Activities of Maria GRAPINI related to 2020/0365(COD)
Plenary speeches (1)
Resilience of critical entities (debate)
Shadow opinions (1)
OPINION on the proposal for a directive of the European Parliament and of the Council on the resilience of critical entities
Amendments (72)
Amendment 15 #
Proposal for a directive
Recital 2
Recital 2
(2) Despite existing measures at 19 Union and national level aimed at supporting the protection of critical infrastructures in the Union, the entities operating those infrastructures are not adequately equipped to address current and anticipated future risks to their operations that may result in disruptions of the provision of services that are essential for the performance of vital societal functions or economic activities. This is due to a dynamic threat landscape with an evolving terrorist threat, cyber attacks and growing interdependencies between infrastructures and sectors, as well as an increased physical risk due to natural disasters and climate change, which increases the frequency and scale of extreme weather events and brings long-term changes in average climate that can reduce the capacity and efficiency of certain infrastructure types if resilience or climate adaptation measures are not in place. Moreover, relevant sectors and types of entities are not recognised consistently as critical in all Member States. _________________ 19European Programme for Critical Infrastructure Protection (EPCIP).
Amendment 26 #
Proposal for a directive
Recital 5
Recital 5
(5) It is therefore necessary to lay down harmonised minimum rulrules for all critical entities from all Member States to ensure the provision of essential services in the internal market and enhance the resilience of critical entities.
Amendment 37 #
Proposal for a directive
Recital 19
Recital 19
(19) Member States should support critical entities in strengthening their resilience, in compliance with their obligations under this Directive, without prejudice to the entities’ own legal responsibility to ensure such compliance. Member States could in particular develop guidance materials and methodologies, support the organisation of exercises to test their resilience and provide training to personnel of critical entities. Moreover, given the interdependencies between entities and sectors, Member States should establish information sharing tools to support voluntary information sharing between critical entities, without prejudice to the application of competition rules laid down in the Treaty on the Functioning of the European Union.
Amendment 41 #
Proposal for a directive
Recital 20
Recital 20
(20) In order to be able to ensure their resilience, critical entities should have a comprehensive understanding of all relevant risks to which they are exposed and, analyse those risks and establish measures to combat them. To that aim, they should carry out risks assessments, whenever necessary in view of their particular circumstances and the evolution of those risks, yet in any event every fourthree years. The risk assessments by critical entities should be based on the risk assessment carried out by Member States.
Amendment 46 #
Proposal for a directive
Recital 28
Recital 28
(28) In order to support the Commission and facilitate strategic cooperation and the exchange of information, including best practices, on issues relating to this Directive, a Critical Entities Resilience Group, which is a Commission expert group, should be established. Member States should endeavour to ensure effective and efficient cooperation of the designated representatives of their competent authorities in the Critical Entities Resilience Group. The group should begin to perform its tasks from sixfour months after the entry into force of this Directive, so as to provide additional means for appropriate cooperation during the transposition period of this Directive.
Amendment 47 #
Proposal for a directive
Recital 30
Recital 30
(30) Member States should ensure that their competent authorities have certain specific powers, the necessary infrastructure and tools for the proper application and enforcement of this Directive in relation to critical entities, where those entities fall under their jurisdiction as specified in this Directive. Those powers should include, notably, the power to conduct inspections, supervision and audits, require critical entities to provide information and evidence relating to the measures they have taken to comply with their obligations and, where necessary, issue orders to remedy identified infringements. When issuing such orders, Member States should not require measures which go beyond what is necessary and proportionate to ensure compliance of the critical entity concerned, taking account of in particular the seriousness of the infringement and the economic capacity of the critical entity. More generally, those powers should be accompanied by appropriate and effective safeguards to be specified in national law, in accordance with the requirements resulting from Charter of Fundamental Rights of the European Union. When assessing the compliance of a critical entity with its obligations under this Directive, competent authorities designated under this Directive should be able to request the competent authorities designated under the NIS 2 Directive to assess the cybersecurity of those entities. Those competent authorities should cooperate and exchange information for that purpose.
Amendment 59 #
Proposal for a directive
Article 3 – paragraph 1
Article 3 – paragraph 1
1. Each Member State shall adopt by [threewo years after entry into force of this Directive] a strategy for reinforcing the resilience of critical entities. This strategy shall set out strategic objectives and policy measures with a view to achieving and maintaining a high level of resilience on the part of those critical entities and covering at least the sectors referred to in the Annex.
