Progress: Procedure completed
Role | Committee | Rapporteur | Shadows |
---|---|---|---|
Lead | LIBE | ŠIMEČKA Michal ( Renew) | MANDL Lukas ( EPP), VITANOV Petar ( S&D), RIBA I GINER Diana ( Verts/ALE), TARDINO Annalisa ( ID), JAKI Patryk ( ECR), BARRENA ARZA Pernando ( GUE/NGL) |
Committee Opinion | AFET | MANDL Lukas ( EPP) | Nikos ANDROULAKIS ( S&D), Klemen GROŠELJ ( RE) |
Committee Opinion | ITRE | TORVALDS Nils ( Renew) | |
Committee Opinion | TRAN | DZHAMBAZKI Angel ( ECR) | Alviina ALAMETSÄ ( Verts/ALE) |
Committee Opinion | IMCO | AGIUS SALIBA Alex ( S&D) | |
Committee Opinion | ECON |
Lead committee dossier:
Legal Basis:
RoP 57, TFEU 114-p1
Legal Basis:
RoP 57, TFEU 114-p1Subjects
Events
PURPOSE: to ensure that services essential for the maintenance of vital societal functions or economic activities are provided in an unobstructed manner in the internal market and to enhance the resilience of critical entities providing such services.
LEGISLATIVE ACT: Directive (EU) 2022/2557 of the European Parliament and of the Council on the resilience of critical entities and repealing Council Directive 2008/114/EC.
CONTENT: critical entities are entities providing essential services that are crucial for the maintenance of vital societal functions, economic activities, public health and safety, and the environment. They need to be able to prevent, protect against, respond to, cope with and recover from hybrid attacks, natural disasters, terrorist threats and public health emergencies.
This Directive:
- lays down obligations on Member States to take specific measures aimed at ensuring that services which are essential for the maintenance of vital societal functions or economic activities are provided in an unobstructed manner in the internal market, in particular obligations to identify critical entities and to support critical entities in meeting the obligations imposed on them;
- lays down obligations for critical entities aimed at enhancing their resilience and ability to provide essential services in the internal market;
- establishes rules: (i) on the supervision of critical entities; (ii) on enforcement; (iii) for the identification of critical entities of particular European significance and on advisory missions to assess the measures that such entities have put in place to meet their obligations;
- lays down measures with a view to achieving a high level of resilience of critical entities in order to ensure the provision of essential services within the Union and to improve the functioning of the internal market.
Scope
The new legislation strengthens the requirements for conducting risk assessment and reporting of actors considered critical. It covers 11 sectors , namely energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, public administration, space and food (food production, processing and distribution).
This Directive is without prejudice to the Member States’ responsibility for safeguarding national security and defence and their power to safeguard other essential State functions, including ensuring the territorial integrity of the State and maintaining law and order.
The Directive does not prevent Member States from adopting or maintaining provisions in national law to achieve a higher level of resilience of critical entities.
National strategies
Each Member State will adopt by 17 January 2026 a strategy for enhancing the resilience of critical entities. The Commission is empowered to adopt a delegated act, by 17 November 2023 to supplement this Directive by establishing a non-exhaustive list of essential services in the sectors and subsectors set out in the Annex. The competent authorities shall use that list of essential services for the purpose of carrying out a risk assessment by 17 January 2026, whenever necessary subsequently, and at least every four years.
Single point of contact
In order to facilitate cross-border cooperation and communication and to enable the effective implementation of this Directive, each Member State will designate one single point of contact responsible for coordinating issues related to the resilience of critical entities and cross-border cooperation at Union level, where relevant within a competent authority.
Identification of critical entities
The Directive also establishes rules for the identification of critical entities of particular European significance. A critical entity is considered of particular European significance if it provides an essential service to six or more Member States . In this case, the Commission may be requested by the Member States to organise an advisory mission or the Commission may itself propose, with the agreement of the member state concerned, to assess the measures the entity concerned has put in place to meet the obligations arising from the directive.
Resilience measures for critical entities
Critical entities shall identify relevant risks that could significantly disrupt the provision of essential services, take appropriate measures to ensure their resilience and notify disruptive incidents to the relevant authorities. Unless they are unable to do so for operational reasons, critical entities shall submit an initial notification within 24 hours of becoming aware of an incident, followed, where appropriate, by a detailed report within one month.
Where an incident has or could have a significant impact on the continued provision of essential services to or in six or more Member States, the competent authorities of the Member States affected by the incident will notify the incident to the Commission.
Member States will have to inform the public when they consider that it would be in the public interest to do so.
Critical Entities Resilience Group
The Critical Entities Resilience Group will support the Commission and facilitate cooperation among Member States and the exchange of information on issues relating to this Directive. Where requested by the European Parliament, the Commission may invite experts from the European Parliament to attend meetings of the Critical Entities Resilience Group.
ENTRY INTO FORCE: 16.1.2023
TRANSPOSITION: no later than 17.10.2024. The provisions will apply from 18.10.2024.
The European Parliament adopted by 595 votes to 17, with 24 abstentions, a legislative resolution on the proposal for a directive of the European Parliament and of the Council on the resilience of critical entities.
The European Parliament’s position at first reading under the ordinary legislative procedure amends the Commission proposal as follows:
Subject matter
This Directive sets out a Union framework with the aim of both enhancing the resilience of critical entities in the internal market by laying down harmonised minimum rules and assisting them by means of coherent and dedicated support and supervision measures.
This Directive:
- lays down obligations on Member States to take specific measures aimed at ensuring that services which are essential for the maintenance of vital societal functions or economic activities are provided in an unobstructed manner in the internal market, in particular obligations to identify critical entities and to support critical entities in meeting the obligations imposed on them;
- establishes common procedures for cooperation and reporting on the application of this Directive;
- lays down measures with a view to achieving a high level of resilience of critical entities in order to ensure the provision of essential services within the Union and to improve the functioning of the internal market.
The new rules will harmonise the definition of critical infrastructure, so that it is consistent between the Member States.
Scope
Covering eleven sectors : energy, transport, banking, financial market infrastructure, digital infrastructure, drinking and waste water, food (including production, processing and delivery), health, public administration and space, the legislation tightens the requirements for risk assessments and reporting for actors considered critical.
This Directive is without prejudice to the Member States’ responsibility for safeguarding national security and defence and their power to safeguard other essential State functions, including ensuring the territorial integrity of the State and maintaining law and order.
The obligations laid down in this Directive will not entail the supply of information the disclosure of which would be contrary to the essential interests of Member States’ national security, public security or defence.
Strategy on the resilience of critical entities
Following a consultation that is, to the extent practically possible, open to relevant stakeholders, each Member State will adopt by three years from the date of entry into force of this Directive, a strategy for enhancing the resilience of critical entities.
Member States' risk assessments will take into account relevant natural and man-made risks, including those of a cross-sectoral or cross-border nature, accidents, natural disasters, public health emergencies and hybrid or other antagonistic threats, which include terrorist offences.
No later than three years and six months from the date of entry into force of the Directive, each Member State will identify the critical entities for the sectors covered.
Single point of contact
Each Member State will designate one or more competent authorities responsible for ensuring the correct application of the rules set out in the Directive at national level. It will also have to designate a single contact point to act as a liaison point for cross-border cooperation with the single contact points of other Member States and with the Critical Entity Resilience Group. A Member State may provide that its single point of contact also liaises with the Commission and ensures cooperation with third countries.
Resilience measures for critical entities
Member States will ensure that critical entities take appropriate and proportionate technical, security and organisational measures to ensure their resilience, based on the relevant information provided by Member States on the Member State risk assessment and the outcome of the critical entity risk assessment.
Incident notifications
Member States will ensure that critical entities notify the competent authority, without undue delay, of incidents that significantly disrupt or have the potential to significantly disrupt the provision of essential services. Member States will ensure that, unless operationally unable to do so, critical entities submit an initial notification no later than 24 hours after becoming aware of an incident , followed, where relevant, by a detailed report no later than one month thereafter.
In order to determine the significance of a disruption, the following parameters should, in particular, be taken into account: (a) the number and proportion of users affected by the disruption; (b) the duration of the disruption; (c) the geographical area affected by the disruption, taking into account whether the area is geographically isolated.
Where an incident has or might have a significant impact on the continuity of the provision of essential services to or in six or more Member States , the competent authorities of the Member States affected by the incident will notify the Commission of that incident. Member States will inform the public where they determine that it would be in the public interest to do so.
Critical Entities Resilience Group
The Critical Entities Resilience Group will support the Commission and facilitate cooperation among Member States and the exchange of information on issues relating to this Directive. Where requested by the European Parliament, the Commission may invite experts from the European Parliament to attend meetings of the Critical Entities Resilience Group.
The Committee on Civil Liberties, Justice and Home Affairs adopted the report by Michal ŠIMEČKA (Renew Europe, SK) on the proposal for a directive of the European Parliament and of the Council on the resilience of critical entities.
The proposed Directive aims to enhance the provision in the internal market of services essential for the maintenance of vital societal functions or economic activities by increasing the resilience of critical entities providing such services. This report seeks to enhance certain aspects of the proposed Directive.
The committee responsible recommended that the European Parliament's position adopted at first reading under the ordinary legislative procedure should amend the proposal as follows:
Definitions
Members proposed to extend the definition of essential services, so that protecting the environment, public health and safety, and the rule of law are also mentioned.
Risk assessment by Member States
With a view to enhancing cooperation between competent authorities of the Member States, Members proposed setting up single points of contact to exercise a liaison function and coordination with the critical entities with competent authorities and with the Critical Entities Resilience Group. The single point of contact should also simplify and harmonise reporting channels (one-stop-shop principle).
Identification of critical entities
The Commission should, in cooperation with the Member States, develop recommendations and guidelines to support Member States in identifying critical entities.
Member States’ support to critical entities
Members proposed that Member States should support critical entities in enhancing their resilience. That support should include developing guidance materials and methodologies, supporting the organisation of exercises to test their resilience and providing training to personnel of critical entities. Member States may provide financial resources to critical entities, without prejudice to applicable rules on State aid, where necessary and justified by public interest objectives.
Critical Entities Resilience Group
The Critical Entities Resilience Group should be composed of representatives of the Member States and the Commission. Where relevant for the performance of its tasks, the Critical Entities Resilience Group should invite representatives of relevant stakeholders to participate in its work and the European Parliament to participate as an observer .
The Group should, inter alia : (i) prepare a Union strategy on resilience in compliance with the objectives set out in this Directive; (ii) promote and support coordinated risk assessments and joint actions among critical entities.
Notification of incidents
Critical entities should notify, as soon as reasonably possible under the given circumstances and, in any event, no later than 24 hours after becoming aware of the incident in question, Member States’ competent authorities of any incident that significantly disrupts or has the potential to significantly disrupt their operations. The competent authority should inform the public of such an incident where it determines that it would be in the public interest to do so. The competent authority should ensure that the critical entity concerned inform users of its services that might be affected by such an incident of the incident and, where relevant, of any possible safety measures or remedies.
The Commission and the Critical Entities Resilience Group should treat information provided as part of such notifications in a way that respects its confidentiality and protects the security and commercial interests of the critical entity or entities concerned.
In It is proposed that the Commission should keep a Union registry of incidents with the aim of developing and sharing best practices and methodologies.
Review
The Commission should periodically review the functioning of this Directive, and report to the European Parliament and to the Council. The report should assess the impact and added value of this Directive on ensuring the resilience of critical entities and whether the scope of the Directive should be extended to cover other sectors or subsectors. The first report should be submitted by six years after the entry into force of this Directive and should assess in particular whether the scope of the Directive should be extended. For that purpose, the Commission should take into account relevant documents of the Critical Entities Resilience Group.
PURPOSE: to lay down harmonised minimum rules to ensure the provision of essential services in the internal market and enhance the resilience of critical entities.
PROPOSED ACT: Directive of the European Parliament and of the Council.
ROLE OF THE EUROPEAN PARLIAMENT: the European Parliament decides in accordance with the ordinary legislative procedure and on an equal footing with the Council.
BACKGROUND: the EU established the European Programme for Critical Infrastructure Protection (EPCIP) in 2006 and adopted the European Critical Infrastructure (ECI) Directive in 2008, which applies to the energy and transport sectors. Both the Commission’s EU Security Union Strategy for 2020-2025 and the recently adopted Counter-Terrorism Agenda for the EU stress the importance of ensuring the resilience of critical infrastructure in the face of physical and digital risks.
The livelihoods of European citizens and the good functioning of the internal market depend on different infrastructures for the reliable provision of services needed to maintain critical societal and economic activities. These services, vital under normal circumstances, are all the more important as Europe manages the effects of and looks towards recovering from the COVID-19 pandemic. It follows that entities providing essential services must be resilient, i.e. able to resist, absorb, accommodate to and recover from incidents that can lead to serious, potentially cross-sectoral and cross-border disruptions.
It is apparent that the current framework on critical infrastructure protection is not sufficient to address the current challenges to critical infrastructures and the entities that operate them. The Commission proposes to fundamentally switch the current approach from protecting specific assets towards reinforcing the resilience of the critical entities that operate them.
CONTENT: this proposal aims to enhance the provision in the internal market of services essential for the maintenance of vital societal functions or economic activities by increasing the resilience of critical entities providing such services.
It reflects recent calls for action on the part of the Council and the European Parliament, both of which have encouraged the Commission to revise the current approach to better reflect the increased challenges to critical entities, and to ensure closer alignment with the Network and Information Systems (NIS) Directive.
The proposed directive:
- extends the scope of the 2008 Directive on European Critical Infrastructure. Ten sectors would now be covered: energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, public administration and space;
- lays down obligations for Member States to take certain measures aimed at ensuring the provision in the internal market of services essential for the maintenance of vital societal functions or economic activities, in particular to identify critical entities and entities to be treated as equivalent in certain respects, and to enable them to meet their obligations;
- lays down obligations for Member States to have a strategy for ensuring the resilience of critical entities, carry out a national risk assessment and, on this basis, identify critical entities;
- establishes obligations for critical entities aimed at enhancing their resilience and improving their ability to provide those services in the internal market;
- establishes rules on supervision and enforcement of critical entities, and specific oversight of critical entities considered to be of particular European significance.
Budgetary implications
The total financial resources necessary to support the implementation of this proposal are estimated to be EUR 42.9 million for the period 2021-2027, of which EUR 5.1 million is administrative expenditure. These
costs can be broken down as follows: (i) support activities by the Commission including staffing, projects, studies and support activities; (ii) advisory missions organised by the Commission; (iii) regular meetings of the Critical Entity Resilience Group, Comitology Committee and other meetings.
Documents
- Commission response to text adopted in plenary: SP(2022)718
- Final act published in Official Journal: Directive 2022/2557
- Final act published in Official Journal: OJ L 333 27.12.2022, p. 0164
- Draft final act: 00051/2022/LEX
- Results of vote in Parliament: Results of vote in Parliament
- Debate in Parliament: Debate in Parliament
- Decision by Parliament, 1st reading: T9-0394/2022
- Committee report tabled for plenary, 1st reading: A9-0289/2021
- Committee opinion: PE692.863
- Committee opinion: PE691.165
- Committee opinion: PE692.636
- Committee opinion: PE692.663
- Committee of the Regions: opinion: CDR0570/2021
- Amendments tabled in committee: PE693.909
- Committee draft report: PE691.097
- Contribution: SWD(2020)0358
- Contribution: SWD(2020)0359
- Contribution: COM(2020)0829
- Contribution: COM(2020)0829
- Contribution: COM(2020)0829
- Document attached to the procedure: SEC(2020)0433
- Document attached to the procedure: EUR-Lex
- Document attached to the procedure: SWD(2020)0358
- Document attached to the procedure: EUR-Lex
- Document attached to the procedure: SWD(2020)0359
- Legislative proposal published: COM(2020)0829
- Legislative proposal published: EUR-Lex
- Document attached to the procedure: SEC(2020)0433
- Document attached to the procedure: EUR-Lex SWD(2020)0358
- Document attached to the procedure: EUR-Lex SWD(2020)0359
- Committee draft report: PE691.097
- Amendments tabled in committee: PE693.909
- Committee of the Regions: opinion: CDR0570/2021
- Committee opinion: PE692.663
- Committee opinion: PE692.636
- Committee opinion: PE691.165
- Committee opinion: PE692.863
- Draft final act: 00051/2022/LEX
- Commission response to text adopted in plenary: SP(2022)718
- Contribution: SWD(2020)0358
- Contribution: SWD(2020)0359
- Contribution: COM(2020)0829
- Contribution: COM(2020)0829
- Contribution: COM(2020)0829
Activities
- Dimitrios PAPADIMOULIS
Plenary Speeches (2)
- 2022/11/22 Resilience of critical entities (debate)
- 2022/11/22 Resilience of critical entities (debate)
- Michal ŠIMEČKA
Plenary Speeches (2)
- 2022/11/22 Resilience of critical entities (debate)
- 2022/11/22 Resilience of critical entities (debate)
- Angel DZHAMBAZKI
Plenary Speeches (1)
- 2022/11/22 Resilience of critical entities (debate)
- Maite PAGAZAURTUNDÚA
Plenary Speeches (1)
- 2022/11/22 Resilience of critical entities (debate)
- Nils TORVALDS
Plenary Speeches (1)
- 2022/11/22 Resilience of critical entities (debate)
- Juozas OLEKAS
Plenary Speeches (1)
- 2022/11/22 Resilience of critical entities (debate)
- Mislav KOLAKUŠIĆ
Plenary Speeches (1)
- 2022/11/22 Resilience of critical entities (debate)
- Benoît LUTGEN
Plenary Speeches (1)
- 2022/11/22 Resilience of critical entities (debate)
- Petar VITANOV
Plenary Speeches (1)
- 2022/11/22 Resilience of critical entities (debate)
Votes
Résilience des entités critiques - Resilience of critical entities - Resilienz kritischer Einrichtungen - A9-0289/2021 - Michal Šimečka - Accord provisoire - Am 98 #
Amendments | Dossier |
571 |
2020/0365(COD)
2021/05/27
TRAN
1 amendments...
Amendment 131 #
Proposal for a directive Annex 1- table - 2. Transport - point e new 2.Transport
source: 693.635
2021/05/28
TRAN
121 amendments...
Amendment 10 #
Proposal for a directive Recital 1 (1) Council Directive 2008/114/EC17 provides for a procedure for designating European critical infrastructures in the energy and transport sectors, the disruption or destruction of which would have significant cross-border impact on at least two Member States. That Directive focused exclusively on the protection of such infrastructures. However, the evaluation of Directive 2008/114/EC conducted in 201918 found that due to the increasingly interconnected and cross-border nature of operations using critical infrastructure such as high speed rail or air traffic management, protective measures relating to individual assets alone are insufficient to prevent all disruptions from taking place. Therefore, it is necessary to shift the approach towards ensuring the resilience of critical entities, that is, their ability to mitigate, absorb, accommodate to and recover from incidents that have the potential to disrupt the operations of the critical entity and the functioning of the internal market. _________________ 17Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection (OJ L 345, 23.12.2008, p.75). 18 SWD(2019) 308.
Amendment 100 #
Proposal for a directive Article 11 – paragraph 1 – point c (c) as far as possible prevent and, where necessary, effectively and quickly resist and mitigate the consequences of incidents, including the implementation of risk and crisis management procedures and protocols and
Amendment 101 #
Proposal for a directive Article 11 – paragraph 1 – point d (d) examine and evaluate damage, recover from incidents, including business continuity measures and the identification of alternative supply chains;
Amendment 102 #
Proposal for a directive Article 11 – paragraph 1 – point f (f) raise awareness about the incidents and disruptions that may occur, including criminal infiltration, as well as measures referred to in points (a) to (e) among relevant personnel.
Amendment 103 #
Proposal for a directive Article 11 – paragraph 1 – point f (f) raise awareness about the measures referred to in points (a) to (e) among relevant personnel, who should receive regular training.
Amendment 104 #
Proposal for a directive Article 11 – paragraph 1 – point f a (new) (f a) ensure the adequate maintenance and up keep of existing physical infrastructure related to the transport and energy sectors, especially in the face of increased potential for natural threats exacerbated by climate change, in order to avoid neglect and increase the lifetimes of such infrastructures which can in turn reduce costs associated with new builds and lower environmental impacts. Special focus should be given to cross-border links, such as regional cross-border rail connections or disused rail links, that might have been neglected in the absence of a concerted union level approach.
Amendment 105 #
Proposal for a directive Article 11 – paragraph 3 3. Upon request of the Member State that identified the critical entity
Amendment 106 #
Proposal for a directive Article 12 – paragraph 2 – point b (b) cover any criminal records of at least the preceding five years, and for a maximum of ten years, on crimes relevant for recruitment on a specific position, in the Member State or Member States or the third country or countries of nationality of the person and in any of the Member States or third countries of residence during that period of time;
Amendment 107 #
Proposal for a directive Article 12 – paragraph 2 – point c (c) cover previous employments, certificates of service, education and any gaps in education or employment in the person’s resume during at least the preceding five years and for a maximum of ten years.
Amendment 108 #
Proposal for a directive Article 13 – paragraph 4 4. As soon as possible upon having been notified in accordance with paragraph 1, the competent authority shall provide the critical entity that notified it with relevant information regarding the follow-up of its notification, including information that could support the critical entity’s effective response to the incident. Where the notification relates to the direct risk to human life, the competent authority shall ensure that relevant public security and safety services are mobilised and sent to the place of incident within a minimum amount of time.
Amendment 109 #
Proposal for a directive Article 14 – paragraph 2 2. An entity shall be considered a critical entity of particular European significance when it has been identified as a critical entity and it provides essential
Amendment 11 #
Proposal for a directive Recital 2 (2) Despite existing measures at Union19 and national level aimed at supporting the protection of critical infrastructures in the Union, the entities operating those infrastructures are not adequately equipped to address current and anticipated future risks to their operations that may result in disruptions of the provision of services that are essential for the performance of vital societal functions or economic activities, as well as the free movement and safety of citizens. This is due to a dynamic threat landscape with an evolving terrorist threat and growing interdependencies between infrastructures and sectors, as well as an increased physical risk due to natural disasters and climate change, which increases the frequency and scale of extreme weather events and brings long-term changes in average climate that can reduce the capacity and efficiency of certain infrastructure types if resilience or climate adaptation measures are not in place. Moreover, relevant sectors and types of entities are often not recognised consistently as critical in all Member States which can mean a lack of adequate coordination between Member States in the protection of important cross-border and intersectoral critical infrastructures such as those in the transport and energy sectors. _________________ 19European Programme for Critical Infrastructure Protection (EPCIP).
Amendment 111 #
Proposal for a directive Article 15 – paragraph 1 – subparagraph 1 That Member State shall also inform, without undue thorough delay, the Commission and the Critical Entities Resilience Group of any supervisory or enforcement actions, including any assessments of compliance or orders issued, that its competent authority has undertaken pursuant to Articles 18 and 19 in respect of that entity.
Amendment 112 #
Proposal for a directive Article 15 – paragraph 3 – introductory part 3. The advisory mission shall report its findings to the Commission, the Critical Entities Resilience Group and the critical entity of particular European significance concerned within a period of
Amendment 113 #
Proposal for a directive Article 15 – paragraph 3 – subparagraph 3 That Member State shall take due and objectively account of those views and provide information to the Commission and the Critical Entities Resilience Group on any measures it has taken pursuant to the communication.
