35 Amendments of Morten LØKKEGAARD related to 2020/0365(COD)
Amendment 101 #
Proposal for a directive
Recital 1
Recital 1
(1) Council Directive 2008/114/EC17 provides for a procedure for designating European critical infrastructures in the energy and transport sectors, the disruption or destruction of which would have significant cross-border impact on at least two Member States. That Directive focused exclusively on the protection of such infrastructures. However, the evaluation of Directive 2008/114/EC conducted in 201918 found that due to the increasingly interconnected and cross-border nature of operations using critical infrastructure, protective measures relating to individual assets alone are insufficient to prevent all disruptions from taking place. Therefore, it is necessary to shift the approach towards ensuring the resilience of critical entities, that is, their ability to mitigate, absorb, accommodate to and recover from incidents that have the potential to disrupt the operations of the critical entity and the functioning of the internal market. __________________ 17Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection (OJ L 345, 23.12.2008, p.75). 18 SWD(2019) 308.
Amendment 105 #
Proposal for a directive
Recital 4
Recital 4
(4) The entities involved in the provision of essential services are increasingly subject to diverging requirements imposed under the laws of the Member States. The fact that some Member States have less stringent security requirements on these entities not only riskcreates heterogeneous levels of resilience across Member States impacting negatively on the maintenance of vital societal functions or economic activities across the Union, it also leads to obstacles to a level playing field and the proper functioning of the internal market. Similar types of entities are considered as critical in some Member States but not in others, and those which are identified as critical are subject to divergent requirements in different Member States. This results in additional and unnecessary administrative burdens for companies operating across borders, notably for companies active in Member States with more stringent requirements.
Amendment 110 #
Proposal for a directive
Recital 8
Recital 8
(8) Given the importance of cybersecurity for the resilience of critical entities and in the interest of consistency, a coherent approach between this Directive and Directive (EU) XX/YY of the European Parliament and of the Council20 [Proposed Directive on measures for a high common level of cybersecurity across the Union; (hereafter “NIS 2 Directive”)] is necessary wherever possible. In view of the higher frequency and particular characteristics of cyber risks, the NIS 2 Directive imposes comprehensive requirements on a large set of entities to ensure their cybersecurity. Given that cybersecurity is addressed sufficiently in the NIS 2 Directive, the matters covered by it should be excluded from the scope of this Directive, without prejudice to the particular regime for entities in the digital infrastructure sector. As a result, the supervision of entities identified as critical or equivalent to critical under this Directive, in matters that fall under the scope of the NIS2 Directive, will be a responsibility of the competent authorities designated under the NIS 2 Directive. __________________ 20[Reference to NIS 2 Directive, once adopted.]
Amendment 112 #
Proposal for a directive
Recital 12
Recital 12
(12) In order to ensure that all relevant entities are subject to those requirements and to reduce divergences in this respect, it is important to lay down harmonised rules allowing for a consistent identification of critical entities across the Union, while also allowing Member States to reflect national specificities. Therefore, criteria to identify critical entities should be laid down. In the interest of effectiveness, efficiency, consistency and legal certainty, appropriate rules should also be set on notification and cooperation relating to, as well as the legal consequences of, such identification. In order to enable the Commission to assess the correct application of this Directive, Member States should submit to the Commission, in a manner that is as detailed and specific as possible, relevant information and, in any event, the list of essential services, the number of critical entities identified for each sector and subsector referred to in the Annex and the essential service or services that each entity provides and any thresholds applied. In order to avoid divergent application of this Directive and improve the functioning of the internal market, a common list of essential services should be established by the Commission in cooperation with the Member States through the procedure for the adoption of delegated acts.
Amendment 114 #
Proposal for a directive
Recital 12 a (new)
Recital 12 a (new)
(12a) The Commission should provide detailed guidelines to support Member States in identifying critical entities for each national sector and subsector referred to in the Annex and to avoid the risk of a heterogeneous implementation of the Directive.
Amendment 124 #
Proposal for a directive
Article 1 – paragraph 1 – introductory part
Article 1 – paragraph 1 – introductory part
1. This Directive lays down measures with a view to achieve a high level of resilience of critical entities within the Union in order to ensure an effective provision of essential services and to improve the functioning of the internal market. To that end, this Directive:
Amendment 129 #
Proposal for a directive
Article 2 – paragraph 1 – point 2
Article 2 – paragraph 1 – point 2
(2) “resilience” means the ability to prevent, resist, manage, mitigate, absorb, accommodate to and recover from an incident that disrupts or has the potential to disrupt the operations of a critical entity;
Amendment 135 #
Proposal for a directive
Article 3 – paragraph 1
Article 3 – paragraph 1
1. Each Member State shall adopt by [threewo years after entry into force of this Directive] a strategy for reinforcing the resilience of critical entities. This strategy shall set out strategic objectives and policy measures with a view to achieving and maintaining a high level of resilience on the part of those critical entities and covering at least the sectors referred to in the Annex.
