Legal provisions of COM(2024)192 - - Main contents
Please note
This page contains a limited version of this dossier in the EU Monitor.
| dossier | COM(2024)192 - . |
|---|---|
| document | COM(2024)192 |
| date | May 7, 2024 |
REPORT FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL
Fourth report assessing the implementation of the Directive on enhancing port security
1. INTRODUCTION
The main objective of Directive 2005/65/EC1 on enhancing port security (‘the Directive’) was to complement the measures adopted in 2004 by means of Regulation (EC) No 725/20042 on enhancing ship and port facility security (‘the Regulation’).
The scope of application of that Regulation was limited to cover security measures on board ships and the immediate interface between ships and ports. It is to these obligations, which essentially fall under the ISPS (International Ship and Port facility Security) Code which Member States have committed to implement as a priority, before agreeing to implement further obligations as part of the adoption of the Directive. The Directive complements the mechanism provided for in the Regulation, by establishing a security system for all of the port area, in order to ensure a high and equal level of security for all European ports serving direct sea-going services3.
Over 1 000 commercial maritime ports are operated along the 60 000 km of coastline in the European Union, one of the regions in the world with the largest number of ports. Around 850 of these ports (see point 5.1) fall within the scope of the Directive, i.e all ports housing one or more port facilities which are the subject of a security plan approved under the Regulation.
The objective of the Directive is to improve security coordination in areas of ports not covered by the Regulation and also to ensure that the enhancement of port security can support the security measures taken under the Regulation. Whilst responsibility for the implementation of security measures at port facility level essentially falls to the port facility operator4, the appropriate security measures at port level are, as a priority, the responsibility of the port authority5 and of those authorities which are responsible for keeping public order, safety and security measures within the port area (in both public and operational areas).
Article 19 of the Directive states that the Commission is to assess compliance with the Directive and the effectiveness of measures taken by 15 December 2008 and every five years thereafter.
The first report was adopted on 20 January 20096, the second on 18 November 20137 and the third report on 25 April 20198. This fourth report describes the measures taken in order to promote the implementation of standardised port security measures across the Union during the last five-year reference period.
The report is based on:
- exchanges of information with Member State authorities responsible for maritime security and other stakeholders;
- the results of the large number of port security inspections carried out by the Commission for the monitoring of this Directive during the period of reference;
- ongoing dialogue between the national authorities and the various players from the maritime and port sectors.
The report draws attention to the progress made, the various challenges encountered in achieving desired outcomes, as well as to the global impact of the Directive’s implementation.
2. CONCLUSIONS OF THE FIRST, SECOND AND THIRD REPORTS
The first report, prepared in 2008 by the Commission, in order to initially assess compliance with the Directive (in accordance with its Article 19) and the effectiveness of measures taken, stressed the fact that, although the Directive had been adopted at first reading and approved by a large majority at the European Parliament and unanimously at the Council, there had been significant delays in Member State transposition. This led to the opening of infringement proceedings, two of which had resulted in a judgment finding failure to fulfil obligations9.
At the end of this assessment period, the provisions of the Directive had finally been transposed into the national law of the vast majority of Member States. Unfortunately, there continued to be organisational and functional difficulties in terms of ensuring implementation in practical terms at port level, since local administrations did not yet have all the resources necessary to ensure the practical implementation of the Directive. The main difficulty related to defining the port perimeter from a security point of view.
The second report (covering the years 2009-2013) showed significant progress but that the measures needed to implement in full all provisions of the Directive still needed to be improved in most Member States. The level of security had increased in European ports and the combination of the implementation of the Regulation and the application of the Directive had made possible a credible framework for preventing security breaches in ports and to obtain adequate protection for maritime and port activities.
The introduction of security measures often led to a review of the organisation of ports, such as – for example – the movement and storage of goods, the control of access to different areas of the port or a definition of restricted areas. These measures proved to be very important for making port activities more efficient, in a highly competitive environment.
The third report (covering the years 2014-2018) concluded that further significant progress had been made. However, all security measures were not fully implemented in some Member States, in accordance with the provisions of Annex I and II of the Directive and further improvement was needed.
3. SUPPORT AND MONITORING MEASURES SINCE THE PREVIOUS EVALUATION PERIOD
The Directive – in keeping with the principle of subsidiarity – stipulates that Member States should themselves establish each port’s boundaries, leaving ports free to decide whether its provisions should also apply to adjacent areas. Member States should also ensure that port security assessments and plans are properly drawn up. However, during the evaluation period, a number of ports were still unable to meet the requirements of the Directive, in particular those related to establishing boundaries so as to enhance the security.
During the period 2019-2023, the Commission took specific initiatives to help Member States, together with a robust programme of monitoring activities deployed through a large number of inspections.
