Resilience of critical entities

2020/0365(COD)

The Committee on Civil Liberties, Justice and Home Affairs adopted the report by Michal ŠIMEČKA (Renew Europe, SK) on the proposal for a directive of the European Parliament and of the Council on the resilience of critical entities.

The proposed Directive aims to enhance the provision in the internal market of services essential for the maintenance of vital societal functions or economic activities by increasing the resilience of critical entities providing such services. This report seeks to enhance certain aspects of the proposed Directive.

The committee responsible recommended that the European Parliament's position adopted at first reading under the ordinary legislative procedure should amend the proposal as follows:

Definitions

Members proposed to extend the definition of essential services, so that protecting the environment, public health and safety, and the rule of law are also mentioned.

Risk assessment by Member States

With a view to enhancing cooperation between competent authorities of the Member States, Members proposed setting up single points of contact to exercise a liaison and coordination function with the critical entities, with competent authorities and with the Critical Entities Resilience Group. The single point of contact should also simplify and harmonise reporting channels (one-stop-shop principle).

Identification of critical entities

The Commission should, in cooperation with the Member States, develop recommendations and guidelines to support Member States in identifying critical entities.

Member States’ support to critical entities

Members proposed that Member States should support critical entities in enhancing their resilience. That support should include developing guidance materials and methodologies, supporting the organisation of exercises to test their resilience and providing training to personnel of critical entities. Member States may provide financial resources to critical entities, without prejudice to applicable rules on State aid, where necessary and justified by public interest objectives.

Critical Entities Resilience Group

The Critical Entities Resilience Group should be composed of representatives of the Member States and the Commission. Where relevant for the performance of its tasks, the Critical Entities Resilience Group should invite representatives of relevant stakeholders to participate in its work and the European Parliament to participate as an observer.

The Group should, inter alia: (i) prepare a Union strategy on resilience in compliance with the objectives set out in this Directive; (ii) promote and support coordinated risk assessments and joint actions among critical entities.

Notification of incidents

Critical entities should notify Member States’ competent authorities of any incident that significantly disrupts or has the potential to significantly disrupt their operations. They should do so as soon as reasonably possible under the given circumstances and, in any event, no later than 24 hours after becoming aware of the incident in question. The competent authority should inform the public of such an incident where it determines that it would be in the public interest to do so. The competent authority should ensure that the critical entity concerned informs users of its services who might be affected by such an incident about the incident and, where relevant, about any possible safety measures or remedies.

The Commission and the Critical Entities Resilience Group should treat information provided as part of such notifications in a way that respects its confidentiality and protects the security and commercial interests of the critical entity or entities concerned.

It is proposed that the Commission should keep a Union registry of incidents with the aim of developing and sharing best practices and methodologies.

Review

The Commission should periodically review the functioning of this Directive, and report to the European Parliament and to the Council. The report should assess the impact and added value of this Directive on ensuring the resilience of critical entities and whether the scope of the Directive should be extended to cover other sectors or subsectors. The first report should be submitted no later than six years after the entry into force of this Directive and should assess in particular whether the scope of the Directive should be extended. For that purpose, the Commission should take into account relevant documents of the Critical Entities Resilience Group.