26 Amendments of Elena YONCHEVA related to 2020/0365(COD)
Amendment 76 #
Proposal for a directive
Recital 12
Recital 12
(12) In order to ensure that all relevant entities are subject to those requirements and to reduce divergences in this respect, it is important to lay down harmonised rules allowing for a consistent identification of critical entities across the Union, while also allowing Member States to reflect national specificities. Therefore, common criteria to identify critical entities, based on minimum indicators and methodologies for each sector and sub-sector, should be laid down. In the interest of effectiveness, efficiency, consistency and legal certainty, appropriate rules should also be set on notification and cooperation relating to, as well as the legal consequences of, such identification. In order to enable the Commission to assess the correct application of this Directive, Member States should submit to the Commission, in a manner that is as detailed and specific as possible, relevant information and, in any event, the list of essential services, the number of critical entities identified for each sector and subsector referred to in the Annex and the essential service or services that each entity provides and any thresholds applied.
Amendment 86 #
Proposal for a directive
Recital 19
Recital 19
(19) Member States should support critical entities in strengthening their resilience, in compliance with their obligations under this Directive, without prejudice to the entities’ own legal responsibility to ensure such compliance. Member States could in particular provide financial resources, develop guidance materials and methodologies, support the organisation of exercises to test their resilience and provide training to personnel of critical entities. Moreover, given the interdependencies between entities and sectors, Member States should establish information sharing tools to support voluntary information sharing between critical entities, without prejudice to the application of competition rules laid down in the Treaty on the Functioning of the European Union.
Amendment 88 #
Proposal for a directive
Recital 20
Recital 20
(20) In order to be able to ensure their resilience, critical entities should have a comprehensive understanding of all relevant risks to which they are exposed and analyse those risks. To that aim, they should carry out risks assessments, whenever necessary in view of their particular circumstances and the evolution of those risks, yet in any event every four years. The risk assessments by critical entities should be based on the risk assessment carried out by Member States and on common specifications and methodologies established for each sector covered. They should include minimum indicators, in order to avoid further divergences between Member States, and contingency protocols.
Amendment 94 #
Proposal for a directive
Recital 24
Recital 24
(24) The risk of employees of critical entities misusing for instance their access rights within the entity’s organisation to harm and cause damage is of increasing concern. That risk is exacerbated by the growing phenomenon of radicalisation leading to violent extremism and terrorism. It is therefore necessary to enable critical entities to request background checks on persons falling within specific categories of its personnel and to ensure that those requests are assessed expeditiously by the relevant authorities, in accordance with the applicable rules of Union and national law, including on the protection of personal data, in particular in full respect of Regulation (EU) 2016/679.
Amendment 96 #
Proposal for a directive
Recital 25
Recital 25
(25) Critical entities should notify, as soon as reasonably possible under the given circumstances and in any case within 24 hours after having become aware of an incident, Member States’ competent authorities of incidents that significantly disrupt or have the potential to significantly disrupt their operations. Critical entities should also notify the users of their services of incidents, their consequences and, if possible, any safety measures or remedies that could be taken. The notification should allow the competent authorities to respond to the incidents rapidly and adequately and to have a comprehensive overview of the overall risks that critical entities face. For that purpose, a procedure should be established for the notification of certain incidents and parameters should be provided for to determine when the actual or potential disruption is significant and the incidents should thus be notified. Given the potential cross-border impacts of such disruptions, a procedure should be established for Member States to inform other affected Member States via single points of contacts.