Amendment 60 #
Proposal for a directive
Article 3 – paragraph 2 – point a
Article 3 – paragraph 2 – point a
(a) strategic objectives and priorities for the purposes of enhancing the overall resilience of critical entities taking into account cross-border and cross-sectoral interdependencies and the need for the exchange of information between entities;
Amendment 63 #
Proposal for a directive
Article 3 – paragraph 2 – subparagraph 1
Article 3 – paragraph 2 – subparagraph 1
The strategy shall be updated where necessary and at least every fourthree years.
Amendment 68 #
Proposal for a directive
Article 4 – paragraph 1 – introductory part
Article 4 – paragraph 1 – introductory part
1. Competent authorities designated pursuant to Article 8 shall establish a list of essential services in the sectors referred to in the Annex. They shall carry out by [threewo years after entry into force of this Directive], and subsequently where necessary, and at least every fourthree years, an assessment of all relevant risks that may affect the provision of those essential services, with a view to identifying critical entities in accordance with Article 5(1), and assisting those critical entities to take measures pursuant to Article 11.
Amendment 72 #
Proposal for a directive
Article 4 – paragraph 1 – subparagraph 1
Article 4 – paragraph 1 – subparagraph 1
The risk assessment shall account for all relevant natural and man-made risks, including accidents, natural disasters, public health emergencies, antagonistic threats, cyber attacks including terrorist offences pursuant to Directive (EU) 2017/541 of the European Parliament and of the Council34 . _________________ 34Directive (EU) 2017/541 of the European Parliament and of the Council of 15 March 2017 on combating terrorism and replacing Council Framework Decision 2002/475/JHA and amending Council Decision 2005/671/JHA (OJ L 88, 31.3.2017, p. 6).
Amendment 76 #
Proposal for a directive
Recital 12
Recital 12
(12) In order to ensure that all relevant entities are subject to those requirements and to reduce divergences in this respect, it is important to lay down harmonised rules allowing for a consistent identification of critical entities across the Union, while also allowing Member States to reflect national specificities. Therefore, common criteria to identify critical entities, based on minimum indicators and methodologies for each sector and sub-sector, should be laid down. In the interest of effectiveness, efficiency, consistency and legal certainty, appropriate rules should also be set on notification and cooperation relating to, as well as the legal consequences of, such identification. In order to enable the Commission to assess the correct application of this Directive, Member States should submit to the Commission, in a manner that is as detailed and specific as possible, relevant information and, in any event, the list of essential services, the number of critical entities identified for each sector and subsector referred to in the Annex and the essential service or services that each entity provides and any thresholds applied.
Amendment 77 #
Proposal for a directive
Article 4 – paragraph 5
Article 4 – paragraph 5
5. The Commission may, in cooperation with the Member States, develop a voluntary common reporting template for the purposes of complying with paragraph 4.
Amendment 80 #
Proposal for a directive
Article 5 – paragraph 1
Article 5 – paragraph 1
1. By [threewo years and three months after entry into force of this Directive] Member States shall identify for each sector and subsector referred to in the Annex, other than points 3, 4 and 8 thereof, the critical entities.
Amendment 81 #
(b) (the provision of that service depends on infrastructure located in the Member State; and the existing possibilities;
Amendment 84 #
Proposal for a directive
Article 5 – paragraph 6
Article 5 – paragraph 6
6. For the purposes of Chapter IV, Member States shall ensure that critical entities, following the notification referred in paragraph 3, provide information to their competent authorities designated pursuant to Article 8 of this Directive on whether they provide essential services to or in more than one third oftwo Member States. Where that is so, the Member State concerned shall notify, without undue delay, to the Commission the identity of those critical entities.
Amendment 85 #
Proposal for a directive
Article 5 – paragraph 7 – introductory part
Article 5 – paragraph 7 – introductory part
7. Member States shall, where necessary and in any event at least every fourthree years, review and, where appropriate, update the list of identified critical entities.
Amendment 86 #
Proposal for a directive
Recital 19
Recital 19
(19) Member States should support critical entities in strengthening their resilience, in compliance with their obligations under this Directive, without prejudice to the entities’ own legal responsibility to ensure such compliance. Member States could in particular provide financial resources, develop guidance materials and methodologies, support the organisation of exercises to test their resilience and provide training to personnel of critical entities. Moreover, given the interdependencies between entities and sectors, Member States should establish information sharing tools to support voluntary information sharing between critical entities, without prejudice to the application of competition rules laid down in the Treaty on the Functioning of the European Union.