Amendment 114 #
Proposal for a directive Article 16 – paragraph 1 1. A Critical Entities Resilience Group is established with effect from [
Amendment 115 #
Proposal for a directive Article 16 – paragraph 2 – introductory part Amendment 116 #
Proposal for a directive Article 16 – paragraph 3 – point c (c) facilitating the exchange of best practices with regard to the identification of critical entities by the Member States in accordance with Article 5, including in relation to cross-border, cross-sectoral dependencies and regarding risks and incidents;
Amendment 117 #
Proposal for a directive Article 16 – paragraph 3 – point h (h) exchanging information and best practices on innovation, research and development relating to the resilience of critical entities in accordance with this Directive;
Amendment 118 #
Proposal for a directive Article 16 – paragraph 4 4. By [
Amendment 119 #
Proposal for a directive Article 16 – paragraph 6 Amendment 12 #
Proposal for a directive Recital 2 (2) Despite existing measures at Union19 and national level aimed at supporting the protection of critical infrastructures in the Union, the entities operating those infrastructures are not adequately equipped to address current and anticipated future risks to their operations that may result in disruptions of the provision of services that are essential for the performance of vital societal functions or economic activities, including traffic and transport. This is due to a
Amendment 120 #
Proposal for a directive Article 16 – paragraph 7 7. The Commission shall provide to the Critical Entities Resilience Group a summary report of the information provided by the Member States pursuant to Articles 3(3) and 4(4) by [
Amendment 121 #
Proposal for a directive Article 16 – paragraph 7 7. The Commission shall provide to the Critical Entities Resilience Group a summary report of the information provided by the Member States pursuant to Articles 3(3) and 4(4) by [t
Amendment 122 #
Proposal for a directive Article 18 – paragraph 1 – introductory part 1. In order to assess the compliance of the entities that the Member States identified as critical entities pursuant to Article 5 with the obligations pursuant to this Directive, they shall ensure that the competent authorities shall have the powers
Amendment 123 #
Proposal for a directive Article 18 – paragraph 2 – introductory part 2. Member States shall ensure that the competent authorities have the powers
Amendment 124 #
Proposal for a directive Article 22 – paragraph 1 By [
Amendment 125 #
Proposal for a directive Article 22 – paragraph 1 By [
Amendment 126 #
Proposal for a directive Article 22 – paragraph 2 The Commission shall periodically review the functioning of this Directive, and report to the European Parliament and to the Council. The report shall in particular assess the impact and added value of this
Amendment 127 #
Proposal for a directive Article 22 – paragraph 2 The Commission shall periodically review the functioning of this Directive, and report to the European Parliament and to the Council. The report shall in particular assess the impact and added value of this Directive on ensuring the resilience of critical entities and whether the scope of the Directive should be extended to cover other sectors or subsectors. The first report shall be submitted by [
Amendment 128 #
Proposal for a directive Article 22 – paragraph 2 a (new) The Commission shall, by [6 years after the entry into force of this Directive] carry out a review of the application of this Directive and sector-specific legislation. The review shall focus on identifying duplications/overlapping in the respective legislation, regulatory requirements or procedures, with a view to improve coherence and legal certainty between this Directive and the relevant sector-specific legislation. To this end, the Commission shall prepare a report which it shall transmit to the European Parliament and the Council, accompanied where necessary by a legislative proposal.
Amendment 129 #
Proposal for a directive Article 24 – paragraph 1 – introductory part 1. Member States shall adopt and publish, by [
Amendment 13 #
Proposal for a directive Recital 2 (2) Despite existing measures at 19 19 Union and national level aimed at supporting the protection of critical infrastructures in the Union, the entities operating those infrastructures are not adequately equipped to address current and anticipated future risks to their operations that may result in disruptions of the provision of services that are essential for the performance of vital societal functions or economic activities. This is due to a dynamic threat landscape with an evolving terrorist threat and growing interdependencies between infrastructures and sectors, as well as an increased physical risk due to natural disasters and climate change, which increases the frequency and scale of extreme weather events and brings long-term changes in average climate that can reduce the capacity and efficiency of certain infrastructure types if resilience or climate adaptation measures are not in place. Moreover, relevant sectors such as certain transport and tourism sectors, and types of entities are not recognised consistently as critical in all Member States. _________________ 19European Programme for Critical Infrastructure Protection (EPCIP).
Amendment 130 #
Proposal for a directive Article 24 – paragraph 1 – subparagraph 1 They shall apply those provisions from [
Amendment 14 #
Proposal for a directive Recital 2 (2) Despite existing measures at Union19 and national level aimed at supporting the protection of critical infrastructures in the Union, the entities
Amendment 15 #
Proposal for a directive Recital 2 (2) Despite existing measures at 19 Union and national level aimed at supporting the protection of critical infrastructures in the Union, the entities operating those infrastructures are not adequately equipped to address current and anticipated future risks to their operations that may result in disruptions of the provision of services that are essential for the performance of vital societal functions
Amendment 16 #
Proposal for a directive Recital 2 a (new) (2 a) The growing problem of criminal infiltration in critical transport infrastructure, in particular logistic nodes such as ports and airports, is undermining the operations of critical entities in this sector and therefore the effective provision of essential services throughout the European Union;
Amendment 17 #
Proposal for a directive Recital 2 b (new) (2 b) Increasing threats to the EU's critical infrastructure and economic safety arise from foreign interference, by both state and non-state actors, due to a growing influence in or control of non- European entities over critical transport infrastructure, such as ports or airports, as a result of their acquisitions of or substantial investments in strategic companies and the transfer of strategic knowledge;
Amendment 18 #
Proposal for a directive Recital 2 c (new) (2 c) The transport sector encompasses critical entities in the subsectors of road, rail, air, inland waterways, and maritime transport, including ports and terminals;
Amendment 19 #
Proposal for a directive Recital 2 d (new) (2 d) Certain critical infrastructures have a pan-European dimension, such as the European aviation organisation Eurocontrol and the European global satellite positioning system Galileo;
Amendment 20 #
Proposal for a directive Recital 3 (3) Those growing interdependencies are the result of an increasingly cross- border and interdependent network of service provision using key infrastructures across the Union in the sectors of energy, transport, banking, financial market infrastructure, digital infrastructure, drinking and waste water, health, certain aspects of public administration, as well as space in as far as the provision of certain services depending on ground-based infrastructures that are owned, managed and operated either by Member States or by private parties is concerned, therefore not covering infrastructures owned, managed or operated by or on behalf of the Union as part of its space programmes. These interdependencies mean that any disruption, even one initially confined to one entity or one sector, can have cascading effects more broadly, potentially resulting in far-reaching and long-lasting negative impacts in the delivery of services across the internal market. The COVID-19 pandemic has shown the vulnerability of our increasingly interdependent societies in the face of low-probability risks
Amendment 21 #
Proposal for a directive Recital 3 (3) Those growing interdependencies are the result of an increasingly cross- border and interdependent network of service provision using key infrastructures across the Union in the sectors of energy, transport, banking, financial market infrastructure, digital infrastructure, drinking and waste water, health, certain aspects of public administration, as well as space in as far as the provision of certain services depending on ground-based infrastructures that are owned, managed and operated either by Member States or by private parties is concerned, therefore not covering infrastructures owned, managed or operated by or on behalf of the Union as part of its space programmes. These interdependencies mean that any disruption, even one initially confined to one entity or one sector, can have cascading effects more broadly, potentially resulting in far-reaching and long-lasting negative impacts in the delivery of services across the internal market. The COVID-19 pandemic has shown the vulnerability of our increasingly interdependent societies, particularly the transport and tourism sectors, in the face of low-probability risks.
Amendment 22 #
Proposal for a directive Recital 3 a (new) (3 a) The COVID-19 pandemic has once more shown the transport sector's strategic importance to European society and economy in enabling the critical mobility of goods and people, underlining the need to ensure the resilience of critical transport infrastructure across the European Union;
Amendment 23 #
Proposal for a directive Recital 4 (4) The entities involved in the provision of essential services are increasingly subject to diverging requirements imposed under the laws of the Member States. The fact that some Member States have less stringent security requirements on these entities not only risks impacting negatively on the maintenance of vital societal functions or economic activities across the Union, it also leads to obstacles to the proper functioning of the internal market. The resilience of critical entities gives investors and companies reliability and trust, which are cornerstones to a well- working internal market. Similar types of entities are considered as critical in some Member States but not in others, and those which are identified as critical are subject to divergent requirements in different Member States. This results in additional and unnecessary administrative burdens for companies operating across borders, notably for companies active in Member States with more stringent requirements.
Amendment 24 #
Proposal for a directive Recital 4 (4) The entities involved in the provision of essential services are increasingly subject to diverging requirements imposed under the laws of the Member States. The fact that some Member States have less stringent security requirements on these entities not only risks impacting negatively on the maintenance of vital societal functions or economic activities across the Union, it also leads to obstacles to the proper functioning of the internal market and can pose a threat to EU citizens. Similar types of entities are considered as critical in some Member States but not in others, and those which are identified as critical are subject to divergent requirements in different Member States. This results in additional and unnecessary administrative burdens for companies operating across borders, notably for companies active in Member States with more stringent requirements.
Amendment 25 #
Proposal for a directive Recital 5 (5) It is therefore necessary to lay down harmonised minimum rules to ensure the provision of essential services in the internal market and enhance the resilience of critical entities whilst also ensuring the need to dedicate significant resources to the maintenance of existing critical infrastructure, such as rail connections, roads and ports, in order to maximise their life times and ensure their resilience in face of climate change. Special focus should be given to cross-border links, such as regional cross-border rail connections or disused rail links, that might have been neglected in the absence of a concerted union level approach.
Amendment 26 #
Proposal for a directive Recital 5 (5) It is therefore necessary to lay down harmonised
Amendment 27 #
Proposal for a directive Recital 6 (6) In order to achieve that objective, Member States should identify critical entities that should be subject to specific requirements and oversight, but also particular support and guidance, including to SMEs, and awareness raising aimed at achieving a high level of resilience in the face of all relevant risks.
Amendment 28 #
Proposal for a directive Recital 6 (6) In order to achieve that objective, Member States should identify critical entities that should be subject to specific requirements and oversight, but also particular support, protection and guidance aimed at achieving a high level of resilience in the face of all relevant risks.
Amendment 29 #
Proposal for a directive Recital 7 Amendment 30 #
Proposal for a directive Recital 8 a (new) (8 a) The swift technological development in and digitalisation of the transport sector, via the growing use of smart mobility systems such as cooperative intelligent transport systems, connected and automated mobility, and mobility as a service, underline the interconnectedness between the physical and digital world in this sector and calls for an effective approach to allow for resilient digital transport infrastructure in Europe;
Amendment 31 #
Proposal for a directive Recital 10 (10) In view of ensuring a comprehensive approach to the resilience of critical entities, each Member State should have a strategy setting out objectives and policy measures to be implemented. To achieve this, and taking account of the hybrid nature of many threats, Member States should ensure that their
Amendment 32 #
Proposal for a directive Recital 11 (11) The actions of Member States to identify and help ensure the resilience of critical entities should follow a risk-based approach that targets efforts to the entities most relevant for the performance of vital societal functions or economic activities. In order to ensure such a targeted approach, each Member State should carry out, within a harmonised framework, an assessment of all relevant natural and man- made risks that may affect the provision of essential services, including accidents, natural disasters, climate change, public health emergencies such as pandemics, and antagonistic threats, including terrorist offences. Such assessments should be based on and regularly updated with latest scientific knowledge on evolving threats such as climate change in order to ensure timely adaption to an evolving threat landscape. When carrying out those risk assessments, Member States should take into account other general or sector- specific risk assessment carried out pursuant to other
Amendment 33 #
Proposal for a directive Recital 11 (11) The actions of Member States to identify and help ensure the resilience of critical entities should follow a risk-based approach that targets efforts to the entities most relevant for the performance of vital societal functions or economic activities, for example multi-modal hubs for transport, rail infrastructure or air traffic management. In order to ensure such a targeted approach, each Member State should carry out, within a harmonised framework, an assessment of all relevant natural and man-
Amendment 34 #
Proposal for a directive Recital 11 (11) The actions of Member States to identify and help ensure the resilience of critical entities should follow a risk-based approach that targets efforts to the entities most relevant for the performance of vital societal functions or economic activities. In order to ensure such a targeted approach, each Member State should carry out, within a harmonised framework, an assessment of all relevant natural and man- made risks that may affect the provision of essential services, including accidents, natural disasters, public health emergencies such as pandemics, criminal infiltration, and antagonistic threats, including foreign interference and terrorist offences. When carrying out those risk assessments, Member States should take into account other general or sector-specific risk assessment carried out pursuant to other acts of Union law and should consider the dependencies between sectors, including from other Member States and third countries. The outcomes of the risk assessment should be used in the process of identification of critical entities and to assist those entities in meeting the resilience requirements of this Directive.
Amendment 35 #
Proposal for a directive Recital 14 (14) Entities pertaining to the digital infrastructure sector are in essence based on network and information systems and fall within the scope of the NIS 2 Directive, which addresses the physical security of such systems as part of their cybersecurity risk management and reporting obligations. Since those matters are covered by the NIS 2 Directive, the obligations of this Directive do not apply to such entities. However, considering the importance of the services provided by entities in the digital infrastructure sector for the provision of other essential services, such as critical transport services, Member States should identify, based on the criteria and using the procedure provided for in this Directive mutatis mutandis, entities pertaining to the digital infrastructure sector that should be treated as equivalent to critical entities for the purposes of Chapter II only, including the provision on Member States’ support in enhancing the resilence of these entities. Consequently, such entities should not be subject to the obligations laid down in Chapters III to VI. Since the obligations for critical entities laid down in Chapter II to provide certain information to the competent authorities relate to the application of Chapters III and IV, those entities should not be subject to those obligations either.
Amendment 36 #
Proposal for a directive Recital 19 (19) Member States should support critical entities in strengthening their resilience, in compliance with their obligations under this Directive, without prejudice to the entities’ own legal responsibility to ensure such compliance. Member States could in particular develop guidance materials and methodologies, raise awareness, support the organisation of exercises to test their resilience and provide training to personnel of critical entities. Moreover, given the interdependencies between entities and sectors, Member States should establish information sharing tools to support voluntary information sharing between critical entities, without prejudice to the application of competition rules laid down in the Treaty on the Functioning of the European Union.
Amendment 37 #
Proposal for a directive Recital 19 (19) Member States should support critical entities in strengthening their resilience, in compliance with their obligations under this Directive, without prejudice to the entities’ own legal responsibility to ensure such compliance. Member States could in particular develop
Amendment 38 #
Proposal for a directive Recital 19 a (new) (19 a) In their implementation of this Directive, Member States should take all the necessary actions to prevent any excessive administrative burdens, particularly on SMEs, and avoid duplications or unnecessary obligations. Member States should assist and facilitate adequate support to SMEs when requested in taking the technical and organisational measures required under this Directive.
Amendment 39 #
Proposal for a directive Recital 20 (20) In order to be able to ensure their resilience, critical entities should have a comprehensive understanding of all relevant risks to which they are exposed and analyse those risks. To that aim, they should carry out risks assessments, whenever necessary in view of their particular circumstances and the evolution of those risks, yet in any event every four years. The risk assessments by critical entities should be based on the risk assessment carried out by Member States. Further harmonisation of security and safety standards and certification requirements is urgently necessary for critical infrastructure sectors, such as safe parking areas and rest areas, where divergent interpretations persist. Welcomes in this regard the standard certification rating system for Safe and Secure Truck Parking Areas.
Amendment 40 #
Proposal for a directive Recital 20 (20) In order to be able to ensure their resilience, critical entities should have a comprehensive understanding of all relevant risks to which they are exposed and analyse those risks. To that aim, they should carry out risks assessments,
Amendment 41 #
Proposal for a directive Recital 20 (20) In order to be able to ensure their resilience, critical entities should have a comprehensive understanding of all relevant risks to which they are exposed
Amendment 42 #
Proposal for a directive Recital 23 (23) Regulation (EC) No 300/2008 of
Amendment 43 #
Proposal for a directive Recital 23 (23) Regulation (EC) No 300/2008 of the European Parliament and of the Council28 , Regulation (EC) No 725/2004 of the European Parliament and of the Council29 and Directive 2005/65/EC of the European Parliament and of the Council30 establish requirements applicable to entities in the aviation and maritime transport sectors to prevent incidents caused by unlawful acts and to resist and mitigate the consequences of such incidents. While the measures required in this Directive are broader in terms of risks addressed and types of measures to be taken, critical entities in those sectors
Amendment 44 #
Proposal for a directive Recital 24 (24) The risk of employees of critical entities misusing for instance their access rights within the entity’s organisation to harm and cause damage is of increasing
Amendment 45 #
Proposal for a directive Recital 25 (25) Critical entities should notify, as soon as reasonably possible under the given circumstances, Member States’ competent authorities, as well as to other entities on a voluntary basis, of incidents that significantly disrupt or have the potential to significantly disrupt their operations. The notification should allow the competent authorities to respond to the incidents rapidly and adequately and to have a comprehensive overview of the overall risks that critical entities face. For that purpose, a procedure should be established for the notification of certain incidents and parameters should be provided for to determine when the actual or potential disruption is significant and the incidents should thus be notified. Given the potential cross-border impacts of such
Amendment 46 #
Proposal for a directive Recital 28 (28) In order to support the Commission and facilitate strategic cooperation and the exchange of information, including best practices, on issues relating to this Directive, a Critical Entities Resilience Group, which is a Commission expert group, should be established. Member States should endeavour to ensure effective and efficient cooperation of the designated representatives of their competent authorities in the Critical Entities Resilience Group. The group should begin to perform its tasks from
Amendment 47 #
Proposal for a directive Recital 30 (30) Member States should ensure that
Amendment 48 #
Proposal for a directive Recital 30 (30) Member States should ensure that their competent authorities have certain specific powers for the proper application and enforcement of this Directive in relation to critical entities, where those entities fall under their jurisdiction as specified in this Directive. Those powers should include, notably, the power to conduct inspections, supervision and audits, raise awareness, require critical entities to provide information and evidence relating to the measures they have taken to comply with their obligations and, where necessary, issue orders to remedy identified infringements. When issuing such orders, Member States should not require measures which go beyond what is necessary and proportionate to ensure compliance of the critical entity concerned, taking account of in particular the seriousness of the infringement and the economic capacity of the critical entity. More generally, those powers should be accompanied by appropriate and effective safeguards to be specified in national law, in accordance with the requirements resulting from Charter of Fundamental Rights of the European Union. When assessing the compliance of a critical entity with its obligations under this Directive, competent authorities designated under this Directive should be able to request the competent authorities designated under the NIS 2 Directive to assess the cybersecurity of those entities. Those competent authorities should cooperate and exchange information for that purpose.
Amendment 49 #
Proposal for a directive Recital 33 (33) Since the objectives of this Directive, namely to ensure the safe, undisturbed provision in the internal market of services essential for the maintenance of vital societal functions or economic activities and to enhance the resilience of critical entities providing such services, cannot be sufficiently achieved by the Member States, but can rather, by reason of the effects of the action, be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on the European Union. In accordance with the principle of proportionality, as set out in that Article
Amendment 50 #
Proposal for a directive Recital 34 a (new) (34 a) Member States and the Commission should ensure the necessary training and tools are in place for authorities and wider stakeholders to successfully implement this Directive with a special attention to rapidly evolving risks such as those related to cyber security and climate change.
Amendment 51 #
Proposal for a directive Recital 34 b (new) (34 b) In order to fully ensure an adequate approach is being taken to reduce vulnerabilities and increase the resilience of Member States in view of the threats to critical entities, it is important to recognise the role of local communities and local authorities inbeing able to provide and offer safeguards in the case of a significant disruption or disruptions to critical entities. Member States and the Commission should therefore consider the local level context, and in particular the decentralisation of energy and the role of alternative energy networks, in the implementation of this Directive to ensure a comprehensive approach is being taken to reduce all risks that threaten societal and economic activities.
Amendment 52 #
Proposal for a directive Recital 34 c (new) (34 c) In accordance with applicable Union and national law, including Regulation 2019/452 that provides a framework for the screening of foreign direct investments into the Union, the potential threat posed by foreign ownership of critical infrastructures within the Union must be acknowledged as services, the economy, free movement and the safety of EU citizens depends on the proper functioning of critical infrastructure. Member States and the Commission should remain vigilant to the financial investments being made by foreign countries into the operation of critical entities within the Union and the consequences that such investments could have on the ability to prevent significant disruptions.
Amendment 53 #
Proposal for a directive Article 1 – paragraph 1 – introductory part 1. To that end, this Directive:
Amendment 54 #
Proposal for a directive Article 1 – paragraph 1 – point b (b) establishes obligations for critical entities aimed at enhancing their resilience and improving their ability to provide and subsequently maintain those services in the internal market;
Amendment 55 #
Proposal for a directive Article 1 a (new) Article 1 a To be placed before Paragraph 1 1. This Directive lays down measures with a view to achieving a high level of resilience of critical entities in order to ensure the provision of essential services within the Union and improve the functioning of the internal market.
Amendment 56 #
Proposal for a directive Article 2 – paragraph 1 – point 2 Amendment 57 #
Proposal for a directive Article 2 – paragraph 1 – point 4 Amendment 58 #
Proposal for a directive Article 3 – paragraph 1 1. Each Member State shall, following consultation with critical entities, adopt by [
Amendment 59 #
Proposal for a directive Article 3 – paragraph 1 1. Each Member State shall adopt by [t
Amendment 60 #
Proposal for a directive Article 3 – paragraph 2 – point a (a) strategic objectives and priorities for the purposes of enhancing the overall resilience of critical entities taking into account cross-border and cross-sectoral interdependencies and the need for the exchange of information between entities;
Amendment 61 #
Proposal for a directive Article 3 – paragraph 2 – point c (c) a description of measures necessary to enhance the overall resilience of critical entities, including a national risk assessment, the identification of critical entities and of entities equivalent to critical entities, the maintenance requirements associated with critical entities, and the measures to support critical entities taken in accordance with this Chapter;
Amendment 62 #
Proposal for a directive Article 3 – paragraph 2 – point d a (new) (d a) an approach to increasing the resilience of local and regional communities in Member States and which recognises, but is not limited to, the role of decentralised local renewable energy supplies, energy storage systems and back-up energy storage systems such as battery electric vehicles, in offering alternative access to energy should a critical entity in the energy sector be significantly disrupted.
Amendment 63 #
Proposal for a directive Article 3 – paragraph 2 – subparagraph 1 The strategy shall be updated where necessary and at least every
Amendment 64 #
Proposal for a directive Article 3 – paragraph 2 – subparagraph 1 a (new) Amendment 65 #
Proposal for a directive Article 3 – paragraph 2 a (new) 2 a. Incorporation of the latest scientific understanding of risks posed to critical entities. In particular, the strategies should fully incorporate for the latest scientific evidence concerning future climate change impacts on critical entities.
Amendment 66 #
Proposal for a directive Article 3 – paragraph 3 3. Member States shall communicate their strategies, and any updates of their strategies, to the Commission within three months from their adoption, and be made publicly available.
Amendment 67 #
Proposal for a directive Article 4 – paragraph 1 – introductory part 1. Competent authorities designated pursuant to Article 8 shall establish a list of essential services in the sectors referred to in the Annex. They shall carry out by [
Amendment 68 #
Proposal for a directive Article 4 – paragraph 1 – introductory part 1. Competent authorities designated pursuant to Article 8 shall establish a list of essential services in the sectors referred to in the Annex. They shall carry out by [t
Amendment 69 #
Proposal for a directive Article 4 – paragraph 1 – subparagraph 1 The risk assessment shall account for all relevant natural and man-made risks, including accidents, natural disasters, climate change, public health emergencies, antagonistic threats, including terrorist offences pursuant to Directive (EU) 2017/541 of the European Parliament and of the Council34
Amendment 70 #
Proposal for a directive Article 4 – paragraph 1 – subparagraph 1 The risk assessment shall account for all relevant natural and man-made risks, including accidents, natural disasters, public health emergencies, criminal infiltration, antagonistic
Amendment 71 #
Proposal for a directive Article 4 – paragraph 1 – subparagraph 1 The risk assessment shall account for all relevant natural and man-made risks, including accidents, natural disasters, attacks, sabotage, public health emergencies, antagonistic threats, including terrorist offences pursuant to Directive (EU) 2017/541 of the European Parliament and of the Council34. _________________ 34Directive (EU) 2017/541 of the European Parliament and of the Council of 15 March 2017 on combating terrorism and replacing Council Framework Decision 2002/475/JHA and amending Council Decision 2005/671/JHA (OJ L 88, 31.3.2017, p. 6).
Amendment 72 #
Proposal for a directive Article 4 – paragraph 1 – subparagraph 1 The risk assessment shall account for all relevant natural and man-made risks, including accidents, natural disasters, public health emergencies, antagonistic threats, cyber attacks including terrorist offences pursuant to Directive (EU) 2017/541 of the European Parliament and of the Council34 . _________________ 34Directive (EU) 2017/541 of the European Parliament and of the Council of 15 March 2017 on combating terrorism and replacing Council Framework Decision 2002/475/JHA and amending Council Decision 2005/671/JHA (OJ L 88, 31.3.2017, p. 6).