Amendment 113 #
Proposal for a directive
Article 2 – paragraph 1 – point 2
Article 2 – paragraph 1 – point 2
(2) “resilience” means the ability to prevent, resist, mitigate, manage, absorb, accommodate to and recover from an incident that disrupts or has the potential to disrupt the operations of a critical entity;
Amendment 114 #
Proposal for a directive
Article 2 – paragraph 1 – point 3
Article 2 – paragraph 1 – point 3
(3) “incident” means any event having the potential to disrupt, or that disrupts,which results in a disruption of essential services or the destruction of essential infrastructure and has a significant cross- sectoral or cross-border effect on the delivery of essential services in one or more Member States as a result of the failure to maintain the operations of thea critical entity;
Amendment 117 #
Proposal for a directive
Article 2 – paragraph 1 – point 5
Article 2 – paragraph 1 – point 5
(5) “essential service” means a service which is essential for the wellbeing of the people and for the maintenance of vital societal functions or economic activities, public safety, protecting the environment or the rule of law;
Amendment 123 #
Proposal for a directive
Article 2 – paragraph 1 – point 7
Article 2 – paragraph 1 – point 7
(7) “risk assessment” means a methodology to determine the nature and extent of a risk by analysingssessing the extent of potential threats and hazards and evaluatgainst the resilience of a critical entity, analysing existing conditions of vulnerability that could facilitate the disrupt theion of operations of the critical entity and evaluating the potential adverse effect the disruption of operations could have on the provision of essential services.
Amendment 138 #
Proposal for a directive
Article 4 – paragraph 1 – subparagraph 1
Article 4 – paragraph 1 – subparagraph 1
1. Competent authorities designated pursuant to Article 8 shall establish a list of essential services in the sectors referred to in the Annex. They shall carry out by [three years after entry into force of this Directive], and subsequently where necessary, and at least every four years, an assessment, based on common specifications and methodologies containing specific indicators established for each sector covered, of all relevant risks that may affect the provision of those essential services, with a view to identifying critical entities in accordance with Article 5(1), and assisting those critical entities to take measures pursuant to Article 11. The assessments shall include a minimum number of indicators, in order to avoid divergences between Member States.
Amendment 148 #
Proposal for a directive
Article 5 – paragraph 1
Article 5 – paragraph 1
1. By [three years and three months after entry into force of this Directive] Member States shall identify for each sector and subsector referred to in the Annex, other than points 3, 4 and 8 thereof, the critical entities, when applicable.
Amendment 155 #
Proposal for a directive
Article 5 – paragraph 6
Article 5 – paragraph 6
6. For the purposes of Chapter IV, Member States shall ensure that critical entities, following the notification referred in paragraph 3, provide information to their competent authorities designated pursuant to Article 8 of this Directive on whether they provide essential services to or in more than one third ofthree Member States. Where that is so, the Member State concerned shall notify, without undue delay, to the Commission the identity of those critical entities.
Amendment 179 #
Proposal for a directive
Article 8 – paragraph 2
Article 8 – paragraph 2
2. Each Member State shall, within the competent authority, designate a single point of contact to exercise a liaison function to ensure cross-border cooperation with competent authorities of other Member States, with the Commission and with the Critical Entities Resilience Group referred to in Article 16 (‘single point of contact’).
Amendment 192 #
Proposal for a directive
Article 9 – paragraph 1
Article 9 – paragraph 1
1. Member States shall support critical entities, including financially, in order to enhancinge their resilience. That support may include developing guidance materials and methodologies, supporting the organisation of exercises to test their resilience and providing training to personnel of critical entities.
Amendment 196 #
Proposal for a directive
Article 10 – paragraph 1
Article 10 – paragraph 1
Member States shall ensure that critical entities assess within sixtwelve months after receiving the notification referred to in Article 5(3), and subsequently where necessary and at least every four years, on the basis of Member States’ risk assessments and other relevant sources of information, all relevant risks that may disrupt their operations.
Amendment 202 #
Proposal for a directive
Article 11 – paragraph 1 – point e
Article 11 – paragraph 1 – point e
(e) ensure adequate employeestaff security management, including by setting out categories of personnel exercising critical functions, in compliance with applicable training requirements and qualifications, establishing access rights to sensitive areas, facilities and other infrastructure, and to sensitive information as well as identifying specific categories of personnel in view of Article 12;
Amendment 215 #
Proposal for a directive
Article 12 – paragraph 1
Article 12 – paragraph 1
1. Member States shall ensure that critical entities may submit requests for background checks on persons who fall within certain specific categories of their personnel, including persons being considered for recruitment to positions falling within those categories, and that those requests are assessed expeditiously by the authorities competent to carry out such background checks. The background checks shall be proportionate and strictly limited to what is necessary and relevant for the fulfilment of the duties of the concerned personnel.
