Explanatory Memorandum to COM(2020)829 - Resilience of critical entities


dossier COM(2020)829 - Resilience of critical entities.
source COM(2020)829 EN
date 16-12-2020


1. CONTEXT OF THE PROPOSAL

Reasons for and objectives of the proposal

To effectively protect Europeans, the European Union needs to continue to reduce vulnerabilities, including for the critical infrastructures that are essential for the functioning of our societies and economy. The livelihoods of European citizens and the good functioning of the internal market depend on different infrastructures for the reliable provision of services needed to maintain critical societal and economic activities. These services, vital under normal circumstances, are all the more important as Europe manages the effects of and looks towards recovering from the COVID-19 pandemic. It follows that entities providing essential services must be resilient, i.e. able to resist, absorb, accommodate to and recover from incidents that can lead to serious, potentially cross-sectoral and cross-border disruptions.

This proposal aims to enhance the provision in the internal market of services essential for the maintenance of vital societal functions or economic activities by increasing the resilience of critical entities providing such services. It reflects recent calls for action on the part of the Council[1] and the European Parliament,[2] both of which have encouraged the Commission to revise the current approach to better reflect the increased challenges to critical entities, and to ensure closer alignment with the Network and Information Systems (NIS) Directive[3]. This proposal is consistent and establishes close synergies with the proposed Directive on measures for a high common level of cybersecurity across the Union (“NIS 2 Directive”), which will replace the NIS Directive in order to address the increased interconnectedness between the physical and digital world through a legislative framework with robust resilience measures, both for cyber and physical aspects as set out in the Security Union Strategy.

Furthermore, the proposal reflects national approaches in an increasing number of Member States, which tend to emphasise cross-sectoral and cross-border interdependencies and are more and more informed by resilience thinking, in which protection is but one element alongside risk prevention and mitigation, business continuity and recovery. Given that critical infrastructures run the risk of also being potential terrorist targets, the measures aimed at ensuring the resilience of critical entities contained in this proposal contribute to the objectives of the recently adopted EU Agenda on Counter-Terrorism[5].

The European Union (EU) has long recognised the pan-European importance of critical infrastructures. For instance, the EU established the European Programme for Critical Infrastructure Protection (EPCIP) in 2006[6] and adopted the European Critical Infrastructure (ECI) Directive in 2008.[7] The ECI Directive, which applies only to the energy and transport sectors, provides a procedure for identifying and designating ECIs, the disruption or destruction of which would have significant cross-border impacts in at least two Member States. It also sets out specific protection requirements on ECI operators and competent Member State authorities. To date, 94 ECIs have been designated, two-thirds of which are located in three Member States in Central and Eastern Europe. However, the scope of EU action on critical infrastructure resilience extends beyond these measures, and includes sectoral and cross-sectoral measures on inter alia climate proofing, civil protection, foreign direct investment and cybersecurity.[8] Meanwhile, Member States themselves have taken measures of their own in this area in ways that diverge from one another.

[1] Council Conclusions of 10 December 2019 on complementary efforts to enhance resilience and counter hybrid threats (14972/19).

[2] Report on findings and recommendations of the European Parliament’s Special Committee on Terrorism (2018/2044(INI)).

[3] Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union.

[4] COM(2020) 605.

[5] COM(2020) 795.

[6] Communication from the Commission on a European Programme for Critical Infrastructure Protection. COM (2006) 786.

It is therefore apparent that the current framework on critical infrastructure protection is not sufficient to address the current challenges to critical infrastructures and the entities that operate them. Given the increasing interconnection among infrastructures, networks and operators delivering essential services across the internal market, it is necessary to fundamentally switch the current approach from protecting specific assets towards reinforcing the resilience of the critical entities that operate them.

