Resilience of critical entities

2020/0365(COD)

PURPOSE: to ensure that services essential for the maintenance of vital societal functions or economic activities are provided in an unobstructed manner in the internal market and to enhance the resilience of critical entities providing such services.

LEGISLATIVE ACT: Directive (EU) 2022/2557 of the European Parliament and of the Council on the resilience of critical entities and repealing Council Directive 2008/114/EC.

CONTENT: critical entities are entities providing essential services that are crucial for the maintenance of vital societal functions, economic activities, public health and safety, and the environment. They need to be able to prevent, protect against, respond to, cope with and recover from hybrid attacks, natural disasters, terrorist threats and public health emergencies.

This Directive:

- lays down obligations on Member States to take specific measures aimed at ensuring that services which are essential for the maintenance of vital societal functions or economic activities are provided in an unobstructed manner in the internal market, in particular obligations to identify critical entities and to support critical entities in meeting the obligations imposed on them;

- lays down obligations for critical entities aimed at enhancing their resilience and ability to provide essential services in the internal market;

- establishes rules: (i) on the supervision of critical entities; (ii) on enforcement; (iii) for the identification of critical entities of particular European significance and on advisory missions to assess the measures that such entities have put in place to meet their obligations;

- lays down measures with a view to achieving a high level of resilience of critical entities in order to ensure the provision of essential services within the Union and to improve the functioning of the internal market.

Scope

The new legislation strengthens the requirements for conducting risk assessment and reporting of actors considered critical. It covers 11 sectors, namely energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, public administration, space and food (food production, processing and distribution).

This Directive is without prejudice to the Member States’ responsibility for safeguarding national security and defence and their power to safeguard other essential State functions, including ensuring the territorial integrity of the State and maintaining law and order.

The Directive does not prevent Member States from adopting or maintaining provisions in national law to achieve a higher level of resilience of critical entities.

National strategies

Each Member State will adopt by 17 January 2026 a strategy for enhancing the resilience of critical entities. The Commission is empowered to adopt a delegated act, by 17 November 2023 to supplement this Directive by establishing a non-exhaustive list of essential services in the sectors and subsectors set out in the Annex. The competent authorities shall use that list of essential services for the purpose of carrying out a risk assessment by 17 January 2026, whenever necessary subsequently, and at least every four years.

Single point of contact

In order to facilitate cross-border cooperation and communication and to enable the effective implementation of this Directive, each Member State will designate one single point of contact responsible for coordinating issues related to the resilience of critical entities and cross-border cooperation at Union level, where relevant within a competent authority.

Identification of critical entities

The Directive also establishes rules for the identification of critical entities of particular European significance. A critical entity is considered of particular European significance if it provides an essential service to six or more Member States. In this case, the Commission may be requested by the Member States to organise an advisory mission or the Commission may itself propose, with the agreement of the member state concerned, to assess the measures the entity concerned has put in place to meet the obligations arising from the directive.

Resilience measures for critical entities

Critical entities shall identify relevant risks that could significantly disrupt the provision of essential services, take appropriate measures to ensure their resilience and notify disruptive incidents to the relevant authorities. Unless they are unable to do so for operational reasons, critical entities shall submit an initial notification within 24 hours of becoming aware of an incident, followed, where appropriate, by a detailed report within one month.

Where an incident has or could have a significant impact on the continued provision of essential services to or in six or more Member States, the competent authorities of the Member States affected by the incident will notify the incident to the Commission.

Member States will have to inform the public when they consider that it would be in the public interest to do so.

Critical Entities Resilience Group

The Critical Entities Resilience Group will support the Commission and facilitate cooperation among Member States and the exchange of information on issues relating to this Directive. Where requested by the European Parliament, the Commission may invite experts from the European Parliament to attend meetings of the Critical Entities Resilience Group.

ENTRY INTO FORCE: 16.1.2023

TRANSPOSITION: no later than 17.10.2024. The provisions will apply from 18.10.2024.