Activities of Lukas MANDL related to 2020/0365(COD)
Plenary speeches (1)
Resilience of critical entities (debate)
Shadow reports (1)
REPORT on the proposal for a directive of the European Parliament and of the Council on the resilience of critical entities
Opinions (1)
OPINION on the proposal for a directive of the European Parliament and of the Council on the resilience of critical entities
Amendments (47)
Amendment 33 #
Proposal for a directive
Recital 29
Recital 29
(29) In order to achieve the objectives of this Directive, and without prejudice to the legal responsibility of Member States and critical entities to ensure compliance with their respective obligations set out therein, the Commission should, where it considers it appropriate, undertake certain supporting activities aimed at facilitating compliance with those obligations. When providing support to Member States and critical entities in the implementation of obligations under this Directive, the Commission should build on existing structures and tools, such as those under the Union Civil Protection mechanism and the European Reference Network for Critical Infrastructure Protection. The Commission and the Member States should also ensure that research opportunities in the field of critical entity resilience under Horizon Europe, and the European Defence Fund are fully exploited.
Amendment 47 #
Proposal for a directive
Recital 1
Recital 1
(1) Council Directive 2008/114/EC17 provides for a procedure for designating European critical infrastructures in the energy and transport sectors, the disruption or destruction of which would have significant cross-border impact on at least two Member States. That Directive focused exclusively on the protection of such infrastructures. However, the evaluation of Directive 2008/114/EC conducted in 201918 found that due to the increasingly interconnected and cross-border nature of operations using critical infrastructure, protective measures relating to individual assets alone are insufficient to prevent all disruptions from taking place. Therefore, it is necessary to shift the approach towards ensuring the resilience of critical entities, that is, their ability to mitigate, absorb, accommodate to and recover from incidents that have the potential to disrupt the operatprovisions of essential services by the critical entity. _________________ 17Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection (OJ L 345, 23.12.2008, p.75). 18 SWD(2019) 308.
Amendment 54 #
Proposal for a directive
Recital 3
Recital 3
(3) Those growing interdependencies are the result of an increasingly cross- border and interdependent network of service provision using key infrastructures across the Union in the sectors of energy, transport, banking, financial market infrastructure, digital infrastructure, drinking and waste water, food production, processing and delivery, health, certain aspects of public administration, as well as space in as far as the provision of certain services depending on ground-based infrastructures that are owned, managed and operated either by Member States or by private parties is concerned, therefore not covering infrastructures owned, managed or operated by or on behalf of the Union as part of its space programmes. These interdependencies mean that any disruption, even one initially confined to one entity or one sector, can have cascading effects more broadly, potentially resulting in far-reaching and long-lasting negative impacts in the delivery of services across the internal market. The COVID-19 pandemic has shown the vulnerability of our increasingly interdependent societies in the face of low-probability risks.
Amendment 57 #
Proposal for a directive
Recital 4
Recital 4
(4) The entities involved in the provision of essential services are increasingly subject to diverging requirements imposed under the laws of the Member States. The fact that some Member States have less stringent security requirements on these entities not only risks impacting negatively on the maintenance of vital societal functions or economic activities across the Union, it also leads to obstacles to the proper functioning of the internal market. Similar types of entities are considered as critical in some Member States but not in others, and those which are identified as critical are subject to divergent requirements in different Member States. This results in additional and unnecessary administrative burdens for companies operating across borders, notably for companies active in Member States with more stringent requirements. Thus, the Member States and the Commission should aim at reaching a common understanding of classifications with a view to achieving the highest possible level of protection of critical entities across the Union.
Amendment 61 #
Proposal for a directive
Recital 5
Recital 5
(5) It is therefore necessary to lay down harmonised minimum rules to ensure the provision of essential services in the internal market and, enhance the resilience of critical entities. , and improve in particular cross-border cooperation of competent authorities.
Amendment 64 #
Proposal for a directive
Recital 6
Recital 6
(6) In order to achieve that objective, Member States should identify critical entities that should be subject to specific requirements and oversight, but also particular support and guidance aimed at achieving a high level of resilience in the face of all relevant risks. At the same time, Member States should limit the amount of additional bureaucratic measures they impose on critical entities to the absolute minimum and should make sure that national and international notification requirements do not duplicate notification requirements at Union level.