The operational environment in which critical entities operate has changed significantly in recent years. Firstly, the risk landscape is more complex than in 2008, involving today natural hazards[9] (in many cases exacerbated by climate change), state-sponsored hybrid actions, terrorism, insider threats, pandemics, and accidents (such as industrial accidents). Secondly, operators are confronted with challenges in integrating new technologies such as 5G and unmanned vehicles into their operations, while at the same time addressing the vulnerabilities that such technologies could potentially create. Thirdly, these technologies and other trends make operators increasingly reliant on one another. The implications of this are clear – a disruption affecting the service provision by one operator in one sector has the potential to generate cascading effects on service provision in other sectors, and also potentially in other Member States or across the entire Union.

As evidenced by the 2019 evaluation of the ECI Directive[10], existing European and national measures face limitations in helping operators confront the operational challenges that they face today and the vulnerabilities that their interdependent nature entails.

There are several reasons for this, as set out in the impact assessment that supported the development of the proposal. Firstly, operators are not fully aware of or do not fully understand the implications of the dynamic risk landscape within which they operate. Secondly, resilience efforts diverge significantly between Member States and sectors. Thirdly, similar types of entities are recognised as being critical by some Member States but not by others, meaning that comparable entities receive varying degrees of official capacity-building support (in the form of, e.g. guidance, training and exercise organisation) depending on where they operate in the Union, and are subject to different requirements. The fact that the requirements and government support to operators varies from one Member State to another creates obstacles to operators when acting across borders, notably for those critical entities operating in Member States with more stringent frameworks. Given the increasingly interconnected nature of service provision and sectors in the Member States and across the EU, an insufficient level of resilience on the part of one operator poses a serious risk for entities elsewhere in the internal market.

[7] Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection.

[8] Communication from the Commission on an EU Strategy on adaptation to climate change. COM(2013) 216; Decision No 1313/2013/EU of the European Parliament and of the Council of 17 December 2013 on a Union Civil Protection Mechanism; Regulation 2019/452 establishing a framework for the screening of foreign direct investments into the Union; Directive 2016/1148 concerning measures for a high common level of security of network and information systems across the Union.

[9] Overview of natural and man-made disaster risks the European Union may face. SWD(2020) 330.

[10] SWD(2019) 308.

Besides jeopardising the smooth functioning of the internal market, disruptions, especially those with cross-border and potentially pan-European implications, have possibly serious negative implications for citizens, business, governments and the environment. Indeed, at the individual level, disruptions may affect Europeans’ ability to travel freely, work, and draw on essential public services like health care. In many cases, these and other core services that underpin daily life are provided by tightly interconnected networks of European businesses; a disruption to one business in one sector may have cascading effects across many other economic sectors. Finally, disruptions such as, for instance, large-scale power outages and serious transport accidents, may serve to erode security and public safety, prompting uncertainty and undermining confidence in critical entities, as well as in the authorities responsible for their oversight and for keeping the population safe and secure.

Consistency with existing provisions in the policy area

This proposal reflects the priorities of the Commission’s EU Security Union Strategy,[11] which calls for a revised approach to critical infrastructure resilience that better reflects the current and anticipated future risk landscape, the increasingly tight interdependencies between different sectors, and also the increasingly interdependent relationships between physical and digital infrastructures.

The proposed directive replaces the ECI Directive as well as accounts for and builds on other existing and envisaged instruments. The proposed directive constitutes a considerable change as compared to the ECI Directive, which applies only to the energy and transport sectors, focuses solely on protective measures, and provides a procedure for identifying and designating ECIs through cross-border dialogue. First of all, the proposed directive would have a much wider sectoral scope, covering ten sectors, namely energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, public administration, and space. Secondly, the directive provides a procedure for Member States to identify critical entities using common criteria on the basis of a national risk assessment. Thirdly, the proposal sets out obligations on Member States and the critical entities that they identify, including ones with particular European significance, i.e. critical entities that provide essential services to or in more than one third of Member States that would be subject to specific oversight.

Where appropriate, the Commission would provide competent authorities and critical entities with support in complying with their obligations under the directive. In addition, the Critical Entities Resilience Group, which is a Commission expert group subject to the horizontal framework applicable to such groups, would provide advice to the Commission and promote strategic cooperation and the exchange of information. Finally, as the interdependencies do not stop at EU external borders, engagement with partner countries is also necessary. The proposed directive provides for a possibility of such cooperation, for instance in the area of risk assessments.

