Activities of Pernando BARRENA ARZA related to 2020/0365(COD)
Shadow reports (1)
REPORT on the proposal for a directive of the European Parliament and of the Council on the resilience of critical entities
Amendments (60)
Amendment 52 #
Proposal for a directive
Recital 2
Recital 2
(2) Despite existing measures at Union19 and national level aimed at supporting the protection of critical infrastructures in the Union, the entities operating those infrastructures are not adequately equipped to address current and anticipated future risks to their operations that may result in disruptions of the provision of services that are essential for the protection of the population and the performance of vital societal functions or economic activities. This is due to a dynamic threat landscape with an evolving terrorist threat and growing interdependencies between infrastructures and sectors, as well as an increased physical risk due to natural disasters and climate change, which increases the frequency and scale of extreme weather events and brings long-term changes in average climate that can reduce the capacity and efficiency of certain infrastructure types if resilience or climate adaptation measures are not in place. Moreover, relevant sectors and types of entities are not recognised consistently as critical in all Member States. _________________ 19European Programme for Critical Infrastructure Protection (EPCIP).
Amendment 55 #
Proposal for a directive
Recital 3
Recital 3
(3) Those growing interdependencies are the result of an increasingly cross- border and interdependent network of service provision using key infrastructures across the Union in the sectors of energy, transport, banking, financial market infrastructure, digital infrastructure, drinking and waste water, health, certain aspects of public administration, as well as space in as far as the provision of certain services depending on ground-based infrastructures that are owned, managed and operated either by Member States or by private parties is concerned, therefore not covering infrastructures owned, managed or operated by or on behalf of the Union as part of its space programmes. These interdependencies mean that any disruption, even one initially confined to one entity or one sector, can have cascading effects more broadly, potentially resulting in far-reaching and long-lasting negative impacts in the delivery of services across the internal market and on the human wellbeing. The COVID-19 pandemic has shown the vulnerability of our increasingly interdependent societies in the face of low-probability risks.
Amendment 59 #
Proposal for a directive
Recital 4
Recital 4
(4) The entities involved in the provision of essential services are increasingly subject to diverging requirements imposed under the laws of the Member States. The fact that some Member States have less stringent security requirements on these entities not only risks impacting negatively on the maintenance of vital societal functions or economic activities across the Union, it also leads to obstacles to the proper functioning of the internal market. Similar types of entities are considered as critical in some Member States but not in others, and those which are identified as critical are subject to divergent requirements in different Member States. This results in additional and unnecessary administrative burdens for companies operating across borders, notably for companies active in Member States with more stringent requirements.
Amendment 63 #
Proposal for a directive
Recital 5
Recital 5
(5) It is therefore necessary to lay down harmonised minimum rules to ensure the provision of essential services into the internal marketpopulation and enhance the resilience of critical entities.
Amendment 67 #
Proposal for a directive
Recital 6 a (new)
Recital 6 a (new)
(6a) Account should be taken of the fact that the operations of many critical entities are limited to the local or regional level, including EU regions. In accordance with Member States’ constitutional order and requirements, Member States should be able to delegate tasks under this Directive to territorial entities, as appropriate, in order to better guarantee the provision of essential services to their entire population.
Amendment 69 #
Proposal for a directive
Recital 9
Recital 9
Amendment 79 #
Proposal for a directive
Recital 15
Recital 15
Amendment 82 #
Proposal for a directive
Recital 16
Recital 16
(16) Member States should designate authorities competent to supervise the application of and, where necessary, enforce the rules of this Directive and ensure that those authorities are adequately empowered and resourced. In view of the differences in national governance structures and in order to safeguard already existing secterritorial arrangements or Union supervisory and regulatory bodies, and to avoid duplication, Member States should be able to designate more than one competent authority. In that case, they should however clearly delineate the respective tasks of the authorities concerned and ensure that they cooperate smoothly and effectively. All competent authorities should also cooperate more generally with other relevant authorities, both at national and Union level.
Amendment 92 #
Proposal for a directive
Recital 24
Recital 24
Amendment 100 #
Proposal for a directive
Recital 25
Recital 25
(25) Critical entities should notify, as soon as reasonably possible under the given circumstances, Member States’ competent authorities of incidents that significantly disrupt or have the potential to significantly disrupt their operations. The notification should allow the competent authorities to respond to the incidents rapidly and adequately and to have a comprehensive overview of the overall risks that critical entities face. For that purpose, a procedure should be established for the notification of certain incidents and parameters should be provided for to determine when the actual or potential disruption is significant and the incidents should thus be notified. Given the potential cross-border impacts of such disruptions, a procedure should be established for Member States to inform other affected Member States via single points of contacts.