Amendment 65 #
Proposal for a directive
Article 17 – paragraph 2 a (new)
Article 17 – paragraph 2 a (new)
2 a. The Commission shall continue cooperation with third countries, inter alia under the European Programme for Critical Infrastructure Protection and potential successor programmes, and shall support the sharing of best practices with like-minded partners.
Amendment 68 #
Proposal for a directive
Recital 7
Recital 7
(7) Certain sectors of the economy such as energy and transport are already regulated or may be regulated in the future by sector-specific acts of Union law that contain rules related to certain aspects of resilience of entities operating in those sectors. In order to address in a comprehensive manner the resilience of those entities that are critical for the proper functioning of the internal market, those sector-specific measures should be regarded as lex specialis and should be complemented by the ones provided for in this Directive, which creates an overarching framework that addresses critical entities’ resilience in respect of all hazards, that is, natural and man-made, accidental and intentional.
Amendment 70 #
Proposal for a directive
Recital 10
Recital 10
(10) In view of ensuring a comprehensive approach to the resilience of critical entities, each Member State should have a strategy setting out objectives and policy measures to be implemented. To achieve this, Member States should ensure that their cybersecurity strategies provide for a policy framework for enhanced coordination between the competent authorityies of different Member States under this Directive and between the competent authorities under this Directive and the NIS 2 Directive in the context of information sharing on incidents and cyber threats and the exercise of supervisory tasks.
Amendment 78 #
Proposal for a directive
Recital 12
Recital 12
(12) In order to ensure that all relevant entities are subject to those requirements and to reduce divergences in this respect, it is important to lay down harmonised rules allowing for a consistent identification of critical entities across the Union, while also allowing Member States to reflect national specificities. Therefore, criteria to identify critical entities should be laid down in a transparent manner. In the interest of effectiveness, efficiency, consistency and legal certainty, appropriate rules should also be set on notification and cooperation relating to, as well as the legal consequences of, such identification. In order to enable the Commission to assess the correct application of this Directive, Member States should submit to the Commission, in a manner that is as detailed and specific as possible, relevant information and, in any event, the list of essential services, the number of critical entities identified for each sector and subsector referred to in the Annex and the essential service or services that each entity provides and any thresholds applied.
Amendment 80 #
Proposal for a directive
Recital 16
Recital 16
(16) Member States should designate authorities competent to supervise the application of and, where necessary, enforce the rules of this Directive and ensure that those authorities are adequately empowered and resourced. In view of the differences in national governance structures and in order to safeguard already existing sectoral arrangements or Union supervisory and regulatory bodies, and to avoid duplication, Member States should be able to designate more than one competent authority. In that case, they should however clearly delineate the respective tasks of the authorities concerned and ensure that they cooperate smoothly and effectively. All competent authorities should also cooperate more generally with other relevant authorities, both at national and Union level, including with competent authorities of other Member States.
Amendment 84 #
Proposal for a directive
Recital 18
Recital 18
(18) Given that under the NIS 2 Directive eEntities identified as critical entities under this Directive, as well as identified entities in the digital infrastructure sector that are to be treated as equivalent under the present Directive are subject to the cybersecurity requirements of the NIS 2 Directive. For this reason, the competent authorities designated under the two Directives should cooperate, particularly in relation to cybersecurity and physical security risks and incidents affecting those entities.
Amendment 85 #
Proposal for a directive
Recital 19
Recital 19
(19) Member States should support critical entities in strengthening their resilience, in particular those that qualify as small or medium-sized companies, in compliance with their obligations under this Directive, without prejudice to the entities’ own legal responsibility to ensure such compliance. Member States could in particular develop guidance materials and methodologies, support the organisation of exercises to test their resilience and provide training to personnel of critical entities. Moreover, given the interdependencies between entities and sectors, Member States should establish information sharing tools to support voluntary information sharing between critical entities, without prejudice to the application of competition rules laid down in the Treaty on the Functioning of the European Union.