[11] Communication from the Commission on the EU Security Union Strategy. COM(2020) 605.


Consistency with other Union policies

The proposed directive has obvious links and is consistent with other sectoral and cross-sectoral EU initiatives on inter alia climate proofing, civil protection, foreign direct investment (FDI), cybersecurity and the financial services acquis. In particular, the proposal is closely aligned and establishes close synergies with the proposed NIS 2 Directive, which aims at enhancing all-hazards information and communication technology (ICT) resilience on the part of ‘essential entities’ and ‘important entities’ meeting specific thresholds in a large number of sectors. This proposal for a directive on the resilience of critical entities aims to ensure that competent authorities designated under this directive and those designated under the proposed NIS 2 Directive take complementary measures and exchange information as necessary regarding cyber and non-cyber resilience, and that particularly critical entities in the sectors considered to be ‘essential’ per the proposed NIS 2 Directive are also subject to more general resilience-enhancing obligations to address non-cyber risks. The physical security of network and information systems of entities in the digital infrastructure sector is addressed comprehensively in the proposed NIS 2 Directive as part of those entities’ cybersecurity risk management and reporting obligations. In addition, the proposal builds on the existing financial services acquis, which establishes comprehensive requirements on financial entities to manage operational risks and ensure business continuity. Therefore, entities pertaining to the digital infrastructure, banking and financial infrastructure sectors should be treated as entities equivalent to critical entities pursuant to this Directive for the purposes of the obligations and activities of Member States while this Directive would not entail additional obligations on those entities.

The proposal also accounts for other sectoral and cross-sectoral initiatives on, e.g. civil protection, disaster risk reduction and climate change adaptation. Furthermore, the proposal recognises that in certain cases, existing EU legislation puts in place obligations on entities to address certain risks through protective measures. In such cases, e.g. on aviation or maritime security, the critical entities should describe those measures in their resilience plans. Furthermore, the proposed directive is without prejudice to the application of competition rules laid down in the Treaty on the Functioning of the European Union (TFEU).

2. LEGAL BASIS, SUBSIDIARITY AND PROPORTIONALITY

Legal basis

Unlike Directive 2008/114/EC, which was based on Article 308 of the Treaty establishing the European Community (corresponding to the current Article 352 of the Treaty on the Functioning of the European Union), this proposal for a directive is based on Article 114 TFEU, which involves the approximation of laws for the improvement of the internal market.

This is justified by the shift of the directive’s aim, scope and content, increased interdependencies and the need to establish a more level playing field for critical entities. Instead of protecting a limited set of physical infrastructures the disruption or destruction of which would have significant cross-border impacts, the aim is to enhance the resilience of entities in Member States which are critical for the provision of services which are essential for the maintenance of vital societal functions or economic activities in the internal market in a number of sectors underpinning the functioning of many other sectors of the economy of the Union. Because of the increased cross-border interdependencies between the services provided using critical infrastructures in those sectors, a disruption in one Member State may have implications in other Member States or the Union as a whole.

The current legal framework as established at Member State level regulating the services in question entails substantially diverging obligations, which are likely to increase. The diverging national rules to which critical entities are subject not only compromise the reliable provision of services across the internal market but also risk negatively affecting competition.

This is principally due to the fact that similar types of entities providing similar types of services are considered as critical in some Member States but not in others. This means that entities that are, or that want to be, active in more than one Member State are subject to diverging obligations when acting across the internal market and that entities active in Member States with more stringent requirements may face obstacles compared to those in Member States with more lenient frameworks. These divergences are such that they have a direct negative effect on the functioning of the internal market.

