Activities of Nikos ANDROULAKIS related to 2020/0365(COD)
Shadow opinions (1)
OPINION on the proposal for a directive of the European Parliament and of the Council on the resilience of critical entities
Amendments (28)
Amendment 12 #
Proposal for a directive
Recital 1
Recital 1
(1) Council Directive 2008/114/EC17 provides for a procedure for designating European critical infrastructures in the energy and transport sectors, the disruption or destruction of which would have significant cross-border impact on at least two Member States. That Directive focused exclusively on the protection of such infrastructures. However, the evaluation of Directive 2008/114/EC conducted in 201918 found that due to the increasingly interconnected and cross-border nature of operations using critical infrastructure, protective measures relating to individual assets alone are insufficient to prevent all disruptions from taking place. Therefore, it is necessary to shift the approach towards ensuring the resilience of critical entities, that is, their ability to mitigate, absorb, accommodate to and recover from incidents that have the potential to disrupt the operations of the critical entity, thereby endangering the democratic, social, and economic life in one or more Member States. _________________ 17Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection (OJ L 345, 23.12.2008, p.75). 18 SWD(2019) 308.
Amendment 13 #
Proposal for a directive
Recital 2
Recital 2
(2) Despite existing measures at 19 19 Union and national level aimed at supporting the protection of critical infrastructures in the Union, the entities operating those infrastructures are not adequately equipped to address current, potential and anticipated future risks to their operations that may result in disruptions of the provision of services that are essential for the performance of vital societal functions or economic activities. This is due to an increasingly challenging security environment, with multi-faceted threats the Union is facing in a highly multipolar world with unreliable global actors, a dynamic threat landscape with an evolving terrorist threat and growing global interdependencies between infrastructures and sectors, as well as an increased physical risk due to natural disasters and climate change, which increases the frequency and scale of extreme weather events and brings long- term changes in average climate that can reduce the capacity and efficiency of certain infrastructure types if resilience or climate adaptation measures are not in place. Moreover, relevant sectors and types of entities are not recognised consistently as critical in all Member States. _________________ 19European Programme for Critical Infrastructure Protection (EPCIP).
Amendment 18 #
Proposal for a directive
Recital 3
Recital 3
(3) Those growing interdependencies are the result of an increasingly cross- border and interdependent network of service provision using key infrastructures across the Union in the sectors of energy, transport, banking, financial market infrastructure, digital infrastructure, drinking and waste water, health, certain aspects of public administration, as well as space in as far as the provision of certain services depending on ground-based infrastructures that are owned, managed and operated either by Member States or by private parties is concerned, therefore not covering infrastructures owned, managed or operated by or on behalf of the Union as part of its space programmes. These interdependencies mean that any disruption, even one initially confined to one entity or one sector, can have cascading effects more broadly, potentially resulting in far-reaching and long-lasting negative impacts in the delivery of services across the internal market. The COVID-19 pandemic has shown the vulnerability of our increasingly interdependent societies in the face of low-probability risk- high impact risks and the crucial importance to secure our supply chain of inter alia raw materials, chemicals, pharmaceutical products, that are essential to many critical infrastructure sectors.
Amendment 23 #
Proposal for a directive
Recital 8
Recital 8
(8) Given the importance of cybersecurity for the resilience of critical entities and in the interest of consistency, a coherent approach between this Directive and Directive (EU) XX/YY of the European Parliament and of the Council20 [Proposed Directive on measures for a high common level of cybersecurity across the Union; (hereafter “NIS 2 Directive”)] is necessary wherever possible. In view of the higher frequency and particular characteristics of cyber risks and the growing number of cyber attacks and cyber enabled incidents led by hostile state and non state actors, the NIS 2 Directive imposes comprehensive requirements on a large set of entities to ensure their cybersecurity. Given that cybersecurity is addressed sufficiently in the NIS 2 Directive, the matters covered by it should be excluded from the scope of this Directive, without prejudice to the particular regime for entities in the digital infrastructure sectorapply coherently and consistently with this Directive, whenever possible and necessary. _________________ 20[Reference to NIS 2 Directive, once adopted.]
Amendment 24 #
Proposal for a directive
Recital 8 a (new)
Recital 8 a (new)
(8 a) As climate change is leading to an increase in the frequency, intensity and complexity of natural disasters which can result in a disruption of essential services or the destruction of essential infrastructure with a significant cross- sectoral or transboundary effects, a coherent approach between this Directive and Decision No 1313/2013/EU of the European Parliament and the Council1a, as amended, is necessary especially on issues covering preparedness and response actions. _________________ 1aDecision No 1313/2013/EU of the European Parliament and of the Council of 17 December 2013 on a Union Civil Protection Mechanism (OJ L 347, 20.12.2013, p. 924).