Amendment 102 #
Proposal for a directive
Recital 26
Recital 26
(26) While critical entities generally operate as part of an increasingly interconnected network of service provision and infrastructures and often provide essential services in more than one Member State, some of those entities are of particular significance for the Union because they provide essential services to a large number of Member States, and therefore require specific oversight at Union level. Rules on the specific oversight in respect of such critical entities of particular European significance should therefore be established. Those rules are without prejudice to the rules on supervision and enforcement set out in this Directive.
Amendment 103 #
Proposal for a directive
Recital 33
Recital 33
(33) Since the objectives of this Directive, namely to ensure the provision into the internal marketpopulation of services essential for the maintenance of vital societal functions or economic activities and to enhance the resilience of critical entities providing such services, cannot be sufficiently achieved by the Member States, but can rather, by reason of the effects of the action, be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on the European Union. In accordance with the principle of proportionality as set out in that Article 5, this Directive does not go beyond what is necessary in order to achieve those objectives.
Amendment 104 #
Proposal for a directive
Recital 33 a (new)
Recital 33 a (new)
(33a) This Directive complies with the Charter of Fundamental Rights of the European Union (the ‘Charter’). Obligations put on the Member States should not have the effect of putting in place measures that do not fully comply with the Charter.
Amendment 106 #
Proposal for a directive
Article 1 – paragraph 1 – point a
Article 1 – paragraph 1 – point a
(a) lays down obligations for Member States to take certain measures aimed at protecting people and ensuring the provision in the internal market of services essential for the maintenance of vital societal functions or economic activities, in particular to identify critical entities and entities to be treated as equivalent in certain respects, and to enable them to meet their obligations;
Amendment 110 #
Proposal for a directive
Article 1 – paragraph 4
Article 1 – paragraph 4
4. Without prejudice to Article 346 TFEU, information that is confidential pursuant to Union and national rules, such as rules on business confidentiality, shall be exchanged with the Commission and other relevant authorities only where that exchange is necessary for the application of this Directive. The information exchanged shall be limited to that which is relevant and proportionate to the purpose of that exchange. The exchange of information shall preserve the confidentiality of that information and protect the security and commercial interests of critical entities.
Amendment 121 #
Proposal for a directive
Article 2 – paragraph 1 – point 6
Article 2 – paragraph 1 – point 6
(6) “risk” means any circumstance or event having a potential adverse effect on the resilience ofprovision of essential services by critical entities;
Amendment 128 #
Proposal for a directive
Article 3 – paragraph 1 – subparagraph 1 a (new)
Article 3 – paragraph 1 – subparagraph 1 a (new)
Where in a Member State several regional strategies are adopted, the provisions of this Article shall apply mutatis mutandis.
Amendment 142 #
Proposal for a directive
Article 4 – paragraph 1 – subparagraph 2
Article 4 – paragraph 1 – subparagraph 2
The risk assessment shall account for all relevant natural and man-made risks, including accidents, natural disasters, public health emergencies, antagonistic threats, including terrorist offences pursuant to Title II of the Directive (EU) 2017/541 of the European Parliament and of the Council34 . _________________ 34Directive (EU) 2017/541 of the European Parliament and of the Council of 15 March 2017 on combating terrorism and replacing Council Framework Decision 2002/475/JHA and amending Council Decision 2005/671/JHA (OJ L 88, 31.3.2017, p. 6).
Amendment 149 #
Proposal for a directive
Article 5 – paragraph 1
Article 5 – paragraph 1
1. By [three years and three months after entry into force of this Directive] Member States shall identify for each sector and subsector referred to in the Annex, other than points 3, 48 and 89 thereof, the critical entities.
Amendment 154 #
Proposal for a directive
Article 5 – paragraph 5
Article 5 – paragraph 5
5. Following the notification referred in paragraph 3, Member States shall ensure that critical entities provide information to their competent authorities designated pursuant to Article 8 of this Directive on whether they have been identified as a critical entity in one or more other Member States. Where an entity has been identified as critical by two or more Member States, these Member States shall engage in consultation with each other with a view to reduce the burden on the critical entity in regard to the obligations pursuant to Chapter III and to achieve a comparable level of resilience across the border.