These monitoring activities and initiatives have focused on the following main areas:
- maintaining a system of regular reporting on the performance and implementation of action plans by Member States in order to ensure the practical implementation of the Directive;
- the performance of 80 inspections in the period 2019-2023 to monitor implementation of the Directive in accordance with Regulation (EC) No 324/200810, as amended by Commission Implementing Regulation (EU) 2016/462, with 30 inspections of national administrations and 50 inspections of ports;
- collating and disseminating best practices within the MARSEC Committee.
It should be noted that throughout the period under examination, the maritime sector increased the use of digital technologies, bringing many benefits but also certain risks relating to cyber-incidents. Security systems themselves in port facilities and ports may increasingly rely on digital technologies. Although the EU maritime security legislation is focused on physical security, it does provide a useful framework through which to consider where cybersecurity risk-management measures may be the most adequate. Some ports may already be concerned by the cybersecurity requirements put in place by the NIS Directive11 and a larger number would be concerned under the subsequent NIS 2 Directive12.
Regulation (EC) No 725/2004 establishes that Port Facility Security Assessments must consider the security of computer systems and networks. Article 4 of the Directive states that port security measures should be closely coordinated with measures taken pursuant to Regulation 725/2004. In consequence, if cybersecurity has been assessed as an important aspect for one or several port facilities of a port, then this should be reflected in the port security assessment and plan. As a result of this, the Commission inspections may then include cybersecurity when assessing the conformity with the entire maritime security legislation.
4. MONITORING THE IMPLEMENTATION OF THE DIRECTIVE
4.1. Monitoring action plans for completion of the practical implementation of the Directive
Since 2009, the Commission has had a system for receiving regular information from Member States on the implementation of the Directive. A sustained dialogue is in place with the authorities of the Member States in order to obtain regular and reliable information on the extent to which assessments have been carried out and port security plans adopted. In addition, the annual Member States monitoring reports submitted to the Commission are the base for the monitoring of the status of port security assessments and plans by the Commission services. The information received over the 2019-2023 period has in general been complete, and gives the Commission a good overview of the implementation of the Directive in Member States. This often leads to a smoother process during inspections, as the Commission can more easily identify outstanding issues and clarify these with Member States.
4.2. Inspections carried out by the Commission in order to monitor the implementation of the Directive
The procedures for conducting Commission inspections to monitor the implementation of the Directive are carried out in accordance with Regulation (EC) No 324/2008, as amended.
The inspections carried out, both regarding national administrations and direct inspections of a sample of ports, have shown that although the legal framework of the implementation of the Directive has generally been applied correctly, there remains a series of recurrent common issues regarding proper implementation at Member State Port level. Some recurring serious deficiencies are related to non-timely review of Port Security Assessments and Port Security Plans, which seems to indicate a certain level of tension in the allocation of resources. In 2022, for example, the non-timely review of Port Security Assessments and Port Security Plans represented 8 deficiencies found over 17 inspections. Although the deficiency should not be difficult to correct, the fact that it is recurrent indicates a structural problem. It can therefore be said that implementation of the Directive has continued to improve in the last years, even if structural deficiencies are sometimes still being found.
As an illustration, there has been one infringement procedure (see paragraph 4.3) during this reporting period. Structural deficiencies are still being found when inspecting the implementation of Directive 2005/65, in particular with regards to the setting of port security boundaries. The requirement to carry out port security assessments, which is a necessary step before setting port security boundaries, is not always met.
In setting port security boundaries, Member States were reminded to pay particular attention to the proper definition of port areas that are relevant to port security, as required by Annex I of the Directive. Where the competent port security authority defines boundaries of a port as being the same as a port facility, certain obligations of the Directive also need to be respected. The decision itself must be based on a port security assessment, and a port security officer must be appointed for each port by the Member State. The Member States need to take into account all these requirements when implementing Directive 2005/65. On port boundaries, the Guidelines from the TAPS II Study, on enhancing port security -that were distributed and shared with Member States- retain their full useful character.
The review of port security assessments and port security plans remains a significant concern. According to Article 10 of the Directive, Member States shall ensure that port security assessments and port security plans are reviewed as appropriate, and at least once every five years. Inspections have shown that this five years regular review is not yet done everywhere. Changes regarding port facilities did not result in a review of the port security assessments and port security plans. In several cases the five-year deadline had been missed. This type of deficiency has been found in 13 Member States over the 2019-2023 period.