Subsidiarity

A common legislative framework at European level in this area is justified given the interdependent, cross-border nature of relationships between critical infrastructure operations and their outputs, i.e. essential services. Indeed, an operator situated in one Member State may provide services in several other Member States or across the entire EU through tightly intertwined networks. It follows that a disruption affecting this operator could have far-reaching effects into other sectors and over national borders. The potential pan-European implications of disruptions call for action at EU level. In addition, diverging national rules result in a direct negative effect on the functioning of the internal market. As the impact assessment has demonstrated, many Member States and industry stakeholders see a need for a more common and coordinated European approach aimed at ensuring that entities are sufficiently resilient in the face of different risks that, while somewhat different from one Member State to another, create many common challenges that cannot be addressed through national measures or by individual operators alone.

Proportionality

The proposal is proportionate in relation to the stated overarching objective of the initiative. While the obligations on Member States and critical entities may in certain cases entail some additional administrative burden, e.g. where Member States need to develop a national strategy or where critical entities must implement certain technical and organisational measures, these are anticipated to be generally limited in nature. In this regard, it should be noted that many entities have already taken some security measures to protect their infrastructures and ensure business continuity.

In some cases, however, achieving compliance with the directive may require more substantial investments. Even in such cases, though, these investments are justified insofar as they would contribute to enhanced operator-level and systemic resilience as well as a more coherent approach and an increased ability to provide reliable services across the Union. Furthermore, any additional burden resulting from the directive is expected to be far exceeded by the costs associated with having to manage and recover from major disruptions that jeopardise the uninterrupted provision of services relating to vital societal functions and the economic well-being of operators, individual Member States, the Union and its citizens more generally.

Choice of the instrument

The proposal takes the form of a directive aimed at ensuring a more common approach to the resilience of critical entities in a number of sectors across the Union. The proposal sets out specific obligations on competent authorities to identify critical entities on the basis of common criteria and the outcomes of the risk assessment. By way of a directive, it is possible to ensure that Member States apply a uniform approach in identifying critical entities, while at the same time accounting for specificities at national level, including varying levels of risk exposure and interdependencies between sectors and over borders.

3. RESULTS OF EX-POST EVALUATIONS, STAKEHOLDER CONSULTATIONS AND IMPACT ASSESSMENTS

Ex-post evaluations/fitness checks of existing legislation

The European Critical Infrastructure (ECI) Directive was in 2019 subject to an evaluation aimed at assessing the implementation of the directive in terms of its relevance, coherence, effectiveness, efficiency, EU added value and sustainability.

The evaluation found that the context has changed considerably since the directive entered into force. In view of these changes, the directive was found to have only partial relevance. While the evaluation found that the directive was generally consistent with relevant European sectoral legislation and policy at international level, it was seen to be only partially effective due to the generality of some of its provisions. The directive was found to have generated EU added value insofar as it achieved results (i.e. a common framework for the protection of ECIs) that neither national nor other European initiatives could otherwise have achieved without initiating much longer, costlier and less well-defined processes. That being said, certain provisions were found to have had limited added value for many Member States.

With regard to sustainability, certain effects generated by the directive (e.g. cross-border discussions, reporting requirements) were expected to cease were the directive to be repealed and not replaced. The evaluation found that there is continued support on the part of Member States for EU involvement in efforts to strengthen critical infrastructure resilience, and that there is some concern that the outright repeal of the directive might have negative effects in this area, and specifically on protection of designated ECIs. Member States were keen to ensure that the Union’s engagement in the field continues to respect the principle of subsidiarity, supports measures at national level, and facilitates cross-border cooperation, including with third countries.

Stakeholder consultations

In developing this proposal, the Commission has consulted a wide variety of stakeholders, including: European Union Institutions and agencies; international organisations; Member State authorities; private entities, including individual operators and national and European industry associations representing operators in many different sectors; experts and expert networks, including the European Reference Network for Critical Infrastructure Protection (ERNCIP); members of academia; non-governmental organisations; and members of the public.

Stakeholders were consulted through a variety of means, including: a public feedback opportunity regarding the Inception Impact Assessment for this proposal; consultative seminars; targeted questionnaires; bilateral exchanges; and a public consultation (to support the 2019 evaluation of the ECI Directive). Moreover, the external contractor responsible for the feasibility study that supported the development of the impact assessment involved consultations with many stakeholders through, e.g. an online survey, a written questionnaire, one-on-one interviews, and virtual ‘field visits’ in 10 Member States.