Amendment 73 #
Proposal for a directive Article 4 – paragraph 2 – point d a (new) (d a) an assessment of existing national level plans, strategies or other initiatives designed to increase the resilience of local and regional communities in view of the potential consequences of a significant disruption or disruptions to critical entities.
Amendment 74 #
Proposal for a directive Article 4 – paragraph 4 4. Each Member State shall provide the Commission with data on the types of risks identified and the outcomes of the risk assessments, per sector and sub-sector referred to in the Annex, by [three years after entry into force of this Directive] and subsequently where necessary and at least every four years, and be made publicly available.
Amendment 75 #
Proposal for a directive Article 4 – paragraph 4 4. Each Member State shall provide the Commission with data on the types of risks identified and the outcomes of the risk assessments, per sector and sub-sector referred to in the Annex, by [
Amendment 76 #
Proposal for a directive Article 4 – paragraph 5 5. The Commission may, in cooperation with the Member States, develop a voluntary common reporting template for the purposes of complying with paragraph 4, and shall provide a publicly available report reviewing the risk assessments made by Member States.
Amendment 77 #
Proposal for a directive Article 4 – paragraph 5 5. The Commission
Amendment 78 #
Proposal for a directive Article 4 – paragraph 5 a (new) 5 a. Member States and the Commission shall ensure the necessary resources, capabilities and technologies are in place to handle the exchange of information and data pursuant to this Article. Special attention should be given to the handling of sensitive data, including by means of secure data exchange protocols, and to avoid data misuse, whilst recognising the need for non-sensitive data to be made publicly available to ensure transparency.
Amendment 79 #
Proposal for a directive Article 5 – paragraph 1 1. By [
Amendment 80 #
Proposal for a directive Article 5 – paragraph 1 1. By [t
Amendment 81 #
(b) (the provision of that service depends on infrastructure located in the Member State; and the existing possibilities;
Amendment 82 #
Proposal for a directive Article 5 – paragraph 3 – introductory part 3. Each Member State shall establish a list of the critical entities identified and ensure that those critical entities are notified of their identification as critical entities within
Amendment 83 #
Proposal for a directive Article 5 – paragraph 4 4. Member States shall ensure that their competent authorities designated pursuant to Article 8 of this Directive notify the competent authorities that the Member States designated in accordance with Article 8 of [the NIS 2 Directive], of the identity of the critical entities that they
Amendment 84 #
Proposal for a directive Article 5 – paragraph 6 6. For the purposes of Chapter IV, Member States shall ensure that critical entities, following the notification referred in paragraph 3, provide information to their competent authorities designated pursuant to Article 8 of this Directive on whether they provide essential services to or in more than
Amendment 85 #
Proposal for a directive Article 5 – paragraph 7 – introductory part 7. Member States shall, where necessary and in any event at least every
Amendment 86 #
Proposal for a directive Article 6 – paragraph 1 – point c (c) the impacts that incidents could have, in terms of degree and duration, on economic and societal activities, public transport, the environment and public safety;
Amendment 87 #
Proposal for a directive Article 6 – paragraph 1 – point c (c) the impacts that incidents could have, in terms of degree and duration, on economic and societal activities, the environment and public security and safety;
Amendment 88 #
Proposal for a directive Article 6 – paragraph 2 – introductory part 2. Member States shall submit to the Commission by [
Amendment 89 #
Proposal for a directive Article 6 – paragraph 2 – introductory part 2. Member States shall submit to the Commission by [t
Amendment 90 #
Proposal for a directive Article 6 – paragraph 2 – subparagraph 1 They shall subsequently submit that information where necessary, and at least every
Amendment 91 #
Proposal for a directive Article 7 – paragraph 1 1. As regards the sectors referred to in points 3, 4 and 8 of the Annex, Member States shall, by [
Amendment 92 #
Proposal for a directive Article 7 – paragraph 1 1. As regards the sectors referred to in points 3, 4 and 8 of the Annex, Member States shall, by [t
Amendment 93 #
Proposal for a directive Article 8 – paragraph 1 – introductory part Amendment 94 #
Proposal for a directive Article 8 – paragraph 3 3. By [
Amendment 95 #
Proposal for a directive Article 8 – paragraph 3 3. By [t
Amendment 96 #
5 a. In the event of exceptional situations and high-risk incidents where critical entities and responsible national authorities fail to ensure that the incident is absorbed and remedied, the Commission should intervene through the available levers to help the critical entity to resolve this issue;
Amendment 97 #
Proposal for a directive Article 9 – paragraph 1 1. Member States shall support critical entities in enhancing their resilience. That support may include developing guidance materials and methodologies, raise awareness, supporting the organisation of exercises to test their resilience and providing training to personnel of critical entities.
Amendment 98 #
Proposal for a directive Article 10 – paragraph 1 Member States shall ensure that critical entities assess within six months after
Amendment 99 #
Proposal for a directive Article 11 – paragraph 1 – point b (b) ensure adequate physical protection of sensitive areas, facilities and other infrastructure, including fencing, barriers, perimeter monitoring tools and routines, as well as detection equipment, emergency call systems for the notification of competent authorities, and access controls;
source: 693.634
2021/05/31
ITRE
67 amendments...
Amendment 25 #
Proposal for a directive Recital 1 (1) Council Directive 2008/114/EC17 provides for a procedure for designating European critical infrastructures in the energy and transport sectors, the disruption or destruction of which would have significant cross-border impact on at least two Member States. That Directive focused exclusively on the protection of such infrastructures. However, the evaluation of Directive 2008/114/EC conducted in 201918 found that due to the increasingly interconnected and cross-border nature of operations using critical infrastructure, protective measures relating to individual assets alone are insufficient to prevent all disruptions from taking place. Therefore, it is necessary to shift the approach towards ensuring the resilience of critical entities, that is, their ability to mitigate, absorb, accommodate to and recover from incidents that have the potential to disrupt the operations of the critical entity endangering the overall economic and social well-being of citizens. _________________ 17Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection (OJ L 345, 23.12.2008, p.75). 18 SWD(2019) 308.
Amendment 26 #
Proposal for a directive Recital 1 (1) Council Directive 2008/114/EC17 provides for a procedure for designating European critical infrastructures in the energy and transport sectors, the disruption or destruction of which would have significant cross-border impact on at least two Member States. That Directive focused exclusively on the protection of such infrastructures. However, the evaluation of Directive 2008/114/EC18 conducted in 2019 found that due to the increasingly interconnected and cross-border nature of operations using critical infrastructure, protective measures relating to individual assets alone are insufficient to prevent all disruptions from taking place. Therefore, it is necessary to shift the approach towards ensuring the resilience of critical entities, that is, their ability to mitigate, absorb, react to, accommodate to and recover from incidents that have the potential to disrupt the operations of the critical entity. _________________ 17Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection (OJ L 345, 23.12.2008, p. 75). 18 SDW(2019) 308.
Amendment 27 #
(1a) In the context of ensuring the resilience of critical entities, decentralisation may be considered a preemptive measure. Encouraging the construction of extensive cross-border installations does not necessarily promote the resilience of Member States, moreover, it can result in cross-border vulnerability.
Amendment 28 #
Proposal for a directive Recital 1 b (new) (1b) It should likewise be taken into account that some objects are of such national strategic importance, that sharing vital information about them on international platforms would represent a security concern rather than a security measure.
Amendment 29 #
Proposal for a directive Recital 1 c (new) Amendment 30 #
Proposal for a directive Recital 1 d (new) (1d) In order to avoid overlaps, the scope of this Directive should be limited to entities that are not already covered by other Union legislation.
Amendment 31 #
Proposal for a directive Recital 2 (2) Despite existing measures at Union19 and national level aimed at supporting the protection of critical infrastructures in the Union, the entities operating those infrastructures are not adequately equipped to address current and anticipated future risks to their operations that may result in disruptions of the provision of services that are essential for the performance of vital societal functions or economic activities. This is due to a
Amendment 32 #
Proposal for a directive Recital 2 a (new) (2a) In accordance with the principle of subsidiarity, national, bilateral and regional interests should be distinguished from issues that call for coordinated measures at Union level.
Amendment 33 #
Proposal for a directive Recital 3 (3) Those growing interdependencies are the result of an increasingly cross- border and interdependent network of service provision using key infrastructures across the Union in the sectors of energy, transport, banking, financial market infrastructure, digital infrastructure, drinking and waste water, health, certain aspects of public administration, as well as space in as far as the provision of certain services depending on ground-based infrastructures that are owned, managed and operated either by Member States or by private parties is concerned, therefore not covering infrastructures owned, managed or operated by or on behalf of the Union as part of its space programmes. Innovation and technology advancements contribute to the creation of new forms and types of infrastructure systems that use innovations aimed at reducing costs and increasing efficiency and may have implications on risk and resilience. These interdependencies mean that any disruption, even one initially confined to one entity or one sector, can have cascading effects more broadly, potentially resulting in far-reaching and long-lasting negative impacts in the delivery of services across the internal market. The COVID-19 pandemic has shown the vulnerability of our increasingly interdependent societies in the face of low-probability risks and the capital importance of raw materials, chemical, pharmaceutical and manufacturing industries and of products that are essential to many critical infrastructure sectors.
Amendment 34 #
Proposal for a directive Recital 3 (3) Those growing interdependencies are the result of an increasingly cross- border and interdependent network of service provision using key infrastructures across the Union in the sectors of energy, transport, banking, financial market infrastructure, digital infrastructure, drinking and waste water, health, certain aspects of public administration, as well as space in as far as the provision of certain services depending on ground-based infrastructures that are owned, managed and operated either by Member States or by private parties is concerned, therefore not covering infrastructures owned, managed or operated by or on behalf of the Union as part of its space programmes. These interdependencies mean that any disruption, even one initially confined to one entity or one sector, can have cascading effects more broadly, potentially resulting in far-reaching and long-lasting negative impacts in the delivery of services across the internal market and for the security and safety of Member State citizens. The COVID-19 pandemic has shown the vulnerability of our increasingly interdependent societies in the face of low- probability risks.
Amendment 35 #
(3) Those growing interdependencies are the result of an increasingly cross- border and interdependent network of service provision using key infrastructures across the Union in the sectors of energy, transport, banking, financial market infrastructure, digital infrastructure, drinking and waste water, health, agri- food, certain aspects of public administration, as well as space in as far as the provision of certain services depending on ground-based infrastructures that are owned, managed and operated either by Member States or by private parties is concerned, therefore not covering infrastructures owned, managed or operated by or on behalf of the Union as part of its space programmes. These interdependencies mean that any disruption, even one initially confined to one entity or one sector, can have cascading effects more broadly, potentially resulting in far-reaching and long-lasting negative impacts in the delivery of services across the internal market. The COVID-19 pandemic has shown the vulnerability of our increasingly interdependent societies in the face of low-probability risks.
Amendment 36 #
Proposal for a directive Recital 4 (4) The entities involved in the provision of essential services are increasingly subject to diverging requirements imposed under the laws of the Member States. The fact that some Member States have less stringent security requirements on these entities not only risks impacting negatively on the maintenance of vital societal functions or economic activities across the Union, it also leads to obstacles to the proper functioning of the internal market. The resilience of critical entities is of great importance for the functioning of the internal market and the security of the Union, however, this Directive should not limit the responsibility of Member States to protect national security. Similar types of entities are considered as critical in some Member States but not in others, and those which are identified as critical are subject to divergent requirements in different Member States. This results in additional and unnecessary administrative burdens for companies operating across borders, notably for companies active in Member States with more stringent requirements.
Amendment 37 #
Proposal for a directive Recital 4 (4) The entities involved in the provision of essential services are increasingly subject to diverging requirements imposed under the laws of the Member States. The fact that some Member States have less stringent security requirements on these entities not only risks impacting negatively on the maintenance of vital societal functions or economic activities across the Union, it also leads to obstacles to the proper functioning of the internal market and affects the safety and security of Member State citizens. Similar types of entities are considered as critical in some Member States but not in others, and those which are identified as critical are subject to divergent requirements in different Member States. This results in additional and unnecessary administrative burdens for companies operating across borders, notably for companies active in Member States with more stringent requirements.
Amendment 38 #
Proposal for a directive Recital 5 (5) It is therefore necessary to lay down harmonised minimum rules to ensure the provision of essential services in the internal market and enhance the resilience
Amendment 39 #
Proposal for a directive Recital 7 (7) Certain sectors of the economy such as energy and transport are already regulated or may be regulated in the future by sector-specific acts of Union law that contain rules related to certain aspects of resilience of entities operating in those sectors. In order to address in a comprehensive manner the resilience of those entities that are critical for the proper functioning of the internal market, those sector-specific measures should be complemented by the ones provided for in this Directive, which creates an overarching framework that addresses critical entities’ resilience in respect of all hazards, that is, natural and man-made, accidental and intentional. Resilience of energy infrastructures is integral to growth and production across the Union, in particular it contributes to reduce energy poverty, ensuring a decent standard of living and to energy security.
Amendment 40 #
Proposal for a directive Recital 7 (7) Certain sectors of the economy such as energy and transport are already regulated or may be regulated in the future by sector-specific acts of national or Union law that contain rules related to certain aspects of resilience of entities operating in those sectors. In order to address in a comprehensive manner the resilience of those entities that are critical for the proper functioning of the internal market, those sector-specific measures should be complemented by the ones provided for in this Directive, which creates an overarching framework that addresses critical entities’ resilience in respect of all hazards, that is, natural and man-made, accidental and intentional.
Amendment 41 #
Proposal for a directive Recital 7 a (new) (7a) This Directive should apply to the following sectors: energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, agri-food, public administration, and space. As far as digital infrastructures that fall within the scope of the NIS 2 Directive are concerned, only the provisions of this Directive concerning the national frameworks on the resilience of critical entities should apply. Infrastructures belonging to one of those sectors, other than digital infrastructures, but with a digital feature, should fall within the scope of both this Directive and the NIS 2 Directive in their entirety.
Amendment 42 #
Proposal for a directive Recital 8 (8) Given the importance of cybersecurity for the resilience of critical entities and in the interest of consistency, a coherent approach between this Directive and Directive (EU) XX/YY of the European Parliament and of the Council20 [Proposed Directive on measures for a high common level of cybersecurity across the Union; (hereafter “NIS 2 Directive”)] is necessary wherever possible, preventing any overlap that could hinder the simultaneous legislative effectiveness of the two regulations. In view of the higher frequency and particular characteristics of cyber risks, the NIS 2 Directive imposes comprehensive requirements on a large set of entities to ensure their cybersecurity. Given that cybersecurity is addressed sufficiently in the NIS 2 Directive, the matters covered by it should be excluded from the scope of this Directive, without prejudice to the
Amendment 43 #
Proposal for a directive Recital 10 (10) In view of ensuring a comprehensive approach to the resilience of critical entities, each Member State should have a strategy setting out objectives and policy measures to be implemented. In case a critical entity is located in one Member States but the consequences of a disaster could have an impact in more than one Member State, coordination between competent authorities on crisis management and resilience strategy should be encouraged. To achieve this, Member States should ensure that their cybersecurity strategies provide for a policy framework for enhanced coordination between the competent authority under this Directive and the NIS 2 Directive in the context of information sharing on incidents and cyber threats and the exercise of supervisory tasks.
Amendment 44 #
Proposal for a directive Recital 10 (10) In view of ensuring a comprehensive approach to the resilience of critical entities, each Member State should have a strategy setting out objectives and policy measures to be implemented. To achieve this, Member States should ensure that their cybersecurity strategies provide for a policy framework for enhanced coordination between the competent authority under this Directive and the NIS 2 Directive in the context of information sharing on incidents and cyber threats and the exercise of supervisory tasks without, however, causing additional double costs for operators.
Amendment 45 #
Proposal for a directive Recital 11 (11) The actions of Member States to identify and help ensure the resilience of critical entities should follow a risk-based approach that targets efforts to the entities
Amendment 46 #
Proposal for a directive Recital 11 (11) The actions of Member States to identify and help ensure the resilience of critical entities should follow a risk-based approach that targets efforts to the entities most relevant for the performance of vital societal functions or economic activities. In order to ensure such a targeted approach, each Member State should carry out, within a harmonised framework, an
Amendment 47 #
Proposal for a directive Recital 12 (12) In order to ensure that all relevant entities are subject to those requirements and to reduce divergences in this respect, it is important to lay down harmonised rules allowing for a consistent identification of critical entities across the Union, while also allowing Member States to reflect national specificities. This Directive addresses the need to ensure continuity of the services essential for the maintenance of vital societal functions or economic activities, without prejudice to national competence in organising and delivering public services. Therefore, criteria to identify critical entities should be laid down. In the
Amendment 48 #
Proposal for a directive Recital 16 (16) Member States, in coordination with their own national security authorities, should designate authorities competent to supervise the application of and, where necessary, enforce the rules of this Directive and ensure that those authorities are adequately empowered and resourced. In view of the
Amendment 49 #
Proposal for a directive Recital 16 (16) Member States should designate authorities competent to supervise the application of and, where necessary, enforce the rules of this Directive and ensure that those authorities are adequately empowered and resourced. In view of the differences in national governance structures and in order to safeguard already existing
Amendment 50 #
Proposal for a directive Recital 18 (18) Given that under the NIS 2 Directive entities identified as critical entities, as well as identified entities in the digital infrastructure sector that are to be treated as equivalent under the present Directive are subject to the cybersecurity requirements of the NIS 2 Directive, the competent authorities designated under the two Directives should cooperate, particularly in relation to cybersecurity risks and incidents affecting those entities. In particular Member States, in the transposition acts for NIS 2 Directive and this Directive, should provide measures to avoid double reporting and control, to ensure strategies and requirements are complementary and that entities can benefit from simplified enforcement and reporting conditions.
Amendment 51 #
Proposal for a directive Recital 19 (19) Member States should support critical entities in strengthening their resilience, in compliance with their obligations under this Directive, without prejudice to the entities’ own legal responsibility to ensure such compliance. Member States
Amendment 52 #
Proposal for a directive Recital 20 (20) In order to be able to ensure their resilience, critical entities should have a comprehensive understanding of all relevant risks to which they are exposed and analyse those risks. To that aim, they should carry out risks assessments, whenever necessary in view of their particular circumstances and the evolution of those risks, yet in any event every four years. The risk assessments by critical entities should be based on the risk assessment carried out by Member States, in close cooperation with police, defence and national security authorities.
Amendment 53 #
Proposal for a directive Recital 20 a (new) (20a) Member States should be free to choose which entities they want to list as "critical", thereby respecting the fact that security matters fully remain a competence of Member States.
Amendment 54 #
Proposal for a directive Recital 24 (24) The risk of employees of critical entities misusing for instance their access rights within the entity’s organisation to harm and cause damage is of increasing concern. That risk is exacerbated by the intensity of hybrid threats, which are increasingly difficult to track and identify, and by the growing phenomenon of radicalisation leading to violent extremism and terrorism. It is therefore necessary to enable critical entities to request background checks on persons falling within specific categories of its personnel and to ensure that those requests are assessed expeditiously by the relevant authorities, in accordance with the applicable rules of Union and national law, including on the protection of personal data. Specific training for employees and operators should be developed.
Amendment 55 #
Proposal for a directive Recital 25 (25) Critical entities should notify, as soon as reasonably possible under the given circumstances, Member States’ competent authorities of incidents that significantly disrupt or have the potential to significantly disrupt their operations. The notification should allow the competent authorities to respond to the incidents rapidly and adequately to prevent even worse consequences and to have a comprehensive overview of the overall risks that critical entities face. For that purpose, a procedure should be established for the notification of certain incidents and parameters should be
Amendment 56 #
Proposal for a directive Article 1 – paragraph 1 – point a (a) lays down obligations for Member States to take certain measures aimed at ensuring the provision in the internal market of services essential for the maintenance of vital societal functions or economic activities, in particular to identify critical entities and entities to be treated as equivalent in certain respects, and to enable them to meet their obligations, especially if they are particularly vulnerable;
Amendment 57 #
Proposal for a directive Article 1 – paragraph 1 – point a (a) lays down obligations for Member States to take certain measures aimed at ensuring the continuous provision in the internal market of services essential for the maintenance of vital societal functions or economic activities, in particular to identify critical entities and entities to be treated as equivalent in certain respects, and to enable them to meet their obligations;
Amendment 58 #
Proposal for a directive Article 1 – paragraph 1 – point b (b) establishes obligations for critical entities aimed at enhancing their resilience and improving their ability to provide those services in the internal market and, in the event of an interruption, to quickly limit any damage or consequences in consultation with the designated national authorities;
Amendment 59 #
Proposal for a directive Article 1 – paragraph 2 2. This Directive shall not apply to matters covered by Directive (EU) XX/YY [proposed Directive on measures for a high common level of cybersecurity across the Union; (‘NIS 2 Directive’)],
Amendment 60 #
Proposal for a directive Article 2 – paragraph 1 – point 7 a (new) (7a) ‘security-critical technologies’ means the technologies needed to ensure that critical entities are resilient to hostile threats such as terrorism and hybrid threats.
Amendment 61 #
Proposal for a directive Article 3 – paragraph 2 – point a (a) strategic objectives and priorities for the purposes of enhancing the overall resilience of critical entities and their supply chain taking into account cross- border and cross-sectoral interdependencies;
Amendment 62 #
Proposal for a directive Article 3 – paragraph 2 – point b (b) a governance framework to achieve the strategic objectives and priorities, including a description of the roles and responsibilities of the different authorities, (public and private) critical entities and other parties involved in the implementation of the strategy, including, where necessary, police, defence and national security authorities;
Amendment 63 #
(c) a description of measures necessary to enhance the overall resilience of critical entities, including a national risk assessment, the identification of critical entities and of entities equivalent to critical entities, and the measures to support critical entities taken in accordance with this Chapter, including measures to establish a cooperation framework among stakeholders, including critical entities, operators and suppliers of technology solutions;
Amendment 64 #
Proposal for a directive Article 3 – paragraph 2 – point d a (new) (da) the identification of technological needs and gaps to be addressed to ensure that critical entities are resilient, including security-critical technologies such as secure communications, biometrics, artificial intelligence, autonomous vehicles and space observation.
Amendment 65 #
Proposal for a directive Article 3 – paragraph 3 3. Member States shall communicate their strategies, and any updates of their strategies, to the Commission within
Amendment 66 #
Proposal for a directive Article 3 – paragraph 3 a (new) 3a. When drafting their strategies, Member States may consult local and regional authorities and take into consideration local capacities .
Amendment 67 #
Proposal for a directive Article 4 – paragraph 1 – subparagraph 2 The risk assessment shall account for all relevant natural and man-made risks, including
Amendment 68 #
Proposal for a directive Article 4 – paragraph 2 – subparagraph 2 For the purposes of point (c) of the first subparagraph, Member States shall cooperate with the competent authorities of other Member States and third countries, as appropriate, as well as local and regional authorities.
Amendment 69 #
Proposal for a directive Article 6 – paragraph 1 – point c (c) the impacts that incidents could have, in terms of degree and duration, on economic and societal activities, the environment, public administration, health, energy supplies, national defence and public safety;
Amendment 70 #
Proposal for a directive Article 8 – paragraph 5 5. Member States shall ensure that their competent authorities, whenever appropriate, and in accordance with Union and national law, consult and cooperate with other relevant national authorities, including, where appropriate, local and regional authorities, in particular those in charge of civil protection, law enforcement and protection of personal data, as well as with relevant interested parties, including critical entities.
Amendment 71 #
Proposal for a directive Article 8 – paragraph 5 5. Member States shall ensure that their competent authorities, whenever appropriate, and in accordance with Union and national law, consult and cooperate with other relevant national authorities, in particular those in charge of national security, defence, civil protection, law enforcement and protection of personal data, as well as with relevant interested parties, including critical entities.
Amendment 72 #
Proposal for a directive Article 9 – paragraph 1 1. Member States shall support critical entities in enhancing their resilience, developing protocols, agreements, cooperation and exchange of information and expertise between the public and private sectors. That support may include developing guidance materials and methodologies, supporting the organisation of exercises to test their resilience and providing training to personnel of critical entities.
