Activities of Petar VITANOV related to 2020/0365(COD)
Plenary speeches (1)
Resilience of critical entities (debate)
Shadow reports (1)
REPORT on the proposal for a directive of the European Parliament and of the Council on the resilience of critical entities
Amendments (34)
Amendment 37 #
Proposal for a directive
Recital 19
Recital 19
(19) Member States should support critical entities in strengthening their resilience, in compliance with their obligations under this Directive, without prejudice to the entities’ own legal responsibility to ensure such compliance. Member States could in particular develop guidance materials and methodologies, support the organisation of exercises to test their resilience and provide training to personnel of critical entities. Moreover, given the interdependencies between entities and sectors, Member States should establish information sharing tools to support voluntary information sharing between critical entities, without prejudice to the application of competition rules laid down in the Treaty on the Functioning of the European Union.
Amendment 47 #
Proposal for a directive
Recital 30
Recital 30
(30) Member States should ensure that their competent authorities have certain specific powers, the necessary infrastructure and tools for the proper application and enforcement of this Directive in relation to critical entities, where those entities fall under their jurisdiction as specified in this Directive. Those powers should include, notably, the power to conduct inspections, supervision and audits, require critical entities to provide information and evidence relating to the measures they have taken to comply with their obligations and, where necessary, issue orders to remedy identified infringements. When issuing such orders, Member States should not require measures which go beyond what is necessary and proportionate to ensure compliance of the critical entity concerned, taking account of in particular the seriousness of the infringement and the economic capacity of the critical entity. More generally, those powers should be accompanied by appropriate and effective safeguards to be specified in national law, in accordance with the requirements resulting from Charter of Fundamental Rights of the European Union. When assessing the compliance of a critical entity with its obligations under this Directive, competent authorities designated under this Directive should be able to request the competent authorities designated under the NIS 2 Directive to assess the cybersecurity of those entities. Those competent authorities should cooperate and exchange information for that purpose.
Amendment 60 #
Proposal for a directive
Article 3 – paragraph 2 – point a
Article 3 – paragraph 2 – point a
(a) strategic objectives and priorities for the purposes of enhancing the overall resilience of critical entities taking into account cross-border and cross-sectoral interdependencies and the need for the exchange of information between entities;
Amendment 76 #
Proposal for a directive
Recital 12
Recital 12
(12) In order to ensure that all relevant entities are subject to those requirements and to reduce divergences in this respect, it is important to lay down harmonised rules allowing for a consistent identification of critical entities across the Union, while also allowing Member States to reflect national specificities. Therefore, common criteria to identify critical entities, based on minimum indicators and methodologies for each sector and sub-sector, should be laid down. In the interest of effectiveness, efficiency, consistency and legal certainty, appropriate rules should also be set on notification and cooperation relating to, as well as the legal consequences of, such identification. In order to enable the Commission to assess the correct application of this Directive, Member States should submit to the Commission, in a manner that is as detailed and specific as possible, relevant information and, in any event, the list of essential services, the number of critical entities identified for each sector and subsector referred to in the Annex and the essential service or services that each entity provides and any thresholds applied.
Amendment 77 #
Proposal for a directive
Article 4 – paragraph 5
Article 4 – paragraph 5
5. The Commission may, in cooperation with the Member States, develop a voluntary common reporting template for the purposes of complying with paragraph 4.
Amendment 86 #
Proposal for a directive
Recital 19
Recital 19
(19) Member States should support critical entities in strengthening their resilience, in compliance with their obligations under this Directive, without prejudice to the entities’ own legal responsibility to ensure such compliance. Member States could in particular provide financial resources, develop guidance materials and methodologies, support the organisation of exercises to test their resilience and provide training to personnel of critical entities. Moreover, given the interdependencies between entities and sectors, Member States should establish information sharing tools to support voluntary information sharing between critical entities, without prejudice to the application of competition rules laid down in the Treaty on the Functioning of the European Union.
