The Council presidency and the European Parliament reached a political agreement on the directive on the resilience of critical entities. Work will now continue at technical level to finalise the provisional agreement on the full legal text. This agreement is subject to approval by the Council and the European Parliament before going through the formal adoption procedure.
This directive aims to reduce the vulnerabilities and strengthen the physical resilience of critical entities. These are entities providing vital services on which the livelihoods of EU citizens and the proper functioning of the internal market depend. They need to be able to prepare for, cope with, protect against, respond to and recover from natural disasters, terrorist threats, health emergencies or hybrid attacks.
The text agreed today covers critical entities in a number of sectors, such as energy, transport, health, drinking water, waste water and space. Central public administrations will also be covered by some of the provisions of the draft directive.
Member states will need to have a national strategy to enhance the resilience of critical entities, carry out a risk assessment at least every four years and identify the critical entities that provide essential services. Critical entities will need to identify the relevant risks that may significantly disrupt the provision of essential services, take appropriate measures to ensure their resilience and notify disruptive incidents to the competent authorities.
The proposal for a directive also establishes rules for the identification of critical entities of particular European significance. A critical entity is considered of particular European significance if it provides an essential service to six or more member states. In this case, the Commission may be requested by the member states to organise an advisory mission or it may itself propose, with the agreement of the member state concerned, to assess the measures the entity concerned has put in place to meet the obligations related to the directive.
The European Commission presented a proposal for a directive on the resilience of critical entities in December 2020. Once adopted, the proposed directive will replace the current directive on the identification and designation of European critical infrastructure, adopted in 2008.
A 2019 evaluation of that directive highlighted the need to update and further strengthen the existing rules in light of the new challenges facing the EU, such as the rise of the digital economy, the growing impacts of climate change, and terrorist threats. The current COVID-19 pandemic has shown in particular how exposed critical infrastructures and societies can be to a pandemic and the high level of interdependence that exists among EU member states as well as globally.
Together with the proposed directive on critical entities, the Commission also presented a proposal for a directive on measures for a high common level of cybersecurity across the EU (NIS 2), which aims to respond to the same concerns for the cyber dimension. The Council and the Parliament reached an agreement on this proposal in May 2022.
In September 2020, the Commission presented a proposal for a Digital Operational Resilience Act (DORA), which will strengthen the IT security of financial entities such as banks, insurance companies and investment firms. It aims to make sure the financial sector in Europe is able to maintain resilient operations through a severe operational disruption. The Council and the Parliament reached an agreement on this proposal in May 2022.
Member states will need to ensure a coordinated implementation of all three legislative texts.