Amendment 87 #
Proposal for a directive
Article 6 – paragraph 1 – point c
Article 6 – paragraph 1 – point c
(c) the impacts that incidents could have, in terms of degree and duration, on economic and societal activities, the environment and public security and safety;
Amendment 88 #
Proposal for a directive
Recital 20
Recital 20
(20) In order to be able to ensure their resilience, critical entities should have a comprehensive understanding of all relevant risks to which they are exposed and analyse those risks. To that aim, they should carry out risks assessments, whenever necessary in view of their particular circumstances and the evolution of those risks, yet in any event every four years. The risk assessments by critical entities should be based on the risk assessment carried out by Member States and on common specifications and methodologies established for each sector covered. They should include minimum indicators, in order to avoid further divergences between Member States, and contingency protocols.
Amendment 89 #
Proposal for a directive
Article 6 – paragraph 2 – introductory part
Article 6 – paragraph 2 – introductory part
2. Member States shall submit to the Commission by [threewo years and three months after the entry into force of this Directive] the following information:
Amendment 90 #
Proposal for a directive
Article 6 – paragraph 2 – subparagraph 1
Article 6 – paragraph 2 – subparagraph 1
They shall subsequently submit that information where necessary, and at least every fourthree years.
Amendment 92 #
Proposal for a directive
Article 7 – paragraph 1
Article 7 – paragraph 1
1. As regards the sectors referred to in points 3, 4 and 8 of the Annex, Member States shall, by [threewo years and three months after entry into force of this Directive], identify the entities that shall be treated as equivalent to critical entities for the purposes of this Chapter. They shall apply the provisions of Articles 3, 4, 5(1) to (4) and (7), and 9 in respect of those entities.
Amendment 94 #
Proposal for a directive
Recital 24
Recital 24
(24) The risk of employees of critical entities misusing for instance their access rights within the entity’s organisation to harm and cause damage is of increasing concern. That risk is exacerbated by the growing phenomenon of radicalisation leading to violent extremism and terrorism. It is therefore necessary to enable critical entities to request background checks on persons falling within specific categories of its personnel and to ensure that those requests are assessed expeditiously by the relevant authorities, in accordance with the applicable rules of Union and national law, including on the protection of personal data, in particular in full respect of Regulation (EU) 2016/679.
Amendment 95 #
Proposal for a directive
Article 8 – paragraph 3
Article 8 – paragraph 3
3. By [threewo years and six months after entry into force of this Directive], and every year thereafter, the single points of contact shall submit a summary report to the Commission and to the Critical Entities Resilience Group on the notifications received, including the number of notifications, the nature of notified incidents and the actions taken in accordance with Article 13(3).
Amendment 96 #
5 a. In the event of exceptional situations and high-risk incidents where critical entities and responsible national authorities fail to ensure that the incident is absorbed and remedied, the Commission should intervene through the available levers to help the critical entity to resolve this issue;
Amendment 96 #
Proposal for a directive
Recital 25
Recital 25
(25) Critical entities should notify, as soon as reasonably possible under the given circumstances and in any case within 24 hours after having become aware of an incident, Member States’ competent authorities of incidents that significantly disrupt or have the potential to significantly disrupt their operations. Critical entities should also notify the users of their services of incidents, their consequences and, if possible, any safety measures or remedies that could be taken. The notification should allow the competent authorities to respond to the incidents rapidly and adequately and to have a comprehensive overview of the overall risks that critical entities face. For that purpose, a procedure should be established for the notification of certain incidents and parameters should be provided for to determine when the actual or potential disruption is significant and the incidents should thus be notified. Given the potential cross-border impacts of such disruptions, a procedure should be established for Member States to inform other affected Member States via single points of contacts.
Amendment 98 #
Proposal for a directive
Article 10 – paragraph 1
Article 10 – paragraph 1
Member States shall ensure that critical entities assess within six months after receiving the notification referred to in Article 5(3), and subsequently where necessary and at least every fourthree years, on the basis of Member States’ risk assessments and other relevant sources of information, all relevant risks that may disrupt their operations.