Amendment 95 #
Proposal for a directive
Recital 24
Recital 24
(24) The risk of employees of critical entities misusing for instance their access rights within the entity’s organisation to harm and cause damage is of increasing concern. That risk is exacerbated by the growing phenomenon of radicalisation leading to violent extremism and terrorism. It is therefore necessary to enable critical entities to request background checks on persons falling within certain specific categories of its personnel and who fulfil sensitive tasks and to ensure that those requests are assessed expeditiously by the relevant authorities, in accordance with the applicable rules of Union and national law, including on the protection of personal data.
Amendment 97 #
Proposal for a directive
Recital 25
Recital 25
(25) Critical entities should notify, as soon as reasonably possible under the given circumstances, Member States’ competent authorities of incidents that significantly disrupt or have the potential to significantly disrupt their operationsprovision of essential operations. Whenever necessary and in the public interest, the competent authorities should inform the public and affected users of the nature and further relevant details of an incident. The notification should allow the competent authorities to respond to the incidents rapidly and adequately and to have a comprehensive overview of the overall risks that critical entities face. For that purpose, a procedure should be established for the notification of certain incidents and parameters should be provided for to determine when the actual or potential disruption is significant and the incidents should thus be notified. Given the potential cross-border impacts of such disruptions, a procedure should be established for Member States to inform other affected Member States via single points of contacts. without undue delay.
Amendment 101 #
Proposal for a directive
Recital 26
Recital 26
(26) While critical entities generally operate as part of an increasingly interconnected network of service provision and infrastructures and often provide essential services in more than one Member State, some of those entities are of particular significance for the Union because they provide essential services to a large number ofmore than three Member States, and therefore require specific oversight at Union level. Rules on the specific oversight in respect of such critical entities of particular European significance should therefore be established. Those rules are without prejudice to the rules on supervision and enforcement set out in this Directive.
Amendment 108 #
Proposal for a directive
Article 1 – paragraph 1 – point b
Article 1 – paragraph 1 – point b
(b) establishes rights and obligations for critical entities aimed at enhancing their resilience and improving their ability to provide those services in the internal market;
Amendment 109 #
Proposal for a directive
Article 1 – paragraph 1 – point c
Article 1 – paragraph 1 – point c
(c) establishes harmonised rules on supervision and enforcement of critical entities, and specific oversight of critical entities considered to be of particular European significance.
Amendment 115 #
Proposal for a directive
Article 2 – paragraph 1 – point 3
Article 2 – paragraph 1 – point 3
(3) “incident” means any event having the potential to disrupt, or that disrupts, the operatprovisions of essential services by the critical entity;
Amendment 119 #
Proposal for a directive
Article 2 – paragraph 1 – point 6
Article 2 – paragraph 1 – point 6
(6) “risk” means any circumstance or event having a potential adverse effect on the resilience of critical entities with respect to the proper functioning of the essential services they provide;
Amendment 124 #
Proposal for a directive
Article 2 – paragraph 1 – point 7
Article 2 – paragraph 1 – point 7
(7) “risk assessment” means a methodology to determine the nature and extent of a risk by analysing potential threats and hazards and evaluating existing conditions of vulnerability that could disrupt the operatprovisions of essential services by the critical entity.
Amendment 126 #
Proposal for a directive
Article 3 – paragraph 1
Article 3 – paragraph 1
1. EFollowing consultations that are open to all affected entities in the respective Member State, each Member State shall adopt by [three years after entry into force of this Directive] a strategy for reinforcing the resilience of critical entities. This strategy shall set out strategic objectives and policy measures with a view to achieving and maintaining a high level of resilience on the part of those critical entities and covering at least the sectors referred to in the Annex.