Amendment 73 #
Proposal for a directive Article 9 – paragraph 1 1. Member States shall support critical entities in enhancing their resilience. That support
Amendment 74 #
Proposal for a directive Article 9 – paragraph 1 a (new) 1a. Where necessary, Member States shall allocate additional resources to support critical entities to fulfil requirements of this Directive, in particular to cover additional costs associated with learning and training activities or employing additional staff for reporting, monitoring and reviewing.
Amendment 75 #
Proposal for a directive Article 9 – paragraph 3 3. Member States shall establish information sharing tools to support voluntary information sharing between critical entities, with the aim of increasing knowledge sharing and increased transparency within and between sectors, in relation to matters covered by this Directive, in accordance with Union and national law on, in particular, competition and protection of personal data.
Amendment 76 #
Proposal for a directive Article 10 – paragraph 2 The risk assessment shall account for all relevant risks referred to in Article 4(1) which could lead to the disruption of the provision of essential services, including an assessment of the international situation. It shall take into account any dependency of other sectors referred to in the Annex on the essential service provided by the critical entity, including in neighbouring Member States and third countries where relevant, and the impact that a disruption of the provision of essential services in one or more of those sectors may have on the essential service provided by the critical entity.
Amendment 77 #
Proposal for a directive Article 11 – paragraph 1 – point a (a) prevent incidents from occurring, including through disaster risk reduction
Amendment 78 #
Proposal for a directive Article 11 – paragraph 1 – point e (e) ensure adequate employee and training security management, including by setting out categories of personnel exercising critical functions, establishing access rights to sensitive areas, facilities and other infrastructure, and to sensitive information as well as identifying specific categories of personnel in view of Article 12;
Amendment 79 #
Proposal for a directive Article 11 – paragraph 1 – point f (f) raise awareness about and provide training on the measures referred to in points (a) to (e) among relevant personnel and operators.
Amendment 80 #
Proposal for a directive Article 12 – paragraph 2 – point c (c) cover possible links to extremist groups as well as previous employments, education and any gaps in education or employment in the person’s resume during at least the preceding five years and for a maximum of ten years
Amendment 81 #
Proposal for a directive Article 13 – paragraph 1 1. Member States shall ensure that critical entities only notif
Amendment 82 #
Proposal for a directive Article 13 – paragraph 2 – point -a (new) (-a) the impact on human life and the environmental consequences;
Amendment 83 #
Proposal for a directive Article 13 – paragraph 4 a (new) Amendment 84 #
Proposal for a directive Article 16 – paragraph 2 – subparagraph 1 2. The Critical Entities Resilience Group shall be composed of representatives of the Member States and the Commission. Where relevant for the performance of its tasks, the Critical Entities Resilience Group may invite representatives of interested parties to participate in its work, encouraging the active involvement of SMEs and civil society and trade unions for worker- related aspects such as training.
Amendment 85 #
Proposal for a directive Article 16 – paragraph 7 a (new) Amendment 86 #
Proposal for a directive Article 17 – paragraph 2 a (new) 2a. In order to receive and properly use the information received in accordance with Article 13(4a) the Commission shall keep a European registry of incidents and develop a common European reporting centre, with the aim of developing and sharing best practices and methodologies.
Amendment 87 #
Proposal for a directive Article 18 – paragraph 1 – subparagraph 1 a (new) In order to ensure mutual confidence between the competent authorities and critical entities, supervision shall be conducted in a clear and transparent way.
Amendment 88 #
Proposal for a directive Article 18 – paragraph 4 4. Member States shall ensure that the powers provided for in paragraphs 1, 2 and 3 can only be exercised subject to appropriate safeguards. Those safeguards shall guarantee, in particular, that such exercise takes place in an objective, transparent and proportionate manner and that the rights and legitimate interests of the critical entities affected are duly safeguarded, including their rights to be heard, of defence and to an effective remedy before an independent court.
Amendment 89 #
Proposal for a directive Article 22 – paragraph 2 The Commission shall periodically review the functioning of this Directive, and report to the European Parliament and to the Council. The report shall in particular assess the impact and added value of this Directive on ensuring the resilience of critical entities and whether the scope of the Directive should be extended to cover other sectors or subsectors. The first report shall be submitted by [six years after the entry into force of this Directive]
Amendment 90 #
Proposal for a directive Annex - Point 5. Health (new) Amendment 91 #
Proposal for a directive Annex - Point 8 a (new) source: 693.620
2021/06/01
IMCO
100 amendments...
Amendment 101 #
Proposal for a directive Recital 1 (1) Council Directive 2008/114/EC17 provides for a procedure for designating European critical infrastructures in the energy and transport sectors, the disruption or destruction of which would have significant cross-border impact on at least two Member States. That Directive focused exclusively on the protection of such infrastructures. However, the evaluation of Directive 2008/114/EC conducted in 201918 found that due to the increasingly interconnected and cross-border nature of operations using critical infrastructure, protective measures relating to individual assets alone are insufficient to prevent all disruptions from taking place. Therefore, it is necessary to shift the approach towards ensuring the resilience of critical entities, that is, their ability to mitigate, absorb, accommodate to and recover from incidents that have the potential to disrupt the operations of the critical entity and the functioning of the internal market. __________________ 17Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection (OJ L 345, 23.12.2008, p.75). 18 SWD(2019) 308.
Amendment 102 #
Proposal for a directive Recital 1 (1) Council Directive 2008/114/EC17 provides for a procedure for designating European critical infrastructures in the energy and transport sectors, the disruption or destruction of which would have significant cross-border impact on at least two Member States. That Directive focused exclusively on the protection of such infrastructures. However, the evaluation of Directive 2008/114/EC conducted in 201918 found that due to the increasingly interconnected and cross-border nature of operations using critical infrastructure, protective measures relating to individual assets alone are insufficient to prevent all disruptions from taking place. Therefore, it is necessary to shift the approach towards ensuring the resilience of critical entities, that is, their ability to mitigate, absorb, react to, accommodate to and recover from incidents that have the potential to disrupt the operations of the critical entity. __________________ 17Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection (OJ L 345, 23.12.2008, p.75). 18 SWD(2019) 308.
Amendment 103 #
Proposal for a directive Recital 2 (2) Despite existing measures at Union19 and national level aimed at supporting the protection of critical infrastructures in the Union, the entities operating those infrastructures are not adequately equipped to address current and anticipated future risks to their operations that may result in disruptions of the provision of services that are essential for the performance of vital societal functions or economic activities. This is due to a dynamic threat landscape with
Amendment 104 #
Proposal for a directive Recital 3 (3) Those growing interdependencies are the result of an increasingly cross-
Amendment 105 #
Proposal for a directive Recital 4 (4) The entities involved in the provision of essential services are increasingly subject to diverging requirements imposed under the laws of the Member States. The fact that some Member States have less stringent security requirements on these entities not only
Amendment 106 #
Proposal for a directive Recital 4 (4) The entities involved in the provision of essential services are increasingly subject to diverging requirements imposed under the laws of the Member States. The fact that some Member States have less stringent security requirements on these entities not only risks impacting negatively on the maintenance of vital societal functions or economic activities across the Union, it also leads to obstacles to the proper functioning of the internal market and it negatively affects consumers. Similar types of entities are considered as critical in some Member States but not in others, and those which are identified as critical are subject to divergent requirements in different Member States. This results in additional and unnecessary administrative burdens for companies operating across borders, notably for companies active in Member States with more stringent
Amendment 107 #
Proposal for a directive Recital 4 a (new) (4a) Due to the increased cross-sectoral and cross-border interdependencies between critical infrastructures, an incident in one Member State can seriously affect activities in another Member State. In order to achieve a high level of resilience of critical infrastructures across the Union, essential services or essential infrastructure should be equally strongly protected and resilient in all Member States. National measures alone are therefore insufficient in addressing risks and situations of disruption of essential services or essential infrastructure.
Amendment 108 #
Proposal for a directive Recital 4 b (new) (4b) Differences between national rules relating to the designation and oversight of critical infrastructures as well as differences in requirements may cause distortions of competition within the internal market. A European framework should therefore also have the effect of levelling the playing field for critical entities across the Union.
Amendment 109 #
Proposal for a directive Recital 5 (5) Since it is not practical to expect full and continuous critical infrastructure protection , the aim of this Directive should be to make critical infrastructures resilient thereby furthering their capacity to ensure continuous provision of essential services or essential infrastructure or at least to swiftly restore performance after an incident has taken place. Operators of critical infrastructures delivering essential services across the internal market in various sectors necessary for vital societal functions and economic activities, should become resilient against a range of natural and man-made, intentional or unintentional, current and anticipated future risks. It is therefore necessary to lay down harmonised minimum rules to ensure the provision of essential services in the internal market and enhance the resilience of critical entities.
Amendment 110 #
Proposal for a directive Recital 8 (8) Given the importance of cybersecurity for the resilience of critical entities and in the interest of consistency, a coherent approach between this Directive and Directive (EU) XX/YY of the European Parliament and of the Council20 [Proposed Directive on measures for a high common level of cybersecurity across the Union; (hereafter “NIS 2 Directive”)] is necessary wherever possible. In view of the higher frequency and particular characteristics of cyber risks, the NIS 2 Directive imposes comprehensive requirements on a large set of entities to ensure their cybersecurity. Given that cybersecurity is addressed sufficiently in the NIS 2 Directive, the matters covered by it should be excluded from the scope of this Directive, without prejudice to the particular regime for entities in the digital infrastructure sector. As a result, the supervision of entities identified as critical or equivalent to critical under this Directive, in matters that fall under the scope of the NIS2 Directive, will be a responsibility of the competent authorities designated under the NIS 2 Directive. __________________ 20[Reference to NIS 2 Directive, once adopted.]
Amendment 111 #
Proposal for a directive Recital 11 (11) The actions of Member States to identify and help ensure the resilience of critical entities should follow a risk-based approach that targets efforts to the entities most relevant for the performance of vital societal functions or economic activities. In order to ensure such a targeted approach, each Member State should carry out, within a harmonised framework, an assessment of all relevant natural and man- made risks that may affect the provision of essential services, including accidents, hybrid threats, natural disasters, public health emergencies such as pandemics, and antagonistic threats, including terrorist offences. When carrying out those risk assessments, Member States should take into account other general or sector- specific risk assessment carried out pursuant to other acts of Union law and should consider the dependencies between sectors, including from other Member States and third countries. The outcomes of the risk assessment should be used in the process of identification of critical entities and to assist those entities in meeting the resilience requirements of this Directive.
Amendment 112 #
Proposal for a directive Recital 12 (12) In order to ensure that all relevant entities are subject to those requirements and to reduce divergences in this respect, it is important to lay down harmonised rules allowing for a consistent identification of critical entities across the Union, while also
Amendment 113 #
Proposal for a directive Recital 12 (12) In order to ensure that all relevant entities are subject to those requirements and to reduce divergences in this respect, it is important to lay down harmonised rules allowing for a consistent identification of critical entities across the Union, while also allowing Member States to reflect national specificities in the relevant existing national sectors and subsectors on their territory listed in the Annex. Therefore, common criteria, based on minimum indicators and methodologies for each sector and sub-sector to identify
Amendment 114 #
Proposal for a directive Recital 12 a (new) (12a) The Commission should provide detailed guidelines to support Member States in identifying critical entities for each national sector and subsector referred to in the Annex and to avoid the risk of a heterogeneous implementation of the Directive.
Amendment 115 #
Proposal for a directive Recital 16 (16) In coordination with their national relevant authorities, Member States, should designate authorities competent to supervise the application of and, where necessary, enforce the rules of this Directive and ensure that those authorities are adequately empowered and resourced. In view of the differences in national governance structures and in order to safeguard already existing sectoral arrangements or Union supervisory and regulatory bodies, and to avoid duplication, Member States should be able to designate more than one competent authority. In that case, they should however clearly delineate the respective tasks of the authorities concerned and ensure that they cooperate smoothly and effectively. All competent authorities should also cooperate more generally with other relevant authorities, both at national and Union level.
Amendment 116 #
Proposal for a directive Recital 17 (17) In order to facilitate cross-border
Amendment 117 #
Proposal for a directive Recital 17 a (new) (17a) In order to facilitate the cooperation and communication with the Member States, entities identified as critical entities under this Directive should also designate a single point of contact within the entity. The single point of contact should be used by the critical entity to liaise, coordinate and communicate with the Member States, on measures related to the organisational and technical aspects related to the implementation of this Directive.
Amendment 118 #
Proposal for a directive Recital 18 (18) Given that under the NIS 2 Directive entities identified as critical entities, as well as identified entities in the digital infrastructure sector that are to be treated as equivalent under the present Directive are subject to the cybersecurity requirements of the NIS 2 Directive, the competent authorities designated under the two Directives should cooperate, particularly in relation to cybersecurity risks and incidents affecting those entities. Member States should pay particular attention when transposing this Directive and the NIS 2 Directive in order to ensure that the obligations imposed by each instrument are complementary and that entities can benefit from simplified enforcement conditions and reporting obligations.
Amendment 119 #
Proposal for a directive Recital 19 (19) Member States should support critical entities in strengthening their resilience, in compliance with their obligations under this Directive, without prejudice to the entities’ own legal responsibility to ensure such compliance. Member States could in particular develop guidance materials and methodologies
Amendment 120 #
Proposal for a directive Recital 20 (20) In order to be able to ensure their resilience, critical entities should have a comprehensive understanding of all relevant risks to which they are exposed and analyse those risks. To that aim, they should carry out risks assessments, whenever necessary in view of their particular circumstances and the evolution of those risks, yet in any event every four years. The risk assessments by critical entities should be based on the risk assessment carried out by Member States. They should also be based on common specifications and methodologies for each sector. They should include minimum indicators, in order to avoid further divergences between Member States, and contingency protocols.
Amendment 121 #
Proposal for a directive Recital 20 (20) In order to be able to ensure their resilience, critical entities should have a comprehensive understanding of all relevant risks to which they are exposed and analyse those risks. To that aim, they should carry out risks assessments, whenever necessary in view of their particular circumstances and the evolution of those risks, yet in any event every four years. The risk assessments by critical entities should be based on the risk assessment carried out by Member States, ensuring close cooperation between relevant authorities.
Amendment 122 #
Proposal for a directive Recital 24 (24) The risk of employees of critical entities misusing for instance their access rights within the entity’s organisation to harm and cause damage is of increasing concern. That risk is exacerbated by the growing intensity of hybrid threats, which are increasingly difficult to track and identify, but also by the phenomenon of radicalisation leading to violent extremism and terrorism. It is therefore necessary to enable critical entities to request background checks on persons falling within specific categories of its personnel and to ensure that those requests are assessed expeditiously by the relevant authorities, in accordance with the applicable rules of Union and national law, including on the protection of personal data. Specific trainings for employees and operators should be established.
Amendment 123 #
Proposal for a directive Recital 25 (25) Critical entities should notify, as soon as reasonably possible under the given circumstances, Member States’ competent authorities of incidents that
Amendment 124 #
Proposal for a directive Article 1 – paragraph 1 – introductory part 1. This Directive lays down measures with a view to achieve a high level of resilience of critical entities within the Union in order to ensure an effective provision of essential services and to improve the functioning of the internal market. To that end, this Directive:
Amendment 125 #
Proposal for a directive Article 1 – paragraph 1 – point a (a) lays down obligations for Member States to take certain measures aimed at ensuring the provision in the internal market of services essential for the maintenance of vital societal functions or economic activities, in particular to identify critical entities and entities to be treated as equivalent in certain respects, and to enable them to meet their obligations, especially if they are particularly vulnerable;
Amendment 126 #
Proposal for a directive Article 1 – paragraph 1 – point b (b) establishes obligations for critical entities aimed at enhancing their resilience and improving their ability to provide those services in the internal market, and, in the event of an interruption, to promptly limit the damage or mitigate possible consequences in consultation with the designated national authorities;
Amendment 127 #
Proposal for a directive Article 1 – paragraph 2 2. This Directive shall not apply to matters covered by Directive (EU) XX/YY [proposed Directive on measures for a high common level of cybersecurity across the Union; (‘NIS 2 Directive’)], without prejudice to Article 7. A coherent approach shall be ensured between these acts, such as by ensuring that entities under NIS 2 susceptible to being subject to obligations under this Directive, where possible, benefit from a single point of contact and a common set of rules.
Amendment 128 #
Proposal for a directive Article 1 – paragraph 4 4. Without prejudice to Article 346 TFEU, information that is confidential pursuant to Union and national rules, such as rules on business confidentiality, shall be exchanged with the Commission and other relevant authorities only where that exchange is necessary for the application of this Directive. The information exchanged shall be limited to that which is relevant and proportionate to the purpose of that exchange. The exchange of information shall preserve the confidentiality of that information and protect the security and commercial interests of
Amendment 129 #
Proposal for a directive Article 2 – paragraph 1 – point 2 (2) “resilience” means the ability to prevent, resist, manage, mitigate, absorb, accommodate to and recover from an incident that disrupts or has the potential to disrupt the operations of a critical entity;
Amendment 130 #
Proposal for a directive Article 2 – paragraph 1 – point 3 (3) “incident” means any event
Amendment 131 #
Proposal for a directive Article 2 – paragraph 1 – point 5 (5) “essential service” means a service which is essential for the wellbeing of citizens and the maintenance of vital societal functions or economic activities and proper functioning of the internal market and the disruption of which would have a significant cross-sectoral or cross- border effect on the provision of that service, in on one or more Member States;
Amendment 132 #
Proposal for a directive Article 2 – paragraph 1 – point 5 (5) “essential service” means a service which is essential for the maintenance of vital societal functions or economic activities and the provision of that service or of other essential services would be significantly disrupted by an incident;
Amendment 133 #
Proposal for a directive Article 2 – paragraph 1 – point 6 (6) “risk” means any circumstance or event having a potential adverse effect on the resilience of critical entities; regular business risk to operations derived from market conditions, or risk derived from democratic decision-making shall not be considered as a "risk" within the meaning of this Directive.
Amendment 134 #
Proposal for a directive Article 2 – paragraph 1 – point 7 (7) “risk assessment” means a methodology to determine the nature and extent of a risk by a
Amendment 135 #
Proposal for a directive Article 3 – paragraph 1 1. Each Member State shall adopt by [t
Amendment 136 #
Proposal for a directive Article 3 – paragraph 2 – point a (a) strategic objectives and priorities for the purposes of enhancing the overall resilience of critical entities taking into account cross-border and cross-sectoral interdependencies and the connections in the supply chains;
Amendment 137 #
Proposal for a directive Article 3 – paragraph 2 – point c (c) a description of measures necessary to enhance the overall resilience of critical entities, including a national risk assessment, the identification of critical entities and of entities equivalent to critical entities, and the measures to support critical entities taken in accordance with this Chapter including measures to enhance cooperation between the public and private entities;
Amendment 138 #
Proposal for a directive Article 3 – paragraph 2 – point d a (new) (da) a policy framework addressing specific needs of SMEs in complying with obligations set by this Directive in relation to guidance and support in improving their resilience to non-cybersecurity threats and incentivising the adoption of necessary measures;
Amendment 139 #
Proposal for a directive Article 4 – paragraph 1 – subparagraph 1 Amendment 140 #
Proposal for a directive Article 4 – paragraph 1 – subparagraph 1 Competent authorities designated pursuant to Article 8 shall establish a list of essential services in the sectors referred to in the Annex. They shall carry out by [three years after entry into force of this Directive], and subsequently where necessary, and at least every four years, an assessment of all relevant risks
Amendment 141 #
Proposal for a directive Article 4 – paragraph 1 – subparagraph 2 The risk assessment shall account for all relevant natural and man-made risks, including accidents, hybrid threats, natural disasters, public health emergencies, antagonistic threats, including terrorist offences pursuant to Directive (EU) 2017/541 of the European Parliament and of the Council34 . __________________ 34Directive (EU) 2017/541 of the European Parliament and of the Council of 15 March 2017 on combating terrorism and replacing Council Framework Decision 2002/475/JHA and amending Council Decision 2005/671/JHA (OJ L 88, 31.3.2017, p. 6).
Amendment 142 #
Proposal for a directive Article 4 – paragraph 2 – point c (c) any risks arising from the dependencies between the sectors referred
Amendment 143 #
Proposal for a directive Article 4 – paragraph 2 – subparagraph 2 For the purposes of point (c) of the first subparagraph, Member States shall closely cooperate with the Commission and the competent authorities of other Member States and third countries
Amendment 144 #
Proposal for a directive Article 4 – paragraph 4 4. Each Member State shall provide the Commission with data on the types of risks identified and the outcomes of the risk assessments, per sector and sub-sector referred to in the Annex, by [three years after entry into force of this Directive] and subsequently where necessary and at least every f
Amendment 145 #
Proposal for a directive Article 4 – paragraph 5 5. The Commission
Amendment 146 #
Proposal for a directive Article 5 – paragraph 1 a (new) 1a. The European Commission may issue recommendations to Member States to identify specific essential services, infrastructures and the entities providing them and include them in their list of critical entities.
Amendment 147 #
Proposal for a directive Article 5 – paragraph 2 – point c Amendment 148 #
Proposal for a directive Article 5 – paragraph 2 – subparagraph 1 a (new) The Commission shall provide detailed guidelines to support Member States in identifying critical entities for each sector, subsector and types of entities referred to in the Annex.
Amendment 149 #
Proposal for a directive Article 5 – paragraph 3 – subparagaph 1 Each Member State shall establish a list of the critical entities identified and ensure that those critical entities are notified of their identification as critical entities within
Amendment 150 #
Proposal for a directive Article 5 – paragraph 3 – subparagraph 1 a (new) When establishing the list of critical entities under this Directive, Member States shall develop a coherent approach in relation to the NIS 2 Directive, taking into account its scope. Member States shall ensure that essential entities falling in Annex I of the NIS 2 Directive, but that are not identified as critical entities under this Directive, enhance, where appropriate, the resilience of their essential services to non-cybersecurity attacks, threats or incidents.
Amendment 151 #
Proposal for a directive Article 5 – paragraph 6 6. For the purposes of Chapter IV, Member States shall ensure that critical entities, following the notification referred in paragraph 3, provide information to their competent authorities designated pursuant to Article 8 of this Directive on whether they provide essential services to or in more than one
Amendment 152 #
Proposal for a directive Article 5 – paragraph 6 6. For the purposes of Chapter IV, Member States shall ensure that critical entities, following the notification referred in paragraph 3, provide information to their competent authorities designated pursuant to Article 8 of this Directive on whether they provide essential services to or in more than
Amendment 153 #
Proposal for a directive Article 6 – paragraph 1 – introductory part 1. When determining the significance of a disruptive effect as referred to in point (
Amendment 154 #
Proposal for a directive Article 6 – paragraph 1 – point c (c) the impacts that incidents could have, in terms of degree and duration, on economic and societal activities, the environment
Amendment 155 #
Proposal for a directive Article 6 – paragraph 1 – point e (e) the geographic area that could be affected by an incident, including any cross-border and cross-sector impacts;
Amendment 156 #
Proposal for a directive Article 6 – paragraph 1 – point e a (new) (ea) the vulnerability associated with the degree of isolation of certain types of geographic areas, such as insular regions, outermost regions or mountainous areas;
Amendment 157 #
Proposal for a directive Article 6 – paragraph 2 – point b a (new) (ba) the geographical coverage of the services provided by the critical entities in each sector, including information on any cross-border impacts;
Amendment 158 #
Proposal for a directive Article 8 – paragraph 3 3. By [three years and six months after entry into force of this Directive], and every year thereafter, the single points of contact shall submit a summary report to the
Amendment 159 #
Proposal for a directive Article 9 – paragraph 1 1. Member States shall support critical entities in enhancing their resilience and also in developing specific protocols, agreements, cooperation and exchange of information and expertise between the public and the private sector. That support may include developing guidance materials and methodologies, supporting the organisation of exercises to test their resilience and providing training to personnel of critical entities.
Amendment 160 #
Proposal for a directive Article 9 – paragraph 1 1. Member States shall support critical entities in enhancing their resilience. That support may include developing guidelines and guidance materials and methodologies, supporting the organisation of exercises to test their resilience and providing periodic training to personnel of critical entities.