Amendment 105 #
Proposal for a directive
Article 11 – paragraph 3
Article 11 – paragraph 3
3. Upon request of the Member State that identified the critical entity and with the agreement of the critical entity concerned, the Commission shall organise advisory missions, in accordance with the arrangements set out in Article 15(4), (5), (7) and (8), to provide advice to the critical entity concerned in meeting its obligations pursuant to Chapter III. The advisory mission shall report its findings to the Commission, that Member State and the critical entity concerned.
Amendment 109 #
Proposal for a directive
Article 14 – paragraph 2
Article 14 – paragraph 2
2. An entity shall be considered a critical entity of particular European significance when it has been identified as a critical entity and it provides essential services to or in more than one third oftwo Member States and has been notified as such to the Commission pursuant to Article 5(1) and (6), respectively.
Amendment 111 #
Proposal for a directive
Article 15 – paragraph 1 – subparagraph 1
Article 15 – paragraph 1 – subparagraph 1
That Member State shall also inform, without undue thorough delay, the Commission and the Critical Entities Resilience Group of any supervisory or enforcement actions, including any assessments of compliance or orders issued, that its competent authority has undertaken pursuant to Articles 18 and 19 in respect of that entity.
Amendment 112 #
Proposal for a directive
Article 15 – paragraph 3 – introductory part
Article 15 – paragraph 3 – introductory part
3. The advisory mission shall report its findings to the Commission, the Critical Entities Resilience Group and the critical entity of particular European significance concerned within a period of three month60 days after the conclusion of the advisory mission.
Amendment 113 #
Proposal for a directive
Recital 12
Recital 12
(12) In order to ensure that all relevant entities are subject to those requirements and to reduce divergences in this respect, it is important to lay down harmonised rules allowing for a consistent identification of critical entities across the Union, while also allowing Member States to reflect national specificities in the relevant existing national sectors and subsectors on their territory listed in the Annex. Therefore, common criteria, based on minimum indicators and methodologies for each sector and sub-sector to identify critical entities should be laid down. In the interest of effectiveness, efficiency, consistency and legal certainty, appropriate rules should also be set on notification and cooperation relating to, as well as the legal consequences of, such identification. In order to enable the Commission to assess the correct application of this Directive, Member States should submit to the Commission, in a manner that is as detailed and specific as possible, relevant information and, in any event, the list of essential services, the number of critical entities identified for each existing national sector and subsector referred to in the Annex and the essential service or services that each entity provides and any thresholds applied.
Amendment 113 #
Proposal for a directive
Article 15 – paragraph 3 – subparagraph 3
Article 15 – paragraph 3 – subparagraph 3
That Member State shall take due and objectively account of those views and provide information to the Commission and the Critical Entities Resilience Group on any measures it has taken pursuant to the communication.
Amendment 113 #
Proposal for a directive
Article 2 – paragraph 1 – point 2
Article 2 – paragraph 1 – point 2
(2) “resilience” means the ability to prevent, resist, mitigate, manage, absorb, accommodate to and recover from an incident that disrupts or has the potential to disrupt the operations of a critical entity;
Amendment 114 #
Proposal for a directive
Article 16 – paragraph 1
Article 16 – paragraph 1
1. A Critical Entities Resilience Group is established with effect from [sixfour months after the entry into force of this Directive]. It shall support the Commission and facilitate strategic cooperation and the exchange of information on issues relating to this Directive.
Amendment 114 #
Proposal for a directive
Article 2 – paragraph 1 – point 3
Article 2 – paragraph 1 – point 3
(3) “incident” means any event having the potential to disrupt, or that disrupts,which results in a disruption of essential services or the destruction of essential infrastructure and has a significant cross- sectoral or cross-border effect on the delivery of essential services in one or more Member States as a result of the failure to maintain the operations of thea critical entity;
Amendment 116 #
Proposal for a directive
Recital 17
Recital 17
(17) In order to facilitate cross-border cooperation and communication and to enable the effective implementation of this Directive, each Member State should, without prejudice to sector-specific Union legal requirements, designate, within one of the authorities it designated as competent authority under this Directive, a single point of contact responsible for coordinating issues related to the resilience of critical entities and cross-border cooperation at Union level in this regard. The single point of contact should also liaise, and coordinate all communication, with the competent authorities of its Member State, with the single points of contact of other Member States, with the Critical Entities Resilience Group established by this Directive and with the single points of contacts of entities identified as critical entities under this Directive. To that end, the single points of contact should use efficient, secured, standardised and harmonised reporting channels.