Furthermore, Commission inspections in Member States ports disclosed the difficulties that some ports experience to launch the five-year review process of port security assessments and plans. The main challenge is the large number of authorities and actors involved in the revision and approval process. This requires advance planning well ahead of the five-year anniversary date. However, some Member States have not ensured adequate supervision of the port security plans and their implementation. Finally, there are some deficiencies related to the need to take into account all requirements when establishing the port security assessment or discrepancies between port security assessments and port security plans.
4.3. Infringement procedures
A declining number of infringement procedures is a good indicator of improved implementation.
As referred to in the second report, from 2009 to 2013 five infringement procedures had to be initiated; three cases were related to delays regarding the implementation of the Directive at Member State level and the other two cases related to incorrect implementation revealed during inspections.
Between 2014 and 2018 only one infringement procedure took place, and this for the reason of incorrect implementation of the Directive: on 6 April 2017 the European Court of Justice gave its judgment on Case C-58/16. For a series of ports, the German Land of North Rhine-Westfalia had failed to define the boundaries, approve port security assessments and plans, and appoint port security officers. In early 2018 Germany confirmed that all ports in North Rhine-Westfalia were now in conformity with the provision of the Directive and that Germany was in compliance with the Court judgment.
Between 2019 and 2023, one infringement procedure has been launched against Sweden for failing to fulfil its obligations arising from the EU maritime security legislation, including the Directive. The proceedings relating to this infringement have not yet concluded.
5. SPECIFIC POINTS RESULTING FROM THE ASSESSMENTS
5.1. Critical size of the ports subject to the requirements of the practical implementation of the Directive
The inspections carried out from 2019 to 2023 have continued to show that the Directive is especially useful for medium and large-sized ports, where the coordination of security measures throughout the port and by different relevant actors is an important element that the Directive should bring, if applied correctly. Inspections have also shown that the implementation of the Directive can be more difficult in small ports.
As indicated in the previous report, it should be noted that the Directive applies to all ports situated in Member States housing one or more port facilities covered by a port facility security plan approved under Regulation (EC) No 725/2004 (Article 2(2)) and also that Member States are required to ensure that port security measures are closely coordinated with measures taken in application of the Regulation (Articles 4 and 7). The Directive stipulates that the Member States should themselves establish each individual port’s boundaries and allows them discretion in terms of deciding whether to apply the Directive to port adjacent areas if these have an impact on the security of the said port.
Consequently, in order to ensure the balanced implementation of useful measures in accordance with the principle of proportionality, the co-legislators have decided that if the boundaries of a port facility within the meaning of Regulation (EC) No 725/2004 have been defined as effectively covering the entire port, the relevant provisions of the Regulation shall take precedence over the provisions of the Directive.
This provision has been widely used by Member States in ports with only one port facility under the Regulation. On the basis of the port security assessment, the port boundaries have very often (but not always) been defined as being the same as that of the port facility. Therefore, of the 859 ports housing one or several port facilities covered by a port facility security plan approved under the Regulation, 389 ports have been considered as falling under the provisions of Article 2(4) of the Directive, i.e. 45.3 % of ports in the European Union. This has particularly been the case in Member States with small ports scattered along coastlines or on islands13.
The Commission has found a number of issues relating to the implementation of Article 2(4) between 2019 and 2023. The reasoning for using Article 2(4) should be clearly demonstrated and documented on a case-by-case basis, following a proper port security assessment. The fulfilment of this requirement has on occasion been found to be lacking.
5.2. Awareness of the threat and awareness-raising amongst players
The Directive has made it possible to set up port security committees responsible for providing practical advice (9th recital). In Member States with this type of structure, this generally consists of local representatives from the bodies responsible for security (police, coastguards, maritime affairs, customs, etc.) and also, in most cases, private operators acting in the port. This provides an appropriate forum for the essential exchange of information and for the dissemination of knowledge of possible threats, thus promoting awareness amongst all stakeholders. Commission inspections have shown that the existence of port security committees considerably improves the coordination between relevant actors.
Increasing awareness of the protection of ports forms part of general security policy, of which all staff employed at the port (i.e. staff of port undertakings but also those employed by external companies involved in port activities) and also the various users of the port need to be aware of. Awareness-raising activities provide key tools for ensuring effective dissemination as regards information on the need for and content of security measures. It is important that security measures are seen as a means to encouraging a port’s economic activities and how to further develop these activities. Training exercises are an essential element of the Directive, and should also be used to increase awareness of security policy within the port.
5.3. Inspection and supervision of port security plans
In accordance with Article 13 of the Directive, Member States shall conduct inspections in a way that enables them to monitor, in an appropriate and regular manner, port security plans and the implementation of those plans. This is a crucial issue which is still not performed adequately in all Member States, mainly due to the discrepancy between the objectives established and the resources needed to conduct such checks.
