27 Amendments of Paolo BORCHIA related to 2020/0365(COD)

Amendment 26 #
Proposal for a directive
Recital 1
(1) Council Directive 2008/114/EC17 provides for a procedure for designating European critical infrastructures in the energy and transport sectors, the disruption or destruction of which would have significant cross-border impact on at least two Member States. That Directive focused exclusively on the protection of such infrastructures. However, the evaluation of Directive 2008/114/EC18 conducted in 2019 found that due to the increasingly interconnected and cross-border nature of operations using critical infrastructure, protective measures relating to individual assets alone are insufficient to prevent all disruptions from taking place. Therefore, it is necessary to shift the approach towards ensuring the resilience of critical entities, that is, their ability to mitigate, absorb, react to, accommodate to and recover from incidents that have the potential to disrupt the operations of the critical entity.
_________________
17 Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection (OJ L 345, 23.12.2008, p. 75).
18 SDW(2019) 308.
2021/05/31
Committee: ITRE
Amendment 31 #
Proposal for a directive
Recital 2
(2) Despite existing measures at Union19 and national level aimed at supporting the protection of critical infrastructures in the Union, the entities operating those infrastructures are not adequately equipped to address current and anticipated future risks to their operations that may result in disruptions of the provision of services that are essential for the performance of vital societal functions or economic activities. This is due to a dynamic threat landscape with an evolving terrorist and hybrid threat and growing interdependencies between infrastructures and sectors, as well as an increased physical risk due to industrial accidents, human and cyber actions, natural disasters and climate change, which increases the frequency and scale of extreme weather events and brings long-term changes in average climate that can reduce the capacity and efficiency of certain infrastructure types if resilience or climate adaptation measures are not in place. Moreover, relevant sectors and types of entities are not recognised consistently as critical in all Member States.
_________________
19 European Programme for Critical Infrastructure Protection (EPCIP).
2021/05/31
Committee: ITRE
Amendment 34 #
Proposal for a directive
Recital 3
(3) Those growing interdependencies are the result of an increasingly cross-border and interdependent network of service provision using key infrastructures across the Union in the sectors of energy, transport, banking, financial market infrastructure, digital infrastructure, drinking and waste water, health, certain aspects of public administration, as well as space in as far as the provision of certain services depending on ground-based infrastructures that are owned, managed and operated either by Member States or by private parties is concerned, therefore not covering infrastructures owned, managed or operated by or on behalf of the Union as part of its space programmes. These interdependencies mean that any disruption, even one initially confined to one entity or one sector, can have cascading effects more broadly, potentially resulting in far-reaching and long-lasting negative impacts in the delivery of services across the internal market and for the security and safety of Member State citizens. The COVID-19 pandemic has shown the vulnerability of our increasingly interdependent societies in the face of low-probability risks.
2021/05/31
Committee: ITRE
Amendment 37 #
Proposal for a directive
Recital 4
(4) The entities involved in the provision of essential services are increasingly subject to diverging requirements imposed under the laws of the Member States. The fact that some Member States have less stringent security requirements on these entities not only risks impacting negatively on the maintenance of vital societal functions or economic activities across the Union, it also leads to obstacles to the proper functioning of the internal market and affects the safety and security of Member State citizens. Similar types of entities are considered as critical in some Member States but not in others, and those which are identified as critical are subject to divergent requirements in different Member States. This results in additional and unnecessary administrative burdens for companies operating across borders, notably for companies active in Member States with more stringent requirements.
2021/05/31
Committee: ITRE
Amendment 40 #
Proposal for a directive
Recital 7
(7) Certain sectors of the economy such as energy and transport are already regulated or may be regulated in the future by sector-specific acts of national or Union law that contain rules related to certain aspects of resilience of entities operating in those sectors. In order to address in a comprehensive manner the resilience of those entities that are critical for the proper functioning of the internal market, those sector-specific measures should be complemented by the ones provided for in this Directive, which creates an overarching framework that addresses critical entities’ resilience in respect of all hazards, that is, natural and man-made, accidental and intentional.
2021/05/31
Committee: ITRE
Amendment 42 #
Proposal for a directive
Recital 8
(8) Given the importance of cybersecurity for the resilience of critical entities and in the interest of consistency, a coherent approach between this Directive and Directive (EU) XX/YY of the European Parliament and of the Council20 [Proposed Directive on measures for a high common level of cybersecurity across the Union; (hereafter “NIS 2 Directive”)] is necessary wherever possible, preventing any overlap that could hinder the simultaneous legislative effectiveness of the two regulations. In view of the higher frequency and particular characteristics of cyber risks, the NIS 2 Directive imposes comprehensive requirements on a large set of entities to ensure their cybersecurity. Given that cybersecurity is addressed sufficiently in the NIS 2 Directive, the matters covered by it should be excluded from the scope of this Directive, without prejudice to the particular regime for entities in the digital infrastructure sector.