Amendment 161 #
Proposal for a directive Article 10 – paragraph 2 The risk assessment shall account for all relevant risks referred to in Article 4(1) which could lead to the disruption of the provision of essential services which would hinder the proper functioning of the internal market. It shall take into account any dependency of other sectors referred to in the Annex on the essential service provided by the critical entity, including in neighbouring Member States and third countries where relevant, and the impact that a disruption of the provision of essential services in one or more of those sectors may have on the essential service provided by the critical entity.
Amendment 162 #
Proposal for a directive Article 10 – paragraph 2 The risk assessment shall account for all relevant risks referred to in Article 4(1) which could lead to the disruption of the provision of essential services, including an assessment of the international situation. It shall take into account any dependency of other sectors referred to in the Annex on the essential service provided by the critical entity, including in neighbouring Member States and third countries where relevant, and the impact that a disruption of the provision of essential services in one or more of those sectors may have on the essential service provided by the critical entity.
Amendment 163 #
Proposal for a directive Article 10 – paragraph 2 The risk assessment shall account for all relevant risks referred to in Article 4(1) which could lead to the disruption of the provision of essential services. It shall take into account any dependency of other sectors referred to in the Annex on the essential service provided by the critical entity, including in
Amendment 164 #
Proposal for a directive Article 11 – paragraph 1 – point a (a) prevent incidents from occurring, including through disaster risk reduction, protection from hybrid threats and climate adaptation measures;
Amendment 165 #
Proposal for a directive Article 11 – paragraph 1 – point e (e) ensure adequate employee security management and training, including by setting out categories of personnel exercising critical functions, establishing access rights to sensitive areas, facilities and other infrastructure, and to sensitive information as well as identifying specific categories of personnel in view of Article 12;
Amendment 166 #
Proposal for a directive Article 11 – paragraph 1 – point f (f) raise awareness and train employees and operators about the measures referred to in points (a) to (e) among relevant personnel.
Amendment 167 #
Proposal for a directive Article 11 – paragraph 1 – point f (f) raise awareness about the measures
Amendment 168 #
Proposal for a directive Article 11 – paragraph 2 2. Member States shall ensure that critical entities have in place and apply a resilience plan or equivalent document or documents
Amendment 169 #
Proposal for a directive Article 11 – paragraph 2 a (new) 2a. Member States shall ensure that critical entities designate within three months after receiving the notification referred to in Article 5(3), a single point of contact to exercise a liaison function with the Member States on issues related to the technical and organisational measures referred to in paragraph 1.
Amendment 170 #
Proposal for a directive Article 11 – paragraph 4 Amendment 171 #
Proposal for a directive Article 12 – paragraph 1 1. Member States shall ensure that critical entities may submit requests for background checks on persons who fall within certain specific categories of their personnel, including persons being considered for recruitment to positions falling within those categories, and that those requests are assessed expeditiously by the authorities competent to carry out such background checks. Those persons shall be informed in advance about the checks, including general information about how, when and by whom the checks will be carried out.
Amendment 172 #
Proposal for a directive Article 12 – paragraph 2 – point c (c) in exceptional cases, when deemed necessary by Member States, cover previous employments, education and any gaps in education or employment in the person’s resume during a
Amendment 173 #
Proposal for a directive Article 12 – paragraph 2 a (new) 2a. The background checks referred to in paragraph 1 shall fully respect the requirements under Union and national law. The results communicated to the entity should be limited to what is strictly necessary to achieve the aims of the background check.
Amendment 174 #
Proposal for a directive Article 13 – paragraph 1 1. Member States shall ensure that critical entities notify without undue delay, but no later than 24 hours after the detection of the incident the competent authority of incidents that significantly disrupt or have the potential to significantly disrupt their operations. Notifications shall include any available information necessary to enable the competent authority to understand the nature, cause and possible consequences of the incident, including so as to determine any cross-border impact of the incident. Such notification shall not make the critical entities subject to increased liability.
Amendment 175 #
Proposal for a directive Article 13 – paragraph 1 – subparagraph 1 a (new) If the incident has, or may have, a significant impact on critical entities or the continuity of the provision of essential services in more than three Member States, critical entities of particular European significance shall additionally notify such incidents to the Commission. The Commission shall inform the Critical Entities Resilience Group of any such notifications without undue delay. The Commission and the Critical Entities Resilience Group shall, in accordance with Union law, treat the information in a way that respects its confidentiality and protects the security and commercial interest of the critical entity concerned.
Amendment 176 #
Proposal for a directive Article 13 – paragraph 1 a (new) 1a. The information provided has to be treated swiftly by the competent authorities in a way that respects its confidentiality and protects the security and commercial interest of the critical entity concerned.
Amendment 177 #
Proposal for a directive Article 13 – paragraph 2 – point a (a) the number of individual and business users affected by the disruption or potential disruption;
Amendment 178 #
Proposal for a directive Article 13 – paragraph 2 – point a (a) the estimated number of users affected by the disruption or potential disruption;
Amendment 179 #
Proposal for a directive Article 13 – paragraph 2 – point c a (new) (ca) the degree of isolation of the areas affected by the incident, and in particular if it affects insular and outermost regions or mountainous areas;
Amendment 180 #
Proposal for a directive Article 13 – paragraph 2 – point c a (new) (ca) the impact on the functioning of the internal market
Amendment 181 #
Proposal for a directive Article 13 – paragraph 2 – point c a (new) (ca) any impact on human life or the environment.
Amendment 182 #
Proposal for a directive Article 13 – paragraph 3 – subparagraph 2 In so doing, the competent authorities and single points of contact shall, in accordance with Union law or national legislation that complies with Union law, treat the information in a way that respects its confidentiality and protects the security and commercial interest of the critical entity concerned.
Amendment 183 #
Proposal for a directive Article 13 – paragraph 4 – subparagraph 1 a (new) The competent authority shall inform the public of the incident where it determines that it would be in the public interest to do so. The competent authority shall ensure that critical entities inform users of their services that could be affected by the incident and where relevant, of any possible safety measures or remedies.
Amendment 184 #
Proposal for a directive Article 14 – paragraph 2 2. An entity shall be considered a critical entity of particular European
Amendment 185 #
Proposal for a directive Article 14 – paragraph 2 2. An entity shall be considered a critical entity of particular European significance when it has been identified as a critical entity and it provides essential services to or in more than
Amendment 187 #
Proposal for a directive Article 15 – paragraph 1 – subparagraph 1 Upon request of one or more Member States
Amendment 188 #
Proposal for a directive Article 15 – paragraph 2 2. Upon request of one or more Member States,
Amendment 189 #
Proposal for a directive Article 15 – paragraph 3 – subparagraph 2 The Critical Entities Resilience Group shall analyse the report and, where necessary, shall advise the Member States and the Commission on whether the critical entity of particular European significance concerned complies with its obligations pursuant to Chapter III and, where appropriate, which measures could be taken to improve the resilience of that entity.
Amendment 190 #
Proposal for a directive Article 15 – paragraph 4 – subparagraph 1 Each advisory mission shall consist of experts from Member States and of Commission representatives. Member States may propose candidates to be part of an advisory mission. The Commission shall select and appoint the members of each advisory mission according to their professional capacity and ensuring a geographically balanced representation among Member States, including at least one from the Member State in which the critical entity is located. The Commission shall bear the costs related to the participation in the advisory mission.
Amendment 191 #
Proposal for a directive Article 16 – paragraph 2 – subparagraph 1 The Critical Entities Resilience Group shall be composed of representatives of the Member States and the Commission. Where relevant for the performance of its tasks, the Critical Entities Resilience Group may invite representatives of interested parties and stakeholders to participate in its work.
Amendment 192 #
Proposal for a directive Article 16 – paragraph 3 – point a (a) supporting the Commission in assisting Member States in reinforcing their capacity to contribute to ensuring the resilience of critical entities in accordance with this Directive and promoting its uniform implementation in the Member States;
Amendment 193 #
Proposal for a directive Article 16 – paragraph 3 – point b (b) evaluating the national strategies on the resilience of critical entities referred to in Article 3, the Member States preparedness and identifying best practices in respect of those strategies;
Amendment 194 #
Proposal for a directive Article 16 – paragraph 3 – point b a (new) (ba) exchanging information on political priorities and key challenges relating to the resilience of critical entities;
Amendment 195 #
Proposal for a directive Article 16 – paragraph 3 – point c (c) facilitating the exchange of information and best practices with regard to the identification of critical entities by the Member States in
Amendment 196 #
Proposal for a directive Article 16 – paragraph 3 – point h a (new) (ha) promoting and supporting coordinated risk assessments and joint actions among critical entities;
Amendment 197 #
Proposal for a directive Article 16 – paragraph 3 – point h a (new) (ha) publishing relevant findings from its work, to facilitate academic and security research.
Amendment 198 #
Proposal for a directive Article 16 – paragraph 4 4. By [12
Amendment 199 #
Proposal for a directive Article 16 – paragraph 7 7. The Commission shall provide to the Critical Entities Resilience Group a summary report of the information provided by the Member States pursuant to Articles 3(3) and 4(4) by [three years and six months after entry into force of this Directive] and subsequently where necessary and at least every four years. The Commission shall regularly publish a summary report of the activities of the Critical Entities Resilience Group.
Amendment 200 #
Proposal for a directive Article 21 – paragraph 6 6. A delegated act adopted pursuant to Article 11(4) shall enter into force only if no objection has been expressed either by the European Parliament or by the Council within a period of t
source: 692.785
2021/06/17
LIBE
225 amendments...
Amendment 100 #
Proposal for a directive Recital 25 (25) Critical entities should notify, as soon as reasonably possible under the given circumstances, Member States’ competent authorities of incidents that
Amendment 101 #
Proposal for a directive Recital 26 (26) While critical entities generally operate as part of an increasingly interconnected network of service provision and infrastructures and often provide essential services in more than one Member State, some of those entities are of particular significance for the Union because they provide essential services to
Amendment 102 #
Proposal for a directive Recital 26 (26) While critical entities generally operate as part of an increasingly interconnected network of service provision and infrastructures and often provide essential services in more than one Member State, some of those entities are of particular significance for the Union because they provide essential services to a
Amendment 103 #
Proposal for a directive Recital 33 (33) Since the objectives of this Directive, namely to ensure the provision
Amendment 104 #
Proposal for a directive Recital 33 a (new) (33a) This Directive complies with the Charter of Fundamental Rights of the European Union (the ‘Charter’). Obligations put on the Member States should not have the effect of putting in place measures that do not fully comply with the Charter.
Amendment 105 #
Proposal for a directive Article 1 – paragraph 1 – introductory part 1. This Directive
Amendment 106 #
Proposal for a directive Article 1 – paragraph 1 – point a (a) lays down obligations for Member States to take certain measures aimed at protecting people and ensuring the provision in the internal market of services essential for the maintenance of vital societal functions or economic activities, in particular to identify critical entities and entities to be treated as equivalent in certain respects, and to enable them to meet their obligations;
Amendment 107 #
Proposal for a directive Article 1 – paragraph 1 – point a (a) lays down obligations for Member States to take
Amendment 108 #
Proposal for a directive Article 1 – paragraph 1 – point b (b) establishes rights and obligations for critical entities aimed at enhancing their resilience and improving their ability to provide those services in the internal market;
Amendment 109 #
Proposal for a directive Article 1 – paragraph 1 – point c (c) establishes harmonised rules on supervision and enforcement of critical entities, and specific oversight of critical entities considered to be of particular European significance.
Amendment 110 #
Proposal for a directive Article 1 – paragraph 4 4. Without prejudice to Article 346 TFEU, information that is confidential pursuant to Union and national rules, such as rules on business confidentiality, shall be exchanged with the Commission and other relevant authorities only where that exchange is necessary for the application of this Directive. The information exchanged shall be limited to that which is relevant and proportionate to the purpose of that exchange. The exchange of information shall preserve the confidentiality of that information and protect the security
Amendment 111 #
Proposal for a directive Article 2 – paragraph 1 – point 1 (1) “critical entity” means a
Amendment 112 #
Proposal for a directive Article 2 – paragraph 1 – point 1 (1) “critical entity” means a public or private entity of a type referred to in the Annex, which has been identified as such by a Member State or the Commission in accordance with Article 5;
Amendment 113 #
Proposal for a directive Article 2 – paragraph 1 – point 2 (2) “resilience” means the ability to prevent, resist, mitigate, manage, absorb, accommodate to and recover from an incident that disrupts or has the potential to disrupt the operations of a critical entity;
Amendment 114 #
Proposal for a directive Article 2 – paragraph 1 – point 3 (3) “incident” means any event
Amendment 115 #
Proposal for a directive Article 2 – paragraph 1 – point 3 (3) “incident” means any event having the potential to disrupt, or that disrupts
Amendment 116 #
Proposal for a directive Article 2 – paragraph 1 – point 4 (4) “infrastructure” means
Amendment 117 #
Proposal for a directive Article 2 – paragraph 1 – point 5 (5) “essential service” means a service which is essential for the wellbeing of the people and for the maintenance of vital societal functions or economic activities, public safety, protecting the environment or the rule of law;
Amendment 118 #
Proposal for a directive Article 2 – paragraph 1 – point 5 (5) “essential service” means a service which is essential for the maintenance of vital societal functions or economic activities, public safety, the environment, the rule of law or fundamental rights;
Amendment 119 #
Proposal for a directive Article 2 – paragraph 1 – point 6 (6) “risk” means any circumstance or event having a potential adverse effect on the resilience of critical entities with respect to the proper functioning of the essential services they provide;
Amendment 120 #
Proposal for a directive Article 2 – paragraph 1 – point 6 (6) “risk” means any circumstance or event having a potential adverse effect on the
Amendment 121 #
Proposal for a directive Article 2 – paragraph 1 – point 6 (6) “risk” means any circumstance or event having a potential adverse effect on the
Amendment 122 #
Proposal for a directive Article 2 – paragraph 1 – point 6 (6) “risk” means any vulnerability, circumstance or event having a potential adverse effect on the resilience of critical entities;
Amendment 123 #
Proposal for a directive Article 2 – paragraph 1 – point 7 (7) “risk assessment” means a methodology to determine the nature and extent of a risk by a
Amendment 124 #
Proposal for a directive Article 2 – paragraph 1 – point 7 (7) “risk assessment” means a methodology to determine the nature and extent of a risk by analysing potential threats and hazards and evaluating existing conditions of vulnerability that could disrupt the
Amendment 125 #
Proposal for a directive Article 2 – paragraph 1 – point 7 a (new) (7a) "Security Liaison Officer" means a point of contact for security related issues between the owner or operator of the critical entity and the relevant Member State authority.
Amendment 126 #
Proposal for a directive Article 3 – paragraph 1 1.
Amendment 127 #
Proposal for a directive Article 3 – paragraph 1 1. Each Member State shall adopt by [
Amendment 128 #
Proposal for a directive Article 3 – paragraph 1 – subparagraph 1 a (new) Where in a Member State several regional strategies are adopted, the provisions of this Article shall apply mutatis mutandis.
Amendment 129 #
Proposal for a directive Article 3 – paragraph 2 – point a (a) strategic objectives and priorities for the purposes of enhancing the overall
Amendment 130 #
Proposal for a directive Article 3 – paragraph 2 – subparagraph 1– point b (b) a governance framework to achieve the strategic objectives and priorities, including a description of the roles and responsibilities of the different authorities, critical entities (public and private) and other parties involved in the implementation of the strategy
Amendment 131 #
Proposal for a directive Article 3 – paragraph 2 – subparagraph 1 – point d (d) a policy framework for enhanced coordination between the competent authorities designated pursuant to Article 8 of this Directive and pursuant to [the NIS 2 Directive]
Amendment 132 #
Proposal for a directive Article 3 – paragraph 2 – subparagraph 1 – point d a (new) (da) a policy framework addressing the specific needs of critical entities, taking into account the specificities of the sector and the nature of the critical entities, such as public or private entities and large, small or medium-sized enterprises);
Amendment 133 #
Proposal for a directive Article 3 – paragraph 2 – subparagraph 1 – point d a (new) (da) a policy framework addressing the specific needs and characteristics of small and medium-sized enterprises identified as critical entities to improve their resilience;
Amendment 134 #
Proposal for a directive Article 3 – paragraph 2 – subparagraph 1 – point d a (new) (da) a list of all national and cross- border authorities involved in the implementation of the strategy on multiple and inter-dependent sectors;
Amendment 135 #
Proposal for a directive Article 3 – paragraph 2 – subparagraph 2 Amendment 136 #
Proposal for a directive Article 3 – paragraph 2 – subparagraph 2 The strategy shall be updated where necessary and shall be completely reviewed at least every four years.
Amendment 137 #
Proposal for a directive Article 3 – paragraph 2 – subparagraph 2 The strategy shall be updated where necessary and at least every
Amendment 138 #
Proposal for a directive Article 4 – paragraph 1 – subparagraph 1 1. Competent authorities designated pursuant to Article 8 shall establish a list of essential services in the sectors referred to in the Annex. They shall carry out by [three years after entry into force of this Directive], and subsequently where necessary, and at least every four years, an assessment, based on common specifications and methodologies containing specific indicators established for each sector covered, of all relevant risks that may affect the provision of those essential services, with a view to identifying critical entities in accordance with Article 5(1), and assisting those critical entities to take measures pursuant to Article 11.
Amendment 139 #
Proposal for a directive Article 4 – paragraph 1 – subparagraph 1 1. Competent authorities designated pursuant to Article 8 shall establish, in close coordination with the Commission, a list of essential services in the sectors referred to in the Annex. They shall carry out by [three years after entry into force of this Directive], and subsequently where necessary, and at least every four years, an assessment of all relevant risks that may affect the provision of those essential services, with a view to identifying critical entities in accordance with Article 5(1), and assisting those critical entities to take measures pursuant to Article 11.
Amendment 140 #
Proposal for a directive Article 4 – paragraph 1 – subparagraph 1 1. Competent authorities designated pursuant to Article 8 shall establish a list of essential services in the sectors referred to in the Annex. They shall carry out by [
Amendment 141 #
Proposal for a directive Article 4 – paragraph 1 – subparagraph 2 The risk assessment shall account for all relevant natural and man-made risks, including accidents, natural disasters, public health emergencies, antagonistic threats, including threats from and sabotage by insiders, as well as terrorist offences pursuant to Directive (EU) 2017/541 of the European Parliament and of the Council34 . _________________ 34Directive (EU) 2017/541 of the European Parliament and of the Council of 15 March 2017 on combating terrorism and replacing Council Framework Decision 2002/475/JHA and amending Council Decision 2005/671/JHA (OJ L 88, 31.3.2017, p. 6).
Amendment 142 #
Proposal for a directive Article 4 – paragraph 1 – subparagraph 2 The risk assessment shall account for all relevant natural and man-made risks, including accidents, natural disasters, public health emergencies, antagonistic threats, including terrorist offences pursuant to Title II of the Directive (EU) 2017/541 of the European Parliament and of the Council34 . _________________ 34Directive (EU) 2017/541 of the European Parliament and of the Council of 15 March 2017 on combating terrorism and replacing Council Framework Decision 2002/475/JHA and amending Council Decision 2005/671/JHA (OJ L 88, 31.3.2017, p. 6).
Amendment 143 #
Proposal for a directive Article 4 – paragraph 1 – subparagraph 2 The risk assessment shall account for all relevant natural and man-made risks, including accidents, hybrid threats, natural disasters, public health emergencies, antagonistic threats, including terrorist offences pursuant to Directive (EU) 2017/541 of the European Parliament and of the Council34 . _________________ 34Directive (EU) 2017/541 of the European Parliament and of the Council of 15 March 2017 on combating terrorism and replacing Council Framework Decision
Amendment 144 #
Proposal for a directive Article 4 – paragraph 2 – subparagraph 2 For the purposes of point (c) of the first subparagraph, Member States shall cooperate with the competent authorities of other Member States
Amendment 145 #
Proposal for a directive Article 4 – paragraph 4 4. Each Member State shall provide the Commission with data on the types of risks identified and the outcomes of the risk assessments, per sector and sub-sector referred to in the Annex, by [
Amendment 146 #
Proposal for a directive Article 4 – paragraph 5 5. The Commission
Amendment 147 #
Proposal for a directive Article 4 – paragraph 5 5. The Commission
Amendment 148 #
Proposal for a directive Article 5 – paragraph 1 1. By [three years and three months after entry into force of this Directive] Member States shall identify for each
Amendment 149 #
Proposal for a directive Article 5 – paragraph 1 1. By [three years and three months after entry into force of this Directive] Member States shall identify for each sector and subsector referred to in the Annex, other than points
Amendment 150 #
Proposal for a directive Article 5 – paragraph 1 1. By [
Amendment 151 #
Proposal for a directive Article 5 – paragraph 2 – point b (b)
Amendment 152 #
Proposal for a directive Article 5 – paragraph 2 – point c (c) an incident would have significant disruptive effects on the provision of the essential service or of other essential services in the sectors referred to in the Annex that depend on the service.
Amendment 153 #
Proposal for a directive Article 5 – paragraph 5 5. Following the notification referred in paragraph 3, Member States shall ensure that critical entities provide information to their competent authorities designated pursuant to Article 8 of this Directive on whether they have been identified as a critical entity in one or more other Member States. Where an entity has been identified as critical by two or more Member States, these Member States shall engage in
Amendment 154 #
Proposal for a directive Article 5 – paragraph 5 5.
Amendment 155 #
Proposal for a directive Article 5 – paragraph 6 6. For the purposes of Chapter IV, Member States shall ensure that critical entities, following the notification referred in paragraph 3, provide information to their
Amendment 156 #
Proposal for a directive Article 5 – paragraph 6 6. For the purposes of Chapter IV, Member States shall ensure that critical entities, following the notification referred in paragraph 3, provide information to their competent authorities designated pursuant to Article 8 of this Directive on whether they provide essential services to or in more than
Amendment 157 #
Proposal for a directive Article 5 – paragraph 6 6. For the purposes of Chapter IV, Member States shall ensure that critical entities, following the notification referred
Amendment 158 #
Proposal for a directive Article 5 – paragraph 7 – subparagraph 1 7. Member States shall, where necessary and in any event at least every
Amendment 159 #
Proposal for a directive Article 5 – paragraph 7 – subparagraph 2 Where those updates lead to the identification of additional critical entities, paragraphs 3, 4, 5 and 6 shall apply. In addition, Member States shall ensure that entities that are no longer identified as critical entities pursuant to any such update are notified thereof and are informed in due time that they are no longer subject to the obligations pursuant to Chapter III as from
Amendment 160 #
Proposal for a directive Article 6 – paragraph 1 – point a (a) the number of users relying on the essential service provided by the entity;
Amendment 161 #
Proposal for a directive Article 6 – paragraph 1 – point a (a) the number of
Amendment 162 #
Proposal for a directive Article 6 – paragraph 1 – point b (b) the dependency of other sectors referred to in the Annex on that essential service;
Amendment 163 #
Proposal for a directive Article 6 – paragraph 1 – point c (c) the impacts that incidents could have, in terms of degree and duration, on the provision of essential services to the affected population, economic and societal activities, the environment and public safety;
Amendment 164 #
Proposal for a directive Article 6 – paragraph 1 – point c (c) the impacts that incidents could have, in terms of degree and duration, on economic and societal activities, the environment
Amendment 165 #
Proposal for a directive Article 6 – paragraph 1 – point c (c) the impacts that incidents could have, in terms of degree and duration, on economic and societal activities, the
Amendment 166 #
Proposal for a directive Article 6 – paragraph 1 – point f (f) the importance of the entity in maintaining a sufficient level of the essential service, taking into account the availability of alternative means for the provision of that essential service.
Amendment 167 #
Proposal for a directive Article 6 – paragraph 1 – point f a (new) (fa) the scarcity of the resources needed to produce components of the infrastructure necessary for the provision of the service.
