Member states will have to adopt national strategies to enhance the resilience of critical entities, and to carry out risk assessments at least every 4 years to identify relevant risks that may disrupt the provision of essential services.
The directive also establishes rules for the identification of critical entities of particular European significance. A critical entity is considered of particular European significance if it provides an essential service to six or more member states. In this case, the Commission may be requested by the member states to organise an advisory mission. Alternatively, the Commission itself may propose, with the agreement of the member state concerned, to assess the measures the entity concerned has put in place to meet the obligations arising from the directive.
Due to the new risks posed by the Russian war of aggression against Ukraine and to respond to the series of attacks against the Nord Stream pipeline, the recommendation that was adopted focused on strengthening the EU’s capacity to protect its critical infrastructure.
Three main areas are covered by the recommendation: preparedness, response and international cooperation. Member states are invited to update their risk assessments and to prioritise the energy sector while conducting stress tests of entities operating critical infrastructure. They are also advised to develop a blueprint, in cooperation with the Commission, to coordinate their response to disruptions of critical infrastructure.
Background
The European Commission presented a proposal for a directive on the resilience of critical entities in December 2020. Once it enters into application, the proposed directive will replace the current directive on the identification and designation of European critical infrastructure, adopted in 2008.
A 2019 evaluation of that directive highlighted the need to update and further strengthen the existing rules in light of new challenges facing the EU, such as the rise of the digital economy, the growing impacts of climate change, and terrorist threats.
Together with the proposed directive on critical entities, the Commission also presented a proposal for a directive on measures for a high common level of cybersecurity across the EU (NIS 2), which aims to respond to the same concerns for the cyber dimension. In September 2020, the Commission presented a proposal for a Digital Operational Resilience Act (DORA), which will strengthen the IT security of financial entities such as banks, insurance companies and investment firms. The Council adopted these two texts on 28 November 2022.