Amendment 157 #
Proposal for a directive
Article 5 – paragraph 6
Article 5 – paragraph 6
6. For the purposes of Chapter IV, Member States shall ensure that critical entities, following the notification referred in paragraph 3, provide information to their competent authorities designated pursuant to Article 8 of this Directive on whether they provide essential services to or in more than one third ofthree Member States. Where that is so, the Member State concerned shall notify, without undue delay, to the Commission the identity of those critical entities.
Amendment 161 #
Proposal for a directive
Article 6 – paragraph 1 – point a
Article 6 – paragraph 1 – point a
(a) the number of userpersons relying on the service provided by the entity;
Amendment 163 #
Proposal for a directive
Article 6 – paragraph 1 – point c
Article 6 – paragraph 1 – point c
(c) the impacts that incidents could have, in terms of degree and duration, on the provision of essential services to the affected population, economic and societal activities, the environment and public safety;
Amendment 173 #
Proposal for a directive
Article 7 – paragraph 1
Article 7 – paragraph 1
1. As regards the sectors referred to in points 3, 48 and 89 of the Annex, Member States shall, by [three years and three months after entry into force of this Directive], identify the entities that shall be treated as equivalent to critical entities for the purposes of this Chapter. They shall apply the provisions of Articles 3, 4, 5(1) to (4) and (7), and 9 in respect of those entities.
Amendment 175 #
Proposal for a directive
Article 7 – paragraph 2
Article 7 – paragraph 2
Amendment 176 #
Proposal for a directive
Article 8 – paragraph 1 – subparagraph 1
Article 8 – paragraph 1 – subparagraph 1
1. Each Member State shall designate one or more competent authorities responsible for the correct application, and where necessary enforcement, of the rules of this Directive at national level (‘competent authority’). Member States may designate an existing authority or authorities.
Amendment 177 #
Proposal for a directive
Article 8 – paragraph 1 – subparagraph 2
Article 8 – paragraph 1 – subparagraph 2
Where they designate more than one authority, they shall clearly set out the territorial delineation of competences and the respective tasks of the authorities concerned and ensure that they cooperate effectively to fulfil their tasks under this Directive, including with regard to the designation and activities of the single point of contact referred to in paragraph 2.
Amendment 184 #
Proposal for a directive
Article 8 – paragraph 5
Article 8 – paragraph 5
5. Member States shall ensure that their competent authorities, whenever appropriate, and in accordance with Union and national law, consult and cooperate with other relevant national authorities, in particular those in charge of civil protection, law enforcement and protection of personal data, as well as with relevant interested parties, including academia, civil society and critical entities.
Amendment 186 #
Proposal for a directive
Article 8 – paragraph 6
Article 8 – paragraph 6
6. Member States shall ensure that their competent authorities designated pursuant to this Article cooperate with competent authorities designated pursuant to [the NIS 2 Directive] on cybersecurity risks and cyber incidents affecting critical entities, as well as the measures taken by competent authorities designated under [the NIS 2 Directive] relevant for critical entities.
Amendment 187 #
Proposal for a directive
Article 8 – paragraph 7
Article 8 – paragraph 7
7. Each Member State shall notify the Commission of the designation of the competent authority and single point of contact within threone months from that designation, including their precise tasks and responsibilities under this Directive, their contact details and any subsequent change thereto. Each Member State shall make public its designation of the competent authority and single point of contact.
Amendment 191 #
Proposal for a directive
Article 9 – paragraph 1
Article 9 – paragraph 1
1. Member States shall support critical entities in enhancing their resilience and ensure that such support is given at all levels of government. That support may include developing guidance materials and methodologies, supporting the organisation of exercises to test their resilience and providing training to personnel of critical entities.
Amendment 193 #
Proposal for a directive
Article 9 – paragraph 3
Article 9 – paragraph 3
3. Member States shall establish information sharing tools to support voluntary sharing of information stharingt is not personal data between critical entities in relation to matters covered by this Directive, in accordance with Union and national law on, in particular, competition and protection of personal data.