[12] SWD(2019) 310.

These consultations allowed the Commission to explore the effectiveness, efficiency, relevance, coherence and EU added value of the existing framework for critical infrastructure resilience (i.e. the baseline situation), what problems it has generated, different policy options that might be considered in addressing these problems, and the specific impacts that these options might be expected to have. Generally speaking, the consultations pointed to a number of areas where there was overall consensus among stakeholders, not least that the existing EU framework on critical infrastructure resilience should be revamped in light of growing cross-sectoral interdependencies and a shifting threat landscape.

Specifically, stakeholders were in general in agreement that any new approach should consist of a combination of binding and non-binding measures, focus on resilience rather than asset-centric protection, and provide a more obvious link between measures aimed at enhancing cyber- and non-cyber-related resilience. Furthermore, they supported an approach that accounts for provisions in existing sectoral legislation, encompasses at least those sectors covered by the current NIS Directive, and more uniform obligations on critical entities at national level, which in turn should be able to exercise sufficient security scrutiny of personnel with access to sensitive facilities/information. Additionally, stakeholders suggested that any new approach should create opportunities for Member States to carry out enhanced oversight over the activities of critical entities, but also ensure that critical entities of pan-European significance are identified and sufficiently resilient. Finally, they argued for more EU funding and support to, e.g. the implementation of any new instrument, capacity-building at national level, and public-private coordination/cooperation and the sharing of good practice, knowledge and expertise at different levels. The proposal at hand contains provisions that generally correspond to the views and preferences expressed by stakeholders.

Collection and use of expertise

As mentioned in the preceding section, the Commission has drawn on external expertise in the context of consultations with, e.g. independent experts, expert networks and members of academia, in developing the proposal at hand.

Impact assessment

The impact assessment that supported the development of this initiative explored different policy options to address the general and specific problems described earlier. Besides the baseline situation, which would entail no change over the current situation, these options included:

– Option 1: The retention of the existing ECI Directive, accompanied by voluntary measures within the context of the existing EPCIP programme;

– Option 2: The revision of the existing ECI Directive to cover the same sectors as the existing NIS Directive and to focus more on resilience. The new ECI directive would entail changes to the existing cross-border ECI designation process, including new designation criteria, and new requirements on Member States and operators;

– Option 3: The replacement of the existing ECI Directive with a new instrument aimed at enhancing the resilience of critical entities in the sectors considered as essential by the proposed NIS 2 Directive. This option would set out minimum requirements for Member States and critical entities identified under the new framework. A procedure for the identification of critical entities offering services to or in several if not all EU Member States would be provided. The implementation of the legislation would be supported by a dedicated knowledge hub within the Commission.

– Option 4: The replacement of the existing ECI Directive with a new instrument aimed at enhancing the resilience of critical entities in the sectors considered as essential by the proposed NIS 2 Directive, as well as a more substantial role for the Commission in identifying critical entities and the creation of a dedicated EU Agency responsible for critical infrastructure resilience (which would assume the roles and responsibilities assigned to the knowledge hub proposed in previous option).

In light of the various economic, social and environmental impacts associated with each of the options, but also their value in terms of effectiveness, efficiency and proportionality, the impact assessment found that the preferred option was Option 3. While Options 1 and 2 would not deliver the changes needed to address the problem, Option 3 would result in a harmonised and more comprehensive resilience framework that would also be aligned with and account for existing Union law in related fields. Option 3 was also found to be proportionate and to appear politically feasible as it aligns with the statements of the Council and Parliament regarding the need for Union action in this area. Furthermore, this option was found to be likely to ensure flexibility and offer a future-proof framework that would allow critical entities to respond to different risks over time. Finally, the impact assessment found that this option would be complementary to existing sectoral and cross-sectoral frameworks and instruments. For instance, this option makes allowances for when designated entities meet certain obligations contained in this new instrument through obligations in existing ones, in which case they would not be required to take further action. On the other hand, they would be expected to take certain measures where existing instruments do not cover the matter or are limited to only certain types of risks or measures.