_________________
20 [Reference to NIS 2 Directive, once adopted.]
2021/05/31
Committee: ITRE
Amendment 44 #
Proposal for a directive
Recital 10
(10) In view of ensuring a comprehensive approach to the resilience of critical entities, each Member State should have a strategy setting out objectives and policy measures to be implemented. To achieve this, Member States should ensure that their cybersecurity strategies provide for a policy framework for enhanced coordination between the competent authority under this Directive and the NIS 2 Directive in the context of information sharing on incidents and cyber threats and the exercise of supervisory tasks without, however, causing additional double costs for operators.
2021/05/31
Committee: ITRE
Amendment 45 #
Proposal for a directive
Recital 11
(11) The actions of Member States to identify and help ensure the resilience of critical entities should follow a risk-based approach that targets efforts to the entities most relevant for the performance of vital societal functions or economic activities. In order to ensure such a targeted approach, each Member State should carry out, within a harmonised framework, an assessment of all relevant natural and man-made risks that may affect the provision of essential services, including industrial accidents, hybrid threats, natural disasters, public health emergencies such as pandemics, and antagonistic threats, including terrorist offences. When carrying out those risk assessments, Member States should take into account other general or sector-specific risk assessment carried out pursuant to other acts of Union law and should consider the dependencies between sectors, including from other Member States and third countries. The outcomes of the risk assessment should be used in the process of identification of critical entities and to assist those entities in meeting the resilience requirements of this Directive.
2021/05/31
Committee: ITRE
Amendment 48 #
Proposal for a directive
Recital 16
(16) Member States, in coordination with their own national security authorities, should designate authorities competent to supervise the application of and, where necessary, enforce the rules of this Directive and ensure that those authorities are adequately empowered and resourced. In view of the differences in national governance structures and in order to safeguard already existing sectoral arrangements or Union supervisory and regulatory bodies, and to avoid duplication, Member States should be able to designate more than one competent authority. In that case, they should however clearly delineate the respective tasks of the authorities concerned and ensure that they cooperate smoothly and effectively. All competent authorities should also cooperate more generally with other relevant authorities, both at national and Union level.
2021/05/31
Committee: ITRE
Amendment 52 #
Proposal for a directive
Recital 20
(20) In order to be able to ensure their resilience, critical entities should have a comprehensive understanding of all relevant risks to which they are exposed and analyse those risks. To that aim, they should carry out risks assessments, whenever necessary in view of their particular circumstances and the evolution of those risks, yet in any event every four years. The risk assessments by critical entities should be based on the risk assessment carried out by Member States, in close cooperation with police, defence and national security authorities.
2021/05/31
Committee: ITRE
Amendment 54 #
Proposal for a directive
Recital 24
(24) The risk of employees of critical entities misusing for instance their access rights within the entity’s organisation to harm and cause damage is of increasing concern. That risk is exacerbated by the intensity of hybrid threats, which are increasingly difficult to track and identify, and by the growing phenomenon of radicalisation leading to violent extremism and terrorism. It is therefore necessary to enable critical entities to request background checks on persons falling within specific categories of its personnel and to ensure that those requests are assessed expeditiously by the relevant authorities, in accordance with the applicable rules of Union and national law, including on the protection of personal data. Specific training for employees and operators should be developed.
2021/05/31
Committee: ITRE
Amendment 55 #
Proposal for a directive
Recital 25
(25) Critical entities should notify, as soon as reasonably possible under the given circumstances, Member States’ competent authorities of incidents that significantly disrupt or have the potential to significantly disrupt their operations. The notification should allow the competent authorities to respond to the incidents rapidly and adequately to prevent even worse consequences and to have a comprehensive overview of the overall risks that critical entities face. For that purpose, a procedure should be established for the notification of certain incidents and parameters should be provided for to determine when the actual or potential disruption is significant and the incidents should thus be notified. Given the potential cross-border impacts of such disruptions, a procedure should be established for Member States to inform other affected Member States via single points of contacts. Given the sensitivity of some events, appropriate forms of confidentiality should be established, together with mechanisms to prevent the dissemination of uncontrolled information.
2021/05/31
Committee: ITRE
Amendment 56 #
Proposal for a directive
Article 1 – paragraph 1 – point a
(a) lays down obligations for Member States to take certain measures aimed at ensuring the provision in the internal market of services essential for the maintenance of vital societal functions or economic activities, in particular to identify critical entities and entities to be treated as equivalent in certain respects, and to enable them to meet their obligations, especially if they are particularly vulnerable;
2021/05/31
Committee: ITRE
Amendment 58 #
Proposal for a directive
Article 1 – paragraph 1 – point b
(b) establishes obligations for critical entities aimed at enhancing their resilience and improving their ability to provide those services in the internal market and, in the event of an interruption, to quickly limit any damage or consequences in consultation with the designated national authorities;
2021/05/31
Committee: ITRE
Amendment 60 #
Proposal for a directive
Article 2 – paragraph 1 – point 7 a (new)
(7a) ‘security-critical technologies’ means the technologies needed to ensure that critical entities are resilient to hostile threats such as terrorism and hybrid threats.