Amendment 133 #
Proposal for a directive
Article 3 – paragraph 2 – subparagraph 1 – point d a (new)
Article 3 – paragraph 2 – subparagraph 1 – point d a (new)
(da) a policy framework addressing the specific needs and characteristics of small and medium-sized enterprises identified as critical entities to improve their resilience;
Amendment 135 #
Proposal for a directive
Article 3 – paragraph 2 – subparagraph 2
Article 3 – paragraph 2 – subparagraph 2
Amendment 139 #
Proposal for a directive
Article 4 – paragraph 1 – subparagraph 1
Article 4 – paragraph 1 – subparagraph 1
1. Competent authorities designated pursuant to Article 8 shall establish, in close coordination with the Commission, a list of essential services in the sectors referred to in the Annex. They shall carry out by [three years after entry into force of this Directive], and subsequently where necessary, and at least every four years, an assessment of all relevant risks that may affect the provision of those essential services, with a view to identifying critical entities in accordance with Article 5(1), and assisting those critical entities to take measures pursuant to Article 11.
Amendment 144 #
Proposal for a directive
Article 4 – paragraph 2 – subparagraph 2
Article 4 – paragraph 2 – subparagraph 2
For the purposes of point (c) of the first subparagraph, Member States shall cooperate with the competent authorities of other Member States and, third countries and the Commission, as appropriate.
Amendment 147 #
Proposal for a directive
Article 4 – paragraph 5
Article 4 – paragraph 5
5. The Commission mayshall, in cooperation with the Member States, develop a voluntary common reporting template for the purposes of complying with paragraph 4.
Amendment 151 #
Proposal for a directive
Article 5 – paragraph 2 – point b
Article 5 – paragraph 2 – point b
(b) (the provision of that essential service depends on infrastructure located in the Member State; and
Amendment 152 #
Proposal for a directive
Article 5 – paragraph 2 – point c
Article 5 – paragraph 2 – point c
(c) an incident would have significant disruptive effects on the provision of the essential service or of other essential services in the sectors referred to in the Annex that depend on the service.
Amendment 153 #
Proposal for a directive
Article 5 – paragraph 5
Article 5 – paragraph 5
5. Following the notification referred in paragraph 3, Member States shall ensure that critical entities provide information to their competent authorities designated pursuant to Article 8 of this Directive on whether they have been identified as a critical entity in one or more other Member States. Where an entity has been identified as critical by two or more Member States, these Member States shall engage in consultation with each other with a view to achieve the highest possible degree of coherence and to reduce the burden on the critical entity in regard to the obligations pursuant to Chapter III.
Amendment 156 #
Proposal for a directive
Article 5 – paragraph 6
Article 5 – paragraph 6
6. For the purposes of Chapter IV, Member States shall ensure that critical entities, following the notification referred in paragraph 3, provide information to their competent authorities designated pursuant to Article 8 of this Directive on whether they provide essential services to or in more than one third ofthree Member States. Where that is so, the Member State concerned shall notify, without undue delay, to the Commission the identity of those critical entities.
Amendment 160 #
Proposal for a directive
Article 6 – paragraph 1 – point a
Article 6 – paragraph 1 – point a
(a) the number of users relying on the essential service provided by the entity;
Amendment 162 #
Proposal for a directive
Article 6 – paragraph 1 – point b
Article 6 – paragraph 1 – point b
(b) the dependency of other sectors referred to in the Annex on that essential service;
Amendment 166 #
Proposal for a directive
Article 6 – paragraph 1 – point f
Article 6 – paragraph 1 – point f
(f) the importance of the entity in maintaining a sufficient level of the essential service, taking into account the availability of alternative means for the provision of that essential service.
Amendment 183 #
Proposal for a directive
Article 8 – paragraph 5
Article 8 – paragraph 5
5. Member States shall ensure that their competent authorities, whenever appropriate, and in accordance with Union and national law, consult and cooperate with other relevant national authorities and the competent authorities of other Member States, in particular those in charge of civil protection, law enforcement and protection of personal data, as well as with relevant interested parties, including critical entities.
Amendment 185 #
Proposal for a directive
Article 8 – paragraph 6
Article 8 – paragraph 6
6. Member States shall ensure that their competent authorities designated pursuant to this Article cooperate with competent authorities of other Member States designated under this Directive and with the competent authorities designated pursuant to [the NIS 2 Directive], on cybersecurity risks and cyber incidents affecting critical entities, as well as the measures taken by competent authorities designated under [the NIS 2 Directive] relevant for critical entities.