Amendment 88 #
Proposal for a directive
Recital 20
Recital 20
(20) In order to be able to ensure their resilience, critical entities should have a comprehensive understanding of all relevant risks to which they are exposed and analyse those risks. To that aim, they should carry out risks assessments, whenever necessary in view of their particular circumstances and the evolution of those risks, yet in any event every four years. The risk assessments by critical entities should be based on the risk assessment carried out by Member States and on common specifications and methodologies established for each sector covered. They should include minimum indicators, in order to avoid further divergences between Member States, and contingency protocols.
Amendment 94 #
Proposal for a directive
Recital 24
Recital 24
(24) The risk of employees of critical entities misusing for instance their access rights within the entity’s organisation to harm and cause damage is of increasing concern. That risk is exacerbated by the growing phenomenon of radicalisation leading to violent extremism and terrorism. It is therefore necessary to enable critical entities to request background checks on persons falling within specific categories of its personnel and to ensure that those requests are assessed expeditiously by the relevant authorities, in accordance with the applicable rules of Union and national law, including on the protection of personal data, in particular in full respect of Regulation (EU) 2016/679.
Amendment 96 #
Proposal for a directive
Recital 25
Recital 25
(25) Critical entities should notify, as soon as reasonably possible under the given circumstances and in any case within 24 hours after having become aware of an incident, Member States’ competent authorities of incidents that significantly disrupt or have the potential to significantly disrupt their operations. Critical entities should also notify the users of their services of incidents, their consequences and, if possible, any safety measures or remedies that could be taken. The notification should allow the competent authorities to respond to the incidents rapidly and adequately and to have a comprehensive overview of the overall risks that critical entities face. For that purpose, a procedure should be established for the notification of certain incidents and parameters should be provided for to determine when the actual or potential disruption is significant and the incidents should thus be notified. Given the potential cross-border impacts of such disruptions, a procedure should be established for Member States to inform other affected Member States via single points of contacts.
Amendment 113 #
Proposal for a directive
Article 2 – paragraph 1 – point 2
Article 2 – paragraph 1 – point 2
(2) “resilience” means the ability to prevent, resist, mitigate, manage, absorb, accommodate to and recover from an incident that disrupts or has the potential to disrupt the operations of a critical entity;
Amendment 114 #
Proposal for a directive
Article 2 – paragraph 1 – point 3
Article 2 – paragraph 1 – point 3
(3) “incident” means any event having the potential to disrupt, or that disrupts,which results in a disruption of essential services or the destruction of essential infrastructure and has a significant cross- sectoral or cross-border effect on the delivery of essential services in one or more Member States as a result of the failure to maintain the operations of thea critical entity;
Amendment 116 #
Proposal for a directive
Article 16 – paragraph 3 – point c
Article 16 – paragraph 3 – point c
(c) facilitating the exchange of best practices with regard to the identification of critical entities by the Member States in accordance with Article 5, including in relation to cross-border, cross-sectoral dependencies and regarding risks and incidents;
Amendment 117 #
Proposal for a directive
Article 16 – paragraph 3 – point h
Article 16 – paragraph 3 – point h
(h) exchanging information and best practices on innovation, research and development relating to the resilience of critical entities in accordance with this Directive;
Amendment 117 #
Proposal for a directive
Article 2 – paragraph 1 – point 5
Article 2 – paragraph 1 – point 5
(5) “essential service” means a service which is essential for the wellbeing of the people and for the maintenance of vital societal functions or economic activities, public safety, protecting the environment or the rule of law;
Amendment 122 #
Proposal for a directive
Article 18 – paragraph 1 – introductory part
Article 18 – paragraph 1 – introductory part
1. In order to assess the compliance of the entities that the Member States identified as critical entities pursuant to Article 5 with the obligations pursuant to this Directive, they shall ensure that the competent authorities shall have the powers and mean, means and human and financial resources to:
Amendment 123 #
Proposal for a directive
Article 18 – paragraph 2 – introductory part
Article 18 – paragraph 2 – introductory part
2. Member States shall ensure that the competent authorities have the powers and mean, means and human and financial resources to require, where necessary for the performance of their tasks under this Directive, that the entities that they identified as critical entities pursuant to paragraph 5 provide, within a reasonable time period set by those authorities:
Amendment 123 #
Proposal for a directive
Article 2 – paragraph 1 – point 7
Article 2 – paragraph 1 – point 7
(7) “risk assessment” means a methodology to determine the nature and extent of a risk by analysingssessing the extent of potential threats and hazards and evaluatgainst the resilience of a critical entity, analysing existing conditions of vulnerability that could facilitate the disrupt theion of operations of the critical entity and evaluating the potential adverse effect the disruption of operations could have on the provision of essential services.