Amendment 136 #
Proposal for a directive
Article 3 – paragraph 2 – point a
Article 3 – paragraph 2 – point a
(a) strategic objectives and priorities for the purposes of enhancing the overall resilience of critical entities taking into account cross-border and cross-sectoral interdependencies and the connections in the supply chains;
Amendment 137 #
Proposal for a directive
Article 3 – paragraph 2 – point c
Article 3 – paragraph 2 – point c
(c) a description of measures necessary to enhance the overall resilience of critical entities, including a national risk assessment, the identification of critical entities and of entities equivalent to critical entities, and the measures to support critical entities taken in accordance with this Chapter including measures to enhance cooperation between the public and private entities;
Amendment 138 #
Proposal for a directive
Article 3 – paragraph 2 – point d a (new)
Article 3 – paragraph 2 – point d a (new)
(da) a policy framework addressing specific needs of SMEs in complying with obligations set by this Directive in relation to guidance and support in improving their resilience to non-cybersecurity threats and incentivising the adoption of necessary measures;
Amendment 139 #
Proposal for a directive
Article 4 – paragraph 1 – subparagraph 1
Article 4 – paragraph 1 – subparagraph 1
Amendment 142 #
Proposal for a directive
Article 4 – paragraph 2 – point c
Article 4 – paragraph 2 – point c
(c) any risks arising from the dependencies between the sectors referred to in the Annex, including from other Member States and third countries, and the impact that a disruption in one sector may have on other sectors and the internal market;
Amendment 143 #
Proposal for a directive
Article 4 – paragraph 2 – subparagraph 2
Article 4 – paragraph 2 – subparagraph 2
For the purposes of point (c) of the first subparagraph, Member States shall closely cooperate with the Commission and the competent authorities of other Member States and third countries, as appropriate.
Amendment 145 #
Proposal for a directive
Article 4 – paragraph 5
Article 4 – paragraph 5
5. The Commission mayshall, in cooperation with the Member States, develop a voluntary common reporting template for the purposes of complying with paragraph 4.
Amendment 148 #
Proposal for a directive
Article 5 – paragraph 2 – subparagraph 1 a (new)
Article 5 – paragraph 2 – subparagraph 1 a (new)
The Commission shall provide detailed guidelines to support Member States in identifying critical entities for each sector, subsector and types of entities referred to in the Annex.
Amendment 150 #
Proposal for a directive
Article 5 – paragraph 3 – subparagraph 1 a (new)
Article 5 – paragraph 3 – subparagraph 1 a (new)
When establishing the list of critical entities under this Directive, Member States shall develop a coherent approach in relation to the NIS 2 Directive, taking into account its scope. Member States shall ensure that essential entities falling in Annex I of the NIS 2 Directive, but that are not identified as critical entities under this Directive, enhance, where appropriate, the resilience of their essential services to non-cybersecurity attacks, threats or incidents.
Amendment 152 #
Proposal for a directive
Article 5 – paragraph 6
Article 5 – paragraph 6
6. For the purposes of Chapter IV, Member States shall ensure that critical entities, following the notification referred in paragraph 3, provide information to their competent authorities designated pursuant to Article 8 of this Directive on whether they provide essential services to or in more than one third ofthree Member States. Where that is so, the Member State concerned shall notify, without undue delay, to the Commission the identity of those critical entities.
Amendment 155 #
Proposal for a directive
Article 6 – paragraph 1 – point e
Article 6 – paragraph 1 – point e
(e) the geographic area that could be affected by an incident, including any cross-border and cross-sector impacts;
Amendment 157 #
Proposal for a directive
Article 6 – paragraph 2 – point b a (new)
Article 6 – paragraph 2 – point b a (new)
(ba) the geographical coverage of the services provided by the critical entities in each sector, including information on any cross-border impacts;
Amendment 160 #
Proposal for a directive
Article 9 – paragraph 1
Article 9 – paragraph 1
1. Member States shall support critical entities in enhancing their resilience. That support may include developing guidelines and guidance materials and methodologies, supporting the organisation of exercises to test their resilience and providing periodic training to personnel of critical entities.