The impact assessment was subject to scrutiny by the Regulatory Scrutiny Board, which issued a positive opinion with reservations on 20 November 2020. The Board pointed to a number of elements of the impact assessment that should be addressed. Specifically, the Board requested further clarification concerning the risks related to critical infrastructure and the cross-border dimension, the link between the initiative and the ongoing revision of the NIS Directive, and the relationship between the preferred policy option and other pieces of sectoral legislation. Furthermore, the Board saw the need for further justification for expanding the sectoral scope of the instrument, and requested additional information concerning the criteria for selecting critical entities. Finally, as regards proportionality, the Board sought additional clarification as to how the preferred option would lead to better national responses to cross-border risks. These and other more detailed comments provided by the Board have been addressed in the final version of the impact assessment, which, for instance, describes in more detail the cross-border risks to critical infrastructures and the relationship between this proposal and the proposal for the NIS 2 directive. The Board’s comments have also been accounted for in the proposed directive that follows.

Regulatory fitness and simplification

In line with the Commission’s Regulatory Fitness and Performance Programme (REFIT), all initiatives aimed at changing existing EU legislation should seek to simplify and deliver stated policy objectives more efficiently. The findings of the impact assessment suggest that the proposal should reduce the overall burden on Member States. Closer alignment with the services-oriented approach of the current NIS Directive is likely to lead to reduced compliance costs over time. For instance, the burdensome cross-border identification and designation process contained in the existing ECI Directive would be replaced with a risk-based procedure at national level aimed only at identifying critical entities subject to various obligations. On the basis of the risk assessment, Member States would identify critical entities, most of which are already designated operators of essential services per the current NIS Directive.

Furthermore, by taking measures to enhance their resilience, critical entities will be less likely to experience disruptions. Thus, the likelihood for disruptive incidents affecting negatively the provision of essential services in individual Member States and across Europe would be reduced. This, together with the positive effects resulting from harmonising at Union level diverging national rules, would have a positive impact on businesses, including micro-enterprises and small and medium enterprises, the overall health of the Union economy and the reliable functioning of the internal market.

Fundamental rights

The proposed legislation is intended to enhance the resilience of critical entities providing various forms of essential services, whilst eliminating regulatory obstacles to their ability to provide their services across the Union. In so doing, the overall risk for disruptions at both societal and individual level would be reduced and burdens would be reduced. That would contribute to ensuring a higher level of public security whilst also positively affecting the freedom of companies to conduct business, as well as many other economic operators reliant on the provision of essential services, ultimately benefitting consumers. The proposal’s provisions aimed at ensuring effective employee security management will normally involve the processing of personal data. This is justified by the need to carry out background checks on specific categories of personnel. Moreover, any such processing of personal data will always be subject to compliance with Union rules on the protection of personal data, including the General Data Protection Regulation.[13]

4. BUDGETARY IMPLICATIONS

The proposed directive has implications for the Union budget. The total financial resources necessary to support the implementation of this proposal are estimated to be EUR 42.9 million for the period 2021-2027, of which EUR 5.1 million is administrative expenditure. These costs can be broken down as follows:

– Support activities by the Commission including staffing, projects, studies and support activities;
– Advisory missions organised by the Commission;
– Regular meetings of the Critical Entity Resilience Group, Comitology Committee and other meetings.

More detailed information is available in the Legislative Financial Statement that accompanies this proposal.

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

5. OTHER ELEMENTS

Implementation plans and monitoring, evaluation and reporting arrangements

The implementation of the proposed directive will be reviewed by four years and a half after its entry into force, after which the Commission will submit a report to the European Parliament and to the Council. This report will assess the extent to which the Member States have taken the necessary measures to comply with the directive. A report assessing the impact and added value of the directive will be submitted by the Commission to the European Parliament and to the Council by six years after the entry into force of the directive.