Amendment 138 #
Proposal for a directive
Article 4 – paragraph 1 – subparagraph 1
Article 4 – paragraph 1 – subparagraph 1
1. Competent authorities designated pursuant to Article 8 shall establish a list of essential services in the sectors referred to in the Annex. They shall carry out by [three years after entry into force of this Directive], and subsequently where necessary, and at least every four years, an assessment, based on common specifications and methodologies containing specific indicators established for each sector covered, of all relevant risks that may affect the provision of those essential services, with a view to identifying critical entities in accordance with Article 5(1), and assisting those critical entities to take measures pursuant to Article 11. The assessments shall include a minimum number of indicators, in order to avoid divergences between Member States.
Amendment 148 #
Proposal for a directive
Article 5 – paragraph 1
Article 5 – paragraph 1
1. By [three years and three months after entry into force of this Directive] Member States shall identify for each sector and subsector referred to in the Annex, other than points 3, 4 and 8 thereof, the critical entities, when applicable.
Amendment 155 #
Proposal for a directive
Article 5 – paragraph 6
Article 5 – paragraph 6
6. For the purposes of Chapter IV, Member States shall ensure that critical entities, following the notification referred in paragraph 3, provide information to their competent authorities designated pursuant to Article 8 of this Directive on whether they provide essential services to or in more than one third ofthree Member States. Where that is so, the Member State concerned shall notify, without undue delay, to the Commission the identity of those critical entities.
Amendment 179 #
Proposal for a directive
Article 8 – paragraph 2
Article 8 – paragraph 2
2. Each Member State shall, within the competent authority, designate a single point of contact to exercise a liaison function to ensure cross-border cooperation with competent authorities of other Member States, with the Commission and with the Critical Entities Resilience Group referred to in Article 16 (‘single point of contact’).
Amendment 192 #
Proposal for a directive
Article 9 – paragraph 1
Article 9 – paragraph 1
1. Member States shall support critical entities, including financially, in order to enhancinge their resilience. That support may include developing guidance materials and methodologies, supporting the organisation of exercises to test their resilience and providing training to personnel of critical entities.
Amendment 196 #
Proposal for a directive
Article 10 – paragraph 1
Article 10 – paragraph 1
Member States shall ensure that critical entities assess within sixtwelve months after receiving the notification referred to in Article 5(3), and subsequently where necessary and at least every four years, on the basis of Member States’ risk assessments and other relevant sources of information, all relevant risks that may disrupt their operations.
Amendment 202 #
Proposal for a directive
Article 11 – paragraph 1 – point e
Article 11 – paragraph 1 – point e
(e) ensure adequate employeestaff security management, including by setting out categories of personnel exercising critical functions, in compliance with applicable training requirements and qualifications, establishing access rights to sensitive areas, facilities and other infrastructure, and to sensitive information as well as identifying specific categories of personnel in view of Article 12;
Amendment 215 #
Proposal for a directive
Article 12 – paragraph 1
Article 12 – paragraph 1
1. Member States shall ensure that critical entities may submit requests for background checks on persons who fall within certain specific categories of their personnel, including persons being considered for recruitment to positions falling within those categories, and that those requests are assessed expeditiously by the authorities competent to carry out such background checks. The background checks shall be proportionate and strictly limited to what is necessary and relevant for the fulfilment of the duties of the concerned personnel.
