 of the European Parliament and of the Council of 23 October 2007 on public passenger transport services by rail and by road and repealing Council Regulations (EEC) Nos 1191/69 and 1107/70 (OJ L 315, 3.12.2007, p. 1). |
Amendment 94
Proposal for a directive
Annex – section 5 – subsection 6 (new)
|
Amendment 95
Proposal for a directive
Annex – Sector 9 – Title
|
|
Text proposed by the Commission |
Amendment |
9. Public administration |
9. Public administration and democratic institutions |
Amendment 96
Proposal for a directive
Annex – Sector 9 – Type of entity – 3 a (new)
|
|
Text proposed by the Commission |
Amendment |
|
— Central, regional and local governments and assemblies |
Amendment 97
Proposal for a directive
Annex – section 10 a (new)
|
|
Text proposed by the Commission |
Amendment |
|
10 a. Food production, processing and distribution |
|
— Food businesses as referred to in Article 3, point (2), of Regulation (EC) No 178/2002 of the European Parliament and of the Council¹ᵃ |
|
________________ |
|
1a Regulation (EC) No 178/2002 of the European Parliament and of the Council of 28 January 2002 laying down the general principles and requirements of food law, establishing the European Food Safety Authority and laying down procedures in matters of food safety (OJ L 31, 1.2.2002, p. 1). |
OPINION OF THE COMMITTEE ON INDUSTRY, RESEARCH AND ENERGY (2.7.2021)
for the Committee on Civil Liberties, Justice and Home Affairs
on the proposal for a directive of the European Parliament and of the Council on the resilience of critical entities
(COM(2020)0829 – C9‑0421/2020 – (2020)0365(COD))
Rapporteur for opinion: Nils Torvalds
(*) Associated committees – Rule 57 of the Rules of Procedure
AMENDMENTS
The Committee on Industry, Research and Energy calls on the Committee on Civil Liberties, Justice and Home Affairs, as the committee responsible, to take into account the following amendments:
Amendment 1
Proposal for a directive
Recital 1
|
|
Text proposed by the Commission |
Amendment |
(1) Council Directive 2008/114/EC¹⁷ provides for a procedure for designating European critical infrastructures in the energy and transport sectors, the disruption or destruction of which would have significant cross-border impact on at least two Member States. That Directive focused exclusively on the protection of such infrastructures. However, the evaluation of Directive 2008/114/EC conducted in 2019¹⁸ found that due to the increasingly interconnected and cross-border nature of operations using critical infrastructure, protective measures relating to individual assets alone are insufficient to prevent all disruptions from taking place. Therefore, it is necessary to shift the approach towards ensuring the resilience of critical entities, that is, their ability to mitigate, absorb, accommodate to and recover from incidents that have the potential to disrupt the operations of the critical entity. |
(1) Council Directive 2008/114/EC¹⁷ provides for a procedure for designating European critical infrastructures in the energy and transport sectors, the disruption or destruction of which would have significant cross-border impact on at least two Member States. That Directive focused exclusively on the protection of such infrastructures. However, the evaluation of Directive 2008/114/EC conducted in 2019¹⁸ found that due to the increasingly interconnected and cross-border nature of operations using critical infrastructure, protective measures relating to individual assets alone are insufficient to prevent all disruptions from taking place. Therefore, it is necessary to shift the approach towards ensuring the resilience of critical entities, that is, their ability to mitigate, absorb, react, accommodate to and recover from incidents that have the potential to disrupt the operations of the critical entity endangering the overall economic and social well-being of citizens. |
__________________ |
__________________ |
17 Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection (OJ L 345, 23.12.2008, p.75). |
17 Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection (OJ L 345, 23.12.2008, p.75). |
18 SWD(2019) 308. |
18 SWD(2019) 308. |
Amendment 2
Proposal for a directive
Recital 3
|
|
Text proposed by the Commission |
Amendment |
(3) Those growing interdependencies are the result of an increasingly cross-border and interdependent network of service provision using key infrastructures across the Union in the sectors of energy, transport, banking, financial market infrastructure, digital infrastructure, drinking and waste water, health, certain aspects of public administration, as well as space in as far as the provision of certain services depending on ground-based infrastructures that are owned, managed and operated either by Member States or by private parties is concerned, therefore not covering infrastructures owned, managed or operated by or on behalf of the Union as part of its space programmes. These interdependencies mean that any disruption, even one initially confined to one entity or one sector, can have cascading effects more broadly, potentially resulting in far-reaching and long-lasting negative impacts in the delivery of services across the internal market. The COVID-19 pandemic has shown the vulnerability of our increasingly interdependent societies in the face of low-probability risks. |
(3) Those growing interdependencies are the result of an increasingly cross-border and interdependent network of service provision using key infrastructures across the Union in the sectors of energy, transport, banking, financial market infrastructure, digital infrastructure, drinking and waste water, health, food, certain aspects of public administration, as well as space in as far as the provision of certain services depending on ground-based infrastructures that are owned, managed and operated either by Member States or by private parties is concerned, therefore not covering infrastructures owned, managed or operated by or on behalf of the Union as part of its space programmes. Innovation and technology advancements contribute to the creation of new forms and types of infrastructure systems that use innovations aimed at reducing costs and increasing efficiency and may have implications on risk and resilience. These interdependencies mean that any disruption, even one initially confined to one entity or one sector, can have cascading effects more broadly, potentially resulting in far-reaching and long-lasting negative impacts in the delivery of services across the internal market. Resilience of energy infrastructures plays an important role in economic growth across the Union and contributes to ensuring a decent standard of living to vulnerable energy consumers. The COVID-19 pandemic has shown the vulnerability of our increasingly interdependent societies in the face of low-probability risks. |
Amendment 3
Proposal for a directive
Recital 4
|
|
Text proposed by the Commission |
Amendment |
(4) The entities involved in the provision of essential services are increasingly subject to diverging requirements imposed under the laws of the Member States. The fact that some Member States have less stringent security requirements on these entities not only risks impacting negatively on the maintenance of vital societal functions or economic activities across the Union, it also leads to obstacles to the proper functioning of the internal market. Similar types of entities are considered as critical in some Member States but not in others, and those which are identified as critical are subject to divergent requirements in different Member States. This results in additional and unnecessary administrative burdens for companies operating across borders, notably for companies active in Member States with more stringent requirements. |
(4) The entities involved in the provision of essential services are increasingly subject to diverging requirements imposed under the laws of the Member States. The fact that some Member States have less stringent security requirements on these entities not only risks impacting negatively on the maintenance of vital societal functions or economic activities across the Union, it also leads to obstacles to the proper functioning of the internal market. The resilience of critical entities is of great importance for the functioning of the internal market and the security of the Union and its citizens. Similar types of entities are considered as critical in some Member States but not in others, and those which are identified as critical are subject to divergent requirements in different Member States. This results in additional and unnecessary administrative burdens for companies operating across borders, notably for companies active in Member States with more stringent requirements. |
Amendment 4
Proposal for a directive
Recital 5
|
|
Text proposed by the Commission |
Amendment |
(5) It is therefore necessary to lay down harmonised minimum rules to ensure the provision of essential services in the internal market and enhance the resilience of critical entities. |
(5) It is therefore necessary to lay down harmonised minimum rules to ensure the provision of essential services in the internal market and enhance the resilience of critical entities. As this Directive provides for minimum rules, Member States are free to adopt or maintain more stringent rules to ensure the provision of essential services in the internal market and enhance the resilience of critical entities where they deem them necessary to protect national security. |
Amendment 5
Proposal for a directive
Recital 8
|
|
Text proposed by the Commission |
Amendment |
(8) Given the importance of cybersecurity for the resilience of critical entities and in the interest of consistency, a coherent approach between this Directive and Directive (EU) XX/YY of the European Parliament and of the Council²⁰ [Proposed Directive on measures for a high common level of cybersecurity across the Union; (hereafter “NIS 2 Directive”)] is necessary wherever possible. In view of the higher frequency and particular characteristics of cyber risks, the NIS 2 Directive imposes comprehensive requirements on a large set of entities to ensure their cybersecurity. Given that cybersecurity is addressed sufficiently in the NIS 2 Directive, the matters covered by it should be excluded from the scope of this Directive, without prejudice to the particular regime for entities in the digital infrastructure sector. |
(8) Given the importance of cybersecurity for the resilience of critical entities and in the interest of consistency, a coherent approach between this Directive and Directive (EU) XX/YY of the European Parliament and of the Council²⁰ [Proposed Directive on measures for a high common level of cybersecurity across the Union; (hereafter “NIS 2 Directive”)] is necessary wherever possible, preventing any overlap that could hinder the effectiveness of those two directives. In view of the higher frequency and particular characteristics of cyber risks, the NIS 2 Directive imposes comprehensive requirements on a large set of entities to ensure their cybersecurity. Given that cybersecurity is addressed sufficiently in the NIS 2 Directive, the matters covered by it should be excluded from the scope of this Directive, without prejudice to the particular regime for entities in the digital infrastructure sector. |