Amendment 168 #
Proposal for a directive Article 6 – paragraph 2 – subparagraph 1 – introductory part 2. Member States shall submit to the Commission by [
Amendment 169 #
Proposal for a directive Article 6 – paragraph 2 – subparagraph 1 – point b (b) the number of critical entities identified for each sector and subsector referred to in the Annex, and
Amendment 170 #
Proposal for a directive Article 6 – paragraph 2 – subparagraph 2 They shall subsequently submit that information where necessary, and at least every
Amendment 171 #
Proposal for a directive Article 6 – paragraph 3 3. The Commission
Amendment 172 #
Proposal for a directive Article 6 – paragraph 3 3. The Commission
Amendment 173 #
Proposal for a directive Article 7 – paragraph 1 1. As regards the sectors referred to in points
Amendment 174 #
Proposal for a directive Article 7 – paragraph 1 1. As regards the sectors referred to in points 3, 4 and 8 of the Annex, Member States shall, by [
Amendment 175 #
Proposal for a directive Article 7 – paragraph 2 Amendment 176 #
Proposal for a directive Article 8 – paragraph 1 – subparagraph 1 1. Each Member State shall designate one or more competent authorities responsible for the correct application, and where necessary enforcement, of the rules of this Directive
Amendment 177 #
Proposal for a directive Article 8 – paragraph 1 – subparagraph 2 Where they designate more than one authority, they shall clearly set out the territorial delineation of competences and the respective tasks of the authorities concerned and ensure that they cooperate
Amendment 178 #
Proposal for a directive Article 8 – paragraph 1 a (new) 1a. The Commission shall publish recommendations on minimum requirements and guidelines on the functioning and governance of competent authorities.
Amendment 179 #
Proposal for a directive Article 8 – paragraph 2 2. Each Member State shall, within the competent authority, designate a single point of contact to exercise a liaison function to ensure cross-border cooperation with competent authorities of other Member States, with the Commission and with the Critical Entities Resilience Group referred to in Article 16 (‘single point of contact’).
Amendment 180 #
Proposal for a directive Article 8 – paragraph 2 a (new) 2a. Without prejudice to the provisions established under sector-specific legislative frameworks and the NIS 2 Directive, the single point of contact referred to in paragraph 2 shall be the sole point of contact for public and private critical entities operating cross-border services when reporting incidents or risks of incident happening within the Member State of the single point of contact, in order to ensure swift and simplified coordination of information.
Amendment 181 #
Proposal for a directive Article 8 – paragraph 3 3. By [
Amendment 182 #
Proposal for a directive Article 8 – paragraph 5 5. Member States shall ensure that their competent authorities,
Amendment 183 #
Proposal for a directive Article 8 – paragraph 5 5. Member States shall ensure that their competent authorities, whenever appropriate, and in accordance with Union and national law, consult and cooperate with other relevant national authorities and the competent authorities of other Member States, in particular those in charge of civil protection, law enforcement and protection of personal data, as well as with relevant interested parties, including critical entities.
Amendment 184 #
Proposal for a directive Article 8 – paragraph 5 5. Member States shall ensure that their competent authorities, whenever appropriate, and in accordance with Union and national law, consult and cooperate with other relevant national authorities, in particular those in charge of civil protection, law enforcement and protection of personal data, as well as with relevant interested parties, including academia, civil society and critical entities.
Amendment 185 #
Proposal for a directive Article 8 – paragraph 6 6. Member States shall ensure that their competent authorities designated pursuant to this Article cooperate with competent authorities of other Member States designated under this Directive and with the competent authorities designated pursuant to [the NIS 2 Directive], on cybersecurity risks and cyber incidents affecting critical entities, as well as the measures taken by competent authorities designated under [the NIS 2 Directive] relevant for critical entities.
Amendment 186 #
Proposal for a directive Article 8 – paragraph 6 6. Member States shall ensure that their competent authorities designated pursuant to this Article cooperate with competent authorities designated pursuant to [the NIS 2 Directive] on
Amendment 187 #
Proposal for a directive Article 8 – paragraph 7 7. Each Member State shall notify the Commission of the designation of the competent authority and single point of contact within
Amendment 188 #
Proposal for a directive Article 8 – paragraph 7 a (new) 7a. Each Member State shall implement an appropriate communication mechanism between the relevant Member State authority and the Security Liaison Officer or equivalent with the objective of exchanging relevant information concerning identified risks and threats in relation to the critical entities concerned. That communication mechanism shall be without prejudice to national requirements concerning access to sensitive and classified information.
Amendment 189 #
Proposal for a directive Article 8 – paragraph 8 8. The Commission shall publish a list of Member States’ single points of contacts
Amendment 190 #
Proposal for a directive Article 9 – paragraph 1 1. Member States shall support critical
Amendment 191 #
Proposal for a directive Article 9 – paragraph 1 1. Member States shall support critical entities in enhancing their resilience and ensure that such support is given at all levels of government. That support may include developing guidance materials and methodologies, supporting the organisation of exercises to test their resilience and providing training to personnel of critical entities.
Amendment 192 #
Proposal for a directive Article 9 – paragraph 1 1. Member States shall support critical entities, including financially, in order to enhanc
Amendment 193 #
Proposal for a directive Article 9 – paragraph 3 3. Member States shall establish information sharing tools to support voluntary sharing of information
Amendment 194 #
Proposal for a directive Article 9 – paragraph 3 3. Member States shall establish information sharing tools to support
Amendment 195 #
Proposal for a directive Article 10 – paragraph 1 Member States shall ensure that critical entities assess within six months after receiving the notification referred to in Article 5(3), and subsequently where necessary and at least every four years, on the basis of Member States’ risk assessments and other relevant sources of information, all relevant risks that may disrupt their
Amendment 196 #
Proposal for a directive Article 10 – paragraph 1 Member States shall ensure that critical entities assess within
Amendment 197 #
Member States shall ensure that critical entities assess within six months after receiving the notification referred to in Article 5(3), and subsequently where necessary and at least every
Amendment 198 #
Proposal for a directive Article 10 – paragraph 2 The risk assessment shall account for all relevant risks referred to in Article 4(1) which could lead to the disruption of the provision of essential services, including an assessment of the international situation. It shall take into account any dependency of other sectors referred to in the Annex on the essential service provided by the critical entity, including in neighbouring Member States and third countries where relevant, and the impact that a disruption of the provision of essential services in one or more of those sectors may have on the essential service provided by the critical entity.
Amendment 199 #
Proposal for a directive Article 11 – paragraph 1 – point a (a) prevent incidents from occurring, including through disaster risk reduction and climate adaptation measures, and measures contributing to the fight against climate change;
Amendment 200 #
Proposal for a directive Article 11 – paragraph 1 – point d (d) recover from incidents, including business continuity measures and the identification of alternative supply chains to ensure the continuation of the essential service;
Amendment 201 #
Proposal for a directive Article 11 – paragraph 1 – point e (e) ensure adequate employee security management, including by setting out categories of personnel exercising critical functions, establishing access rights to sensitive areas, facilities and other infrastructure, and to sensitive information as well as identifying specific categories of personnel in view of Article 12
Amendment 202 #
Proposal for a directive Article 11 – paragraph 1 – point e (e) ensure adequate
Amendment 203 #
Proposal for a directive Article 11 – paragraph 1 – point e (e) ensure adequate employee security management, including by setting out categories of personnel exercising critical functions, ensuring appropriate training requirements and qualifications, establishing access rights to sensitive areas, facilities and other infrastructure, and to sensitive information as well as identifying specific categories of personnel in view of Article 12;
Amendment 204 #
Proposal for a directive Article 11 – paragraph 1 – point e (e) ensure adequate employee security management and training, including by setting out categories of personnel exercising critical functions, establishing access rights to sensitive areas, facilities and other infrastructure, and to sensitive information as well as identifying specific categories of personnel in view of Article 12;
Amendment 205 #
Proposal for a directive Article 11 – paragraph 1 – point e (e) ensure adequate employee security management and training, including by setting out categories of personnel exercising critical functions, establishing access rights to sensitive areas, facilities and other infrastructure, and to sensitive information as well as identifying specific categories of personnel in view of Article 12;
Amendment 206 #
Proposal for a directive Article 11 – paragraph 1 – point e a (new) (ea) ensure that a resilience liaison officer or an equivalent is designated for all designated critical entities in order to facilitate cooperation and communication with the relevant Member State authority and the Commission;
Amendment 207 #
Proposal for a directive Article 11 – paragraph 1 – point f (f) raise awareness about the measures referred to in points (a) to (e) among relevant personnel, including laying down appropriate training requirements and qualifications.
Amendment 208 #
Proposal for a directive Article 11 – paragraph 1 – point ea (new) (ea) evaluate critical personnel to ensure that they are fit for the job.
Amendment 209 #
Proposal for a directive Article 11 – paragraph 2 a (new) 2a. Member States shall ensure that where the measures referred to in paragraph 1 have the potential to limit the exercise of fundamental rights and freedoms of natural persons, these limitations shall be limited to what is strictly necessary and proportionate in a democratic society.
Amendment 210 #
Proposal for a directive Article 11 – paragraph 3 3. Upon request of the Member State that identified the critical entity and with the agreement of the critical entity concerned, the Commission shall organise advisory missions, in accordance with the arrangements set out in Article 15(4), (5), (7) and (8), to provide advice to the critical entity concerned in meeting its obligations pursuant to Chapter III. The advisory mission shall report its findings to the Commission, that Member State and the critical entity concerned. Where necessary and appropriate, the Commission may mobilise financial support for that Member State and the relevant critical entity, including from the Internal Security Fund, without prejudice to applicable budgetary procedures and controls.
Amendment 211 #
Proposal for a directive Article 11 – paragraph 3 3. Upon request of the Member State that identified the critical entity and with the agreement of the critical entity concerned, the Commission shall organise advisory missions, in accordance with the arrangements set out in Article 15(4), (5), (7) and (8), to provide advice to the critical entity concerned in meeting its obligations pursuant to Chapter III. The advisory mission shall report its findings to the Commission, that Member State and the critical entity concerned. The Commission may also offer advisory missions to critical entities based in third countries at their request.
Amendment 212 #
Proposal for a directive Article 11 – paragraph 3 3. Upon request of the Member State that identified the critical entity
Amendment 213 #
Proposal for a directive Article 11 – paragraph 4 Amendment 214 #
Proposal for a directive Article 11 – paragraph 4 4. The Commission is empowered to adopt delegated acts in accordance with Article 21 supplementing paragraph 1 by establishing detailed rules specifying some or all of the measures to be taken pursuant to that paragraph. It shall adopt those delegated acts
Amendment 215 #
Proposal for a directive Article 12 – paragraph 1 1. Member States shall ensure that critical entities may submit requests for background checks on persons who fall within certain specific categories of their personnel, including persons being considered for recruitment to positions falling within those categories, and that those requests are assessed expeditiously by the authorities competent to carry out such background checks. The background checks shall be proportionate and strictly limited to what is necessary and relevant for the fulfilment of the duties of the concerned personnel.
Amendment 216 #
Proposal for a directive Article 12 – paragraph 1 1. Member States shall ensure that critical entities may submit requests for background checks on persons who fall within certain specific
Amendment 217 #
Proposal for a directive Article 12 – paragraph 1 1. Member States shall ensure that critical entities may submit requests for background checks on persons who fall within certain specific categories of their personnel and who carry out sensitive tasks, including persons being considered for recruitment to positions falling within those categories, and that those requests are assessed expeditiously by the authorities competent to carry out such background checks.
Amendment 218 #
Proposal for a directive Article 12 – paragraph 3 Amendment 219 #
Proposal for a directive Article 13 – paragraph 1 1. Member States shall ensure that critical entities notify without undue delay the competent authority of incidents that significantly disrupt or have the potential to significantly disrupt their
Amendment 220 #
Proposal for a directive Article 13 – paragraph 1 1. Member States shall ensure that critical entities notify without undue delay the competent authority of incidents that significantly disrupt or have the potential to significantly disrupt their operations. An initial notification shall be submitted within 24 hours after having become aware of the incident, followed by a final detailed report not later than one month thereafter. Notifications shall include any available information necessary to enable the competent authority to understand the nature, cause and possible consequences of the incident, including so as to determine any cross-border impact of the incident. Such notification shall not make the critical entities subject to increased liability.
Amendment 221 #
Proposal for a directive Article 13 – paragraph 1 1. Member States shall ensure that critical entities notify without undue delay the competent authority of incidents
Amendment 222 #
Proposal for a directive Article 13 – paragraph 1 1. Member States shall ensure that critical entities notify without undue delay and within 24 hours the competent authority of incidents that significantly disrupt or have the potential to significantly disrupt their operations. Notifications shall include any available information necessary to enable the competent authority to understand the nature, cause and possible consequences of the incident, including so as to determine any cross-border impact of the incident. Such notification shall not make the critical entities subject to increased liability.
Amendment 223 #
Proposal for a directive Article 13 – paragraph 1 1. Member States shall ensure that critical entities notify with
Amendment 224 #
Proposal for a directive Article 13 – paragraph 2 Amendment 225 #
Proposal for a directive Article 13 – paragraph 2 – point a Amendment 226 #
Proposal for a directive Article 13 – paragraph 2 – point b Amendment 227 #
Proposal for a directive Article 13 – paragraph 2 – point c Amendment 228 #
Proposal for a directive Article 13 – paragraph 3 – subparagraph 1 3. On the basis of the information provided in the notification by the critical entity, the competent authority, via its single point of contact, shall inform the single point of contact of other affected Member States if the incident has, or may have, a
Amendment 229 #
Proposal for a directive Article 13 – paragraph 3 – subparagraph 2 In so doing, the single points of contact shall, in accordance with Union law or national legislation that complies with
Amendment 230 #
Proposal for a directive Article 13 – paragraph 3 a (new) 3a. The competent authority concerned shall inform the public of the incident, or require the critical entity to inform the public, where the competent authority determines that it would be in the public interest to disclose the incident.
Amendment 231 #
Proposal for a directive Article 13 – paragraph 3 b (new) 3b. Member States shall ensure that, in the event of a particular and significant threat of an incident concerning the critical entities, the critical entities inform those users of their services that could be affected by the incident or by the disruption of the services as its consequence and, where relevant, of any possible safety measures or remedies which the users could take.
Amendment 232 #
Proposal for a directive Article 13 – paragraph 3 c (new) 3c. Once a year, the competent authority concerned shall submit a summary report to the Commission and to the Critical Entities Resilience Group on the notifications received and the action taken in accordance with this Article.
Amendment 233 #
Proposal for a directive Article 14 – paragraph 2 2. An entity shall be considered a critical entity of particular European significance when it has been identified as a critical entity and it provides essential services to or in more than
Amendment 234 #
Proposal for a directive Article 14 – paragraph 2 2. An entity shall be considered a critical entity of particular European significance when it has been identified as a critical entity and it provides essential services to or in more than
Amendment 235 #
Proposal for a directive Article 14 – paragraph 2 2. An entity shall be considered a critical entity of particular European significance when it has been identified as a critical entity and it provides essential services to or in
Amendment 236 #
Proposal for a directive Article 14 – paragraph 3 – subparagraph 1 3. The Commission shall, without undue delay upon receiving the notification pursuant to Article 5(6), notify the entity concerned that it is considered a critical entity of particular European significance, informing that entity of its rights and obligations pursuant to this Chapter and the date from
Amendment 237 #
Proposal for a directive Article 15 – paragraph 1 – subparagraph 1 1. Upon request of one or more Member States or of the Commission,
Amendment 238 #
Proposal for a directive Article 15 – paragraph 1 – subparagraph 1 1. Upon request of one or more Member States or of the Commission, the Member State where the
Amendment 239 #
Proposal for a directive Article 15 – paragraph 1 – subparagraph 2 That
Amendment 240 #
Proposal for a directive Article 15 – paragraph 2 2. Upon request of one or more Member States,
Amendment 241 #
Proposal for a directive Article 15 – paragraph 2 2. Upon request of one or more Member States, or at its own initiative, and in agreement with the Member State where the
Amendment 242 #
Proposal for a directive Article 15 – paragraph 2 2. Upon request of one or more Member States, or at its own initiative, and in
Amendment 243 #
Proposal for a directive Article 15 – paragraph 2 2. Upon request of one or more Member States, or at its own initiative, and
Amendment 244 #
Proposal for a directive Article 15 – paragraph 3 – subparagraph 1 3. The a
Amendment 245 #
Proposal for a directive Article 15 – paragraph 3 – subparagraph 3 The Commission shall
Amendment 246 #
Proposal for a directive Article 15 – paragraph 3 – subparagraph 4 Th
Amendment 247 #
Proposal for a directive Article 15 – paragraph 4 – subparagraph 1 4. Each a
Amendment 248 #
Proposal for a directive Article 15 – paragraph 4 – subparagraph 2 The Commission shall organise the programme of an a
Amendment 249 #
Proposal for a directive Article 15 – paragraph 4 – subparagraph 2 The Commission shall organise the programme of an advisory mission, in consultation with the members of the specific advisory mission and
Amendment 250 #
Proposal for a directive Article 15 – paragraph 5 5. The Commission shall adopt an implementing act laying down rules on the procedural arrangements for the conduct and reports of a
Amendment 251 #
Proposal for a directive Article 15 – paragraph 6 6. Member States shall ensure that the critical entity of particular European significance concerned provides the a
Amendment 252 #
Proposal for a directive Article 15 – paragraph 7 7. The a
Amendment 253 #
Proposal for a directive Article 15 – paragraph 8 8. When organising the a
Amendment 254 #
Proposal for a directive Article 16 – paragraph 2 – subparagraph 1 2. The Critical Entities Resilience Group shall be composed of representatives of the Member States and the Commission. Where relevant for the performance of its tasks, the Critical Entities Resilience Group
Amendment 255 #
Proposal for a directive Article 16 – paragraph 2 – subparagraph 1 2. The Critical Entities Resilience Group shall be composed of representatives of the Member States and the Commission. Where relevant for the performance of its tasks, the Critical Entities Resilience Group may invite representatives of the European Parliament and of interested parties to participate in its work.
Amendment 256 #
Proposal for a directive Article 16 – paragraph 2 – subparagraph 1 2. The Critical Entities Resilience Group shall be composed of representatives of the Member States
Amendment 257 #
Proposal for a directive Article 16 – paragraph 2 – subparagraph 2 The
Amendment 258 #
Proposal for a directive Article 16 – paragraph 7 7. The Commission shall provide to the Critical Entities Resilience Group a summary report of the information provided by the Member States pursuant to Articles 3(3) and 4(4) by [
Amendment 259 #
Proposal for a directive Article 18 – paragraph 1 – point a (a) conduct unannounced on-site inspections of the premises that the critical entity uses to provide its essential services, and off-site supervision of critical entities’ measures pursuant to Article 11;
Amendment 260 #
Proposal for a directive Article 18 – paragraph 1 – point b (b) conduct
Amendment 261 #
Proposal for a directive Article 18 – paragraph 5 a (new) 5a. The Commission shall establish the methodology and content of a peer- review system for monitoring and assessing the effectiveness of the Member States’ implementing measures.
Amendment 262 #
Proposal for a directive Article 19 – paragraph 1 Member States
Amendment 263 #
Proposal for a directive Article 22 – paragraph 1 By [54 months after the entry into force of this Directive], the Commission shall submit a report to the European Parliament and to the Council, assessing the extent to which the different Member States have taken the necessary measures to comply with this Directive. That report shall contain separate country chapters on the concrete implementation progress in each Member State.
Amendment 264 #
Proposal for a directive Article 22 – paragraph 2 The Commission shall periodically review the functioning of this Directive, and report to the European Parliament and to the Council. The report shall in particular assess the impact and added value of this Directive on ensuring the resilience of critical entities and whether the scope of the Directive should be extended to cover other sectors or subsectors. The first report shall be submitted by [six years after the entry into force of this Directive] and shall assess in particular whether the scope of the Directive should be extended
Amendment 265 #
Proposal for a directive Article 22 – paragraph 2 The Commission shall periodically review the functioning of this Directive, and report to the European Parliament and to the Council. The report shall in particular assess the impact and added value of this Directive on ensuring the resilience of critical entities and whether the scope of the Directive should be extended to cover other sectors or subsectors. The first report shall be submitted by [
Amendment 266 #
Proposal for a directive Article 22 – paragraph 2 The Commission shall periodically review the functioning of this Directive, and report to the European Parliament and to the Council. The report shall in particular assess the impact and added value of this Directive on ensuring the resilience of critical entities and whether the scope of the Directive should be extended to cover other sectors or subsectors. The first report shall be submitted by [
Amendment 267 #
5. Health — Healthcare providers referred to in point (g) of Article 3 of Directive 2011/24/EU19 — EU reference laboratories referred to in Article 15 of Regulation [XX] on serious cross borders threats to health — Entities carrying out research and development activities of medicinal products referred to in Article 1 point 2 of Directive 2001/83/EC — Entities manufacturing basic pharmaceutical products and pharmaceutical preparations referred to in section C division 21 of NACE Rev. 2 — Entities manufacturing medical devices considered as critical during a public health emergency (‘the public health emergency critical devices list’) referred to in Article 20 of Regulation XXXX — Entities holding a distribution authorisation referred to in Article 79 of Directive 2001/83/EC
Amendment 268 #
— Entities holding a distribution authorisation referred to in Article 79 of Directive 2001/83/EC
Amendment 269 #
10a. Food production, processing and distribution — Food businesses referred to in point (2) of Article 3 of Regulation (EC) No 178/2002 (31)
Amendment 270 #
Proposal for a directive Annex – section 10 a (new) 10a. Agri-food sector Wholesale markets Entities of public interest that ensure an essential service for the provision and distribution of agricultural, fishing, fresh and perishable food productions to the agri-food chain until the final consumer, for vast regional and interregional areas.
Amendment 46 #
Proposal for a directive Recital 1 (1) Council Directive 2008/114/EC17 provides for a procedure for designating European critical infrastructures in the energy and transport sectors, the disruption or destruction of which would have significant cross-border impact on at least two Member States. That Directive focused exclusively on the protection of such infrastructures. However, the evaluation of Directive 2008/114/EC conducted in 201918 found that due to the increasingly interconnected and cross-border nature of operations using critical infrastructure, protective measures relating to individual assets alone are insufficient to prevent all disruptions from taking place. Therefore, it is necessary to shift the approach towards ensuring the resilience of critical entities, that is, their ability to mitigate, absorb, accommodate to and recover from incidents that have the potential to disrupt the operations of the critical entity. Such disruption could negatively impact the functioning of the internal market and of essential social services. _________________ 17Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection (OJ L 345, 23.12.2008, p.75). 18 SWD(2019) 308.