Amendment 220 #
Proposal for a directive
Article 13 – paragraph 1
Article 13 – paragraph 1
1. Member States shall ensure that critical entities notify without undue delay the competent authority of incidents that significantly disrupt or have the potential to significantly disrupt their operations. An initial notification shall be submitted within 24 hours after having become aware of the incident, followed by a final detailed report not later than one month thereafter. Notifications shall include any available information necessary to enable the competent authority to understand the nature, cause and possible consequences of the incident, including so as to determine any cross-border impact of the incident. Such notification shall not make the critical entities subject to increased liability.
Amendment 230 #
Proposal for a directive
Article 13 – paragraph 3 a (new)
Article 13 – paragraph 3 a (new)
3a. The competent authority concerned shall inform the public of the incident, or require the critical entity to inform the public, where the competent authority determines that it would be in the public interest to disclose the incident.
Amendment 231 #
Proposal for a directive
Article 13 – paragraph 3 b (new)
Article 13 – paragraph 3 b (new)
3b. Member States shall ensure that, in the event of a particular and significant threat of an incident concerning the critical entities, the critical entities inform those users of their services that could be affected by the incident or by the disruption of the services as its consequence and, where relevant, of any possible safety measures or remedies which the users could take.
Amendment 232 #
Proposal for a directive
Article 13 – paragraph 3 c (new)
Article 13 – paragraph 3 c (new)
3c. Once a year, the competent authority concerned shall submit a summary report to the Commission and to the Critical Entities Resilience Group on the notifications received and the action taken in accordance with this Article.
Amendment 234 #
Proposal for a directive
Article 14 – paragraph 2
Article 14 – paragraph 2
2. An entity shall be considered a critical entity of particular European significance when it has been identified as a critical entity and it provides essential services to or in more than one third ofthree Member States and has been notified as such to the Commission pursuant to Article 5(1) and (6), respectively.
Amendment 243 #
Proposal for a directive
Article 15 – paragraph 2
Article 15 – paragraph 2
2. Upon request of one or more Member States, or at its own initiative, and in agreement withafter informing the Member State where the infrastructure of the critical entity of particular European significance is located, the Commission shall organise an advisory mission to assess the measures that that entity put in place to meet its obligations pursuant to Chapter III. Where needed, the advisory missions may request specific expertise in the area of disaster risk management through the Emergency Response Coordination Centre.
Amendment 249 #
Proposal for a directive
Article 15 – paragraph 4 – subparagraph 2
Article 15 – paragraph 4 – subparagraph 2
The Commission shall organise the programme of an advisory mission, in consultation with the members of the specific advisory mission and in agreement with the Member State where the infrastructure of the critical entity or the critical entity of European significance concerned is located.
Amendment 256 #
Proposal for a directive
Article 16 – paragraph 2 – subparagraph 1
Article 16 – paragraph 2 – subparagraph 1
2. The Critical Entities Resilience Group shall be composed of representatives of the Member States and, the Commission and the European Parliament. Where relevant for the performance of its tasks, the Critical Entities Resilience Group mayshall invite representatives of interested parthe relevant entities to participate in its work.
Amendment 267 #
5. Health — Healthcare providers referred to in point (g) of Article 3 of Directive 2011/24/EU19 — EU reference laboratories referred to in Article 15 of Regulation [XX] on serious cross borders threats to health — Entities carrying out research and development activities of medicinal products referred to in Article 1 point 2 of Directive 2001/83/EC — Entities manufacturing basic pharmaceutical products and pharmaceutical preparations referred to in section C division 21 of NACE Rev. 2 — Entities manufacturing medical devices considered as critical during a public health emergency (‘the public health emergency critical devices list’) referred to in Article 20 of Regulation XXXX — Entities holding a distribution authorisation referred to in Article 79 of Directive 2001/83/EC