Amendment 200 #
Proposal for a directive
Article 11 – paragraph 1 – point d
Article 11 – paragraph 1 – point d
(d) recover from incidents, including business continuity measures and the identification of alternative supply chains to ensure the continuation of the essential service;
Amendment 209 #
Proposal for a directive
Article 11 – paragraph 2 a (new)
Article 11 – paragraph 2 a (new)
2a. Member States shall ensure that where the measures referred to in paragraph 1 have the potential to limit the exercise of fundamental rights and freedoms of natural persons, these limitations shall be limited to what is strictly necessary and proportionate in a democratic society.
Amendment 212 #
Proposal for a directive
Article 11 – paragraph 3
Article 11 – paragraph 3
3. Upon request of the Member State that identified the critical entity and with the agreement of the critical entity concerned, the Commission shall organise advisoryssessment missions, in accordance with the arrangements set out in Article 15(4), (5), (7) and (8), to provide adviassess compliance tof the critical entity concerned in meetingwith its obligations pursuant to Chapter III. The advisoryssessment mission shall report its findings to the Commission, that Member State and the critical entity concerned.
Amendment 218 #
Proposal for a directive
Article 12 – paragraph 3
Article 12 – paragraph 3
Amendment 221 #
Proposal for a directive
Article 13 – paragraph 1
Article 13 – paragraph 1
1. Member States shall ensure that critical entities notify without undue delay the competent authority of incidents that significantly disrupt or have the potential to significantly disrupt their operations. Notifications shall include any available information necessary to enable the competent authority to understand the nature, cause and possible consequences of the incident, including so as to determine any cross-border impact of the incident. Such notification shall not make the critical entities subject to increased liability.
Amendment 224 #
Proposal for a directive
Article 13 – paragraph 2
Article 13 – paragraph 2
Amendment 225 #
Proposal for a directive
Article 13 – paragraph 2 – point a
Article 13 – paragraph 2 – point a
Amendment 226 #
Proposal for a directive
Article 13 – paragraph 2 – point b
Article 13 – paragraph 2 – point b
Amendment 227 #
Proposal for a directive
Article 13 – paragraph 2 – point c
Article 13 – paragraph 2 – point c
Amendment 228 #
Proposal for a directive
Article 13 – paragraph 3 – subparagraph 1
Article 13 – paragraph 3 – subparagraph 1
3. On the basis of the information provided in the notification by the critical entity, the competent authority, via its single point of contact, shall inform the single point of contact of other affected Member States if the incident has, or may have, a significantn impact on critical entities and the continuity of the provision of essential services in one or more other Member States.
Amendment 229 #
Proposal for a directive
Article 13 – paragraph 3 – subparagraph 2
Article 13 – paragraph 3 – subparagraph 2
In so doing, the single points of contact shall, in accordance with Union law or national legislation that complies with Union law, treat the information in a way that respects its confidentiality and protects the security and commercial interest of the critical entity concerned.
Amendment 235 #
Proposal for a directive
Article 14 – paragraph 2
Article 14 – paragraph 2
2. An entity shall be considered a critical entity of particular European significance when it has been identified as a critical entity and it provides essential services to or in more than one third ofthree Member States and has been notified as such to the Commission pursuant to Article 5(1) and (6), respectively.
Amendment 237 #
Proposal for a directive
Article 15 – paragraph 1 – subparagraph 1
Article 15 – paragraph 1 – subparagraph 1
1. Upon request of one or more Member States or of the Commission, the Member State where the infrastructure of thea critical entity of particular European significance is located shall, together with that entity, inform the Commission andshall, inform the Critical Entities Resilience Group of the outcome of the risk assessment carried out pursuant to Article 10 and the measures taken in accordance with Article 11.
Amendment 239 #
Proposal for a directive
Article 15 – paragraph 1 – subparagraph 2
Article 15 – paragraph 1 – subparagraph 2
That Member Stateentity shall also inform, without undue delay, the Commission and the Critical Entities Resilience Group of any supervisory or enforcement actions, including any assessments of compliance or orders issued, that its competent authority has undertaken pursuant to Articles 18 and 19 in respect of that entity.
Amendment 240 #
Proposal for a directive
Article 15 – paragraph 2
Article 15 – paragraph 2
2. Upon request of one or more Member States, or at its own initiative, and in agreement with the Member State where the infrastructure of the critical entity of particular European significance is located, the Commission shall organise an advisoryssessment mission to assess the measures that that entity put in place to meet its obligations pursuant to Chapter III. Where needed, the advisoryssessment missions may request specific expertise in the area of disaster risk management through the Emergency Response Coordination Centre.
