Activities of Annalisa TARDINO related to 2020/0365(COD)
Shadow reports (1)
REPORT on the proposal for a directive of the European Parliament and of the Council on the resilience of critical entities
Amendments (24)
Amendment 49 #
Proposal for a directive
Recital 2
Recital 2
(2) Despite existing measures at 19 19 Union and national level aimed at supporting the protection of critical infrastructures in the Union, the entities operating those infrastructures are not adequately equipped to address current and anticipated future risks to their operations that may result in disruptions of the provision of services that are essential for the performance of vital societal functions or economic activities. This is due to a dynamic threat landscape with an evolving hybrid and terrorist threats and growing interdependencies between infrastructures and sectors, as well as an increased physical risk due to industrial accidents, to human and cybernetic actions, to natural disasters and to climate change, which increases the frequency and scale of extreme weather events and brings long- term changes in average climate that can reduce the capacity and efficiency of certain infrastructure types if resilience or climate adaptation measures are not in place. Moreover, relevant sectors and types of entities are not recognised consistently as critical in all Member States. _________________ 19European Programme for Critical Infrastructure Protection (EPCIP).
Amendment 53 #
Proposal for a directive
Recital 3
Recital 3
(3) Those growing interdependencies are the result of an increasingly cross- border and interdependent network of service provision using key infrastructures across the Union in the sectors of energy, transport, banking, financial market infrastructure, digital infrastructure, drinking and waste water, health, waste management, food supply chain, certain aspects of public administration, as well as space in as far as the provision of certain services depending on ground-based infrastructures that are owned, managed and operated either by Member States or by private parties is concerned, therefore not covering infrastructures owned, managed or operated by or on behalf of the Union as part of its space programmes. These interdependencies mean that any disruption, even one initially confined to one entity or one sector, can have cascading effects more broadly, potentially resulting in far-reaching and long-lasting negative impacts in the delivery of services across the internal market as well as on the security of Union citizens. The COVID-19 pandemic has shown the vulnerability of our increasingly interdependent societies in the face of low-probability risks.
Amendment 71 #
Proposal for a directive
Recital 10
Recital 10
(10) In view of ensuring a comprehensive approach to the resilience of critical entities, each Member State should have a strategy setting out objectives and policy measures to be implemented. To achieve this, Member States should ensure that their cybersecurity strategies provide for a policy framework for enhanced coordination between the competent authority under this Directive and the NIS 2 Directive in the context of information sharing on incidents and cyber threats and the exercise of supervisory tasks. Such requirements should not translate into excessive burdens for operators.
Amendment 75 #
Proposal for a directive
Recital 11
Recital 11
(11) The actions of Member States to identify and help ensure the resilience of critical entities should follow a risk-based approach that targets efforts to the entities most relevant for the performance of vital societal functions or economic activities. In order to ensure such a targeted approach, each Member State should carry out, within a harmonised framework, an assessment of all relevant natural and man- made risks that may affect the provision of essential services, including accidents, hybrid threats, natural disasters, public health emergencies such as pandemics, and antagonistic threats, including terrorist offences. When carrying out those risk assessments, Member States should take into account other general or sector- specific risk assessment carried out pursuant to other acts of Union law and should consider the dependencies between sectors, including from other Member States and third countries. The outcomes of the risk assessment should be used in the process of identification of critical entities and to assist those entities in meeting the resilience requirements of this Directive.
Amendment 83 #
Proposal for a directive
Recital 17 a (new)
Recital 17 a (new)
(17a) Security Liaison Officers should be identified for all designated critical entities in order to facilitate cooperation and communication with relevant national critical infrastructure protection authorities.
Amendment 89 #
Proposal for a directive
Recital 20
Recital 20
(20) In order to be able to ensure their resilience, critical entities should have a comprehensive understanding of all relevant risks to which they are exposed and analyse those risks. To that aim, they should carry out risks assessments, whenever necessary in view of their particular circumstances and the evolution of those risks, yet in any event every four years. The risk assessments by critical entities should be based on the risk assessment carried out by Member States, taking into account assessments made by police, defence and other national authorities involved in public security.