Amendment 195 #
Proposal for a directive
Article 10 – paragraph 1
Article 10 – paragraph 1
Member States shall ensure that critical entities assess within six months after receiving the notification referred to in Article 5(3), and subsequently where necessary and at least every four years, on the basis of Member States’ risk assessments and other relevant sources of information, all relevant risks that may disrupt their operationprovision of essential services.
Amendment 217 #
Proposal for a directive
Article 12 – paragraph 1
Article 12 – paragraph 1
1. Member States shall ensure that critical entities may submit requests for background checks on persons who fall within certain specific categories of their personnel and who carry out sensitive tasks, including persons being considered for recruitment to positions falling within those categories, and that those requests are assessed expeditiously by the authorities competent to carry out such background checks.
Amendment 219 #
Proposal for a directive
Article 13 – paragraph 1
Article 13 – paragraph 1
1. Member States shall ensure that critical entities notify without undue delay the competent authority of incidents that significantly disrupt or have the potential to significantly disrupt their operationprovision of essential services. Notifications shall include any available information necessary to enable the competent authority to understand the nature, cause and possible consequences of the incident, including so as to determine any cross- border impact of the incident. Such notification shall not make the critical entities subject to increased liability. In case that there are already national or international standards for crisis management in place which entail a notification system, Member States shall not put in place additional notification requirements.
Amendment 233 #
Proposal for a directive
Article 14 – paragraph 2
Article 14 – paragraph 2
2. An entity shall be considered a critical entity of particular European significance when it has been identified as a critical entity and it provides essential services to or in more than one third ofthree Member States and has been notified as such to the Commission pursuant to Article 5(1) and (6), respectively.
Amendment 236 #
Proposal for a directive
Article 14 – paragraph 3 – subparagraph 1
Article 14 – paragraph 3 – subparagraph 1
3. The Commission shall, without undue delay upon receiving the notification pursuant to Article 5(6), notify the entity concerned that it is considered a critical entity of particular European significance, informing that entity of its rights and obligations pursuant to this Chapter and the date from which those rights and obligations apply to it.
Amendment 242 #
Proposal for a directive
Article 15 – paragraph 2
Article 15 – paragraph 2
2. Upon request of one or more Member States, or at its own initiative, and in agreementconsultation with the Member State where the infrastructure of the critical entity of particular European significance is located, the Commission shall organise an advisory mission to assess the measures that that entity put in place to meet its obligations pursuant to Chapter III. Where needed, the advisory missions may request specific expertise in the area of disaster risk management through the Emergency Response Coordination Centre.
Amendment 255 #
Proposal for a directive
Article 16 – paragraph 2 – subparagraph 1
Article 16 – paragraph 2 – subparagraph 1
2. The Critical Entities Resilience Group shall be composed of representatives of the Member States and the Commission. Where relevant for the performance of its tasks, the Critical Entities Resilience Group may invite representatives of the European Parliament and of interested parties to participate in its work.
Amendment 263 #
Proposal for a directive
Article 22 – paragraph 1
Article 22 – paragraph 1
By [54 months after the entry into force of this Directive], the Commission shall submit a report to the European Parliament and to the Council, assessing the extent to which the different Member States have taken the necessary measures to comply with this Directive. That report shall contain separate country chapters on the concrete implementation progress in each Member State.
Amendment 264 #
Proposal for a directive
Article 22 – paragraph 2
Article 22 – paragraph 2
The Commission shall periodically review the functioning of this Directive, and report to the European Parliament and to the Council. The report shall in particular assess the impact and added value of this Directive on ensuring the resilience of critical entities and whether the scope of the Directive should be extended to cover other sectors or subsectors. The first report shall be submitted by [six years after the entry into force of this Directive] and shall assess in particular whether the scope of the Directive should be extended to include the food production, processing and distribution sector.
Amendment 268 #
— Entities holding a distribution authorisation referred to in Article 79 of Directive 2001/83/EC
Amendment 269 #
10a. Food production, processing and distribution — Food businesses referred to in point (2) of Article 3 of Regulation (EC) No 178/2002 (31)