__________________ |
__________________ |
20 [Reference to NIS 2 Directive, once adopted.] |
20 [Reference to NIS 2 Directive, once adopted.] |
Amendment 6
Proposal for a directive
Recital 11
|
|
Text proposed by the Commission |
Amendment |
(11) The actions of Member States to identify and help ensure the resilience of critical entities should follow a risk-based approach that targets efforts to the entities most relevant for the performance of vital societal functions or economic activities. In order to ensure such a targeted approach, each Member State should carry out, within a harmonised framework, an assessment of all relevant natural and man-made risks that may affect the provision of essential services, including accidents, natural disasters, public health emergencies such as pandemics, and antagonistic threats, including terrorist offences. When carrying out those risk assessments, Member States should take into account other general or sector-specific risk assessment carried out pursuant to other acts of Union law and should consider the dependencies between sectors, including from other Member States and third countries. The outcomes of the risk assessment should be used in the process of identification of critical entities and to assist those entities in meeting the resilience requirements of this Directive. |
(11) The actions of Member States to identify and help ensure the resilience of critical entities should follow a risk-based approach that targets efforts to the entities most relevant for the performance of vital societal functions or economic activities. In order to ensure such a targeted approach, each Member State should carry out, within a harmonised framework, an assessment of all relevant natural and man-made risks that may affect the provision of essential services, including accidents, natural disasters, public health emergencies such as pandemics, and antagonistic threats, including terrorist offences and criminal infiltration. When carrying out those risk assessments, Member States should take into account other general or sector-specific risk assessment carried out pursuant to other acts of Union law and should consider the dependencies between sectors, including from other Member States and third countries. The outcomes of the risk assessment should be used in the process of identification of critical entities and to assist those entities in meeting the resilience requirements of this Directive. |
Amendment 7
Proposal for a directive
Recital 12
|
|
Text proposed by the Commission |
Amendment |
(12) In order to ensure that all relevant entities are subject to those requirements and to reduce divergences in this respect, it is important to lay down harmonised rules allowing for a consistent identification of critical entities across the Union, while also allowing Member States to reflect national specificities. Therefore, criteria to identify critical entities should be laid down. In the interest of effectiveness, efficiency, consistency and legal certainty, appropriate rules should also be set on notification and cooperation relating to, as well as the legal consequences of, such identification. In order to enable the Commission to assess the correct application of this Directive, Member States should submit to the Commission, in a manner that is as detailed and specific as possible, relevant information and, in any event, the list of essential services, the number of critical entities identified for each sector and subsector referred to in the Annex and the essential service or services that each entity provides and any thresholds applied. |
(12) In order to ensure that all relevant entities are subject to those requirements and to reduce divergences in this respect, it is important to lay down harmonised rules allowing for a consistent identification of critical entities across the Union, while also allowing Member States to reflect national specificities. This Directive addresses the need to ensure continuity of the services essential for the maintenance of vital societal functions or economic activities, without prejudice to national competences in organising and delivering public services. Therefore, criteria to identify critical entities should be laid down. In the interest of effectiveness, efficiency, consistency and legal certainty, appropriate rules should also be set on notification and cooperation relating to, as well as the legal consequences of, such identification. In order to enable the Commission to assess the correct application of this Directive, Member States should submit to the Commission, in a manner that is as detailed and specific as possible, relevant information and, in any event, the list of essential services, the number of critical entities identified for each sector and subsector referred to in the Annex and the essential service or services that each entity provides and any thresholds applied. |
Amendment 8
Proposal for a directive
Recital 16
|
|
Text proposed by the Commission |
Amendment |
(16) Member States should designate authorities competent to supervise the application of and, where necessary, enforce the rules of this Directive and ensure that those authorities are adequately empowered and resourced. In view of the differences in national governance structures and in order to safeguard already existing sectoral arrangements or Union supervisory and regulatory bodies, and to avoid duplication, Member States should be able to designate more than one competent authority. In that case, they should however clearly delineate the respective tasks of the authorities concerned and ensure that they cooperate smoothly and effectively. All competent authorities should also cooperate more generally with other relevant authorities, both at national and Union level. |
(16) Member States should designate authorities competent to supervise the application of and, where necessary, enforce the rules of this Directive and ensure that those authorities are adequately empowered and resourced. In view of the differences in national governance structures and in order to safeguard already existing national or Union-based sector-specific arrangements or national and Union supervisory and regulatory bodies, and to avoid duplication, Member States should be able to designate more than one competent authority. In that case, they should however clearly delineate the respective tasks of the authorities concerned and ensure that they cooperate smoothly and effectively. All competent authorities should also cooperate more generally with other relevant authorities, both at national and Union level. |
Amendment 9
Proposal for a directive
Recital 18
|
|
Text proposed by the Commission |
Amendment |
(18) Given that under the NIS 2 Directive entities identified as critical entities, as well as identified entities in the digital infrastructure sector that are to be treated as equivalent under the present Directive are subject to the cybersecurity requirements of the NIS 2 Directive, the competent authorities designated under the two Directives should cooperate, particularly in relation to cybersecurity risks and incidents affecting those entities. |
(18) Entities identified as critical entities under this Directive as well as entities in the digital infrastructure sector that are to be treated as equivalent under the present Directive are subject to the cybersecurity requirements of the NIS 2 Directive. Consequently, the competent authorities designated under the two Directives should cooperate, particularly in relation to cybersecurity risks and incidents affecting those entities. Member States should take measures to avoid double reporting and control, to ensure that strategies and requirements provided for in this Directive and the NIS 2 Directive are complementary and that critical entities are not subject to additional administrative burden. |
Amendment 10
Proposal for a directive
Recital 19
|
|
Text proposed by the Commission |
Amendment |
(19) Member States should support critical entities in strengthening their resilience, in compliance with their obligations under this Directive, without prejudice to the entities’ own legal responsibility to ensure such compliance. Member States could in particular develop guidance materials and methodologies, support the organisation of exercises to test their resilience and provide training to personnel of critical entities. Moreover, given the interdependencies between entities and sectors, Member States should establish information sharing tools to support voluntary information sharing between critical entities, without prejudice to the application of competition rules laid down in the Treaty on the Functioning of the European Union. |
(19) Member States should support critical entities in strengthening their resilience, in compliance with their obligations under this Directive, without prejudice to the entities’ own legal responsibility to ensure such compliance. Member States should in particular develop guidance materials and methodologies, support the organisation of exercises to test their resilience and provide training to personnel of critical entities. Moreover, given the interdependencies between entities and sectors, Member States should establish information sharing tools to support voluntary information sharing between critical entities, without prejudice to the application of competition rules laid down in the Treaty on the Functioning of the European Union. |
Amendment 11
Proposal for a directive
Recital 25
|
|
Text proposed by the Commission |
Amendment |
(25) Critical entities should notify, as soon as reasonably possible under the given circumstances, Member States’ competent authorities of incidents that significantly disrupt or have the potential to significantly disrupt their operations. The notification should allow the competent authorities to respond to the incidents rapidly and adequately and to have a comprehensive overview of the overall risks that critical entities face. For that purpose, a procedure should be established for the notification of certain incidents and parameters should be provided for to determine when the actual or potential disruption is significant and the incidents should thus be notified. Given the potential cross-border impacts of such disruptions, a procedure should be established for Member States to inform other affected Member States via single points of contacts. |
(25) Critical entities should notify, as soon as reasonably possible under the given circumstances, Member States’ competent authorities of incidents that significantly disrupt or have the potential to significantly disrupt their operations. The notification should allow the competent authorities to respond to the incidents rapidly and adequately to prevent even worse consequences and to have a comprehensive overview of the overall risks that critical entities face. For that purpose, a procedure should be established for the notification of certain incidents and parameters should be provided for to determine when the actual or potential disruption is significant and the incidents should thus be notified. Given the potential cross-border impacts of such disruptions, a procedure should be established for Member States to inform other affected Member States via single points of contacts. Given the sensitivity of some events, appropriate forms of confidentiality should be established, together with mechanisms to prevent the dissemination of data that could compromise national security. |
