Resilience of critical entities

2020/0365(COD)

The European Parliament adopted by 595 votes to 17, with 24 abstentions, a legislative resolution on the proposal for a directive of the European Parliament and of the Council on the resilience of critical entities.

The European Parliament’s position at first reading under the ordinary legislative procedure amends the Commission proposal as follows:

Subject matter

This Directive sets out a Union framework with the aim of both enhancing the resilience of critical entities in the internal market by laying down harmonised minimum rules and assisting them by means of coherent and dedicated support and supervision measures.

This Directive:

- lays down obligations on Member States to take specific measures aimed at ensuring that services which are essential for the maintenance of vital societal functions or economic activities are provided in an unobstructed manner in the internal market, in particular obligations to identify critical entities and to support critical entities in meeting the obligations imposed on them;

- establishes common procedures for cooperation and reporting on the application of this Directive;

- lays down measures with a view to achieving a high level of resilience of critical entities in order to ensure the provision of essential services within the Union and to improve the functioning of the internal market.

The new rules will harmonise the definition of critical infrastructure, so that it is consistent between the Member States.

Scope

The legislation covers eleven sectors: energy, transport, banking, financial market infrastructure, digital infrastructure, drinking and waste water, food (including production, processing and delivery), health, public administration and space. It tightens the requirements for risk assessments and reporting for actors considered critical.

This Directive is without prejudice to the Member States’ responsibility for safeguarding national security and defence and their power to safeguard other essential State functions, including ensuring the territorial integrity of the State and maintaining law and order.

The obligations laid down in this Directive will not entail the supply of information the disclosure of which would be contrary to the essential interests of Member States’ national security, public security or defence.

Strategy on the resilience of critical entities

Following a consultation that is, to the extent practically possible, open to relevant stakeholders, each Member State will adopt, by three years from the date of entry into force of this Directive, a strategy for enhancing the resilience of critical entities.

Member States' risk assessments will take into account relevant natural and man-made risks, including those of a cross-sectoral or cross-border nature, accidents, natural disasters, public health emergencies and hybrid or other antagonistic threats, which include terrorist offences.

No later than three years and six months from the date of entry into force of the Directive, each Member State will identify the critical entities for the sectors covered.

Single point of contact

Each Member State will designate one or more competent authorities responsible for ensuring the correct application of the rules set out in the Directive at national level. It will also have to designate a single contact point to act as a liaison point for cross-border cooperation with the single contact points of other Member States and with the Critical Entities Resilience Group. A Member State may provide that its single point of contact also liaises with the Commission and ensures cooperation with third countries.

Resilience measures for critical entities

Member States will ensure that critical entities take appropriate and proportionate technical, security and organisational measures to ensure their resilience, based on the relevant information provided by Member States on the Member State risk assessment and the outcome of the critical entity risk assessment.

Incident notifications

Member States will ensure that critical entities notify the competent authority, without undue delay, of incidents that significantly disrupt or have the potential to significantly disrupt the provision of essential services. Member States will ensure that, unless operationally unable to do so, critical entities submit an initial notification no later than 24 hours after becoming aware of an incident, followed, where relevant, by a detailed report no later than one month thereafter.

In order to determine the significance of a disruption, the following parameters should, in particular, be taken into account: (a) the number and proportion of users affected by the disruption; (b) the duration of the disruption; (c) the geographical area affected by the disruption, taking into account whether the area is geographically isolated.

Where an incident has or might have a significant impact on the continuity of the provision of essential services to or in six or more Member States, the competent authorities of the Member States affected by the incident will notify the Commission of that incident. Member States will inform the public where they determine that it would be in the public interest to do so.

Critical Entities Resilience Group

The Critical Entities Resilience Group will support the Commission and facilitate cooperation among Member States and the exchange of information on issues relating to this Directive. Where requested by the European Parliament, the Commission may invite experts from the European Parliament to attend meetings of the Critical Entities Resilience Group.