Amendment 91 #
Proposal for a directive
Recital 20 a (new)
Recital 20 a (new)
(20a) This directive should apply without prejudice to Member States’ competences with respect to the maintenance of public security, defence and national security in full compliance with Union law.
Amendment 93 #
Proposal for a directive
Recital 24
Recital 24
(24) The risk of employees of critical entities misusing for instance their access rights within the entity’s organisation to harm and cause damage is of increasing concern. That risk is exacerbated by the growing intensity of hybrid threats, which are increasingly difficult to track and identify, and by the concerning phenomenon of radicalisation leading to violent extremism and terrorism. It is therefore necessary to enable critical entities to request background checks on persons falling within specific categories of its personnel and to ensure that those requests are assessed expeditiously by the relevant authorities, in accordance with the applicable rules of Union and national law, including on the protection of personal data. Staff in charge of recruitment should be adequately trained to detect potential security threats.
Amendment 98 #
Proposal for a directive
Recital 25
Recital 25
(25) Critical entities should notify, as soon as reasonably possible under the given circumstances, Member States’ competent authorities of incidents that significantly disrupt or have the potential to significantly disrupt their operations. The notification should allow the competent authorities to respond to the incidents rapidly and adequately and to have a comprehensive overview of the overall risks that critical entities face. For that purpose, a procedure should be established for the notification of certain incidents and parameters should be provided for to determine when the actual or potential disruption is significant and the incidents should thus be notified. Given the potential cross-border impacts of such disruptions, a procedure should be established for Member States to inform other affected Member States via single points of contacts. In light of the sensitivity of certain incidents, appropriate confidentiality should be ensured.
Amendment 111 #
Proposal for a directive
Article 2 – paragraph 1 – point 1
Article 2 – paragraph 1 – point 1
(1) “critical entity” means a public or private entity of a type referred to in the Annex, which has been identified as such by a Member State in accordance with Article 5n asset, system or part thereof located in Member States which is essential for the maintenance of vital societal functions, health, safety, security, economic or social well-being of people, and the disruption or destruction of which would have a significant impact in a Member State as a result of the failure to maintain those functions;
Amendment 125 #
Proposal for a directive
Article 2 – paragraph 1 – point 7 a (new)
Article 2 – paragraph 1 – point 7 a (new)
(7a) "Security Liaison Officer" means a point of contact for security related issues between the owner or operator of the critical entity and the relevant Member State authority.
Amendment 129 #
Proposal for a directive
Article 3 – paragraph 2 – point a
Article 3 – paragraph 2 – point a
(a) strategic objectives and priorities for the purposes of enhancing the overall resilience of critical entities and their supply chain taking into account cross- border and cross-sectoral interdependencies;
Amendment 130 #
Proposal for a directive
Article 3 – paragraph 2 – subparagraph 1– point b
Article 3 – paragraph 2 – subparagraph 1– point b
(b) a governance framework to achieve the strategic objectives and priorities, including a description of the roles and responsibilities of the different authorities, critical entities (public and private) and other parties involved in the implementation of the strategy;, especially police, defence and other national authorities involved in national security.
Amendment 131 #
Proposal for a directive
Article 3 – paragraph 2 – subparagraph 1 – point d
Article 3 – paragraph 2 – subparagraph 1 – point d
(d) a policy framework for enhanced coordination between the competent authorities designated pursuant to Article 8 of this Directive and pursuant to [the NIS 2 Directive] for the purposes of information sharingaimed at simplifying the reporting procedures and strengthening the effectiveness of information sharing among private and public entities identified as critical entities and the designated authorities, and among the designated authorities in interdependent cross-national and cross-sectoral domains on incidents and cyber threats and, while streamlining the exercise of supervisory tasks.