The inspection reports serve as a basis for the national authorities to provide advice and assistance to the competent authorities in the ports, with a view to rectifying the shortcomings identified. This practice should be encouraged and extended. Indeed, it is also important that there is follow-up by the inspecting body to verify that corrective measures have been put in place to rectify the shortcomings identified. However, some Member States still do not systematically carry out this verification of compliance on a regular and appropriate basis. The Commission observed this deficiency in 6 Member States over the 2019-2023 period. It is important that the human and financial resources needed for these monitoring tasks are put in place as soon as possible.
The supervision of port security plans may also allow Member States to better coordinate the implementation of the Directive with other measures designed to protect port infrastructure. One such example that has been noted during Commission inspections is the work done by Member States to protect critical infrastructure more horizontally, in particular with the Directive on the Resilience of Critical Entities14 or the “NIS 2 Directive”. This can notably allow Member States and ports to use existing organisational structures, such as information sharing or incident reporting structures, to address security from a wider perspective.
6. CONCLUSION
The assessment of the implementation of Directive 2005/65/EC has shown that significant progress has been achieved over the past five years. However, further improvement is still needed in some areas and in some Member States. This is notably the case regarding security measures identified and prescribed in Annex I (Port Security Assessment) and II (Port Security Plan) of the Directive.
An illustration of a major deficiency linked to Annex I is the lack of proper setting of port security boundaries, while - linked to both Annexes - there is a rather large number of instances of late review of port security assessments and plans. The latter should be reviewed at least once every five years, but this is not consistently the case everywhere. The main reason for this is the large number of competent authorities that are involved in the review and approval process.
Nevertheless, this Report does show a general positive progress over the past years in the level of security coordination among local authorities, port operators and public law enforcement bodies.
Moreover, despite the COVID-19 pandemic, the recourse to alternative inspection methods allowed, as far as it was possible, continuity. As a result, a large number of port security inspections could be carried out, thus significantly contributing to the high level of port security achieved and maintained. The findings of inspections also continue to be exchanged regularly between Member States through the MARSEC Committee, with particular emphasis placed on the exchange of best practices.
The Commission has identified the need to develop guidance to clarify the legislative requirements concerning the security of network and information systems used by ports and port facilities, according to Regulation (EC) No 725/2004 of 31 March 2004 on enhancing ship and port facility security and Directive 2005/65/EC of 26 October 2005 on enhancing port security. Guidance materials already exist on cybersecurity in the maritime sector, but the need to focus on those cybersecurity measures and mechanisms that are defined in the existing EU maritime security legislation has been set as a priority for the next evaluation period.
The Regulation and the Directive remain key elements in securing EU ports and thus directly contribute to the objectives of the Security Union. The Directive shows how heterogenous complex infrastructure can be secured through individual local port assessments and corresponding plans, based upon a common approach and through fostering coordination and communication amongst a high number of stakeholders involved. The Commission considers, overall, that this framework is meeting expectations and that Directive 2005/65 on enhancing port security does not currently require amendment.
The Commission will continue to work with Member States to improve the implementation of the Directive, with the common objective of better safeguarding EU ports, and to monitor its correct application.
1Directive 2005/65/EC of the European Parliament and of the Council of 26 October 2005 on enhancing port security – OJ L 310, 25.11.2005, p. 2
2Regulation (EC) No 725/2004 of the European Parliament and of the Council of 31 March 2004 on enhancing ship and port facility security - OJ L 129, 29.4.2004, p. 6
3The EFTA Surveillance Authority ensures that Iceland and Norway comply with their obligations under the agreement on the European Economic Area.
4In the vast majority of cases, port facility operators are private operators.
5The port security authority is appointed by the Member State in accordance with Article 5 of the Directive.
6 COM(2009)2 final
7COM(2013)792 final
8COM(2019)191 final
9Case C-464/08 Commission v Estonia, 3 September 2009 and Case C-527/08 Commission v United Kingdom, 3 September 2009.
10Commission Regulation (EC) No 324/2008 of 9 April 2008 laying down revised procedures for conducting Commission inspections in the field of maritime security, as amended, OJ L 98, 10.4.2008, p.5.
11 Directive (EU) 2016/1148 of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (to be repealed by the NIS 2 Directive with effect from 18.10.2024)
12 Directive (EU) 2022/2555 of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive)
13These ports with a single port facility falling under Article 2(4) of the Directive represent a significant proportion of ports in Finland (48/64, or 75 %), Sweden (112/156, or 72 %), Greece (82/123, or 67 %), and Denmark (37/71, or 52 %).
14 Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 on the resilience of critical entities and repealing Council Directive 2008/114/EC, OJ L 333, 27.12.2022, p. 164–198
EN EN