Amendment 26 #
Proposal for a directive
Recital 11
Recital 11
(11) The actions of Member States to identify and help ensure the resilience of critical entities should follow a risk-based approach that targets efforts to the entities most relevant for the performance of vital societal functions or economic activities. In order to ensure such a targeted approach, each Member State should carry out, within a harmonised framework, an assessment of all relevant natural and man- made risks that may affect the provision of essential services, including accidents, natural disasters, public health emergencies such as pandemics, and antagonistic threats, including terrorist offences, foreign interferences and malicious disinformation campaigns, as well as CBRN threats. When carrying out those risk assessments, Member States should take into account other general or sector- specific risk assessment carried out pursuant to other acts of Union law, especially under Decision No 1313/2013/EU of the European Parliament and the Council1a and should consider the dependencies between sectors, including from other Member States and third countries. The outcomes of the risk assessment should be used in the process of identification of critical entities and to assist those entities in meeting the resilience requirements of this Directive. _________________ 1aDecision No 1313/2013/EU of the European Parliament and of the Council of 17 December 2013 on a Union Civil Protection Mechanism (OJ L 347, 20.12.2013, p. 924).
Amendment 28 #
Proposal for a directive
Recital 12
Recital 12
(12) In order to ensure that all relevant entities are subject to those requirements and to reduce divergences in this respect, it is important to lay down harmonised rules allowing for a consistent identification of critical entities across the Union, while also allowing Member States to reflect national specificities. Therefore, criteriaommon criteria, based on minimum indicators and methodologies for each sector and sub- sector to identify critical entities should be laid down. In the interest of effectiveness, efficiency, consistency and legal certainty, appropriate rules should also be set on notification and cooperation relating to, as well as the legal consequences of, such identification. In order to enable the Commission to assess the correct application of this Directive, Member States should submit to the Commission, in a manner that is as detailed and, specific as possible, comparable and standardized, relevant information and, in any event, the list of essential services, the number of critical entities identified for each sector and subsector referred to in the Annex and the essential service or services that each entity provides and any thresholds applied.
Amendment 29 #
Proposal for a directive
Recital 20
Recital 20
(20) In order to be able to ensure their resilience, critical entities should have a comprehensive understanding of all relevant risks to which they are exposed and analyse those risks. To that aim, they should carry out risks assessments, whenever necessary in view of their particular circumstances and the evolution of those risks, yet in any event every four years. The risk assessments by critical entities should be based on the risk assessment carried out by Member States, using a common methodology established for each sector covered.
Amendment 30 #
Proposal for a directive
Recital 24
Recital 24
(24) The risk of employees of critical entities misusing for instancemisuse of their access rights within the critical entity’s organisation to harm and cause damage is of increasing concern. That risk is exacerbated by the growing phenomenon of, especially in the context of growing foreign interference, malicious disinformation and radicalisation which could leading to violent extremism and terrorism. It is therefore necessary to enable critical entities to request background checks on persons falling within specific categories of its personnel, while fully respecting their fundamental rights, labour law and data protection and privacy, ruling out any discrimination of biased recruitment procedures, and to ensure that those requests are assessed expeditiously by the relevant authorities, in accordance with the applicable rules of Union and national law, including on the protection of personal data.
Amendment 31 #
Proposal for a directive
Recital 25
Recital 25
(25) Critical entities should notify, as soon as reasonably possible under the given circumstances, Member States’ competent authorities of incidents that significantly disrupt or have the potential to significantly disrupt their operations. The notification should allow the competent authorities to respond to the incidents rapidly and adequately and to have a comprehensive overview of the overall risks that critical entities face. The notification should also trigger, where appropriate, an information to users or citizens potentially affected, with clear safety and security guidance. For that purpose, a procedure should be established for the notification of certain incidents and parameters should be provided for to determine when the actual or potential disruption is significant and the incidents should thus be notified. Given the potential cross-border impacts of such disruptions, a procedure should be established for Member States to inform other affected Member States via single points of contacts.
Amendment 34 #
Proposal for a directive
Recital 29
Recital 29
(29) In order to achieve the objectives of this Directive, and without prejudice to the legal responsibility of Member States and critical entities to ensure compliance with their respective obligations set out therein, the Commission should, where it considers it appropriate, undertake certain supporting activities aimed at facilitating compliance with those obligations. When providing support and training to Member States and critical entities in the implementation of obligations under this Directive, the Commission should build on existing structures and tools, such as those under the Union Civil Protection mechanism and the European Reference Network for Critical Infrastructure Protection, or the European Security and Defence College, which can contribute to the development of a common European security culture.
Amendment 35 #
Proposal for a directive
Recital 29 a (new)
Recital 29 a (new)
(29 a) In order to achieve the objective of this Directive, as well as to increase the resilience of the Union's neighbouring countries, the Commission and the EEAS should undertake training activities and exercises in order to increase the resilience of critical entities in EU Enlargement and Neighbourhood countries.