Amendment 167 #
Proposal for a directive
Article 11 – paragraph 1 – point f
Article 11 – paragraph 1 – point f
(f) raise awareness about the measures referred to in points (a) to (e) among relevant personnel also through training.
Amendment 175 #
Proposal for a directive
Article 13 – paragraph 1 – subparagraph 1 a (new)
Article 13 – paragraph 1 – subparagraph 1 a (new)
If the incident has, or may have, a significant impact on critical entities or the continuity of the provision of essential services in more than three Member States, critical entities of particular European significance shall additionally notify such incidents to the Commission. The Commission shall inform the Critical Entities Resilience Group of any such notifications without undue delay. The Commission and the Critical Entities Resilience Group shall, in accordance with Union law, treat the information in a way that respects its confidentiality and protects the security and commercial interest of the critical entity concerned.
Amendment 180 #
Proposal for a directive
Article 13 – paragraph 2 – point c a (new)
Article 13 – paragraph 2 – point c a (new)
(ca) the impact on the functioning of the internal market
Amendment 183 #
Proposal for a directive
Article 13 – paragraph 4 – subparagraph 1 a (new)
Article 13 – paragraph 4 – subparagraph 1 a (new)
The competent authority shall inform the public of the incident where it determines that it would be in the public interest to do so. The competent authority shall ensure that critical entities inform users of their services that could be affected by the incident and where relevant, of any possible safety measures or remedies.
Amendment 185 #
Proposal for a directive
Article 14 – paragraph 2
Article 14 – paragraph 2
2. An entity shall be considered a critical entity of particular European significance when it has been identified as a critical entity and it provides essential services to or in more than one third ofthree Member States and has been notified as such to the Commission pursuant to Article 5(1) and (6), respectively.
Amendment 191 #
Proposal for a directive
Article 16 – paragraph 2 – subparagraph 1
Article 16 – paragraph 2 – subparagraph 1
The Critical Entities Resilience Group shall be composed of representatives of the Member States and the Commission. Where relevant for the performance of its tasks, the Critical Entities Resilience Group may invite representatives of interested parties and stakeholders to participate in its work.
Amendment 192 #
Proposal for a directive
Article 16 – paragraph 3 – point a
Article 16 – paragraph 3 – point a
(a) supporting the Commission in assisting Member States in reinforcing their capacity to contribute to ensuring the resilience of critical entities in accordance with this Directive and promoting its uniform implementation in the Member States;
Amendment 193 #
Proposal for a directive
Article 16 – paragraph 3 – point b
Article 16 – paragraph 3 – point b
(b) evaluating the national strategies on the resilience of critical entities referred to in Article 3, the Member States preparedness and identifying best practices in respect of those strategies;
Amendment 194 #
Proposal for a directive
Article 16 – paragraph 3 – point b a (new)
Article 16 – paragraph 3 – point b a (new)
(ba) exchanging information on political priorities and key challenges relating to the resilience of critical entities;
Amendment 195 #
Proposal for a directive
Article 16 – paragraph 3 – point c
Article 16 – paragraph 3 – point c
(c) facilitating the exchange of information and best practices with regard to the identification of critical entities by the Member States in accordance with Article 5, including in relation to cross- border dependencies and regarding risks and incidents;
Amendment 196 #
Proposal for a directive
Article 16 – paragraph 3 – point h a (new)
Article 16 – paragraph 3 – point h a (new)
(ha) promoting and supporting coordinated risk assessments and joint actions among critical entities;
Amendment 198 #
Proposal for a directive
Article 16 – paragraph 4
Article 16 – paragraph 4
4. By [124 months after entry into force of this Directive] and every two years thereafter, the Critical Entities Resilience Group shall establish a work programme in respect of actions to be undertaken to implement its objectives and tasks, which shall be consistent with the requirements and objectives of this Directive.
Amendment 199 #
Proposal for a directive
Article 16 – paragraph 7
Article 16 – paragraph 7
7. The Commission shall provide to the Critical Entities Resilience Group a summary report of the information provided by the Member States pursuant to Articles 3(3) and 4(4) by [three years and six months after entry into force of this Directive] and subsequently where necessary and at least every four years. The Commission shall regularly publish a summary report of the activities of the Critical Entities Resilience Group.
Amendment 200 #
Proposal for a directive
Article 21 – paragraph 6
Article 21 – paragraph 6
6. A delegated act adopted pursuant to Article 11(4) shall enter into force only if no objection has been expressed either by the European Parliament or by the Council within a period of twohree months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by twohree months at the initiative of the European Parliament or of the Council.