Amendment 116 #
Proposal for a directive
Article 16 – paragraph 3 – point c
Article 16 – paragraph 3 – point c
(c) facilitating the exchange of best practices with regard to the identification of critical entities by the Member States in accordance with Article 5, including in relation to cross-border, cross-sectoral dependencies and regarding risks and incidents;
Amendment 117 #
Proposal for a directive
Recital 17 a (new)
Recital 17 a (new)
(17a) In order to facilitate the cooperation and communication with the Member States, entities identified as critical entities under this Directive should also designate a single point of contact within the entity. The single point of contact should be used by the critical entity to liaise, coordinate and communicate with the Member States, on measures related to the organisational and technical aspects related to the implementation of this Directive.
Amendment 117 #
Proposal for a directive
Article 16 – paragraph 3 – point h
Article 16 – paragraph 3 – point h
(h) exchanging information and best practices on innovation, research and development relating to the resilience of critical entities in accordance with this Directive;
Amendment 117 #
Proposal for a directive
Article 2 – paragraph 1 – point 5
Article 2 – paragraph 1 – point 5
(5) “essential service” means a service which is essential for the wellbeing of the people and for the maintenance of vital societal functions or economic activities, public safety, protecting the environment or the rule of law;
Amendment 118 #
Proposal for a directive
Article 16 – paragraph 4
Article 16 – paragraph 4
4. By [2418 months after entry into force of this Directive] and every two years thereafter, the Critical Entities Resilience Group shall establish a work programme in respect of actions to be undertaken to implement its objectives and tasks, which shall be consistent with the requirements and objectives of this Directive.
Amendment 121 #
Proposal for a directive
Article 16 – paragraph 7
Article 16 – paragraph 7
7. The Commission shall provide to the Critical Entities Resilience Group a summary report of the information provided by the Member States pursuant to Articles 3(3) and 4(4) by [threewo years and six months after entry into force of this Directive] and subsequently where necessary and at least every fourthree years.
Amendment 122 #
Proposal for a directive
Article 18 – paragraph 1 – introductory part
Article 18 – paragraph 1 – introductory part
1. In order to assess the compliance of the entities that the Member States identified as critical entities pursuant to Article 5 with the obligations pursuant to this Directive, they shall ensure that the competent authorities shall have the powers and mean, means and human and financial resources to:
Amendment 123 #
Proposal for a directive
Article 18 – paragraph 2 – introductory part
Article 18 – paragraph 2 – introductory part
2. Member States shall ensure that the competent authorities have the powers and mean, means and human and financial resources to require, where necessary for the performance of their tasks under this Directive, that the entities that they identified as critical entities pursuant to paragraph 5 provide, within a reasonable time period set by those authorities:
Amendment 123 #
Proposal for a directive
Article 2 – paragraph 1 – point 7
Article 2 – paragraph 1 – point 7
(7) “risk assessment” means a methodology to determine the nature and extent of a risk by analysingssessing the extent of potential threats and hazards and evaluatgainst the resilience of a critical entity, analysing existing conditions of vulnerability that could facilitate the disrupt theion of operations of the critical entity and evaluating the potential adverse effect the disruption of operations could have on the provision of essential services.
Amendment 125 #
Proposal for a directive
Article 22 – paragraph 1
Article 22 – paragraph 1
By [5436 months after the entry into force of this Directive], the Commission shall submit a report to the European Parliament and to the Council, assessing the extent to which the Member States have taken the necessary measures to comply with this Directive.
Amendment 126 #
Proposal for a directive
Article 22 – paragraph 2
Article 22 – paragraph 2
The Commission shall periodically review the functioning of this Directive, and report to the European Parliament and to the Council. The report shall in particular assess the impact and added value of this Directive on ensuring the resilience of critical entities and whether the scope of the Directive should be extended to cover other sectors or subsectors. The first report shall be submitted by [sixfive years after the entry into force of this Directive] and shall assess in particular whether the scope of the Directive should be extended to include the food production, processing and distribution sector.
