The livelihoods of European citizens and the good functioning of the internal market depend on the reliable provision of services fundamental for societal or economic activities in many different sectors. For this reason, the Commission presented today a proposal for a directive on the resilience of critical entities that underpin these services in many vital sectors.
With this proposal, the Commission intends to create an all-hazards framework to support Member States in ensuring that critical entities are able to prevent, resist, absorb and recover from disruptive incidents, no matter if they are caused by natural hazards, accidents, terrorism, insider threats, or public health emergencies like the one the world faces today. The proposal, which covers ten sectors, namely energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, public administration and space. Noteworthy provisions include:
- Member States would be obligated to, among other things, have a strategy for ensuring the resilience of critical entities, carry out a national risk assessment and, on this basis, identify critical entities.
- Critical entities would be required to carry out risk assessments of their own, take appropriate technical and organisational measures in order to boost resilience, and report disruptive incidents to national authorities.
- Critical entities providing services to or in at least one-third of Member States would be subject to specific oversight, including advisory missions organised by the Commission.
- The Commission would offer different forms of support to Member States and critical entities, a Union-level risk overview, best practices, methodologies, cross-border training activities and exercises to test the resilience of critical entities.
- Regular cross-border cooperation with regard to the implementation of the directive would be facilitated through an expert group, the Critical Entities Resilience Group.
The Commission also adopted today a proposal for a revised Network and Information Systems Directive (NIS2), which aims to ensure robust cyber resilience on the part of a large number of entities. In order to ensure alignment between the two instruments, all critical entities identified under the critical entities resilience directive would be subject to cyber resilience obligations under NIS2.
The proposed directive will now be considered in the Council and in the Parliament, both of which must agree on the text before it becomes EU law.
This adopted act is open for feedback for a period of 8 weeks, starting on 16 December 2020 and ending at midnight Brussels time on 11 February 2021. All feedback received will be summarised by the European Commission and presented to the European Parliament and Council with the aim of feeding into the legislative debate. A link to the Commission’s “Have your say” portal is available here.
Background
The EU established the European Programme for Critical Infrastructure Protection (EPCIP) in 2006 and adopted the European Critical Infrastructure (ECI) Directive in 2008, which applies to the energy and transport sectors. Both the Commission‘s EU Security Union Strategy for 2020-2025 and the recently adopted Counter-Terrorism Agenda for the EU stress the importance of ensuring the resilience of critical infrastructure in the face of physical and digital risks.
As both the 2019 evaluation of the ECI Directive and the impact assessment supporting this proposal have found, existing European and national measures do not ensure sufficiently that operators are able to confront the increasingly complex operational challenges that they face today. This proposal reflects these findings, but also recent calls by the Council and the Parliament on the Commission to revise the current approach to critical infrastructure protection.
More information
- Press Release
- Commission proposal for a Directive on the resilience of critical entities
- Annex 1 of the Directive on the resilience of critical entities, the Impact Assessment and a summary of the Impact Assessment
- EU Security Union Strategy
- Counter-Terrorism Agenda
- EU Cybersecurity Strategy
Details
- Publication date
- 16 December 2020