Amendment 220 #
Proposal for a directive
Article 13 – paragraph 1
Article 13 – paragraph 1
1. Member States shall ensure that critical entities notify without undue delay the competent authority of incidents that significantly disrupt or have the potential to significantly disrupt their operations. An initial notification shall be submitted within 24 hours after having become aware of the incident, followed by a final detailed report not later than one month thereafter. Notifications shall include any available information necessary to enable the competent authority to understand the nature, cause and possible consequences of the incident, including so as to determine any cross-border impact of the incident. Such notification shall not make the critical entities subject to increased liability.
Amendment 230 #
Proposal for a directive
Article 13 – paragraph 3 a (new)
Article 13 – paragraph 3 a (new)
3a. The competent authority concerned shall inform the public of the incident, or require the critical entity to inform the public, where the competent authority determines that it would be in the public interest to disclose the incident.
Amendment 231 #
Proposal for a directive
Article 13 – paragraph 3 b (new)
Article 13 – paragraph 3 b (new)
3b. Member States shall ensure that, in the event of a particular and significant threat of an incident concerning the critical entities, the critical entities inform those users of their services that could be affected by the incident or by the disruption of the services as its consequence and, where relevant, of any possible safety measures or remedies which the users could take.
Amendment 232 #
Proposal for a directive
Article 13 – paragraph 3 c (new)
Article 13 – paragraph 3 c (new)
3c. Once a year, the competent authority concerned shall submit a summary report to the Commission and to the Critical Entities Resilience Group on the notifications received and the action taken in accordance with this Article.
Amendment 234 #
Proposal for a directive
Article 14 – paragraph 2
Article 14 – paragraph 2
2. An entity shall be considered a critical entity of particular European significance when it has been identified as a critical entity and it provides essential services to or in more than one third ofthree Member States and has been notified as such to the Commission pursuant to Article 5(1) and (6), respectively.
Amendment 243 #
Proposal for a directive
Article 15 – paragraph 2
Article 15 – paragraph 2
2. Upon request of one or more Member States, or at its own initiative, and in agreement withafter informing the Member State where the infrastructure of the critical entity of particular European significance is located, the Commission shall organise an advisory mission to assess the measures that that entity put in place to meet its obligations pursuant to Chapter III. Where needed, the advisory missions may request specific expertise in the area of disaster risk management through the Emergency Response Coordination Centre.
Amendment 249 #
Proposal for a directive
Article 15 – paragraph 4 – subparagraph 2
Article 15 – paragraph 4 – subparagraph 2
The Commission shall organise the programme of an advisory mission, in consultation with the members of the specific advisory mission and in agreement with the Member State where the infrastructure of the critical entity or the critical entity of European significance concerned is located.
Amendment 256 #
Proposal for a directive
Article 16 – paragraph 2 – subparagraph 1
Article 16 – paragraph 2 – subparagraph 1
2. The Critical Entities Resilience Group shall be composed of representatives of the Member States and, the Commission and the European Parliament. Where relevant for the performance of its tasks, the Critical Entities Resilience Group mayshall invite representatives of interested parthe relevant entities to participate in its work.
Amendment 267 #
5. Health — Healthcare providers referred to in point (g) of Article 3 of Directive 2011/24/EU19 — EU reference laboratories referred to in Article 15 of Regulation [XX] on serious cross borders threats to health — Entities carrying out research and development activities of medicinal products referred to in Article 1 point 2 of Directive 2001/83/EC — Entities manufacturing basic pharmaceutical products and pharmaceutical preparations referred to in section C division 21 of NACE Rev. 2 — Entities manufacturing medical devices considered as critical during a public health emergency (‘the public health emergency critical devices list’) referred to in Article 20 of Regulation XXXX — Entities holding a distribution authorisation referred to in Article 79 of Directive 2001/83/EC