Amendment 38 #
Proposal for a directive
Article 2 – paragraph 1 – point 3
Article 2 – paragraph 1 – point 3
(3) “incident” means any event having the potential to disrupt, or that disrupts,natural or man-made event which has the potential to jeopardize the security, to disrupt the delivery of essential services or the destruction of essential infrastructure in one or more Member States as the results of failure to maintain the operations of theat critical entity;
Amendment 40 #
Proposal for a directive
Article 2 – paragraph 1 – point 5
Article 2 – paragraph 1 – point 5
(5) “essential service” means a service which is essential for the maintenance of vital societal and democratic functions or, economic activities, public safety and the rule of law;
Amendment 42 #
Proposal for a directive
Article 4 – paragraph 1 – introductory part
Article 4 – paragraph 1 – introductory part
1. Competent authorities designated pursuant to Article 8 shall establish a list of essential services in the sectors referred to in the Annex. They shall carry out by [three years after entry into force of this Directive], and subsequently where necessary, and at least every four years, an assessment based on a common methodology and indicators established for each specific sector covered, of all relevant risks that may affect the provision of those essential services, with a view to identifying critical entities in accordance with Article 5(1), and assisting those critical entities to take measures pursuant to Article 11.
Amendment 46 #
Proposal for a directive
Article 5 – paragraph 1
Article 5 – paragraph 1
1. By [three years and three months after entry into force of this Directive] Member States, based on common guidelines issued by the Commission, shall identify for each sector and subsector referred to in the Annex, other than points 3, 4 and 8 thereof, the critical entities.
Amendment 47 #
Proposal for a directive
Article 5 – paragraph 6
Article 5 – paragraph 6
6. For the purposes of Chapter IV, Member States shall ensure that critical entities, following the notification referred in paragraph 3, provide information to their competent authorities designated pursuant to Article 8 of this Directive on whether they provide essential services to or in more than one third ofthree Member States. Where that is so, the Member State concerned shall notify, without undue delay, to the Commission the identity of those critical entities.
Amendment 53 #
Proposal for a directive
Article 9 – paragraph 1
Article 9 – paragraph 1
1. Member States and when necessary the Commission, shall support critical entities, including financially, in enhancing their resilience. That support may include developing guidance materials and methodologies, supporting the organisation of exercises to test their resilience and providing training to personnel of critical entities.
Amendment 55 #
Proposal for a directive
Article 11 – paragraph 1 – point b
Article 11 – paragraph 1 – point b
(b) ensure adequate physical protection of sensitive areas, facilities and other infrastructure, including fencing, barriers, perimeter monitoring tools and routines, as well as detection equipment and access controls, while fully respecting data protection and privacy regulations and complying with sectoral and labour law;
Amendment 56 #
Proposal for a directive
Article 11 – paragraph 1 – point e
Article 11 – paragraph 1 – point e
(e) ensure adequate employeestaff security management, including by setting out categories of personnel exercising critical functions, establishing access rights to sensitive areas, facilities and other infrastructure, and to sensitive information as well as identifying specific categories of personnel in view of Article 12, while fully complying with sectoral and labour law;
Amendment 57 #
Proposal for a directive
Article 11 – paragraph 1 – point f
Article 11 – paragraph 1 – point f
(f) raise awareness about the measures referred to in points (a) to (e) among relevant personnel and include them through social dialogue into the definition, set up and follow up of those measures.
Amendment 58 #
Proposal for a directive
Article 12 – paragraph 1
Article 12 – paragraph 1
1. Member States shall ensure that critical entities may submit requests for proportionate background checks on persons who fall within certain specific categories of their personnel, including persons being considered for recruitment to positions falling within those categories, and that those requests are assessed expeditiously by the public authorities competent to carry out such background checks. Those checks shall be proportionate and strictly limited to what is necessary and relevant for the fulfilment of the duties of the concerned personnel, while fully respecting sectoral and labour law.
Amendment 60 #
Proposal for a directive
Article 14 – paragraph 2
Article 14 – paragraph 2
2. An entity shall be considered a critical entity of particular European significance when it has been identified as a critical entity and it provides essential services to or in more than one third ofthree Member States and has been notified as such to the Commission pursuant to Article 5(1) and (6), respectively.
Amendment 61 #
Proposal for a directive
Article 15 – paragraph 4 – introductory part
Article 15 – paragraph 4 – introductory part
4. Each advisory mission shall consist of experts from Member States and of Commission representatives. Member States may propose candidates to be part of an advisory mission. The Commission shall select and appoint the members of each advisory mission according to their professional capacity, diverse background and ensuring a geographically and gender balanced representation among Member States. The Commission shall bear the costs related to the participation in the advisory mission.
Amendment 62 #
Proposal for a directive
Article 16 – paragraph 2 – introductory part
Article 16 – paragraph 2 – introductory part
2. The Critical Entities Resilience Group shall be composed of representatives of the Member States and the Commission. Where relevant for the performance of its tasks, the Critical Entities Resilience Group may invite representatives of interested parties to participate in its work, ensuring a diverse participation of stakeholders, and notably trade unions.
Amendment 66 #
Proposal for a directive
Article 17 – paragraph 2 a (new)
Article 17 – paragraph 2 a (new)
2 a. The Commission shall increase the cooperation with relevant international fora and like-minded third countries especially candidate and Neighbourhood countries, through common training activities and the sharing of best practices.
Amendment 67 #
Proposal for a directive
Annex – Sector 9 – Title
Annex – Sector 9 – Title
9. Public administration and democratic institutions
Amendment 68 #
Proposal for a directive
Annex – Sector 9 – Type of entity – 3 a (new)
Annex – Sector 9 – Type of entity – 3 a (new)
— Central, regional and local governments and assemblies