Amendment 12
Proposal for a directive
Recital 30
|
|
Text proposed by the Commission |
Amendment |
(30) Member States should ensure that their competent authorities have certain specific powers for the proper application and enforcement of this Directive in relation to critical entities, where those entities fall under their jurisdiction as specified in this Directive. Those powers should include, notably, the power to conduct inspections, supervision and audits, require critical entities to provide information and evidence relating to the measures they have taken to comply with their obligations and, where necessary, issue orders to remedy identified infringements. When issuing such orders, Member States should not require measures which go beyond what is necessary and proportionate to ensure compliance of the critical entity concerned, taking account of in particular the seriousness of the infringement and the economic capacity of the critical entity. More generally, those powers should be accompanied by appropriate and effective safeguards to be specified in national law, in accordance with the requirements resulting from Charter of Fundamental Rights of the European Union. When assessing the compliance of a critical entity with its obligations under this Directive, competent authorities designated under this Directive should be able to request the competent authorities designated under the NIS 2 Directive to assess the cybersecurity of those entities. Those competent authorities should cooperate and exchange information for that purpose. |
(30) Member States should ensure that their competent authorities have certain specific powers for the proper application and enforcement of this Directive in relation to critical entities, where those entities fall under their jurisdiction as specified in this Directive. Those powers should include, notably, the power to conduct inspections, supervision and audits, require critical entities to provide information and evidence relating to the measures they have taken to comply with their obligations and, where necessary, issue orders to remedy identified infringements. When issuing such orders, Member States should not require measures which go beyond what is necessary and proportionate to ensure compliance of the critical entity concerned, taking account of in particular the seriousness of the infringement and the economic capacity of the critical entity. More generally, those powers should be accompanied by appropriate and effective safeguards to be specified in national law, in accordance with the requirements resulting from Charter of Fundamental Rights of the European Union. The assessment of critical entities under this Directive, in matters that fall under the scope of the NIS 2 Directive such as physical and non-physical cybersecurity, are the responsibility of the competent authorities designated under the NIS 2 Directive. Furthermore, when assessing the compliance of a critical entity with its obligations under this Directive, competent authorities designated under this Directive should be able to request the competent authorities designated under the NIS 2 Directive to assess the cybersecurity of those entities. Those competent authorities should cooperate and exchange information for that purpose. |
Amendment 13
Proposal for a directive
Article 1 – paragraph 1 – point a
|
|
Text proposed by the Commission |
Amendment |
(a) lays down obligations for Member States to take certain measures aimed at ensuring the provision in the internal market of services essential for the maintenance of vital societal functions or economic activities, in particular to identify critical entities and entities to be treated as equivalent in certain respects, and to enable them to meet their obligations; |
(a) lays down obligations for Member States to take certain measures aimed at ensuring the continuous provision in the internal market of services essential for the maintenance of vital societal functions or economic activities, in particular to identify critical entities and entities to be treated as equivalent in certain respects, and to enable them to meet their obligations; |
Amendment 14
Proposal for a directive
Article 1 – paragraph 2
|
|
Text proposed by the Commission |
Amendment |
2. This Directive shall not apply to matters covered by Directive (EU) XX/YY [proposed Directive on measures for a high common level of cybersecurity across the Union; (‘NIS 2 Directive’)], without prejudice to Article 7. |
2. This Directive shall not apply to matters covered by Directive (EU) XX/YY [proposed Directive on measures for a high common level of cybersecurity across the Union; (‘NIS 2 Directive’)], without prejudice to Article 7. In view of the interlinkages between cybersecurity and the physical security of entities, Member States shall ensure a coherent implementation of both directives. |
Amendment 15
Proposal for a directive
Article 1 – paragraph 3 a (new)
|
|
Text proposed by the Commission |
Amendment |
|
3a. Member States shall ensure that their security strategies, including sector-specific security strategies, provide for a coordinated policy framework for enhanced coordination in the context of information sharing on incidents and threats and the exercise of supervisory tasks which avoids the duplication of requirements and reporting and monitoring activities. |
Amendment 16
Proposal for a directive
Article 2 – paragraph 1 – point 6
|
|
Text proposed by the Commission |
Amendment |
(6) “risk” means any circumstance or event having a potential adverse effect on the resilience of critical entities; |
(6) “risk” means any circumstance or event having a potential adverse effect on the operations of critical entities; |
Amendment 17
Proposal for a directive
Article 3 – paragraph 2 – subparagraph 1 – point d a (new)
|
|
Text proposed by the Commission |
Amendment |
|
(da) the relevant aspects from the national cybersecurity strategy as provided for in the NIS2 Directive and any other sectoral national strategy with a view to achieving coordination, complementarity and synergies. |
Amendment 18
Proposal for a directive
Article 3 – paragraph 3 a (new)
|
|
Text proposed by the Commission |
Amendment |
|
3a. When drafting their strategies, Member States may consult local and regional authorities and take into consideration local capacities. |
Amendment 19
Proposal for a directive
Article 4 – paragraph 1 – subparagraph 2
|
|
Text proposed by the Commission |
Amendment |
The risk assessment shall account for all relevant natural and man-made risks, including accidents, natural disasters, public health emergencies, antagonistic threats, including terrorist offences pursuant to Directive (EU) 2017/541 of the European Parliament and of the Council34 . |
The risk assessment shall account for all relevant natural and man-made risks, including accidents, natural disasters, public health emergencies, antagonistic threats, including terrorist offences pursuant to Directive (EU) 2017/541 of the European Parliament and of the Council34 . Where relevant, the risk assessment shall consider the capacities of local and regional authorities. |
__________________ |
__________________ |
34 Directive (EU) 2017/541 of the European Parliament and of the Council of 15 March 2017 on combating terrorism and replacing Council Framework Decision 2002/475/JHA and amending Council Decision 2005/671/JHA (OJ L 88, 31.3.2017, p. 6). |
34 Directive (EU) 2017/541 of the European Parliament and of the Council of 15 March 2017 on combating terrorism and replacing Council Framework Decision 2002/475/JHA and amending Council Decision 2005/671/JHA (OJ L 88, 31.3.2017, p. 6). |
Amendment 20
Proposal for a directive
Article 4 – paragraph 5
|
|
Text proposed by the Commission |
Amendment |
5. The Commission may, in cooperation with the Member States, develop a voluntary common reporting template for the purposes of complying with paragraph 4. |
5. The Commission shall, in cooperation with the Member States, develop a voluntary common reporting template for the purposes of complying with paragraph 4. |
Amendment 21
Proposal for a directive
Article 5 – paragraph 4 a (new)
|
|
Text proposed by the Commission |
Amendment |
|
4a. Member States may identify those entities that they have identified as essential entities under the NIS 2 Directive as critical entities under this Directive. Where a Member State decides not to identify the essential entities under the NIS 2 Directive as critical entities under this Directive, it shall justify the reasons therefor. |
Amendment 22
Proposal for a directive
Article 6 – paragraph 1 – point e
|
|
Text proposed by the Commission |
Amendment |
(e) the geographic area that could be affected by an incident, including any cross-border impacts; |
(e) the geographic area that could be affected by an incident, including any cross-border impacts, taking into account the vulnerability associated with the degree of isolation of certain types of geographic areas, such as insular regions, outermost regions or mountainous areas; |
Amendment 23
Proposal for a directive
Article 8 – paragraph 2
|
|
Text proposed by the Commission |
Amendment |
2. Each Member State shall, within the competent authority, designate a single point of contact to exercise a liaison function to ensure cross-border cooperation with competent authorities of other Member States and with the Critical Entities Resilience Group referred to in Article 16 (‘single point of contact’). |
2. Each Member State shall, within the competent authority, designate a single point of contact to exercise a liaison function to ensure cross-border cooperation with competent authorities of other Member States, with the Critical Entities Resilience Group referred to in Article 16 (‘single point of contact’) and with the critical entities. Each Member State shall ensure that the single point of contact designated under the NIS 2 Directive is the single point of contact under this Directive. |
Amendment 24
Proposal for a directive
Article 8 – paragraph 3
|
|
Text proposed by the Commission |
Amendment |
3. By [three years and six months after entry into force of this Directive], and every year thereafter, the single points of contact shall submit a summary report to the Commission and to the Critical Entities Resilience Group on the notifications received, including the number of notifications, the nature of notified incidents and the actions taken in accordance with Article 13(3). |
3. By [three years and six months after entry into force of this Directive], and in the first trimester every year thereafter, the single points of contact shall submit a summary report to the Commission and to the Critical Entities Resilience Group on the notifications received, including the number of notifications, the nature of notified incidents and the actions taken in accordance with Article 13(3). |
Amendment 25
Proposal for a directive
Article 8 – paragraph 5
|
|