Detailed explanation of the specific provisions of the proposal

Subject matter, scope and definitions (Articles 1-2)

Article 1 sets out the subject matter and scope of the directive, which lays down obligations for Member States to take certain measures aimed at ensuring the provision in the internal market of services essential for the maintenance of vital societal functions or economic activities, in particular to identify critical entities and to enable them to meet specific obligations aimed at enhancing their resilience and improving their ability to provide those services in the internal market. The directive also establishes rules on supervision and enforcement of critical entities and the specific oversight of critical entities considered to be of particular European significance. Article 1 also explains the relationship between the directive and other relevant acts of Union law, and the conditions under which information that is confidential pursuant to Union and national rules shall be exchanged with the Commission and other relevant authorities. Article 2 provides a list of definitions that apply.

National frameworks on the resilience of critical entities (Articles 3-9)


Article 3 states that Member States shall adopt a strategy for reinforcing the resilience of critical entities, describes the elements that it should contain, explains that it should be updated regularly and where necessary, and stipulates that Member States shall communicate their strategies and any updates of their strategies to the Commission. Article 4 states that competent authorities shall establish a list of essential services and carry out regularly an assessment of all relevant risks that may affect the provision of those essential services with a view to identifying critical entities. This assessment shall account for the risk assessments carried out in accordance with other relevant acts of Union law, the risks arising from the dependencies between specific sectors, and available information on incidents. Member States shall ensure that relevant elements of the risk assessment are made available to critical entities, and that data on the types of risks identified and the outcomes of their risk assessments is made regularly available to the Commission.

Article 5 states that Member States shall identify critical entities in specific sectors and sub-sectors. The identification process should account for the outcomes of the risk assessment and apply specific criteria. Member States shall establish a list of critical entities, which shall be updated where necessary and regularly. Critical entities shall be duly notified of their identification and the obligations that this entails. Competent authorities responsible for the implementation of the directive shall notify the competent authorities responsible for the implementation of the NIS 2 Directive of the identification of critical entities. Where an entity has been identified as critical by two or more Member States, the Member States shall engage in consultation with each other with a view to reduce the burden on the critical entity. Where critical entities provide services to or in more than one third of Member States, the Member State concerned shall notify to the Commission the identities of those critical entities.

Article 6 defines the term ‘significant disruptive effect’ as referred to in Article 5(2), and requires that Member States submit to the Commission certain forms of information pertaining to the critical entities that they identify and how they were identified. Article 6 also empowers the Commission, after consultation of the Critical Entities Resilience Group, to adopt relevant guidelines.

Article 7 establishes that Member States should identify entities in the banking, financial market infrastructure and digital infrastructure sectors that are to be treated as equivalent to critical entities for the purposes of chapter II only. These entities should be notified of their identification.

Article 8 stipulates that each Member State shall designate and ensure that adequate resources are provided to one or more competent authorities responsible for the correct application of the directive at national level as well as a single point of contact tasked with ensuring cross-border cooperation. The single point of contact shall provide a summary report on incident notifications to the Commission on a regular basis. Article 8 requires that competent authorities responsible for the application of the directive cooperate with other relevant national authorities, including competent authorities designated under the NIS 2 Directive. Article 9 stipulates that Member States shall provide support to critical entities in ensuring their resilience, and shall facilitate cooperation and the voluntary exchange of information and good practices between competent authorities and critical entities.

Resilience of critical entities (Articles 10-13)


Article 10 states that critical entities shall regularly assess all relevant risks on the basis of national risk assessments and other relevant sources of information. Article 11 stipulates that critical entities shall take appropriate and proportionate technical and organisational measures to ensure their resilience, and shall ensure that these measures are described in a resilience plan or equivalent document or documents. Member States may request that the Commission organise advisory missions to provide advice to critical entities in meeting their obligations. Article 11 also empowers the Commission, where necessary, to adopt delegated and implementing acts.