Amendment 47 #
Proposal for a directive Recital 1 (1) Council Directive 2008/114/EC17 provides for a procedure for designating European critical infrastructures in the energy and transport sectors, the disruption or destruction of which would have significant cross-border impact on at least two Member States. That Directive focused exclusively on the protection of such infrastructures. However, the evaluation of Directive 2008/114/EC conducted in 201918 found that due to the increasingly interconnected and cross-border nature of operations using critical infrastructure, protective measures relating to individual assets alone are insufficient to prevent all disruptions from taking place. Therefore, it is necessary to shift the approach towards ensuring the resilience of critical entities, that is, their ability to mitigate, absorb, accommodate to and recover from incidents that have the potential to disrupt the
Amendment 48 #
Proposal for a directive Recital 2 (2) Despite existing measures at 19 Union and national level aimed at supporting the protection of critical infrastructures in the Union, the entities operating those infrastructures are not adequately equipped to address current and anticipated future risks to their operations that may result in disruptions of the provision of services that are essential for the performance of vital societal functions or economic activities. This is due to a dynamic
Amendment 49 #
Proposal for a directive Recital 2 (2) Despite existing measures at 19 19 Union and national level aimed at supporting the protection of critical infrastructures in the Union, the entities operating those infrastructures are not adequately equipped to address current and anticipated future risks to their operations that may result in disruptions of the provision of services that are essential for the performance of vital societal functions or economic activities. This is due to a dynamic threat landscape with
Amendment 50 #
Proposal for a directive Recital 2 (2) Despite existing measures at Union19 and national level aimed at supporting the protection of critical
Amendment 51 #
Proposal for a directive Recital 2 (2) Despite existing measures at 19 Union and national level aimed at supporting the protection of critical infrastructures in the Union, the entities
Amendment 52 #
Proposal for a directive Recital 2 (2) Despite existing measures at Union19 and national level aimed at supporting the protection of critical infrastructures in the Union, the entities operating those infrastructures are not adequately equipped to address current and anticipated future risks to their operations that may result in disruptions of the provision of services that are essential for the protection of the population and the performance of vital societal functions or economic activities. This is due to
Amendment 53 #
Proposal for a directive Recital 3 (3) Those growing interdependencies are the result of an increasingly cross- border and interdependent network of service provision using key infrastructures across the Union in the sectors of energy, transport, banking, financial market infrastructure, digital infrastructure, drinking and waste water, health, waste management, food supply chain, certain aspects of public administration, as well as space in as far as the provision of certain services depending on ground-based infrastructures that are owned, managed and operated either by Member States or by private parties is concerned, therefore not covering infrastructures owned,
Amendment 54 #
Proposal for a directive Recital 3 (3) Those growing interdependencies are the result of an increasingly cross- border and interdependent network of service provision using key infrastructures across the Union in the sectors of energy, transport, banking, financial market infrastructure, digital infrastructure, drinking and waste water, food production, processing and delivery, health, certain aspects of public administration, as well as space in as far as the provision of certain services depending on ground-based infrastructures that are owned, managed and operated either by Member States or by private parties is concerned, therefore not covering infrastructures owned, managed or operated by or on behalf of the Union as part of its space programmes. These interdependencies mean that any disruption, even one initially confined to one entity or one sector, can have cascading effects more broadly, potentially resulting in far-reaching and long-lasting
Amendment 55 #
Proposal for a directive Recital 3 (3) Those growing interdependencies are the result of an increasingly cross- border and interdependent network of service provision using key infrastructures across the Union in the sectors of energy, transport, banking, financial market infrastructure, digital infrastructure, drinking and waste water, health, certain aspects of public administration, as well as space in as far as the provision of certain services depending on ground-based infrastructures that are owned, managed and operated either by Member States or by private parties is concerned, therefore not covering infrastructures owned, managed or operated by or on behalf of the Union as part of its space programmes. These interdependencies mean that any disruption, even one initially confined to one entity or one sector, can have cascading effects more broadly, potentially resulting in far-reaching and long-lasting negative impacts in the delivery of services across the internal market and on the human wellbeing. The COVID-19 pandemic has shown the vulnerability of our increasingly interdependent societies in the face of low-probability risks.
Amendment 56 #
Proposal for a directive Recital 4 (4) The entities involved in the provision of essential services are increasingly subject to diverging requirements imposed under the laws of the Member States. The fact that some Member States have less stringent security requirements on these entities not only risks impacting negatively on the maintenance of vital societal functions or economic activities across the Union, it also leads to obstacles to the proper functioning of the internal market. The resilience of critical entities gives investors and companies reliability and trust, something that are cornerstones of a well-working internal market. It also ensures that essential social services are not interrupted, thereby contributing to protecting the weakest in society. Similar types of entities are considered as critical in some Member States but not in others, and those which are identified as critical are subject to divergent requirements in different Member States. This results in additional and unnecessary administrative burdens for companies operating across borders, notably for companies active in Member States with more stringent requirements.
Amendment 57 #
Proposal for a directive Recital 4 (4) The entities involved in the provision of essential services are increasingly subject to diverging requirements imposed under the laws of the Member States. The fact that some Member States have less stringent security requirements on these entities not only risks impacting negatively on the maintenance of vital societal functions or economic activities across the Union, it also leads to obstacles to the proper functioning of the internal market. Similar types of entities are considered as critical in some Member States but not in others, and those which are identified as critical are subject to divergent requirements in different Member States. This results in additional and unnecessary administrative burdens for companies operating across borders, notably for companies active in Member States with more stringent requirements. Thus, the Member States and the Commission should aim at reaching a common understanding of classifications with a view to achieving the highest possible level of protection of critical entities across the Union.
Amendment 58 #
Proposal for a directive Recital 4 (4) The entities involved in the provision of essential services are
Amendment 59 #
Proposal for a directive Recital 4 (4) The entities involved in the provision of essential services are increasingly subject to diverging requirements imposed under the laws of the Member States. The fact that some Member States have less stringent security requirements on these entities not only risks impacting negatively on the maintenance of vital societal functions or economic activities across the Union, it also leads to obstacles to the proper functioning of the internal market. Similar types of entities are considered as critical
Amendment 60 #
Proposal for a directive Recital 4 a (new) (4a) At Union level there is no single recognised list of critical infrastructure sectors and different pieces of legislation cover different sets of sectors.
Amendment 61 #
Proposal for a directive Recital 5 (5) It is therefore necessary to lay down harmonised minimum rules to ensure the provision of essential services in the internal market
Amendment 62 #
Proposal for a directive Recital 5 (5) It is therefore necessary to lay down harmonised minimum rules to ensure the provision of essential services in the internal market and enhance the resilience of critical entities. It is essential that those rules are future-proof.
Amendment 63 #
Proposal for a directive Recital 5 (5) It is therefore necessary to lay down harmonised minimum rules to ensure the provision of essential services
Amendment 64 #
Proposal for a directive Recital 6 (6) In order to achieve that objective, Member States should identify critical entities that should be subject to specific requirements and oversight, but also particular support and guidance aimed at achieving a high level of resilience in the face of all relevant risks. At the same time, Member States should limit the amount of additional bureaucratic measures they impose on critical entities to the absolute minimum and should make sure that national and international notification requirements do not duplicate notification requirements at Union level.
Amendment 65 #
Proposal for a directive Recital 6 (6) In order to achieve that objective, Member States should identify critical entities that should be subject to specific requirements and oversight, but also particular support and guidance aimed at achieving a high level of resilience in the face of all relevant risks. To this end, mutual information and cooperation between Member States should be improved.
Amendment 66 #
Proposal for a directive Recital 6 (6) In order to achieve that objective, Member States should identify critical entities that should be subject to specific requirements and oversight, but also particular support and guidance aimed at achieving a high level of resilience in the face of
Amendment 67 #
Proposal for a directive Recital 6 a (new) (6a) Account should be taken of the fact that the operations of many critical entities are limited to the local or regional level, including EU regions. In accordance with Member States’ constitutional order and requirements, Member States should be able to delegate tasks under this Directive to territorial entities, as appropriate, in order to better guarantee the provision of essential services to their entire population.
Amendment 68 #
Proposal for a directive Recital 7 (7) Certain sectors of the economy such as energy and transport are already regulated or may be regulated in the future by sector-specific acts of Union law that contain rules related to certain aspects of resilience of entities operating in those sectors. In order to address in a comprehensive manner the resilience of those entities that are critical for the proper functioning of the internal market, those sector-specific measures should be regarded as lex specialis and should be complemented by the ones provided for in this Directive, which creates an overarching framework that addresses critical entities’ resilience in respect of all hazards, that is, natural and man-made, accidental and intentional.
Amendment 69 #
Proposal for a directive Recital 9 Amendment 70 #
Proposal for a directive Recital 10 (10) In view of ensuring a comprehensive approach to the resilience of critical entities, each Member State should have a strategy setting out objectives and policy measures to be implemented. To achieve this, Member States should ensure that their cybersecurity strategies provide for a policy framework for enhanced coordination between the competent authorit
Amendment 71 #
Proposal for a directive Recital 10 (10) In view of ensuring a comprehensive approach to the resilience of critical entities, each Member State should have a strategy setting out objectives and policy measures to be implemented. To achieve this, Member States should ensure that their cybersecurity strategies provide for a policy framework for enhanced coordination between the competent authority under this Directive and the NIS 2 Directive in the context of information sharing on incidents and cyber threats and the exercise of supervisory tasks. Such requirements should not translate into excessive burdens for operators.
Amendment 72 #
Proposal for a directive Recital 11 (11) The actions of Member States to identify and help ensure the resilience of critical entities should follow a risk-based approach that targets efforts to the entities most relevant for the performance of vital societal functions or economic activities. In order to ensure such a targeted approach, each Member State should carry out, within a harmonised framework, an assessment of all relevant natural and man-
Amendment 73 #
Proposal for a directive Recital 11 (11) The actions of Member States to identify and help ensure the resilience of critical entities should follow a risk-based approach that targets efforts to the entities most relevant for the performance of vital societal functions or economic activities. In order to ensure such a targeted approach, each Member State should carry out, within a harmonised framework, an assessment of all relevant natural and man- made risks that may affect the provision of essential services, including accidents, natural disasters, public health emergencies such as pandemics, and antagonistic threats, including terrorist offences, in order to avoid a shortage of critical resources needed for the development of the infrastructure in question. When
Amendment 74 #
Proposal for a directive Recital 11 (11) The actions of Member States to identify and help ensure the resilience of critical entities should follow a risk-based approach that targets efforts to the entities most relevant for the performance of vital societal functions or economic activities. In order to ensure such a targeted approach, each Member State should carry out, within a harmonised framework, an assessment of all relevant natural and man- made risks that may affect the provision of essential services, including accidents, natural disasters, public health emergencies such as pandemics, and antagonistic threats, including threats from or sabotage by insiders and terrorist offences. When carrying out those risk assessments, Member States should take into account other general or sector-specific risk assessment carried out pursuant to other acts of Union law and should consider the dependencies between sectors, including
Amendment 75 #
Proposal for a directive Recital 11 (11) The actions of Member States to identify and help ensure the resilience of critical entities should follow a risk-based approach that targets efforts to the entities most relevant for the performance of vital societal functions or economic activities. In order to ensure such a targeted approach, each Member State should carry out, within a harmonised framework, an assessment of all relevant natural and man- made risks that may affect the provision of essential services, including accidents, hybrid threats, natural disasters, public health emergencies such as pandemics, and antagonistic threats, including terrorist offences. When carrying out those risk assessments, Member States should take into account other general or sector- specific risk assessment carried out pursuant to other acts of Union law and should consider the dependencies between sectors, including from other Member States and third countries. The outcomes of the risk assessment should be used in the process of
Amendment 76 #
Proposal for a directive Recital 12 (12) In order to ensure that all relevant entities are subject to those requirements and to reduce divergences in this respect, it is important to lay down harmonised rules allowing for a consistent identification of critical entities across the Union, while also allowing Member States to reflect national specificities. Therefore, common criteria to identify critical entities, based on minimum indicators and methodologies for each sector and sub-sector, should be laid down. In the interest of effectiveness, efficiency, consistency and legal certainty, appropriate rules should also be set on notification and cooperation relating to, as well as the legal consequences of, such identification. In order to enable the Commission to assess the correct application of this Directive, Member States should submit to the Commission, in a manner that is as detailed and specific as possible, relevant information and, in any event, the list of essential services, the number of critical entities identified for each sector and subsector referred to in the Annex and the essential service or services that each entity provides and any thresholds applied.
Amendment 77 #
Proposal for a directive Recital 12 (12) In order to ensure that all relevant entities are subject to those requirements and to reduce divergences in this respect, it is important to lay down harmonised minimum rules allowing for a consistent identification of critical entities across the Union, while also allowing Member States to reflect national specificities. Therefore, criteria to identify critical entities should be laid down. In the interest of effectiveness, efficiency, consistency and legal certainty, appropriate rules should also be set on notification and cooperation relating to, as well as the legal consequences of, such identification. In order to enable the Commission to assess the correct application of this Directive, Member States should submit to the Commission, in a manner that is as detailed and specific as possible and taking into account security requirements, relevant information and, in any event, the list of essential services, the number of critical entities identified for each sector and subsector referred to in the Annex and the essential service or services that each entity provides and any thresholds applied.
Amendment 78 #
Proposal for a directive Recital 12 (12) In order to ensure that all relevant entities are subject to those requirements and to reduce divergences in this respect, it is important to lay down harmonised rules allowing for a consistent identification of critical entities across the Union, while also allowing Member States to reflect national specificities. Therefore, criteria to identify critical entities should be laid down in a transparent manner. In the interest of effectiveness, efficiency, consistency and legal certainty, appropriate rules should also be set on notification and cooperation relating to, as well as the legal consequences of, such identification. In order to enable the Commission to assess the correct application of this Directive, Member States should submit to the Commission, in a manner that is as detailed and specific as possible, relevant information and, in any event, the list of essential services, the number of critical entities identified for each sector and subsector referred to in the Annex and the essential service or services that each entity provides and any thresholds applied.
Amendment 79 #
Proposal for a directive Recital 15 Amendment 80 #
Proposal for a directive Recital 16 (16) Member States should designate authorities competent to supervise the application of and, where necessary,
Amendment 81 #
Proposal for a directive Recital 16 (16) Member States should designate authorities competent to supervise the application of and, where necessary, enforce the rules of this Directive and ensure that those authorities are adequately empowered and resourced. In view of the differences in national governance structures and in order to safeguard already existing sectoral arrangements or Union supervisory and regulatory bodies, and to avoid duplication, Member States should be able to designate more than one competent authority. In that case, they should however clearly delineate the respective tasks of the authorities concerned and ensure that they cooperate smoothly and effectively, including across borders. All competent
Amendment 82 #
Proposal for a directive Recital 16 (16) Member States should designate authorities competent to supervise the application of and, where necessary, enforce the rules of this Directive and ensure that those authorities are adequately empowered and resourced. In view of the differences in national governance structures and in order to safeguard already existing
Amendment 83 #
Proposal for a directive Recital 17 a (new) (17a) Security Liaison Officers should be identified for all designated critical entities in order to facilitate cooperation and communication with relevant national critical infrastructure protection authorities.
Amendment 84 #
Proposal for a directive Recital 18 (18)
Amendment 85 #
Proposal for a directive Recital 19 (19) Member States should support critical entities in strengthening their resilience, in particular those that qualify as small or medium-sized companies, in compliance with their obligations under this Directive, without prejudice to the entities’ own legal responsibility to ensure such compliance. Member States could in particular develop guidance materials and methodologies, support the organisation of exercises to test their resilience and provide training to personnel of critical entities. Moreover, given the interdependencies between entities and sectors, Member States should establish information sharing tools to support voluntary information sharing between critical entities, without prejudice to the application of competition rules laid down in the Treaty on the Functioning of the European Union.
Amendment 86 #
Proposal for a directive Recital 19 (19) Member States should support critical entities in strengthening their resilience, in compliance with their obligations under this Directive, without prejudice to the entities’ own legal responsibility to ensure such compliance. Member States could in particular provide financial resources, develop guidance materials and methodologies, support the organisation of exercises to test their resilience and provide training to personnel of critical entities. Moreover, given the interdependencies between entities and sectors, Member States should
Amendment 87 #
Proposal for a directive Recital 19 (19) Member States should support critical entities in strengthening their resilience, in compliance with their obligations under this Directive, without prejudice to the entities’ own legal responsibility to ensure such compliance. Member States could in particular develop guidance materials and methodologies, support the organisation of exercises to test their resilience and provide training to personnel of critical entities. Moreover, given the interdependencies between entities and sectors, Member States should establish information sharing tools to support
Amendment 88 #
Proposal for a directive Recital 20 (20) In order to be able to ensure their resilience, critical entities should have a comprehensive understanding of all relevant risks to which they are exposed and analyse those risks. To that aim, they should carry out risks assessments, whenever necessary in view of their particular circumstances and the evolution of those risks, yet in any event every four years. The risk assessments by critical entities should be based on the risk assessment carried out by Member States and on common specifications and methodologies established for each sector covered. They should include minimum indicators, in order to avoid further divergences between Member States, and contingency protocols.
Amendment 89 #
Proposal for a directive Recital 20 (20) In order to be able to ensure their resilience, critical entities should have a comprehensive understanding of all relevant risks to which they are exposed and analyse those risks. To that aim, they should carry out risks assessments, whenever necessary in view of their particular circumstances and the evolution of those risks, yet in any event every four years. The risk assessments by critical entities should be based on the risk assessment carried out by Member States, taking into account assessments made by police, defence and other national authorities involved in public security.
Amendment 90 #
Proposal for a directive Recital 20 (20) In order to be able to ensure their resilience, critical entities should have a comprehensive understanding of all relevant risks to which they are exposed and analyse those risks. To that aim, they should carry out risks assessments, whenever necessary in view of their particular circumstances and the evolution of those risks, yet in any event every
Amendment 91 #
Proposal for a directive Recital 20 a (new) (20a) This directive should apply without prejudice to Member States’ competences with respect to the maintenance of public security, defence and national security in full compliance with Union law.
Amendment 92 #
Proposal for a directive Recital 24 Amendment 93 #
Proposal for a directive Recital 24 (24) The risk of employees of critical entities misusing for instance their access rights within the entity’s organisation to harm and cause damage is of increasing concern. That risk is exacerbated by the growing intensity of hybrid threats, which are increasingly difficult to track and identify, and by the concerning phenomenon of radicalisation leading to violent extremism and terrorism. It is therefore necessary to enable critical entities to request background checks on persons falling within specific categories of its personnel and to ensure that those requests are assessed expeditiously by the relevant authorities, in accordance with the
Amendment 94 #
Proposal for a directive Recital 24 (24) The risk of employees of critical entities misusing for instance their access rights within the entity’s organisation to harm and cause damage is of increasing concern. That risk is exacerbated by the growing phenomenon of radicalisation leading to violent extremism and terrorism. It is therefore necessary to enable critical entities to request background checks on persons falling within specific categories of its personnel and to ensure that those requests are assessed expeditiously by the relevant authorities, in accordance with the applicable rules of Union and national law, including on the protection of personal data, in particular in full respect of Regulation (EU) 2016/679.
Amendment 95 #
Proposal for a directive Recital 24 (24) The risk of employees of critical entities misusing for instance their access rights within the entity’s organisation to harm and cause damage is of increasing concern. That risk is exacerbated by the growing phenomenon of radicalisation leading to violent extremism and terrorism. It is therefore necessary to enable critical entities to request background checks on persons falling within certain specific categories of its personnel and who fulfil sensitive tasks and to ensure that those requests are assessed expeditiously by the relevant authorities, in accordance with the applicable rules of Union and national law, including on the protection of personal data.
Amendment 96 #
Proposal for a directive Recital 25 (25) Critical entities should notify, as soon as reasonably possible under the given circumstances and in any case within 24 hours after having become aware of an incident, Member States’ competent authorities of incidents that significantly disrupt or have the potential to significantly disrupt their operations. Critical entities should also notify the users of their services of incidents, their consequences and, if possible, any safety measures or remedies that could be taken. The notification should allow the competent authorities to respond to the incidents rapidly and adequately and to have a comprehensive overview of the overall risks that critical entities face. For that purpose, a procedure should be established for the notification of certain incidents and parameters should be provided for to determine when the actual or potential disruption is significant and the incidents should thus be notified. Given the
Amendment 97 #
Proposal for a directive Recital 25 (25) Critical entities should notify, as soon as reasonably possible under the given circumstances, Member States’ competent authorities of incidents that significantly disrupt or have the potential to significantly disrupt their
Amendment 98 #
Proposal for a directive Recital 25 (25) Critical entities should notify, as soon as reasonably possible under the given circumstances, Member States’ competent authorities of incidents that significantly disrupt or have the potential to significantly disrupt their operations. The notification should allow the competent authorities to respond to the incidents rapidly and adequately and to have a comprehensive overview of the overall risks that critical entities face. For that purpose, a procedure should be established for the notification of certain incidents and parameters should be provided for to determine when the actual or potential disruption is significant and the incidents should thus be notified. Given the potential cross-border impacts of such disruptions, a procedure should be established for Member States to inform other affected Member States via single points of contacts. In light of the sensitivity of certain incidents, appropriate confidentiality should be ensured.
Amendment 99 #
(25) Critical entities should notify, as soon as reasonably possible under the given circumstances but no later than 24 hours after the discovery, Member States’ competent authorities of incidents that significantly disrupt or have the potential to significantly disrupt their operations. The notification should allow the competent authorities to respond to the incidents rapidly and adequately and to have a comprehensive overview of the overall risks that critical entities face. For that purpose, a procedure should be established for the notification of certain incidents and parameters should be provided for to determine when the actual or potential disruption is significant and the incidents should thus be notified. Given the potential cross-border impacts of such disruptions, a procedure should be established for Member States to inform other affected Member States via single points of contacts.
source: 693.909
2021/06/22
AFET
2 amendments...
Amendment 67 #
Proposal for a directive Annex – Sector 9 – Title 9. Public administration and democratic institutions
Amendment 68 #
Proposal for a directive Annex – Sector 9 – Type of entity – 3 a (new) — Central, regional and local governments and assemblies
source: 694.954
2021/06/23
AFET
55 amendments...
Amendment 12 #
Proposal for a directive Recital 1 (1) Council Directive 2008/114/EC17 provides for a procedure for designating European critical infrastructures in the energy and transport sectors, the disruption or destruction of which would have significant cross-border impact on at least two Member States. That Directive focused exclusively on the protection of such infrastructures. However, the evaluation of Directive 2008/114/EC conducted in 201918 found that due to the increasingly interconnected and cross-border nature of operations using critical infrastructure, protective measures relating to individual assets alone are insufficient to prevent all disruptions from taking place. Therefore, it is necessary to shift the approach towards ensuring the resilience of critical entities, that is, their ability to mitigate, absorb, accommodate to and recover from incidents that have the potential to disrupt the operations of the critical entity, thereby endangering the democratic, social, and economic life in one or more Member States. _________________ 17Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection (OJ L 345, 23.12.2008, p.75). 18 SWD(2019) 308.
Amendment 13 #
Proposal for a directive Recital 2 (2) Despite existing measures at 19 19 Union and national level aimed at supporting the protection of critical infrastructures in the Union, the entities operating those infrastructures are not adequately equipped to address current, potential and anticipated future risks to their operations that may result in disruptions of the provision of services that are essential for the performance of vital societal functions or economic activities. This is due to an increasingly challenging security environment, with multi-faceted threats the Union is facing in a highly multipolar world with unreliable global actors, a dynamic threat landscape with an evolving terrorist threat and growing global interdependencies between infrastructures and sectors, as well as an increased physical risk due to natural disasters and climate change, which increases the frequency and scale of extreme weather events and brings long- term changes in average climate that can reduce the capacity and efficiency of certain infrastructure types if resilience or climate adaptation measures are not in place. Moreover, relevant sectors and types of entities are not recognised consistently as critical in all Member States. _________________ 19European Programme for Critical Infrastructure Protection (EPCIP).
Amendment 14 #
Proposal for a directive Recital 2 (2) Despite existing measures at Union19 and national level aimed at supporting the protection of critical infrastructures in the Union, the entities operating those infrastructures are not adequately equipped to address current, minimise impacts of potential failures or malicious activities affecting or targeting their premises, networks and activities, and anticipated future risks to their operations that may result in disruptions of the provision of services that are essential for the performance of vital societal functions or economic activities. This is due to a dynamic threat landscape with hybrid threats,emerging technologies, an evolving terrorist threat and growing interdependencies between infrastructures and sectors, as well as an increased physical risk due to natural disasters and climate change, which increases the frequency and scale of extreme weather events and brings long-term changes in average climate that can reduce the capacity and efficiency of certain infrastructure types if resilience or climate adaptation measures are not in place. Moreover, relevant sectors and types of entities are not recognised consistently as critical in all Member States. _________________ 19European Programme for Critical Infrastructure Protection (EPCIP).
Amendment 15 #
Proposal for a directive Recital 2 (2) Despite existing measures at 19 19 Union and national level aimed at supporting the protection of critical infrastructures in the Union, the entities operating those infrastructures are not adequately equipped to address current and anticipated future risks to their operations that may result in disruptions of the provision of services that are essential for the performance of vital societal functions or economic activities. This is due to a dynamic threat landscape with hybrid threats, emerging technologies, in particular artificial intelligence, an evolving terrorist threat and growing interdependencies between infrastructures and sectors, as well as an increased physical risk due to natural disasters and climate change, which increases the frequency and scale of extreme weather events and brings long-term changes in average climate that can reduce the capacity and efficiency of certain infrastructure types if resilience or climate adaptation measures are not in place. Moreover, relevant sectors and types of entities are not recognised consistently as critical in all Member States. _________________ 19European Programme for Critical Infrastructure Protection (EPCIP).