Amendment 134 #
Proposal for a directive
Article 3 – paragraph 2 – subparagraph 1 – point d a (new)
Article 3 – paragraph 2 – subparagraph 1 – point d a (new)
(da) a list of all national and cross- border authorities involved in the implementation of the strategy on multiple and inter-dependent sectors;
Amendment 143 #
Proposal for a directive
Article 4 – paragraph 1 – subparagraph 2
Article 4 – paragraph 1 – subparagraph 2
The risk assessment shall account for all relevant natural and man-made risks, including accidents, hybrid threats, natural disasters, public health emergencies, antagonistic threats, including terrorist offences pursuant to Directive (EU) 2017/541 of the European Parliament and of the Council34 . _________________ 34Directive (EU) 2017/541 of the European Parliament and of the Council of 15 March 2017 on combating terrorism and replacing Council Framework Decision 2002/475/JHA and amending Council Decision 2005/671/JHA (OJ L 88, 31.3.2017, p. 6).
Amendment 165 #
Proposal for a directive
Article 6 – paragraph 1 – point c
Article 6 – paragraph 1 – point c
(c) the impacts that incidents could have, in terms of degree and duration, on economic and societal activities, the environment, public health and public safety;
Amendment 180 #
Proposal for a directive
Article 8 – paragraph 2 a (new)
Article 8 – paragraph 2 a (new)
2a. Without prejudice to the provisions established under sector-specific legislative frameworks and the NIS 2 Directive, the single point of contact referred to in paragraph 2 shall be the sole point of contact for public and private critical entities operating cross-border services when reporting incidents or risks of incident happening within the Member State of the single point of contact, in order to ensure swift and simplified coordination of information.
Amendment 182 #
Proposal for a directive
Article 8 – paragraph 5
Article 8 – paragraph 5
5. Member States shall ensure that their competent authorities, whenever appropriate, and in accordance with Union and national law, regularly consult and cooperate with other relevant national authorities, in particular those in charge of national security, defence, civil protection, law enforcement and protection of personal data, as well as with relevant interested parties, including critical entities, and ensure effective coordination procedures to assist the critical entities and process the information provided by the critical entities.
Amendment 188 #
Proposal for a directive
Article 8 – paragraph 7 a (new)
Article 8 – paragraph 7 a (new)
7a. Each Member State shall implement an appropriate communication mechanism between the relevant Member State authority and the Security Liaison Officer or equivalent with the objective of exchanging relevant information concerning identified risks and threats in relation to the critical entities concerned. That communication mechanism shall be without prejudice to national requirements concerning access to sensitive and classified information.
Amendment 190 #
Proposal for a directive
Article 9 – paragraph 1
Article 9 – paragraph 1
1. Member States shall support critical entities in enhancing their resilience, including developing specific protocols, best practices and agreements between public and private actors involved. That support may include developing guidance materials and methodologies, supporting the organisation of exercises to test their resilience and providing training to personnel of critical entities.
Amendment 198 #
Proposal for a directive
Article 10 – paragraph 2
Article 10 – paragraph 2
The risk assessment shall account for all relevant risks referred to in Article 4(1) which could lead to the disruption of the provision of essential services, including an assessment of the international situation. It shall take into account any dependency of other sectors referred to in the Annex on the essential service provided by the critical entity, including in neighbouring Member States and third countries where relevant, and the impact that a disruption of the provision of essential services in one or more of those sectors may have on the essential service provided by the critical entity.
Amendment 205 #
Proposal for a directive
Article 11 – paragraph 1 – point e
Article 11 – paragraph 1 – point e
(e) ensure adequate employee security management and training, including by setting out categories of personnel exercising critical functions, establishing access rights to sensitive areas, facilities and other infrastructure, and to sensitive information as well as identifying specific categories of personnel in view of Article 12;
Amendment 216 #
Proposal for a directive
Article 12 – paragraph 1
Article 12 – paragraph 1
1. Member States shall ensure that critical entities may submit requests for background checks on persons who fall within certain specific categories of their personnelprofessional categories that have been established by the Member States under relevant national legislation after consultation with the critical entities, including persons being considered for recruitment to positions falling within those categories, and that those requests are assessed expeditiously by the authorities competent to carry out such background checks.