Article 12 states that Member States shall ensure that critical entities may submit requests for background checks for persons who fall or might come to fall within certain specific categories of personnel, and that these requests are assessed expeditiously by the authorities responsible for carrying out such background checks. The article describes the purpose, scope and contents of the background checks, all of which shall comply with the General Data Protection Regulation.

Article 13 states that Member States shall ensure that critical entities notify the competent authority of incidents that significantly disrupt or have the potential to significantly disrupt their operations. Competent authorities in turn shall provide the notifying critical entity with relevant follow-up information. Via the single point of contact, competent authorities shall also inform the single points of contact in other affected Member States in the event that the incident has, or may have, cross-border impacts in one or more other Member States.

Specific oversight over critical entities of particular European significance (Articles 14-15)


Article 14 defines critical entities of particular European significance as entities that have been identified as critical entities and that provide essential services to or in more than one third of Member States. Upon receiving notification pursuant to Article 5(6), the Commission shall inform the entity concerned that it is considered a critical entity of particular European significance, the obligations that this entails and the date from which those obligations begin to apply. Article 15 describes the specific oversight arrangements applicable to critical entities of particular European significance, which include, upon request, that host Member States provide the Commission and Critical Entities Resilience Group with information concerning the risk assessment pursuant to Article 10 and the measures taken in accordance with Article 11, as well as any supervisory or enforcement actions. Article 15 also stipulates that the Commission may organise advisory missions to assess the measures put in place by specific critical entities of particular European significance. On the basis of an analysis of the advisory mission’s findings by the Critical Entities Resilience Group, the Commission shall communicate its views to the Member State where the infrastructure of the entity is located on whether that entity complies with its obligations and, where appropriate, which measures could be taken to improve the resilience of the entity. The article describes the composition, organisation and funding of the advisory missions. It also stipulates that the Commission shall adopt an implementing act laying down rules on the procedural arrangements for the conduct and reports of advisory missions.

Cooperation and reporting (Articles 16-17)


Article 16 describes the role and tasks of the Critical Entities Resilience Group, which shall be composed of representatives of the Member States and the Commission. It shall support the Commission and facilitate strategic cooperation and the exchange of information. The article explains that the Commission may adopt implementing acts laying down procedural arrangements necessary for the functioning of the Critical Entities Resilience Group. Article 17 stipulates that the Commission shall, where appropriate, support Member States and critical entities in complying with their obligations under the directive, and complement Member State activities referred to in Article 9.

Supervision and enforcement (Articles 18-19)


Article 18 states that Member States have certain powers, means and responsibilities in ensuring the implementation and enforcement of the directive. Member States shall ensure that, when a competent authority assesses the compliance of a critical entity, it shall inform the competent authorities of the Member State concerned designated under the NIS 2 Directive and may request these authorities to assess the cybersecurity of such entity, and should cooperate and exchange information for this purpose. Article 19 states that, in accordance with long-standing practice, Member States are to lay down the rules on penalties applicable to infringements and to take all measures necessary to ensure that they are implemented.

Final provisions (Articles 20-26)


Article 20 states that the Commission shall be assisted by a committee within the meaning of Regulation (EU) 182/2011. This is a standard article. Article 21 confers to the Commission the power to adopt delegated acts subject to conditions laid down in the article. This, too, is a standard article. Article 22 states that the Commission shall submit a report to the European Parliament and to the Council assessing the extent to which the Member States have taken the necessary measures to comply with the directive. A report assessing the impact and added value of the directive and whether the scope of the directive should be extended to other sectors or subsectors, including the food production, processing and distribution sector, must be submitted regularly to the European Parliament and to the Council.

Article 23 states that Directive 2008/114/EC is repealed with effect from the date of entry into application of the directive. Article 24 states that Member States shall adopt and publish, within the set time period, the laws, regulations and administrative provisions necessary to comply with the directive, and inform the Commission thereof. The text of the main provisions of national law which they adopt in the field covered by this directive shall be communicated to the Commission. Article 25 states that the directive shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union. Article 26 states that the directive is addressed to the Member States.