Text proposed by the Commission |
Amendment |
5. Member States shall ensure that their competent authorities, whenever appropriate, and in accordance with Union and national law, consult and cooperate with other relevant national authorities, in particular those in charge of civil protection, law enforcement and protection of personal data, as well as with relevant interested parties, including critical entities. |
5. Member States shall ensure that their competent authorities, whenever appropriate, and in accordance with Union and national law, consult and cooperate with other relevant national authorities, including, where appropriate, local and regional authorities, in particular those in charge of civil protection, law enforcement and protection of personal data, as well as with relevant interested parties, including critical entities. |
Amendment 26
Proposal for a directive
Article 9 – paragraph 1
|
|
Text proposed by the Commission |
Amendment |
1. Member States shall support critical entities in enhancing their resilience. That support may include developing guidance materials and methodologies, supporting the organisation of exercises to test their resilience and providing training to personnel of critical entities. |
1. Member States shall support critical entities in enhancing their resilience, developing protocols, agreements and cooperation, and in exchanging of information and expertise between the public and private sectors. That support shall include among others, developing guidance materials and methodologies, supporting the organisation of exercises to test their resilience and providing periodic training to personnel of critical entities. |
Amendment 27
Proposal for a directive
Article 9 – paragraph 1 a (new)
|
|
Text proposed by the Commission |
Amendment |
|
1a. Where necessary, Member States shall allocate sufficient resources to support critical entities to fulfil compliance requirements, in particular to cover additional costs associated with learning and training activities or employing additional staff for reporting, monitoring and reviewing. |
Amendment 28
Proposal for a directive
Article 9 – paragraph 3
|
|
Text proposed by the Commission |
Amendment |
3. Member States shall establish information sharing tools to support voluntary information sharing between critical entities in relation to matters covered by this Directive, in accordance with Union and national law on, in particular, competition and protection of personal data. |
3. Member States shall establish information sharing tools to support voluntary information sharing between critical entities, with the aim of increasing knowledge sharing and transparency within and between sectors, in relation to matters covered by this Directive, in accordance with Union and national law on, in particular, competition and protection of personal data. |
Amendment 29
Proposal for a directive
Article 11 – paragraph 1 – point c a (new)
|
|
Text proposed by the Commission |
Amendment |
|
(ca) prevent incidents which might threaten the security and continuation of the supply of goods and services; |
Amendment 30
Proposal for a directive
Article 11 – paragraph 1 – point d a (new)
|
|
Text proposed by the Commission |
Amendment |
|
(da) make use of accepted European standards and specifications relevant to the resilience of critical entities, without imposing the use of a particular type of service or technology or discriminating in favour of it; |
Amendment 31
Proposal for a directive
Article 11 – paragraph 1 – point e
|
|
Text proposed by the Commission |
Amendment |
(e) ensure adequate employee security management, including by setting out categories of personnel exercising critical functions, establishing access rights to sensitive areas, facilities and other infrastructure, and to sensitive information as well as identifying specific categories of personnel in view of Article 12; |
(e) ensure adequate employee and training security management, including by setting out categories of personnel exercising critical functions, establishing access rights to sensitive areas, facilities and other infrastructure, and to sensitive information as well as identifying specific categories of personnel in view of Article 12; |
Amendment 32
Proposal for a directive
Article 11 – paragraph 1 – point f
|
|
Text proposed by the Commission |
Amendment |
(f) raise awareness about the measures referred to in points (a) to (e) among relevant personnel. |
(f) raise awareness about the measures referred to in points (a) to (e) among relevant operators and their staff, through periodic training. |
Amendment 33
Proposal for a directive
Article 12 – paragraph 1
|
|
Text proposed by the Commission |
Amendment |
1. Member States shall ensure that critical entities may submit requests for background checks on persons who fall within certain specific categories of their personnel, including persons being considered for recruitment to positions falling within those categories, and that those requests are assessed expeditiously by the authorities competent to carry out such background checks. |
1. Member States shall ensure that critical entities may submit duly justified requests for background checks on persons who fall within certain specific categories of their personnel, identified based on common national criteria including persons being considered for recruitment to critical functions falling within those categories, and that those requests are assessed expeditiously by the authorities competent to carry out such background checks. |
Amendment 34
Proposal for a directive
Article 12 – paragraph 2 – subparagraph 1 – introductory part
|
|
Text proposed by the Commission |
Amendment |
2. In accordance with applicable Union and national law, including Regulation (EU) 2016/679/EU of the European Parliament and of the Council38, a background check as referred to in paragraph 1 shall: |
2. In accordance with applicable Union and national law, including Regulation (EU) 2016/679/EU of the European Parliament and of the Council38, Member States shall ensure that a background check as referred to in paragraph 1 is carried out for the sole purpose of evaluating a potential security risk to the critical entity and in respect of the fundamental rights of the person concerned. A background check shall: |
__________________ |
__________________ |
38 OJ L 119, 4.5.2016, p. 1. |
38 OJ L 119, 4.5.2016, p. 1. |
Amendment 35
Proposal for a directive
Article 12 – paragraph 2 – subparagraph 1 – point c
|
|
Text proposed by the Commission |
Amendment |
(c) cover previous employments, education and any gaps in education or employment in the person’s resume during at least the preceding five years and for a maximum of ten years. |
(c) in exceptional cases and based on national criteria, cover previous employments, education and any gaps in education or employment in the person’s resume during at least the preceding five years and for a maximum of ten years. |
Amendment 36
Proposal for a directive
Article 13 – paragraph 1
|
|
Text proposed by the Commission |
Amendment |
1. Member States shall ensure that critical entities notify without undue delay the competent authority of incidents that significantly disrupt or have the potential to significantly disrupt their operations. Notifications shall include any available information necessary to enable the competent authority to understand the nature, cause and possible consequences of the incident, including so as to determine any cross-border impact of the incident. Such notification shall not make the critical entities subject to increased liability. |
1. Member States shall ensure that critical entities only notify the competent authority of incidents that significantly disrupt their operations without undue delay, in order to avoid over-information and unnecessary data flow, and to guarantee the effective functioning of national authorities and private entities. Notifications shall include any available information necessary to enable the competent authority to understand the nature, cause and possible consequences of the incident, including so as to determine any cross-border impact of the incident. Such notification shall not make the critical entities subject to increased liability. |
Amendment 37
Proposal for a directive
Article 13 – paragraph 2 – point -a (new)
|
|
Text proposed by the Commission |
Amendment |
|
(-a) the impact on human life and the environmental consequences; |
Amendment 38
Proposal for a directive
Article 13 – paragraph 2 – point c
|
|
Text proposed by the Commission |
Amendment |
(c) the geographical area affected by the disruption or potential disruption. |
(c) the geographical area affected by the disruption or potential disruption, taking into account whether that area is geographically isolated. |
Amendment 39
Proposal for a directive
Article 16 – paragraph 2 – subparagraph 1
|
|
Text proposed by the Commission |
Amendment |
2. The Critical Entities Resilience Group shall be composed of representatives of the Member States and the Commission. Where relevant for the performance of its tasks, the Critical Entities Resilience Group may invite representatives of interested parties to participate in its work. |
2. The Critical Entities Resilience Group shall be composed of representatives of the Member States and the Commission. Where relevant for the performance of its tasks, the Critical Entities Resilience Group may invite representatives of relevant parties to participate in its work, encouraging the involvement of SMEs, civil society and trade unions mainly in training related aspects. |
Amendment 40
Proposal for a directive
Article 16 – paragraph 5
|
|
Text proposed by the Commission |
Amendment |
5. The Critical Entities Resilience Group shall meet regularly and at least once a year with the Cooperation Group established under [the NIS 2 Directive] to promote strategic cooperation and exchange of information. |
5. The Critical Entities Resilience Group shall meet regularly and at least once a year with the Cooperation Group established under [the NIS 2 Directive] to facilitate strategic cooperation and information exchange. |
Amendment 41
Proposal for a directive
Article 16 – paragraph 7 a (new)
|
|
Text proposed by the Commission |
Amendment |
|
7a. Critical Entities Resilience Group, in spirit of security cooperation and open access, may give, upon request, access to its findings and source data for use in academia, security research and for other beneficial uses. The requests for access should be reasoned and justified and the data provided shall respect the fundamental rights of persons and be proportionate to the influence on the entities in question. |
Amendment 42
Proposal for a directive
Article 16 – paragraph 7 b (new)
|
|
Text proposed by the Commission |
Amendment |
|
7b. The Commission shall set up a common secretariat for the Critical Entities Resilience Group and the Cooperation Group established under [the NIS 2 Directive] in order to better accommodate communication between the two groups and, consequently, to minimise ambiguities between the different designated authorities under this Directive and [the NIS 2 Directive]. |
Amendment 43
Proposal for a directive
Article 17 – paragraph 2 a (new)
|
|
Text proposed by the Commission |