Amendment 16 #
Proposal for a directive Recital 2 (2) Despite existing measures at Union19 and national level aimed at supporting the protection of critical infrastructures in the Union, the entities
Amendment 17 #
Proposal for a directive Recital 3 (3) Those growing interdependencies are the result of an increasingly cross- border and interdependent network of service provision using key infrastructures across the Union in the sectors of energy, transport, banking, financial market infrastructure, digital infrastructure, telecommunication services (including HW, SW, FW and networks), drinking and waste water, health, certain aspects of public administration, as well as space in as far as the provision of certain services depending on ground-based
Amendment 18 #
Proposal for a directive Recital 3 (3) Those growing interdependencies are the result of an increasingly cross- border and interdependent network of service provision using key infrastructures across the Union in the sectors of energy, transport, banking, financial market infrastructure, digital infrastructure, drinking and waste water, health, certain aspects of public administration, as well as space in as far as the provision of certain services depending on ground-based infrastructures that are owned, managed and operated either by Member States or by private parties is concerned, therefore not covering infrastructures owned, managed or operated by or on behalf of the Union as part of its space programmes. These interdependencies mean that any disruption, even one initially confined to one entity or one sector, can have cascading effects more broadly, potentially resulting in far-reaching and long-lasting negative impacts in the delivery of services across the internal market. The COVID-19 pandemic has shown the vulnerability of our increasingly interdependent societies in the face of low-probability
Amendment 19 #
(3) Those growing interdependencies are the result of an increasingly cross- border and interdependent network of service provision using key infrastructures across the Union in the sectors of energy, transport, banking, financial market infrastructure, digital infrastructure, drinking and waste water, health, certain aspects of public administration, as well as space in as far as the provision of certain services depending on ground-based infrastructures that are owned, managed and operated either by Member States or by private parties is concerned, therefore not covering infrastructures owned, managed or operated by or on behalf of the Union as part of its space programmes but which are also of relevance for the Common Security and Defence Policy (CSDP). These interdependencies mean that any disruption, even one initially confined to one entity or one sector, can have cascading effects more broadly, potentially resulting in far-reaching and long-lasting negative impacts in the delivery of services across the internal market. The COVID-19 pandemic has shown the vulnerability of our increasingly interdependent societies in the face of low- probability risks.
Amendment 20 #
Proposal for a directive Recital 3 a (new) (3 a) The Union understands hybrid campaigns to be ‘multidimensional, combining coercive and subversive measures, using both conventional and unconventional tools and tactics (diplomatic, military, economic, and technological) to destabilise the adversary. They are designed to be difficult to detect or attribute, and can be used by state and non-state actors. The internet and online networks allow state and non-state actors to conduct aggressive action in new ways. They can be used to hack critical infrastructure, entities and democratic processes, launch persuasive disinformation and propaganda campaigns, steal information and unload sensitive data into the public domain. Large-scale cyber-attacks on critical entities and infrastructure across borders have the potential to invoke Article 222 TFEU (the 'solidarity clause').
Amendment 21 #
Proposal for a directive Recital 3 b (new) (3 b) Large-scale cyber security incidents and crises at Union level, the high degree of interdependence between sectors and countries require a coordinated action to ensure a rapid and effective response, as well as better prevention and preparedness for similar situations in the future. The availability of cyber-resilient critical networks and entities, and information systems and the availability, confidentiality and integrity of data are vital for the security of the Union within as well as beyond its borders. Given the blurring of lines between the realms of civilian and military matters and the dual-use nature of cyber tools and technologies, there is a need for a comprehensive and holistic approach.
Amendment 22 #
Proposal for a directive Recital 7 (7) Certain sectors of the economy such as energy and transport are already regulated or may be regulated in the future by sector-specific acts of Union law that contain rules related to certain aspects of resilience of entities operating in those sectors. In order to address in a comprehensive manner the resilience of those entities that are critical for the proper functioning of the internal market, those sector-specific measures should be complemented by the ones provided for in this Directive, which creates an overarching framework that addresses critical entities’ resilience in respect of all hazards, that is, natural and man-made, accidental and intentional and ensures collaboration with likeminded international organisations in maintaining resilience.
Amendment 23 #
Proposal for a directive Recital 8 (8) Given the importance of
Amendment 24 #
Proposal for a directive Recital 8 a (new) (8 a) As climate change is leading to an increase in the frequency, intensity and complexity of natural disasters which can result in a disruption of essential services or the destruction of essential infrastructure with a significant cross- sectoral or transboundary effects, a coherent approach between this Directive and Decision No 1313/2013/EU of the European Parliament and the Council1a, as amended, is necessary especially on issues covering preparedness and response actions. _________________ 1aDecision No 1313/2013/EU of the European Parliament and of the Council of 17 December 2013 on a Union Civil Protection Mechanism (OJ L 347, 20.12.2013, p. 924).
Amendment 25 #
Proposal for a directive Recital 11 (11) The actions of Member States to identify and help ensure the resilience of critical entities should follow a risk-based approach that targets efforts to the entities most relevant for the performance of vital societal functions or economic activities. In order to ensure such a targeted approach, each Member State should carry out, within a harmonised framework, an assessment of all relevant natural and man- made risks that may affect the provision of essential services, including accidents, natural disasters, public health emergencies such as pandemics, and antagonistic threats, including terrorist offences. When carrying out those risk assessments, Member States should take into account other general or sector-specific risk assessment carried out pursuant to other acts of Union law and should consider the dependencies between sectors, including from other Member States and third countries. While the Civil Emergency Planning Committee of NATO can serve as an important ally in this task as it has outlined the seven key resilience preparedness factors that are taken into account when measuring resilience. The outcomes of the risk assessment should be used in the process of identification of critical entities and to assist those entities in meeting the resilience requirements of this Directive.
Amendment 26 #
Proposal for a directive Recital 11 (11) The actions of Member States to identify and help ensure the resilience of critical entities should follow a risk-based approach that targets efforts to the entities most relevant for the performance of vital societal functions or economic activities. In order to ensure such a targeted approach, each Member State should carry out, within a harmonised framework, an assessment of all relevant natural and man- made risks that may affect the provision of essential services, including accidents, natural disasters, public health emergencies such as pandemics, and antagonistic threats, including terrorist offences, foreign interferences and malicious disinformation campaigns, as well as CBRN threats. When carrying out those risk assessments, Member States should take into account other general or sector- specific risk assessment carried out pursuant to other acts of Union law, especially under Decision No 1313/2013/EU of the European Parliament and the Council1a and should consider the dependencies between sectors, including from other Member States and third countries. The outcomes of the risk assessment should be used in the process of identification of critical entities and to assist those entities in meeting the resilience requirements of this Directive.
Amendment 27 #
Proposal for a directive Recital 11 (11) The actions of Member States to identify and help ensure the resilience of critical entities should follow a risk-based approach that targets efforts to the entities most relevant for the performance of vital societal functions or economic activities. In order to ensure such a targeted approach, each Member State should carry out, within a harmonised framework, an assessment of all relevant natural and man- made risks that may affect the provision of essential services, including accidents, natural disasters, various effects of climate change, public health emergencies such as pandemics, hybrid threats and antagonistic threats, including terrorist offences. When carrying out those risk assessments, Member States should take into account other general or sector-specific risk assessment carried out pursuant to other acts of Union law and should consider the dependencies between sectors, including from other Member States and third countries. The outcomes of the risk assessment should be used in the process of identification of critical entities and to assist those entities in meeting the resilience requirements of this Directive.
Amendment 28 #
Proposal for a directive Recital 12 (12) In order to ensure that all relevant entities are subject to those requirements and to reduce divergences in this respect, it is important to lay down harmonised rules allowing for a consistent identification of critical entities across the Union, while also allowing Member States to reflect national specificities. Therefore, c
Amendment 29 #
Proposal for a directive Recital 20 (20) In order to be able to ensure their resilience, critical entities should have a comprehensive understanding of all relevant risks to which they are exposed and analyse those risks. To that aim, they should carry out risks assessments, whenever necessary in view of their particular circumstances and the evolution of those risks, yet in any event every four years. The risk assessments by critical entities should be based on the risk assessment carried out by Member States, using a common methodology established for each sector covered.
Amendment 30 #
Proposal for a directive Recital 24 (24) The risk of
Amendment 31 #
Proposal for a directive Recital 25 (25) Critical entities should notify, as soon as reasonably possible under the given circumstances, Member States’ competent authorities of incidents that significantly disrupt or have the potential to significantly disrupt their operations. The notification should allow the competent authorities to respond to the incidents rapidly and adequately and to have a comprehensive overview of the overall risks that critical entities face. The notification should also trigger, where appropriate, an information to users or citizens potentially affected, with clear safety and security guidance. For that purpose, a procedure should be established for the notification of certain incidents and parameters should be provided for to determine when the actual or potential disruption is significant and the incidents should thus be notified. Given the potential cross-border impacts of such disruptions, a procedure should be established for Member States to inform other affected Member States via single points of contacts.
Amendment 32 #
Proposal for a directive Recital 29 (29) In order to achieve the objectives of this Directive, and without prejudice to the legal responsibility of Member States and critical entities to ensure compliance with their respective obligations set out therein, the Commission should, where it considers it appropriate, undertake certain supporting activities aimed at facilitating compliance with those obligations. Such activities should also include training courses on different aspects of the resilience of critical entities and that special focus of these courses be dedicated to emerging disruptive technologies such as quantum computing. When providing support to Member States and critical entities in the implementation of obligations under this Directive, the Commission should build on existing structures and tools, such as those under the Union Civil Protection mechanism and the European Reference Network for Critical Infrastructure Protection.
Amendment 33 #
Proposal for a directive Recital 29 (29) In order to achieve the objectives of this Directive, and without prejudice to the legal responsibility of Member States and critical entities to ensure compliance with their respective obligations set out therein, the Commission should, where it considers it appropriate, undertake certain supporting activities aimed at facilitating compliance with those obligations. When providing support to Member States and critical entities in the implementation of
Amendment 34 #
Proposal for a directive Recital 29 (29) In order to achieve the objectives of this Directive, and without prejudice to the legal responsibility of Member States and critical entities to ensure compliance with their respective obligations set out therein, the Commission should, where it considers it appropriate, undertake certain supporting activities aimed at facilitating compliance with those obligations. When providing support and training to Member States and critical entities in the implementation of obligations under this Directive, the Commission should build on existing structures and tools, such as those under the Union Civil Protection mechanism and the European Reference Network for Critical Infrastructure Protection, or the European Security and Defence College, which can contribute to the development of a common European security culture.
Amendment 35 #
Proposal for a directive Recital 29 a (new) (29 a) In order to achieve the objective of this Directive, as well as to increase the resilience of the Union's neighbouring countries, the Commission and the EEAS should undertake training activities and exercises in order to increase the resilience of critical entities in EU Enlargement and Neighbourhood countries.
Amendment 36 #
Proposal for a directive Article 1 – paragraph 1 – introductory part 1. This Directive lays down measures with a view to achieve a high level of resilience of critical entities in order to ensure the provision of essential services within the Union, and by doing so, ensuring the functioning of the internal market and the provisioning of essential social services. To that end, this Directive:
Amendment 37 #
Proposal for a directive Article 1 – paragraph 2 2. This Directive shall not apply to matters covered by Directive (EU) XX/YY [proposed Directive on measures for a high common level of cybersecurity across the Union; (‘NIS 2 Directive’)], without prejudice to Article 7. This Directive is without prejudice to the competences of Member States concerning the maintenance of public security, defence and national security in compliance with Union law. As a consequence: (a) public administration entities that carry out activities in the areas of public security, law enforcement, defence or national security are excluded. (b) entities in the sectors referred to in the Annex carrying out activities of a dual nature in connection with or for the benefit of public security, law enforcement, defence or national security are excluded.
Amendment 38 #
Proposal for a directive Article 2 – paragraph 1 – point 3 (3) “incident” means any
Amendment 39 #
Proposal for a directive Article 2 – paragraph 1 – point 5 (5) “essential service” means a service which is essential for the maintenance of vital societal functions or economic activities, public safety, the environment, the rule of law and fundamental rights;
Amendment 40 #
Proposal for a directive Article 2 – paragraph 1 – point 5 (5) “essential service” means a service which is essential for the maintenance of vital societal and democratic functions
Amendment 41 #
Proposal for a directive Article 3 – paragraph 2 – point a (a) strategic objectives and priorities for the purposes of enhancing the overall resilience of critical entities taking into account cross-border and cross-sectoral interdependencies
Amendment 42 #
Proposal for a directive Article 4 – paragraph 1 – introductory part 1. Competent authorities designated pursuant to Article 8 shall establish a list of essential services in the sectors referred to in the Annex. They shall carry out by [three years after entry into force of this Directive], and subsequently where necessary, and at least every four years, an assessment based on a common methodology and indicators established for each specific sector covered, of all relevant risks that may affect the provision of those essential services, with a view to identifying critical entities in accordance with Article 5(1), and assisting those critical entities to take measures pursuant to Article 11.
Amendment 43 #
Proposal for a directive Article 4 – paragraph 1 – subparagraph 1 The risk assessment shall account for all relevant natural and man-made risks, including accidents, natural disasters, public health emergencies, antagonistic threats, including terrorist offences pursuant to Directive (EU) 2017/541 of the European Parliament and of the Council34 . Whereas the emphasis on maintaining continuity of government, energy supply, population movement, water and food resources, emergency response, civil transportation and communications systems are the most essential components to maintaining resilience in the event of a crisis. _________________ 34Directive (EU) 2017/541 of the European Parliament and of the Council of 15 March 2017 on combating terrorism and replacing Council Framework Decision 2002/475/JHA and amending Council Decision 2005/671/JHA (OJ L 88, 31.3.2017, p. 6).
Amendment 44 #
Proposal for a directive Article 4 – paragraph 1 – subparagraph 1 The risk assessment shall account for all relevant natural and man-made risks, including accidents, natural disasters, public health emergencies, antagonistic threats, including
Amendment 45 #
Proposal for a directive Article 4 – paragraph 1 – subparagraph 1 The risk assessment shall account for all relevant natural and man-made risks, including accidents, natural disasters, public health emergencies, hybrid threats and large-scale incidents, antagonistic threats, including terrorist offences pursuant to Directive (EU) 2017/541 of the European Parliament and of the Council34 . _________________ 34Directive (EU) 2017/541 of the European Parliament and of the Council of 15 March 2017 on combating terrorism and replacing Council Framework Decision 2002/475/JHA and amending Council Decision 2005/671/JHA (OJ L 88, 31.3.2017, p. 6).
Amendment 46 #
Proposal for a directive Article 5 – paragraph 1 1. By [three years and three months after entry into force of this Directive] Member States, based on common guidelines issued by the Commission, shall identify for each sector and subsector referred to in the Annex, other than points 3, 4 and 8 thereof, the critical entities.
Amendment 47 #
Proposal for a directive Article 5 – paragraph 6 6. For the purposes of Chapter IV, Member States shall ensure that critical entities, following the notification referred in paragraph 3, provide information to their competent authorities designated pursuant to Article 8 of this Directive on whether they provide essential services to or in more than
Amendment 48 #
Proposal for a directive Article 6 – paragraph 1 – point b (b) the dependency of other sectors referred to in the Annex on that service, including sectors providing infrastructures and services for institutions in charge of security and defence;
Amendment 49 #
Proposal for a directive Article 6 – paragraph 1 – point c (c) the impacts that incidents could have, in terms of degree and duration, on economic and societal activities, the environment and public safety, the rule of law and fundamental rights;
Amendment 50 #
Proposal for a directive Article 8 – paragraph 5 5. Member States shall ensure that their competent authorities, whenever appropriate, and in accordance with Union and national law, consult and cooperate with other relevant national authorities, in particular those in charge of civil protection and territorial defence, law enforcement and protection of personal data, as well as with relevant interested parties, including critical entities. At the same time, considering the fact that some critical entities might be private, Member States should find ways to allow a timely effective and thorough cooperation between these entities, private emergency operators potentially operating in these entities and certified by national bodies, and national authorities.
Amendment 51 #
Proposal for a directive Article 8 – paragraph 5 5. Member States shall ensure that their competent authorities, whenever appropriate, and in accordance with Union and national law, consult and cooperate with other relevant national authorities, in particular those in charge of civil protection, law enforcement, security and defence and protection of personal data, as well as with relevant interested parties, including critical entities.
Amendment 52 #
Proposal for a directive Article 9 – paragraph 1 1. Member States shall support critical entities in enhancing their resilience. That support may include developing guidance materials and methodologies, supporting the organisation of exercises, including cross-sectoral and cross-border exercises, where appropriate, to test their resilience and providing awareness programs and training to personnel of national competent authorities and critical entities.
Amendment 53 #
Proposal for a directive Article 9 – paragraph 1 1. Member States and when necessary the Commission, shall support critical entities, including financially, in enhancing their resilience. That support may include developing guidance materials and methodologies, supporting the organisation of exercises to test their resilience and providing training to personnel of critical entities.
Amendment 54 #
Proposal for a directive Article 11 – paragraph 1 – point a (a) prevent incidents from occurring, including through disaster risk reduction and climate adaptation measures and measures contributing to the fight against climate change;
Amendment 55 #
Proposal for a directive Article 11 – paragraph 1 – point b (b) ensure adequate physical protection of sensitive areas, facilities and other infrastructure, including fencing, barriers, perimeter monitoring tools and routines, as
Amendment 56 #
Proposal for a directive Article 11 – paragraph 1 – point e (e) ensure adequate
Amendment 57 #
Proposal for a directive Article 11 – paragraph 1 – point f (f) raise awareness about the measures referred to in points (a) to (e) among relevant personnel and include them through social dialogue into the definition, set up and follow up of those measures.
Amendment 58 #
Proposal for a directive Article 12 – paragraph 1 1. Member States shall ensure that critical entities may submit requests for proportionate background checks on persons who fall within certain specific categories of their personnel, including persons being considered for recruitment to positions falling within those categories, and that those requests are assessed expeditiously by the public authorities competent to carry out such background checks. Those checks shall be proportionate and strictly limited to what is necessary and relevant for the fulfilment of the duties of the concerned personnel, while fully respecting sectoral and labour law.
Amendment 59 #
Proposal for a directive Article 13 – paragraph 2 – point a a (new) (a a) the impact on human life and the environmental consequences;
Amendment 60 #
Proposal for a directive Article 14 – paragraph 2 2. An entity shall be considered a critical entity of particular European significance when it has been identified as a critical entity and it provides essential services to or in more than
Amendment 61 #
Proposal for a directive Article 15 – paragraph 4 – introductory part 4. Each advisory mission shall consist of experts from Member States and of Commission representatives. Member States may propose candidates to be part of an advisory mission. The Commission shall select and appoint the members of each advisory mission according to their professional capacity, diverse background and ensuring a geographically and gender balanced representation among Member States. The Commission shall bear the costs related to the participation in the advisory mission.
Amendment 62 #
Proposal for a directive Article 16 – paragraph 2 – introductory part 2. The Critical Entities Resilience Group shall be composed of representatives of the Member States and the Commission. Where relevant for the performance of its tasks, the Critical Entities Resilience Group may invite representatives of interested parties to participate in its work, ensuring a diverse participation of stakeholders, and notably trade unions.
Amendment 63 #
Proposal for a directive Article 16 – paragraph 7 a (new) 7 a. The Critical Entities Resilience Group, in the spirit of security cooperation and open access, shall regularly publish its findings and appropriately anonymised source data for the general public for use in academia, security research and for other beneficial uses.
Amendment 64 #
Proposal for a directive Article 17 – paragraph 2 a (new) 2 a. In order to receive and properly use the information received according to article 13 the Commission shall keep a European registry of incidents and develop a common European reporting centre, with the aim of developing and sharing best practices and methodologies.
Amendment 65 #
Proposal for a directive Article 17 – paragraph 2 a (new) 2 a. The Commission shall continue cooperation with third countries, inter alia under the European Programme for Critical Infrastructure Protection and potential successor programmes, and shall support the sharing of best practices with like-minded partners.
Amendment 66 #
Proposal for a directive Article 17 – paragraph 2 a (new) 2 a. The Commission shall increase the cooperation with relevant international fora and like-minded third countries especially candidate and Neighbourhood countries, through common training activities and the sharing of best practices.
source: 694.948
|
History
(these mark the time of scraping, not the official date of the change)
docs/9 |
|
docs/11 |
|
docs/11 |
|
events/9 |
|
events/13 |
|
events/14 |
|
events/14/summary |
|
events/13 |
|
procedure/final |
|
procedure/stage_reached |
Old
Procedure completed, awaiting publication in Official JournalNew
Procedure completed |
docs/0 |
|
docs/13 |
|
docs/13/date |
Old
2021-03-19T00:00:00New
2021-03-18T00:00:00 |
docs/14 |
|
docs/14 |
|
docs/14/date |
Old
2021-03-19T00:00:00New
2021-03-18T00:00:00 |
docs/15 |
|
docs/15 |
|
docs/15/date |
Old
2021-03-19T00:00:00New
2021-03-18T00:00:00 |
docs/16 |
|
docs/16 |
|
docs/16/date |
Old
2021-02-25T00:00:00New
2021-02-24T00:00:00 |
docs/17 |
|
docs/17 |
|
docs/17/date |
Old
2021-02-24T00:00:00New
2021-02-23T00:00:00 |
docs/18 |
|
events/0 |
|
docs/0 |
|
docs/13 |
|
docs/14 |
|
docs/14 |
|
docs/14/date |
Old
2021-03-18T00:00:00New
2021-03-19T00:00:00 |
docs/15 |
|
docs/15 |
|
docs/15/date |
Old
2021-03-18T00:00:00New
2021-03-19T00:00:00 |
docs/16 |
|
docs/16 |
|
docs/16/date |
Old
2021-03-18T00:00:00New
2021-03-19T00:00:00 |
docs/17 |
|
docs/17 |
|
docs/17/date |
Old
2021-02-24T00:00:00New
2021-02-25T00:00:00 |
docs/18 |
|
docs/18/date |
Old
2021-02-23T00:00:00New
2021-02-24T00:00:00 |
events/0 |
|
events/12 |
|
procedure/stage_reached |
Old
Awaiting signature of actNew
Procedure completed, awaiting publication in Official Journal |
docs/0 |
|
docs/13 |
|
docs/13/date |
Old
2021-03-19T00:00:00New
2021-03-18T00:00:00 |
docs/14 |
|
docs/14 |
|
docs/14/date |
Old
2021-03-19T00:00:00New
2021-03-18T00:00:00 |
docs/15 |
|
docs/15 |
|
docs/15/date |
Old
2021-03-19T00:00:00New
2021-03-18T00:00:00 |
docs/16 |
|
docs/16 |
|
docs/16/date |
Old
2021-02-25T00:00:00New
2021-02-24T00:00:00 |
docs/17 |
|
docs/17 |
|
docs/17/date |
Old
2021-02-24T00:00:00New
2021-02-23T00:00:00 |
docs/18 |
|
events/0 |
|
docs/0 |
|
docs/13 |
|
docs/14 |
|
docs/14 |
|
docs/14/date |
Old
2021-03-18T00:00:00New
2021-03-19T00:00:00 |
docs/15 |
|
docs/15 |
|
docs/15/date |
Old
2021-03-18T00:00:00New
2021-03-19T00:00:00 |
docs/16 |
|
docs/16 |
|
docs/16/date |
Old
2021-03-18T00:00:00New
2021-03-19T00:00:00 |
docs/17 |
|
docs/17 |
|
docs/17/date |
Old
2021-02-24T00:00:00New
2021-02-25T00:00:00 |
docs/18 |
|
docs/18/date |
Old
2021-02-23T00:00:00New
2021-02-24T00:00:00 |
events/0 |
|
docs/12 |
|
events/11 |
|
procedure/stage_reached |
Old
Awaiting Council's 1st reading positionNew
Awaiting signature of act |
docs/12 |
|
events/10/summary |
|
docs/12/docs/0/url |
https://www.europarl.europa.eu/doceo/document/TA-9-2022-0394_EN.html
|
events/9/docs |
|
events/10/docs/0/url |
https://www.europarl.europa.eu/doceo/document/TA-9-2022-0394_EN.html
|
docs/11 |
|
docs/12 |
|
events/9 |
|
events/10 |
|
forecasts |
|
procedure/stage_reached |
Old
Awaiting Parliament's position in 1st readingNew
Awaiting Council's 1st reading position |
docs/0 |
|
docs/11 |
|
docs/11/date |
Old
2021-03-19T00:00:00New
2021-03-18T00:00:00 |
docs/12 |
|
docs/12 |
|
docs/12/date |