PURPOSE: to lay down harmonised minimum rules to ensure the provision of essential services in the internal market and enhance the resilience of critical entities.
PROPOSED ACT: Directive of the European Parliament and of the Council.
ROLE OF THE EUROPEAN PARLIAMENT: the European Parliament decides in accordance with the ordinary legislative procedure and on an equal footing with the Council.
BACKGROUND: the EU established the European Programme for Critical Infrastructure Protection (EPCIP) in 2006 and adopted the European Critical Infrastructure (ECI) Directive in 2008, which applies to the energy and transport sectors. Both the Commissions EU Security Union Strategy for 2020-2025 and the recently adopted Counter-Terrorism Agenda for the EU stress the importance of ensuring the resilience of critical infrastructure in the face of physical and digital risks.
The livelihoods of European citizens and the good functioning of the internal market depend on different infrastructures for the reliable provision of services needed to maintain critical societal and economic activities. These services, vital under normal circumstances, are all the more important as Europe manages the effects of and looks towards recovering from the COVID-19 pandemic. It follows that entities providing essential services must be resilient, i.e. able to resist, absorb, accommodate to and recover from incidents that can lead to serious, potentially cross-sectoral and cross-border disruptions.
It is apparent that the current framework on critical infrastructure protection is not sufficient to address the current challenges to critical infrastructures and the entities that operate them. The Commission proposes to fundamentally switch the current approach from protecting specific assets towards reinforcing the resilience of the critical entities that operate them.
CONTENT: this proposal aims to enhance the provision in the internal market of services essential for the maintenance of vital societal functions or economic activities by increasing the resilience of critical entities providing such services.
It reflects recent calls for action on the part of the Council and the European Parliament, both of which have encouraged the Commission to revise the current approach to better reflect the increased challenges to critical entities, and to ensure closer alignment with the Network and Information Systems (NIS) Directive.
The proposed directive:
- extends the scope of the 2008 Directive on European Critical Infrastructure. Ten sectors would now be covered: energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, public administration and space;
- lays down obligations for Member States to take certain measures aimed at ensuring the provision in the internal market of services essential for the maintenance of vital societal functions or economic activities, in particular to identify critical entities and entities to be treated as equivalent in certain respects, and to enable them to meet their obligations;
- lays down obligations for Member States to have a strategy for ensuring the resilience of critical entities, carry out a national risk assessment and, on this basis, identify critical entities;
- establishes obligations for critical entities aimed at enhancing their resilience and improving their ability to provide those services in the internal market;
- establishes rules on supervision and enforcement of critical entities, and specific oversight of critical entities considered to be of particular European significance.
Budgetary implications
The total financial resources necessary to support the implementation of this proposal are estimated to be EUR 42.9 million for the period 2021-2027, of which EUR 5.1 million is administrative expenditure. These
costs can be broken down as follows: (i) support activities by the Commission including staffing, projects, studies and support activities; (ii) advisory missions organised by the Commission; (iii) regular meetings of the Critical Entity Resilience Group, Comitology Committee and other meetings.