Amendment |
|
2a. In order to receive and properly use the information received under Article 8(3), the Commission shall keep a European registry of incidents with the aim of developing and sharing best practices and methodologies. |
Amendment 44
Proposal for a directive
Article 22 – paragraph 2
|
|
Text proposed by the Commission |
Amendment |
The Commission shall periodically review the functioning of this Directive, and report to the European Parliament and to the Council. The report shall in particular assess the impact and added value of this Directive on ensuring the resilience of critical entities and whether the scope of the Directive should be extended to cover other sectors or subsectors. The first report shall be submitted by [six years after the entry into force of this Directive] and shall assess in particular whether the scope of the Directive should be extended to include the food production, processing and distribution sector. |
The Commission shall periodically review the functioning of this Directive, and report to the European Parliament and to the Council. The report shall in particular assess the impact and added value of this Directive on ensuring the resilience of critical entities and whether the scope of the Directive should be extended to cover other sectors or subsectors. The first report shall be submitted by [six years after the entry into force of this Directive]. For that purpose and with a view to further advancing strategic cooperation, the Commission shall take into account any non-binding guidance documents of the Critical Entities Resilience Group on the experience gained at a strategic level. |
Amendment 45
Proposal for a directive
Annex - Point 5. Health (new)
|
||
Text proposed by the Commission |
||
Sector |
Subsector |
Type of entity |
|
||
Amendment |
||
|
|
Entities holding a distribution authorisation referred to in Article 79 of Directive 2001/83/EC |
Amendment 46
Proposal for a directive
Annex - Point 8 a (new)
|
||
Text proposed by the Commission |
||
Sector |
Subsector |
Type of entity |
|
||
Amendment |
||
Food |
Wholesale market |
— Food businesses as referred to in Annex I of Regulation (EC) N° 853/2004 (1a) |
1a Regulation (EC) No 853/2004 of the European Parliament and of the Council of 29 April 2004 laying down specific hygiene rules for on the hygiene of foodstuffs (OJ L 139, 30.04.2004, p.39). |
PROCEDURE – COMMITTEE ASKED FOR OPINION
Title |
Resilience of critical entities |
|||
References |
COM(2020)0829 – C9-0421/2020 – 2020/0365(COD) |
|||
Committee responsible Date announced in plenary |
LIBE 11.2.2021 |
|
|
|
Opinion by Date announced in plenary |
ITRE 11.2.2021 |
|||
Associated committees - date announced in plenary |
29.4.2021 |
|||
Rapporteur for the opinion Date appointed |
Nils Torvalds 15.2.2021 |
|||
Discussed in committee |
26.5.2021 |
|
|
|
Date adopted |
1.7.2021 |
|
|
|
Result of final vote |
+: 58 |
–: 0 |
0: 14 |
||
Members present for the final vote |
Nicola Beer, François-Xavier Bellamy, Hildegard Bentele, Tom Berendsen, Vasile Blaga, Michael Bloss, Paolo Borchia, Marc Botenga, Markus Buchheit, Martin Buschmann, Cristian-Silviu Buşoi, Jerzy Buzek, Carlo Calenda, Maria da Graça Carvalho, Ignazio Corrao, Ciarán Cuffe, Josianne Cutajar, Nicola Danti, Pilar del Castillo Vera, Christian Ehler, Valter Flego, Niels Fuglsang, Lina Gálvez Muñoz, Jens Geier, Bart Groothuis, Christophe Grudler, Henrike Hahn, Robert Hajšel, Ivo Hristov, Romana Jerković, Eva Kaili, Seán Kelly, Izabela-Helena Kloc, Łukasz Kohut, Andrius Kubilius, Miapetra Kumpula-Natri, Thierry Mariani, Marisa Matias, Eva Maydell, Joëlle Mélin, Iskra Mihaylova, Dan Nica, Angelika Niebler, Ville Niinistö, Mauri Pekkarinen, Tsvetelina Penkova, Morten Petersen, Markus Pieper, Clara Ponsatí Obiols, Manuela Ripa, Jérôme Rivière, Robert Roos, Massimiliano Salini, Sara Skyttedal, Jessica Stegrud, Beata Szydło, Riho Terras, Grzegorz Tobiszowski, Patrizia Toia, Evžen Tošenovský, Marie Toussaint, Isabella Tovaglieri, Viktor Uspaskich, Henna Virkkunen, Pernille Weiss, Carlos Zorrinho |
|||
Substitutes present for the final vote |
Klemen Grošelj, Alicia Homs Ginel, Elena Lizzi, Jutta Paulus, Susana Solís Pérez, Nils Torvalds |
FINAL VOTE BY ROLL CALL IN COMMITTEE ASKED FOR OPINION
58 |
+ |
NI |
Martin Buschmann, Clara Ponsatí Obiols, Viktor Uspaskich |
PPE |
François-Xavier Bellamy, Hildegard Bentele, Tom Berendsen, Vasile Blaga, Cristian-Silviu Buşoi, Jerzy Buzek, Maria da Graça Carvalho, Pilar del Castillo Vera, Christian Ehler, Seán Kelly, Andrius Kubilius, Eva Maydell, Angelika Niebler, Markus Pieper, Massimiliano Salini, Sara Skyttedal, Riho Terras, Henna Virkkunen, Pernille Weiss |
Renew |
Nicola Beer, Nicola Danti, Valter Flego, Bart Groothuis, Klemen Grošelj, Christophe Grudler, Iskra Mihaylova, Mauri Pekkarinen, Morten Petersen, Susana Solís Pérez, Nils Torvalds |
S&D |
Carlo Calenda, Josianne Cutajar, Niels Fuglsang, Lina Gálvez Muñoz, Jens Geier, Robert Hajšel, Alicia Homs Ginel, Ivo Hristov, Romana Jerković, Eva Kaili, Łukasz Kohut, Miapetra Kumpula-Natri, Dan Nica, Tsvetelina Penkova, Patrizia Toia, Carlos Zorrinho |
The Left |
Marisa Matias |
Verts/ALE |
Michael Bloss, Ignazio Corrao, Ciarán Cuffe, Henrike Hahn, Ville Niinistö, Jutta Paulus, Manuela Ripa, Marie Toussaint |
14 |
0 |
ECR |
Izabela-Helena Kloc, Robert Roos, Jessica Stegrud, Beata Szydło, Grzegorz Tobiszowski, Evžen Tošenovský |
ID |
Paolo Borchia, Markus Buchheit, Elena Lizzi, Thierry Mariani, Joëlle Mélin, Jérôme Rivière, Isabella Tovaglieri |
The Left |
Marc Botenga |
Key to symbols:
+ : in favour
- : against
0 : abstention
OPINION OF THE COMMITTEE ON THE INTERNAL MARKET AND CONSUMER PROTECTION (23.7.2021)
for the Committee on Civil Liberties, Justice and Home Affairs
on the proposal for a directive of the European Parliament and of the Council on the resilience of critical entities
(COM(2020)0829 – C9‑0421/2020 – 2020/0365(COD))
Rapporteur for opinion (*): Alex Agius Saliba
(*) Associated committee – Rule 57 of the Rules of Procedure
SHORT JUSTIFICATION
On 16 December 2020, the Commission presented a proposal for a directive on the resilience of critical entities (RCE) together with an accompanying impact assessment, based on the 2019 assessment of the implementation of Directive 2008/114/EC on European critical infrastructure (ECI). In view of the importance of cybersecurity for the resilience of critical entities, the Commission also submitted, in parallel, a proposal for a revised NIS Directive ('NIS 2'). To ensure full coherence, cyber-resilience obligations under NIS 2 would also apply to critical entities identified under the new proposal.
The RCE proposal reflects a shift from the current approach of protecting individual assets towards strengthening the resilience of the critical entities that operate them. It would require Member States to adopt national strategies and undertake regular risk assessments, and would also establish obligations on critical entities to enhance their resilience and ability to provide essential services. The procedure for identifying critical entities would differ from that set out in the ECI Directive. The Commission would also have specific oversight over critical entities of particular European significance.
The rapporteur is broadly supportive of the RCE proposal and believes it is important for IMCO to acknowledge that the existing EU-level measures aimed at protecting key services and infrastructures from physical risks need to be updated. Strengthening the resilience of critical entities in the Member States and levelling the playing field for critical entities across the Union is of outstanding importance considering the increasing interlinkages between sectors, entities and services in the internal market.
The IMCO Committee is associated pursuant to Rule 57 with shared competences as regards issues that raise questions under the remit of IMCO aimed at improving the functioning of the internal market.
Scope and definitions
The rapporteur welcomes the extension of the scope of the directive as it gives the possibility of encompassing new sectors that did not benefit from specific protection measures. However, the rapporteur believes that the general objective of ensuring a high level of resilience of critical entities and essential infrastructures and securing the delivery of essential services in order to improve the functioning of the internal market needs to be clearly spelt out.
Furthermore, he tries to ensure closer alignment and harmonisation of the RCE and NIS 2 Directives where possible, in particular in relation to scope and definitions. To this end, the rapporteur requires that physical non-cyber protection under the proposed RCE Directive be clearly separated from the requirements in NIS 2 through a clear distinction in the definition of “resilience” in Article 2(2). Furthermore, he proposes a set of well-articulated definitions covering “critical entities”, “resilience”, “incident” and “essential infrastructure”, among others.
Strategy and risk assessment by Member States
The rapporteur welcomes the strategy reinforcing the resilience of critical entities and the risk assessment that each Member State must adopt. However, he makes suggestions to improve the involvement of, and consultation with, the critical entities and stakeholders, as these companies provide vital services for the smooth running of daily life and enhanced cooperation with them is key if we are to achieve the objectives of this Directive. He also acknowledges the importance of managing supply chain and supplier-related risks, where critical entities use such suppliers, to ensure that supply chains contribute to the resilience of the entities they supply.
Identification of critical entities
The rapporteur supports the requirement that Member States identify critical entities in the key relevant sectors referred to in the Annex. However, he explains that Member States will be obliged to identify entities for those sectors and subsectors from the Annex that exist in the Member States and for which the entities are key providers of essential services for the maintenance of vital societal functions and economic activities. The rapporteur has therefore made suggestions in this area.
Competent authorities and single point of contact
The rapporteur acknowledges the importance of proper oversight and enhanced cooperation between competent authorities of the Member States. However, he notes that single points of contact should be established to exercise a liaison and coordination function with the critical entities, with competent authorities and other single points of contact, and with the Critical Entities Resilience Group. The single point of contact should also simplify and harmonise reporting channels (one-stop-shop principle).
Notification of incidents
The rapporteur believes that incidents that significantly disrupt the operations of critical entities and are of public interest shall be reported not only to the competent authorities, via the single point of contact, but also to the public or, when necessary, to the affected users. The rapporteur also suggests clarifying some of the requirements to notify incidents that have not yet happened and provides additional guidance as to the reporting thresholds.
