18 Amendments of Henna VIRKKUNEN related to 2020/0365(COD)
Amendment 14 #
Proposal for a directive
Recital 2
Recital 2
(2) Despite existing measures at Union19 and national level aimed at supporting the protection of critical infrastructures in the Union, the entities operating those infrastructures are not adequately equipped to address current and anticipated future risks to their operations that may result in disruptions of the provision of services that are essential for the performance of vital societal functions or economic activities. This is due to a dynamic threat landscape with an evolving terrorist threat, criminal infiltration, foreign interference, and growing interdependencies between infrastructures and sectors, as well as an increased physical risk due to natural disasters and climate change, which increases the frequency and scale of extreme weather events and brings long-term changes in average climate that can reduce the capacity and efficiency of certain infrastructure types if resilience or climate adaptation measures are not in place. Moreover, relevant sectors and types of entities are not recognised consistently as critical in all Member States. _________________ 19European Programme for Critical Infrastructure Protection (EPCIP).
Amendment 16 #
Proposal for a directive
Recital 2 a (new)
Recital 2 a (new)
(2 a) The growing problem of criminal infiltration in critical transport infrastructure, in particular logistic nodes such as ports and airports, is undermining the operations of critical entities in this sector and therefore the effective provision of essential services throughout the European Union;
Amendment 18 #
Proposal for a directive
Recital 2 c (new)
Recital 2 c (new)
(2 c) The transport sector encompasses critical entities in the subsectors of road, rail, air, inland waterways, and maritime transport, including ports and terminals;
Amendment 19 #
Proposal for a directive
Recital 2 d (new)
Recital 2 d (new)
(2 d) Certain critical infrastructures have a pan-European dimension, such as the European aviation organisation Eurocontrol and the European global satellite positioning system Galileo;
Amendment 22 #
Proposal for a directive
Recital 3 a (new)
Recital 3 a (new)
(3 a) The COVID-19 pandemic has once more shown the transport sector's strategic importance to European society and economy in enabling the critical mobility of goods and people, underlining the need to ensure the resilience of critical transport infrastructure across the European Union;
Amendment 27 #
Proposal for a directive
Recital 6
Recital 6
(6) In order to achieve that objective, Member States should identify critical entities that should be subject to specific requirements and oversight, but also particular support and guidance, including to SMEs, and awareness raising aimed at achieving a high level of resilience in the face of all relevant risks.
Amendment 30 #
Proposal for a directive
Recital 8 a (new)
Recital 8 a (new)
(8 a) The swift technological development in and digitalisation of the transport sector, via the growing use of smart mobility systems such as cooperative intelligent transport systems, connected and automated mobility, and mobility as a service, underline the interconnectedness between the physical and digital world in this sector and calls for an effective approach to allow for resilient digital transport infrastructure in Europe;
Amendment 34 #
Proposal for a directive
Recital 11
Recital 11
(11) The actions of Member States to identify and help ensure the resilience of critical entities should follow a risk-based approach that targets efforts to the entities most relevant for the performance of vital societal functions or economic activities. In order to ensure such a targeted approach, each Member State should carry out, within a harmonised framework, an assessment of all relevant natural and man- made risks that may affect the provision of essential services, including accidents, natural disasters, public health emergencies such as pandemics, criminal infiltration, and antagonistic threats, including foreign interference and terrorist offences. When carrying out those risk assessments, Member States should take into account other general or sector-specific risk assessment carried out pursuant to other acts of Union law and should consider the dependencies between sectors, including from other Member States and third countries. The outcomes of the risk assessment should be used in the process of identification of critical entities and to assist those entities in meeting the resilience requirements of this Directive.
Amendment 35 #
Proposal for a directive
Recital 14
Recital 14
(14) Entities pertaining to the digital infrastructure sector are in essence based on network and information systems and fall within the scope of the NIS 2 Directive, which addresses the physical security of such systems as part of their cybersecurity risk management and reporting obligations. Since those matters are covered by the NIS 2 Directive, the obligations of this Directive do not apply to such entities. However, considering the importance of the services provided by entities in the digital infrastructure sector for the provision of other essential services, such as critical transport services, Member States should identify, based on the criteria and using the procedure provided for in this Directive mutatis mutandis, entities pertaining to the digital infrastructure sector that should be treated as equivalent to critical entities for the purposes of Chapter II only, including the provision on Member States’ support in enhancing the resilence of these entities. Consequently, such entities should not be subject to the obligations laid down in Chapters III to VI. Since the obligations for critical entities laid down in Chapter II to provide certain information to the competent authorities relate to the application of Chapters III and IV, those entities should not be subject to those obligations either.