Amendment 130 #
Proposal for a directive
Article 2 – paragraph 1 – point 3
Article 2 – paragraph 1 – point 3
(3) “incident” means any event having the potential to disrupt, or that disrupts,which results in a disruption of essential services or essential infrastructure or the destruction of essential infrastructure and has a significant cross-sectoral or cross- border effect on the delivery of those services in one or more Member States as a result of the failure to maintain the operations of theat critical entity;
Amendment 131 #
Proposal for a directive
Article 2 – paragraph 1 – point 5
Article 2 – paragraph 1 – point 5
(5) “essential service” means a service which is essential for the wellbeing of citizens and the maintenance of vital societal functions or economic activities and proper functioning of the internal market and the disruption of which would have a significant cross-sectoral or cross- border effect on the provision of that service, in on one or more Member States;
Amendment 134 #
Proposal for a directive
Article 2 – paragraph 1 – point 7
Article 2 – paragraph 1 – point 7
(7) “risk assessment” means a methodology to determine the nature and extent of a risk by analysingssessing the extent of potential threats and hazards and evaluatgainst the resilience of the critical entity, analysing existing conditions of vulnerability that could facilitate the disrupt theion of operations of the critical entity and evaluating the potential adverse effect the disruption of operations could have on the provision of essential services.
Amendment 138 #
Proposal for a directive
Article 4 – paragraph 1 – subparagraph 1
Article 4 – paragraph 1 – subparagraph 1
1. Competent authorities designated pursuant to Article 8 shall establish a list of essential services in the sectors referred to in the Annex. They shall carry out by [three years after entry into force of this Directive], and subsequently where necessary, and at least every four years, an assessment, based on common specifications and methodologies containing specific indicators established for each sector covered, of all relevant risks that may affect the provision of those essential services, with a view to identifying critical entities in accordance with Article 5(1), and assisting those critical entities to take measures pursuant to Article 11. The assessments shall include a minimum number of indicators, in order to avoid divergences between Member States.
Amendment 148 #
Proposal for a directive
Article 5 – paragraph 1
Article 5 – paragraph 1
1. By [three years and three months after entry into force of this Directive] Member States shall identify for each sector and subsector referred to in the Annex, other than points 3, 4 and 8 thereof, the critical entities, when applicable.
Amendment 155 #
Proposal for a directive
Article 5 – paragraph 6
Article 5 – paragraph 6
6. For the purposes of Chapter IV, Member States shall ensure that critical entities, following the notification referred in paragraph 3, provide information to their competent authorities designated pursuant to Article 8 of this Directive on whether they provide essential services to or in more than one third ofthree Member States. Where that is so, the Member State concerned shall notify, without undue delay, to the Commission the identity of those critical entities.
Amendment 156 #
Proposal for a directive
Article 6 – paragraph 1 – point e a (new)
Article 6 – paragraph 1 – point e a (new)
(ea) the vulnerability associated with the degree of isolation of certain types of geographic areas, such as insular regions, outermost regions or mountainous areas;
Amendment 169 #
Proposal for a directive
Article 11 – paragraph 2 a (new)
Article 11 – paragraph 2 a (new)
2a. Member States shall ensure that critical entities designate within three months after receiving the notification referred to in Article 5(3), a single point of contact to exercise a liaison function with the Member States on issues related to the technical and organisational measures referred to in paragraph 1.
Amendment 179 #
Proposal for a directive
Article 13 – paragraph 2 – point c a (new)
Article 13 – paragraph 2 – point c a (new)
(ca) the degree of isolation of the areas affected by the incident, and in particular if it affects insular and outermost regions or mountainous areas;
Amendment 179 #
Proposal for a directive
Article 8 – paragraph 2
Article 8 – paragraph 2
2. Each Member State shall, within the competent authority, designate a single point of contact to exercise a liaison function to ensure cross-border cooperation with competent authorities of other Member States, with the Commission and with the Critical Entities Resilience Group referred to in Article 16 (‘single point of contact’).
Amendment 192 #
Proposal for a directive
Article 9 – paragraph 1
Article 9 – paragraph 1
1. Member States shall support critical entities, including financially, in order to enhancinge their resilience. That support may include developing guidance materials and methodologies, supporting the organisation of exercises to test their resilience and providing training to personnel of critical entities.
Amendment 196 #
Proposal for a directive
Article 10 – paragraph 1
Article 10 – paragraph 1
Member States shall ensure that critical entities assess within sixtwelve months after receiving the notification referred to in Article 5(3), and subsequently where necessary and at least every four years, on the basis of Member States’ risk assessments and other relevant sources of information, all relevant risks that may disrupt their operations.