AMENDMENTS
The Committee on the Internal Market and Consumer Protection calls on the Committee on Civil Liberties, Justice and Home Affairs, as the committee responsible, to take into account the following amendments:
Amendment 1
Proposal for a directive
Recital 1
Text proposed by the Commission |
Amendment |
(1) Council Directive 2008/114/EC17 provides for a procedure for designating European critical infrastructures in the energy and transport sectors, the disruption or destruction of which would have significant cross-border impact on at least two Member States. That Directive focused exclusively on the protection of such infrastructures. However, the evaluation of Directive 2008/114/EC conducted in 201918 found that due to the increasingly interconnected and cross-border nature of operations using critical infrastructure, protective measures relating to individual assets alone are insufficient to prevent all disruptions from taking place. Therefore, it is necessary to shift the approach towards ensuring the resilience of critical entities, that is, their ability to mitigate, absorb, accommodate to and recover from incidents that have the potential to disrupt the operations of the critical entity. |
(1) Council Directive 2008/114/EC17 provides for a procedure for designating European critical infrastructures in the energy and transport sectors, the disruption or destruction of which would have significant cross-border impact on at least two Member States. That Directive focused exclusively on the protection of such infrastructures. However, the evaluation of Directive 2008/114/EC conducted in 201918 found that due to the increasingly interconnected and cross-border nature of operations using critical infrastructure, protective measures relating to individual assets alone are insufficient to prevent all disruptions from taking place. Therefore, it is necessary to shift the approach towards ensuring the resilience of critical entities, that is, their ability to mitigate, absorb, accommodate to and recover and protect from incidents or threats that have the potential to disrupt the operations of the critical entity, the functioning of the internal market or the free movement of essential services. |
__________________ |
__________________ |
17 Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection (OJ L 345, 23.12.2008, p.75). |
17 Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection (OJ L 345, 23.12.2008, p.75). |
18 SWD(2019) 308. |
18 SWD(2019) 308. |
Amendment 2
Proposal for a directive
Recital 2
Text proposed by the Commission |
Amendment |
(2) Despite existing measures at Union19 and national level aimed at supporting the protection of critical infrastructures in the Union, the entities operating those infrastructures are not adequately equipped to address current and anticipated future risks to their operations that may result in disruptions of the provision of services that are essential for the performance of vital societal functions or economic activities. This is due to a dynamic threat landscape with an evolving terrorist threat and growing interdependencies between infrastructures and sectors, as well as an increased physical risk due to natural disasters and climate change, which increases the frequency and scale of extreme weather events and brings long-term changes in average climate that can reduce the capacity and efficiency of certain infrastructure types if resilience or climate adaptation measures are not in place. Moreover, relevant sectors and types of entities are not recognised consistently as critical in all Member States. |
(2) Despite existing measures at Union19 and national level aimed at supporting the protection of critical infrastructures in the Union, the entities operating those infrastructures are not adequately equipped to address current and anticipated future risks to their operations that may result in disruptions of the provision of services that are essential for the performance of vital societal functions or economic activities. This is due to a dynamic threat landscape with an evolving terrorist threat and growing interdependencies between infrastructures and sectors, as well as an increased physical risk due to natural disasters and climate change, which increases the frequency and scale of extreme weather events and brings long-term changes in average climate that can reduce the capacity and efficiency of certain infrastructure types if resilience or climate adaptation measures are not in place. Moreover, relevant sectors and types of entities are not recognised consistently as critical in all Member States. Due to the increased cross-sectoral and cross-border interdependencies between critical infrastructures, an incident in one Member State can seriously affect activities in another Member State. In order to achieve a high level of resilience of critical infrastructures across the Union, essential services and essential infrastructure should be protected and resilient in all Member States. |
Amendment 3
Proposal for a directive
Recital 3
Text proposed by the Commission |
Amendment |
(3) Those growing interdependencies are the result of an increasingly cross-border and interdependent network of service provision using key infrastructures across the Union in the sectors of energy, transport, banking, financial market infrastructure, digital infrastructure, drinking and waste water, health, certain aspects of public administration, as well as space in as far as the provision of certain services depending on ground-based infrastructures that are owned, managed and operated either by Member States or by private parties is concerned, therefore not covering infrastructures owned, managed or operated by or on behalf of the Union as part of its space programmes. These interdependencies mean that any disruption, even one initially confined to one entity or one sector, can have cascading effects more broadly, potentially resulting in far-reaching and long-lasting negative impacts in the delivery of services across the internal market. The COVID-19 pandemic has shown the vulnerability of our increasingly interdependent societies in the face of low-probability risks. |
(3) Those growing interdependencies are the result of an increasingly cross-border and interdependent network of essential service provision using key infrastructures across the Union in the sectors of energy, transport, banking, financial market infrastructure, digital infrastructure, drinking and waste water, health, certain aspects of public administration, as well as space in as far as the provision of certain services depending on ground-based infrastructures that are owned, managed and operated either by Member States or by private parties is concerned, therefore not covering infrastructures owned, managed or operated by or on behalf of the Union as part of its space programmes. These interdependencies mean that any disruption of essential services, even one initially confined to one entity or one sector, can have cascading effects more broadly, potentially resulting in a far-reaching and long-lasting negative impact on the delivery of those services across the internal market, including on individuals, consumers and business. The COVID-19 pandemic has shown the vulnerability of our increasingly interdependent societies in the face of low-probability risks. |
Amendment 4
Proposal for a directive
Recital 4
Text proposed by the Commission |
Amendment |
(4) The entities involved in the provision of essential services are increasingly subject to diverging requirements imposed under the laws of the Member States. The fact that some Member States have less stringent security requirements on these entities not only risks impacting negatively on the maintenance of vital societal functions or economic activities across the Union, it also leads to obstacles to the proper functioning of the internal market. Similar types of entities are considered as critical in some Member States but not in others, and those which are identified as critical are subject to divergent requirements in different Member States. This results in additional and unnecessary administrative burdens for companies operating across borders, notably for companies active in Member States with more stringent requirements. |
(4) The entities involved in the provision of essential services and essential infrastructure are increasingly subject to diverging requirements imposed under the laws of the Member States. The fact that some Member States have less stringent security requirements on these entities not only creates heterogeneous levels of resilience and differences between Member States relating to the designation and oversight of critical entities but also impacts negatively on the maintenance of vital societal functions or economic activities across the Union, and also leads to unfair competition and to obstacles to the proper functioning of the internal market . Similar types of entities are considered as critical in some Member States but not in others, and those which are identified as critical are subject to divergent requirements in different Member States. This results in additional and unnecessary administrative burdens for companies operating across borders, notably for companies active in Member States with more stringent requirements. A European framework should therefore also have the effect of levelling the playing field for critical entities across the Union. |
Amendment 5
Proposal for a directive
Recital 5
Text proposed by the Commission |
Amendment |
(5) It is therefore necessary to lay down harmonised minimum rules to ensure the provision of essential services in the internal market and enhance the resilience of critical entities. |
(5) It is therefore necessary to lay down harmonised minimum rules to ensure the provision and free movement of essential services in the internal market and enhance the resilience of critical entities and essential infrastructure necessary for vital societal or economic activities within the Union. To this end, the aim of this Directive should be to make critical infrastructures and critical entities resilient thereby furthering their capacity to ensure continuous provision of essential services or essential infrastructure or at least to swiftly restore performance after an incident has taken place. Operators of critical infrastructures delivering essential services across the internal market in various sectors necessary for vital societal functions and economic activities, should become resilient against current and anticipated future risks. |
Amendment 6
Proposal for a directive
Recital 6
Text proposed by the Commission |
Amendment |
(6) In order to achieve that objective, Member States should identify critical entities that should be subject to specific requirements and oversight, but also particular support and guidance aimed at achieving a high level of resilience in the face of all relevant risks. |
(6) In order to achieve that objective, Member States should identify critical entities that provide essential services or essential infrastructure falling within existing sectors and subsectors at national level as referred to in the Annex which should be subject to specific requirements and oversight, but also particular support and guidance aimed at achieving a high level of resilience in the face of all relevant risks and possible crises. |
Amendment 7
Proposal for a directive
Recital 8
Text proposed by the Commission |
Amendment |
(8) Given the importance of cybersecurity for the resilience of critical entities and in the interest of consistency, a coherent approach between this Directive and Directive (EU) XX/YY of the European Parliament and of the Council20 (hereafter “NIS 2 Directive”) is necessary wherever possible. In view of the higher frequency and particular characteristics of cyber risks, the NIS 2 Directive imposes comprehensive requirements on a large set of entities to ensure their cybersecurity. Given that cybersecurity is addressed sufficiently in the NIS 2 Directive, the matters covered by it should be excluded from the scope of this Directive, without prejudice to the particular regime for entities in the digital infrastructure sector. |
(8) Given the importance of cybersecurity for the resilience of critical entities and in the interest of consistency, a coherent approach between this Directive and Directive (EU) XX/YY of the European Parliament and of the Council20 (the “NIS 2 Directive”) is necessary wherever possible. In view of the higher frequency and particular characteristics of cyber risks, the NIS 2 Directive imposes comprehensive requirements on a large set of entities to ensure their cybersecurity. Given that cybersecurity is addressed sufficiently in the NIS 2 Directive, the matters covered by it should be excluded from the scope of this Directive, without prejudice to the particular regime for entities in the digital infrastructure sector. A coherent approach should be ensured between these acts, such as by ensuring that entities under NIS 2 susceptible to being subject to obligations under this Directive, where possible, benefit from a single point of contact and a common set of rules. As a result, the supervision of entities identified as critical or equivalent to critical under this Directive, in matters that fall under the scope of the NIS2 Directive, will be a responsibility of the competent authorities designated under the NIS 2 Directive. Furthermore, entities that are identified as essential entities under the NIS 2 Directive, but are not identified as critical entities under this Directive, should also enhance the resilience of their physical infrastructure, where appropriate. |