2021/05/31
Committee: ITRE
Amendment 61 #
Proposal for a directive
Article 3 – paragraph 2 – point a
(a) strategic objectives and priorities for the purposes of enhancing the overall resilience of critical entities and their supply chain taking into account cross-border and cross-sectoral interdependencies;
2021/05/31
Committee: ITRE
Amendment 62 #
Proposal for a directive
Article 3 – paragraph 2 – point b
(b) a governance framework to achieve the strategic objectives and priorities, including a description of the roles and responsibilities of the different authorities, (public and private) critical entities and other parties involved in the implementation of the strategy, including, where necessary, police, defence and national security authorities;
2021/05/31
Committee: ITRE
Amendment 63 #
(c) a description of measures necessary to enhance the overall resilience of critical entities, including a national risk assessment, the identification of critical entities and of entities equivalent to critical entities, and the measures to support critical entities taken in accordance with this Chapter, including measures to establish a cooperation framework among stakeholders, including critical entities, operators and suppliers of technology solutions;
2021/05/31
Committee: ITRE
Amendment 64 #
Proposal for a directive
Article 3 – paragraph 2 – point d a (new)
(da) the identification of technological needs and gaps to be addressed to ensure that critical entities are resilient, including security-critical technologies such as secure communications, biometrics, artificial intelligence, autonomous vehicles and space observation.
2021/05/31
Committee: ITRE
Amendment 67 #
Proposal for a directive
Article 4 – paragraph 1 – subparagraph 2
The risk assessment shall account for all relevant natural and man-made risks, including industrial accidents, hybrid threats, natural disasters, public health emergencies, antagonistic threats, including terrorist offences pursuant to Directive (EU) 2017/541 of the European Parliament and of the Council34.
_________________
34 Directive (EU) 2017/541 of the European Parliament and of the Council of 15 March 2017 on combating terrorism and replacing Council Framework Decision 2002/475/JHA and amending Council Decision 2005/671/JHA (OJ L 88, 31.3.2017, p. 6).
2021/05/31
Committee: ITRE
Amendment 69 #
Proposal for a directive
Article 6 – paragraph 1 – point c
(c) the impacts that incidents could have, in terms of degree and duration, on economic and societal activities, the environment, public administration, health, energy supplies, national defence and public safety;
2021/05/31
Committee: ITRE
Amendment 71 #
Proposal for a directive
Article 8 – paragraph 5
5. Member States shall ensure that their competent authorities, whenever appropriate, and in accordance with Union and national law, consult and cooperate with other relevant national authorities, in particular those in charge of national security, defence, civil protection, law enforcement and protection of personal data, as well as with relevant interested parties, including critical entities.
2021/05/31
Committee: ITRE
Amendment 72 #
Proposal for a directive
Article 9 – paragraph 1
1. Member States shall support critical entities in enhancing their resilience, developing protocols, agreements, cooperation and exchange of information and expertise between the public and private sectors. That support may include developing guidance materials and methodologies, supporting the organisation of exercises to test their resilience and providing training to personnel of critical entities.
2021/05/31
Committee: ITRE
Amendment 76 #
Proposal for a directive
Article 10 – paragraph 2
The risk assessment shall account for all relevant risks referred to in Article 4(1) which could lead to the disruption of the provision of essential services, including an assessment of the international situation. It shall take into account any dependency of other sectors referred to in the Annex on the essential service provided by the critical entity, including in neighbouring Member States and third countries where relevant, and the impact that a disruption of the provision of essential services in one or more of those sectors may have on the essential service provided by the critical entity.
2021/05/31
Committee: ITRE
Amendment 77 #
Proposal for a directive
Article 11 – paragraph 1 – point a
(a) prevent incidents from occurring, including through disaster risk reduction and climate adaptation measures and measures to protect against hybrid threats and industrial accidents and limit the effects of climate change;
2021/05/31
Committee: ITRE
Amendment 78 #
Proposal for a directive
Article 11 – paragraph 1 – point e
(e) ensure adequate employee and training security management, including by setting out categories of personnel exercising critical functions, establishing access rights to sensitive areas, facilities and other infrastructure, and to sensitive information as well as identifying specific categories of personnel in view of Article 12;
2021/05/31
Committee: ITRE
Amendment 79 #
Proposal for a directive
Article 11 – paragraph 1 – point f
(f) raise awareness about and provide training on the measures referred to in points (a) to (e) among relevant personnel and operators.
2021/05/31
Committee: ITRE