Amendment 36 #
Proposal for a directive
Recital 19
Recital 19
(19) Member States should support critical entities in strengthening their resilience, in compliance with their obligations under this Directive, without prejudice to the entities’ own legal responsibility to ensure such compliance. Member States could in particular develop guidance materials and methodologies, raise awareness, support the organisation of exercises to test their resilience and provide training to personnel of critical entities. Moreover, given the interdependencies between entities and sectors, Member States should establish information sharing tools to support voluntary information sharing between critical entities, without prejudice to the application of competition rules laid down in the Treaty on the Functioning of the European Union.
Amendment 38 #
Proposal for a directive
Recital 19 a (new)
Recital 19 a (new)
(19 a) In their implementation of this Directive, Member States should take all the necessary actions to prevent any excessive administrative burdens, particularly on SMEs, and avoid duplications or unnecessary obligations. Member States should assist and facilitate adequate support to SMEs when requested in taking the technical and organisational measures required under this Directive.
Amendment 44 #
Proposal for a directive
Recital 24
Recital 24
(24) The risk of employees of critical entities misusing for instance their access rights within the entity’s organisation to harm and cause damage is of increasing concern, which is particularly the case for critical entities in the transport sector, such as logistic hubs like ports and airports, where there is a substantial and growing problem of criminal infiltration. That risk is exacerbated by the growing phenomenon of radicalisation leading to violent extremism and terrorism. It is therefore necessary to enable critical entities to request background checks on persons falling within specific categories of its personnel and to ensure that those requests are assessed expeditiously by the relevant authorities, in accordance with the applicable rules of Union and national law, including on the protection of personal data.
Amendment 45 #
Proposal for a directive
Recital 25
Recital 25
(25) Critical entities should notify, as soon as reasonably possible under the given circumstances, Member States’ competent authorities, as well as to other entities on a voluntary basis, of incidents that significantly disrupt or have the potential to significantly disrupt their operations. The notification should allow the competent authorities to respond to the incidents rapidly and adequately and to have a comprehensive overview of the overall risks that critical entities face. For that purpose, a procedure should be established for the notification of certain incidents and parameters should be provided for to determine when the actual or potential disruption is significant and the incidents should thus be notified. Given the potential cross-border impacts of such disruptions, a procedure should be established for Member States to inform other affected Member States via single points of contacts.
Amendment 48 #
Proposal for a directive
Recital 30
Recital 30
(30) Member States should ensure that their competent authorities have certain specific powers for the proper application and enforcement of this Directive in relation to critical entities, where those entities fall under their jurisdiction as specified in this Directive. Those powers should include, notably, the power to conduct inspections, supervision and audits, raise awareness, require critical entities to provide information and evidence relating to the measures they have taken to comply with their obligations and, where necessary, issue orders to remedy identified infringements. When issuing such orders, Member States should not require measures which go beyond what is necessary and proportionate to ensure compliance of the critical entity concerned, taking account of in particular the seriousness of the infringement and the economic capacity of the critical entity. More generally, those powers should be accompanied by appropriate and effective safeguards to be specified in national law, in accordance with the requirements resulting from Charter of Fundamental Rights of the European Union. When assessing the compliance of a critical entity with its obligations under this Directive, competent authorities designated under this Directive should be able to request the competent authorities designated under the NIS 2 Directive to assess the cybersecurity of those entities. Those competent authorities should cooperate and exchange information for that purpose.
Amendment 70 #
Proposal for a directive
Article 4 – paragraph 1 – subparagraph 1
Article 4 – paragraph 1 – subparagraph 1
The risk assessment shall account for all relevant natural and man-made risks, including accidents, natural disasters, public health emergencies, criminal infiltration, antagonistic threats, including foreign interference and terrorist offences pursuant to Directive (EU) 2017/541 of the European Parliament and of the Council34 . _________________ 34Directive (EU) 2017/541 of the European Parliament and of the Council of 15 March 2017 on combating terrorism and replacing Council Framework Decision 2002/475/JHA and amending Council Decision 2005/671/JHA (OJ L 88, 31.3.2017, p. 6).
Amendment 97 #
Proposal for a directive
Article 9 – paragraph 1
Article 9 – paragraph 1
1. Member States shall support critical entities in enhancing their resilience. That support may include developing guidance materials and methodologies, raise awareness, supporting the organisation of exercises to test their resilience and providing training to personnel of critical entities.
Amendment 102 #
Proposal for a directive
Article 11 – paragraph 1 – point f
Article 11 – paragraph 1 – point f
(f) raise awareness about the incidents and disruptions that may occur, including criminal infiltration, as well as measures referred to in points (a) to (e) among relevant personnel.
Amendment 127 #
Proposal for a directive
Article 22 – paragraph 2
Article 22 – paragraph 2
The Commission shall periodically review the functioning of this Directive, and report to the European Parliament and to the Council. The report shall in particular assess the impact and added value of this Directive on ensuring the resilience of critical entities and whether the scope of the Directive should be extended to cover other sectors or subsectors. The first report shall be submitted by [sixfour years after the entry into force of this Directive] and shall assess in particular whether the scope of the Directive should be extended to include the food production, processing and distribution sector.