__________________ |
__________________ |
20 [Reference to NIS 2 Directive, once adopted.] |
20 Directive of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148 (OJ L ..., ..., p. ..). |
Amendment 8
Proposal for a directive
Recital 10
Text proposed by the Commission |
Amendment |
(10) In view of ensuring a comprehensive approach to the resilience of critical entities, each Member State should have a strategy setting out objectives and policy measures to be implemented. To achieve this, Member States should ensure that their cybersecurity strategies provide for a policy framework for enhanced coordination between the competent authority under this Directive and the NIS 2 Directive in the context of information sharing on incidents and cyber threats and the exercise of supervisory tasks. |
In view of ensuring a comprehensive approach to the resilience of critical entities, and taking into account the objectives of the Union’s strategy on resilience prepared by the Critical Entities Resilience Group, each Member State should adopt a national strategy setting out objectives and policy measures to be implemented. To achieve this, Member States should ensure that their cybersecurity strategies provide for a policy framework for enhanced coordination between the competent authority under this Directive and the NIS 2 Directive in the context of information sharing on incidents and cyber threats and the exercise of supervisory tasks. |
Amendment 9
Proposal for a directive
Recital 11
Text proposed by the Commission |
Amendment |
(11) The actions of Member States to identify and help ensure the resilience of critical entities should follow a risk-based approach that targets efforts to the entities most relevant for the performance of vital societal functions or economic activities. In order to ensure such a targeted approach, each Member State should carry out, within a harmonised framework, an assessment of all relevant natural and man-made risks that may affect the provision of essential services, including accidents, natural disasters, public health emergencies such as pandemics, and antagonistic threats, including terrorist offences. When carrying out those risk assessments, Member States should take into account other general or sector-specific risk assessment carried out pursuant to other acts of Union law and should consider the dependencies between sectors, including from other Member States and third countries. The outcomes of the risk assessment should be used in the process of identification of critical entities and to assist those entities in meeting the resilience requirements of this Directive. |
(11) The actions of Member States to identify and help ensure the resilience of critical entities should follow a risk-based approach that targets efforts to the entities most relevant for the performance of essential services vital for societal functions or economic activities. In order to ensure such a targeted approach, each Member State should carry out, within a harmonised framework, an assessment of all relevant risks, including cross-sectoral, cross-border, natural and man-made risks that may affect the provision of essential services, including accidents, natural disasters, public health emergencies such as pandemics, and antagonistic threats, including terrorist offences. When carrying out those risk assessments, Member States should take into account other general or sector-specific risk assessment carried out pursuant to other acts of Union law and should consider the dependencies between sectors, including from other Member States and third countries, and risks arising for the general population or the internal market. Member States should not consider as a risk any regular business risk to operations derived from market conditions, or any risk derived from democratic decision-making. The outcomes of the risk assessment should be used in the process of identification of critical entities and to assist those entities in meeting the resilience requirements of this Directive. |
Amendment 10
Proposal for a directive
Recital 12
Text proposed by the Commission |
Amendment |
(12) In order to ensure that all relevant entities are subject to those requirements and to reduce divergences in this respect, it is important to lay down harmonised rules allowing for a consistent identification of critical entities across the Union, while also allowing Member States to reflect national specificities. Therefore, criteria to identify critical entities should be laid down. In the interest of effectiveness, efficiency, consistency and legal certainty, appropriate rules should also be set on notification and cooperation relating to, as well as the legal consequences of, such identification. In order to enable the Commission to assess the correct application of this Directive, Member States should submit to the Commission, in a manner that is as detailed and specific as possible, relevant information and, in any event, the list of essential services, the number of critical entities identified for each sector and subsector referred to in the Annex and the essential service or services that each entity provides and any thresholds applied. |
(12) In order to ensure that all relevant entities are subject to those requirements and to reduce divergences in this respect, it is important to lay down harmonised rules allowing for a consistent identification of critical entities across the Union, while also allowing Member States to reflect national specificities of the sectors and subsectors on their territory listed in the Annex. Therefore, common criteria and specifications based on minimum indicators and methodologies for each sector and sub-sector to identify critical entities should be laid down in close cooperation with the relevant authorities. In the interest of effectiveness, efficiency, consistency and legal certainty, appropriate rules should also be set on notification and cooperation relating to, as well as the legal consequences of, such identification. In order to enable the Commission to assess the correct application of this Directive, Member States should submit to the Commission, in a manner that is as detailed and specific as possible, relevant information and, in any event, the list of essential services, the number of critical entities identified for each sector and subsector referred to in the Annex and the essential service or services that each entity provides and any thresholds applied. In order to avoid divergent application of this Directive and improve the functioning of the internal market, the Commission in cooperation with the Member States should provide detailed guidelines and make recommendations to support Member States in identifying the list of essential services and infrastructure and the critical entities for each national sector and subsector referred to in the Annex. |
Amendment 11
Proposal for a directive
Recital 15
Text proposed by the Commission |
Amendment |
(15) The EU financial services acquis establishes comprehensive requirements on financial entities to manage all risks they face, including operational risks and ensure business continuity. This includes Regulation (EU) No 648/2012 of the European Parliament and of the Council22 , Directive 2014/65/EU of the European Parliament and of the Council23 and Regulation (EU) No 600/2014 of the European Parliament and of the Council24 as well as Regulation (EU) No 575/2013 of the European Parliament and of the Council25 and Directive 2013/36/EU of the European Parliament and of the Council26 . The Commission has recently proposed to complement this framework with Regulation XX/YYYY of the European Parliament and of the Council [proposed Regulation on digital operational resilience for the financial sector (hereafter “DORA Regulation”)27 ], which lays down requirements for financial firms to manage ICT risks, including the protection of physical ICT infrastructures. Since the resilience of entities listed in points 3 and 4 of the Annex is comprehensively covered by the EU financial services acquis, those entities should also be treated as equivalent to critical entities for the purposes of Chapter II of this Directive only. To ensure a consistent application of the operational risk and digital resilience rules in the financial sector, Member States’ support to enhancing the overall resilience of financial entities equivalent to critical entities should be ensured by the authorities designated pursuant to Article 41 of [DORA Regulation], and subject to the procedures set out in that legislation in a fully harmonised manner. |
(15) The EU financial services acquis establishes comprehensive requirements on financial entities to manage all risks they face, including operational risks and ensure business continuity. This includes Regulation (EU) No 648/2012 of the European Parliament and of the Council22 , Directive 2014/65/EU of the European Parliament and of the Council23 and Regulation (EU) No 600/2014 of the European Parliament and of the Council24 as well as Regulation (EU) No 575/2013 of the European Parliament and of the Council25 and Directive 2013/36/EU of the European Parliament and of the Council26 . The Commission has recently proposed to complement this framework with Regulation XX/YYYY of the European Parliament and of the Council [proposed Regulation on digital operational resilience for the financial sector (hereafter “DORA Regulation”)27 ], which lays down requirements for financial firms to manage ICT risks, including the protection of physical ICT infrastructures. Since the resilience of entities listed in points 3 and 4 of the Annex is comprehensively covered by the EU financial services acquis, those entities should also be treated as equivalent to critical entities for the purposes of Chapter II of this Directive only and consequently, such entities should not be subject to the obligations laid down in Chapters III to VI. To ensure a consistent application of the operational risk and digital resilience rules in the financial sector, Member States’ support to enhancing the overall resilience of financial entities equivalent to critical entities should be ensured by the authorities designated pursuant to Article 41 of [DORA Regulation], and subject to the procedures set out in that legislation in a fully harmonised manner. |
__________________ |
__________________ |
22 Regulation (EU) No 648/2012 of the European Parliament and of the Council of 4 July 2012 on OTC derivatives, central counterparties and trade repositories (OJ L 201, 27.7.2012, p. 1). |
22 Regulation (EU) No 648/2012 of the European Parliament and of the Council of 4 July 2012 on OTC derivatives, central counterparties and trade repositories (OJ L 201, 27.7.2012, p. 1). |
23 Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Directive 2002/92/EC and Directive 2011/61/EU (OJ L 173, 12.6.2014, p. 349). |
23 Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Directive 2002/92/EC and Directive 2011/61/EU (OJ L 173, 12.6.2014, p. 349). |
24 Regulation (EU) No 600/2014 of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Regulation (EU) No 648/2012 (OJ L 173, 12.6.2014, p. 84). |
24 Regulation (EU) No 600/2014 of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Regulation (EU) No 648/2012 (OJ L 173, 12.6.2014, p. 84). |
25 Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No 648/2012 (OJ L 176, 27.6.2013, p. 1). |
25 Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No 648/2012 (OJ L 176, 27.6.2013, p. 1). |
26 Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC (OJ L 176, 27.6.2013, p. 338). |
26 Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC (OJ L 176, 27.6.2013, p. 338). |
27 Proposal for a Regulation of the European Parliament and of the Council on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014, COM(2020) 595. |
27 Proposal for a Regulation of the European Parliament and of the Council on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014, COM(2020) 595. |
Amendment 12
Proposal for a directive
Recital 16
Text proposed by the Commission |
Amendment |
(16) Member States should designate authorities competent to supervise the application of and, where necessary, enforce the rules of this Directive and ensure that those authorities are adequately empowered and resourced. In view of the differences in national governance structures and in order to safeguard already existing sectoral arrangements or Union supervisory and regulatory bodies, and to avoid duplication, Member States should be able to designate more than one competent authority. In that case, they should however clearly delineate the respective tasks of the authorities concerned and ensure that they cooperate smoothly and effectively. All competent authorities should also cooperate more generally with other relevant authorities, both at national and Union level. |
