Critical Entities Resilience Directive
Introduction

On December 16, the European Union released two proposals: one, the NIS 2-Directive [1], to address cyber-related risks, and another, the Critical Entities Resilience Directive (hereafter CER Directive), to address non-cyber-related risks such as natural hazards, hybrid threats, terrorism, insider incidents, public health emergencies or accidents. The proposed CER Directive expands both the scope and depth of the 2008 European Critical Infrastructure (ECI) Directive, which it is to replace. The proposal extends the scope to ten sectors: energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, public administration and space.

Need for a revision of current regulations

Both the 2019 evaluation of the ECI Directive and the impact assessment supporting the proposed CER Directive found that existing EU-level measures aimed at protecting key services and infrastructures from both cyber and physical risks need to be updated. German industry agrees with this finding and welcomes the Commission's aim of establishing an all-hazards framework that addresses physical and cyber-related risks comprehensively and jointly, in particular by intertwining the proposal for the CER Directive with the proposal for a Directive on measures for a high common level of cybersecurity across the Union (hereafter NIS 2-Directive). Cybersecurity risks continue to evolve with increasing digitalisation and connectivity. Physical risks have also become more complex since the adoption of the 2008 EU rules on critical infrastructure, which currently cover only the energy and transport sectors. The two proposals aim to update the regulatory framework in line with the logic of the EU's Security Union Strategy, overcoming the false dichotomy between online and offline and breaking up the previous silo approach.
A holistic approach to critical infrastructure

The strengthening of cyber-resilience in Europe can only succeed if legislators agree on a regulatory framework that provides companies with clear and unambiguous, mutually complementary and overlap-free requirements. Only legislative acts with these characteristics will enable companies to organise their internal processes so as to ensure compliance with the respective regulatory framework(s). In particular, the EU Commission should strive for a holistic approach when addressing physical and cyber risks. Hence, regulatory acts addressing critical infrastructures and essential entities, i.e. both the CER Directive and the NIS 2-Directive, should be compatible with product-related regulatory acts such as the EU Cybersecurity Act and potential future NLF-based regulatory requirements introducing horizontal cybersecurity requirements. A high degree of compatibility between the various legislative acts will be crucial for a holistic strengthening of Europe's resilience both online and offline.

This proposal creates close synergies with the NIS 2-Directive, which will replace the NIS Directive. Thereby, the legislative framework addresses the increasing interconnectedness between the physical and digital spheres. We welcome that the EU aligns both cyber and physical resilience measures, as set out in the Security Union Strategy and in the EU's Cybersecurity Strategy 2020, and thereby adopts the necessary holistic approach. Importantly, the proposed comprehensive approach, the dovetailing
[1] The Directive COM(2020) 823 on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148.