Amendment 244 #
Proposal for a directive
Article 15 – paragraph 3 – subparagraph 1
Article 15 – paragraph 3 – subparagraph 1
3. The advisoryssessment mission shall report its findings to the Commission, the Critical Entities Resilience Group and the critical entity of particular European significance concerned within a period of three months after the conclusion of the advisory mission.
Amendment 245 #
Proposal for a directive
Article 15 – paragraph 3 – subparagraph 3
Article 15 – paragraph 3 – subparagraph 3
The Commission shall, based on that advice, communicate its viewsthe advice to the Member States where the infrastructure of that entity is locoperateds, the Critical Entities Resilience Group and that entity on whether that entity complies with its obligations pursuant to Chapter III and, where appropriate, which measures could be taken to improve the resilience of that entity.
Amendment 246 #
Proposal for a directive
Article 15 – paragraph 3 – subparagraph 4
Article 15 – paragraph 3 – subparagraph 4
Thate Member States shall take due account of those views and provide information to the Commission and the Critical Entities Resilience Group on any measures ithey hasve taken pursuant to the communication.
Amendment 247 #
Proposal for a directive
Article 15 – paragraph 4 – subparagraph 1
Article 15 – paragraph 4 – subparagraph 1
4. Each advisoryssessment mission shall consist of experts from Member States and ofthe Commission representatives. Member States may proposshall nominate candidates to be part of an advisoryssessment mission. The Commission shall select and appoint the members of each advisory mission according to their professional capacity and ensuring a geographically balanced representation among Member States. The Commission shall bear the costs related to the participation in the advisoryssessment mission.
Amendment 248 #
Proposal for a directive
Article 15 – paragraph 4 – subparagraph 2
Article 15 – paragraph 4 – subparagraph 2
The Commission shall organise the programme of an advisoryssessment mission, in consultation with the members of the specific advisory mission and in agreement with the Member State where the infrastructure of the critical entity or the critical entity of European significance concerned is located.
Amendment 250 #
Proposal for a directive
Article 15 – paragraph 5
Article 15 – paragraph 5
5. The Commission shall adopt an implementing act laying down rules on the procedural arrangements for the conduct and reports of advisoryssessment missions. This implementing act shall be adopted in accordance with the examination procedure referred to in Article 20(2).
Amendment 251 #
Proposal for a directive
Article 15 – paragraph 6
Article 15 – paragraph 6
6. Member States shall ensure that the critical entity of particular European significance concerned provides the advisoryssessment mission with access to all information, systems and facilities relating to the provision of its essential services necessary for the performance of its tasks.
Amendment 252 #
Proposal for a directive
Article 15 – paragraph 7
Article 15 – paragraph 7
7. The advisoryssessment mission shall be carried out in compliance with the applicable national law of the Member State where that infrastructure is located.
Amendment 253 #
Proposal for a directive
Article 15 – paragraph 8
Article 15 – paragraph 8
8. When organising the advisoryssessment missions, the Commission shall take into account the reports of any inspections carried out by the Commission under Regulation (EC) 300/2008 and Regulation (EC) 725/2004 and of the reports of any monitoring carried out by the Commission under Directive 2005/65/EC in respect of the critical entity or the critical entity of particular European significance, as appropriate.
Amendment 254 #
Proposal for a directive
Article 16 – paragraph 2 – subparagraph 1
Article 16 – paragraph 2 – subparagraph 1
2. The Critical Entities Resilience Group shall be composed of representatives of the Member States and the Commission. Where relevant for the performance of its tasks, the Critical Entities Resilience Group mayshall invite representatives of interested parties, such as academia, civil society and critical entities, to participate in its work.
Amendment 257 #
Proposal for a directive
Article 16 – paragraph 2 – subparagraph 2
Article 16 – paragraph 2 – subparagraph 2
The Commission’s representative shall chairchair of the Critical Entities Resilience Group shall be elected by the Critical Entities Resilience Group.
Amendment 259 #
Proposal for a directive
Article 18 – paragraph 1 – point a
Article 18 – paragraph 1 – point a
(a) conduct unannounced on-site inspections of the premises that the critical entity uses to provide its essential services, and off-site supervision of critical entities’ measures pursuant to Article 11;
Amendment 260 #
Proposal for a directive
Article 18 – paragraph 1 – point b
Article 18 – paragraph 1 – point b
(b) conduct or order audits in respect of those entities.