(16) Member States should designate authorities competent to supervise the application of and enforce the rules of this Directive and ensure that those authorities are adequately empowered and resourced. In view of the differences in national governance structures and in order to safeguard already existing sectoral arrangements or Union supervisory and regulatory bodies, and to avoid duplication, Member States should be able to designate more than one competent authority. In that case, they should however clearly delineate the respective tasks of the authorities concerned and ensure that they cooperate smoothly and effectively. All competent authorities should also cooperate more generally with other relevant authorities, both at national and Union level. |
Amendment 13
Proposal for a directive
Recital 17
Text proposed by the Commission |
Amendment |
(17) In order to facilitate cross-border cooperation and communication and to enable the effective implementation of this Directive, each Member State should, without prejudice to sector-specific Union legal requirements, designate, within one of the authorities it designated as competent authority under this Directive, a single point of contact responsible for coordinating issues related to the resilience of critical entities and cross-border cooperation at Union level in this regard. |
(17) In order to facilitate cross-border cooperation and communication and to enable the effective implementation of this Directive, each Member State should, without prejudice to sector-specific Union legal requirements, designate, within one of the authorities it designated as competent authority under this Directive, a single point of contact responsible for coordinating issues related to the resilience of critical entities and cross-border cooperation at Union level in this regard. The single points of contact should also liaise, and coordinate all communication, with the competent authorities of its Member State, with the single points of contact of other Member States, with the Critical Entities Resilience Group established by this Directive and with entities identified as critical entities under this Directive. In order to facilitate the cooperation and communication with the Member States, entities identified as critical entities under this Directive should also designate a reference point of contact within the entity. The reference point of contact should be used by the critical entity to liaise, coordinate and communicate with the Member States, on measures related to the organisational and technical aspects related to the implementation of this Directive. To that end, the single points of contact should use efficient, secure, standardised and harmonised reporting channels. |
Amendment 14
Proposal for a directive
Recital 18
Text proposed by the Commission |
Amendment |
(18) Given that under the NIS 2 Directive entities identified as critical entities, as well as identified entities in the digital infrastructure sector that are to be treated as equivalent under the present Directive are subject to the cybersecurity requirements of the NIS 2 Directive, the competent authorities designated under the two Directives should cooperate, particularly in relation to cybersecurity risks and incidents affecting those entities. |
(18) Given that under the NIS 2 Directive entities identified as critical entities, as well as identified entities in the digital infrastructure sector that are to be treated as equivalent under the present Directive are subject to the cybersecurity requirements of the NIS 2 Directive, the competent authorities designated under the two Directives should cooperate in an effective and consistent manner, particularly in relation to cybersecurity risks and incidents affecting those entities. |
Amendment 15
Proposal for a directive
Recital 19
Text proposed by the Commission |
Amendment |
|
(19) Member States should support critical entities in strengthening their resilience, in compliance with their obligations under this Directive, without prejudice to the entities’ own legal responsibility to ensure such compliance. Member States could in particular develop guidance materials and methodologies, and should support the organisation of exercises to test their resilience, provide training to personnel of critical entities, provide financial resources without prejudice to existing competition law rules, in particular rules on state aid and assistance and protect sensitive areas, facilities and other infrastructure, where necessary and justified by public interest objectives. Moreover, given the interdependencies between entities and sectors, Member States should establish information sharing tools to support voluntary information sharing and good practices between critical entities, without prejudice to the application of competition rules laid down in the Treaty on the Functioning of the European Union. |
Amendment 16
Proposal for a directive
Recital 25
Text proposed by the Commission |
Amendment |
(25) Critical entities should notify, as soon as reasonably possible under the given circumstances, Member States’ competent authorities of incidents that significantly disrupt or have the potential to significantly disrupt their operations. The notification should allow the competent authorities to respond to the incidents rapidly and adequately and to have a comprehensive overview of the overall risks that critical entities face. For that purpose, a procedure should be established for the notification of certain incidents and parameters should be provided for to determine when the actual or potential disruption is significant and the incidents should thus be notified. Given the potential cross-border impacts of such disruptions, a procedure should be established for Member States to inform other affected Member States via single points of contacts. |
(25) Critical entities should notify, as soon as reasonably possible under the given circumstances and no later than 24 hours after becoming aware of a particular incident, Member States' competent authorities of incidents that significantly disrupt or have the potential to significantly disrupt their operations. Critical entities and competent authorities should also inform the public of such incidents where they determine that the disclosure of such incidents would be in the public interest. Critical entities should also notify potentially affected users of their services of the incident, its consequences and, where relevant, any possible safety measures or remedies to be taken by users. The notification should allow the competent authorities and users to respond to the incidents rapidly and adequately and to have a comprehensive overview of the overall risks that critical entities face. For that purpose, a procedure should be established for the notification of certain incidents and parameters should be provided for to determine when the actual or potential disruption is significant and the incidents should thus be notified. Given the potential cross-border impacts of such disruptions, procedures should be established for Member States to inform other affected Member States and other critical entities through single points of contact. The information on the incidents should be treated in a way that respects confidentiality and protects the security and commercial interest of the critical entity concerned. |
Amendment 17
Proposal for a directive
Recital 26
Text proposed by the Commission |
Amendment |
(26) While critical entities generally operate as part of an increasingly interconnected network of service provision and infrastructures and often provide essential services in more than one Member State, some of those entities are of particular significance for the Union because they provide essential services to a large number of Member States, and therefore require specific oversight at Union level. Rules on the specific oversight in respect of such critical entities of particular European significance should therefore be established. Those rules are without prejudice to the rules on supervision and enforcement set out in this Directive. |
(26) While critical entities generally operate as part of an increasingly interconnected network of service provision and infrastructure and often provide essential services in more than one Member State, some of those entities are of particular significance for the Union and the internal market because they provide essential services to a large number of Member States, and therefore require specific oversight at Union level. Rules on the specific oversight in respect of such critical entities of particular European significance should therefore be established. Those rules are without prejudice to the rules on supervision and enforcement set out in this Directive. While Union institutions, bodies or agencies and the services they provide are not covered under this Directive, the Commission should nevertheless provide guidance and strategies, to identify which of those institutions, bodies or agencies and which of their services could potentially be considered as entities equivalent to critical entities providing essential services for the functioning of the internal market and should ensure their enhanced resilience. |
Amendment 18
Proposal for a directive
Recital 27
Text proposed by the Commission |
Amendment |
(27) Where any Member State considers that additional information is necessary to be able to advise a critical entity in meeting its obligations under Chapter III or to assess the compliance of a critical entity of particular European significance with those obligations, in agreement with the Member State where the infrastructure of that entity is located, the Commission should organise an advisory mission to assess the measures put in place by that entity. In order to ensure that such advisory missions are carried out properly, complementary rules should be established, notably on their organisation and conduct, the follow-up to be given and the obligations for the critical entities of particular European significance concerned. The advisory missions should, without prejudice to the need for the Member State where the advisory mission is conducted and the entity concerned to comply with the rules of this Directive, be conducted subject to the detailed rules of the law of that Member State, for instance on the precise conditions to be fulfilled to obtain access to relevant premises or documents and on judicial redress. Specific expertise required for such missions could, where relevant, be requested through the Emergency Response Coordination Centre. |
(27) Where any Member State considers that additional information is necessary to be able to advise a critical entity in meeting its obligations under Chapter III or to assess the compliance of a critical entity of particular European significance with those obligations, in agreement with the Member State of establishment and the Member States in which the infrastructure of that entity is located, the Commission should organise an advisory mission to assess the measures put in place by that entity. In order to ensure that such advisory missions are carried out properly, complementary rules should be established, notably on their organisation and conduct, the follow-up to be given and the obligations for the critical entities of particular European significance concerned. The advisory missions should, without prejudice to the need for the Member State where the advisory mission is conducted and the entity concerned to comply with the rules of this Directive, be conducted subject to the detailed rules of the law of that Member State, for instance on the precise conditions to be fulfilled to obtain access to relevant premises or documents and on judicial redress. Specific expertise required for such missions could, where relevant, be requested through the Emergency Response Coordination Centre. |
Amendment 19
Proposal for a directive
Recital 27a
Text proposed by the Commission |
Amendment |
|
(27a) Standardisation should remain primarily a market-driven process. However, there may still be situations where it is appropriate to require compliance with specified standards at Union level. The Commission and the Member States should also support and promote the development and implementation of standards and specifications relevant to the resilience of critical entities as set by the European Standardisation Organisations for the undertaking of technical and organisational measures aimed at ensuring critical entities’ resilience under Article 11(1) of this Directive. Member States should also encourage the use of internationally accepted standards and specifications relevant to resilience measures applicable to critical entities. |
Amendment 20
Proposal for a directive
Article 1 – paragraph 1 – introductory part
Text proposed by the Commission |
Amendment |
1. This Directive: |
1. This Directive lays down measures with a view to achieving a high level of resilience of critical entities and essential infrastructure within the Union in order to ensure an effective provision of essential services, including in crisis situations, and to improve the functioning of the internal market. |
Amendment