Amendment 202 #
Proposal for a directive
Article 11 – paragraph 1 – point e
Article 11 – paragraph 1 – point e
(e) ensure adequate employeestaff security management, including by setting out categories of personnel exercising critical functions, in compliance with applicable training requirements and qualifications, establishing access rights to sensitive areas, facilities and other infrastructure, and to sensitive information as well as identifying specific categories of personnel in view of Article 12;
Amendment 215 #
Proposal for a directive
Article 12 – paragraph 1
Article 12 – paragraph 1
1. Member States shall ensure that critical entities may submit requests for background checks on persons who fall within certain specific categories of their personnel, including persons being considered for recruitment to positions falling within those categories, and that those requests are assessed expeditiously by the authorities competent to carry out such background checks. The background checks shall be proportionate and strictly limited to what is necessary and relevant for the fulfilment of the duties of the concerned personnel.
Amendment 220 #
Proposal for a directive
Article 13 – paragraph 1
Article 13 – paragraph 1
1. Member States shall ensure that critical entities notify without undue delay the competent authority of incidents that significantly disrupt or have the potential to significantly disrupt their operations. An initial notification shall be submitted within 24 hours after having become aware of the incident, followed by a final detailed report not later than one month thereafter. Notifications shall include any available information necessary to enable the competent authority to understand the nature, cause and possible consequences of the incident, including so as to determine any cross-border impact of the incident. Such notification shall not make the critical entities subject to increased liability.
Amendment 230 #
Proposal for a directive
Article 13 – paragraph 3 a (new)
Article 13 – paragraph 3 a (new)
3a. The competent authority concerned shall inform the public of the incident, or require the critical entity to inform the public, where the competent authority determines that it would be in the public interest to disclose the incident.
Amendment 231 #
Proposal for a directive
Article 13 – paragraph 3 b (new)
Article 13 – paragraph 3 b (new)
3b. Member States shall ensure that, in the event of a particular and significant threat of an incident concerning the critical entities, the critical entities inform those users of their services that could be affected by the incident or by the disruption of the services as its consequence and, where relevant, of any possible safety measures or remedies which the users could take.
Amendment 232 #
Proposal for a directive
Article 13 – paragraph 3 c (new)
Article 13 – paragraph 3 c (new)
3c. Once a year, the competent authority concerned shall submit a summary report to the Commission and to the Critical Entities Resilience Group on the notifications received and the action taken in accordance with this Article.
Amendment 234 #
Proposal for a directive
Article 14 – paragraph 2
Article 14 – paragraph 2
2. An entity shall be considered a critical entity of particular European significance when it has been identified as a critical entity and it provides essential services to or in more than one third ofthree Member States and has been notified as such to the Commission pursuant to Article 5(1) and (6), respectively.
Amendment 243 #
Proposal for a directive
Article 15 – paragraph 2
Article 15 – paragraph 2
2. Upon request of one or more Member States, or at its own initiative, and in agreement withafter informing the Member State where the infrastructure of the critical entity of particular European significance is located, the Commission shall organise an advisory mission to assess the measures that that entity put in place to meet its obligations pursuant to Chapter III. Where needed, the advisory missions may request specific expertise in the area of disaster risk management through the Emergency Response Coordination Centre.
Amendment 249 #
Proposal for a directive
Article 15 – paragraph 4 – subparagraph 2
Article 15 – paragraph 4 – subparagraph 2
The Commission shall organise the programme of an advisory mission, in consultation with the members of the specific advisory mission and in agreement with the Member State where the infrastructure of the critical entity or the critical entity of European significance concerned is located.
Amendment 256 #
Proposal for a directive
Article 16 – paragraph 2 – subparagraph 1
Article 16 – paragraph 2 – subparagraph 1
2. The Critical Entities Resilience Group shall be composed of representatives of the Member States and, the Commission and the European Parliament. Where relevant for the performance of its tasks, the Critical Entities Resilience Group mayshall invite representatives of interested parthe relevant entities to participate in its work.
Amendment 267 #
5. Health — Healthcare providers referred to in point (g) of Article 3 of Directive 2011/24/EU19 — EU reference laboratories referred to in Article 15 of Regulation [XX] on serious cross borders threats to health — Entities carrying out research and development activities of medicinal products referred to in Article 1 point 2 of Directive 2001/83/EC — Entities manufacturing basic pharmaceutical products and pharmaceutical preparations referred to in section C division 21 of NACE Rev. 2 — Entities manufacturing medical devices considered as critical during a public health emergency (‘the public health emergency critical devices list’) referred to in Article 20 of Regulation XXXX — Entities holding a distribution authorisation referred to in Article 79 of Directive 2001/83/EC