Critical Entities Resilience Directive
In Detail Discussion of Selected Articles from the EU Commission’s Proposal for a Critical Entities Directive Ensuring a high degree of resilience across the European Union is of outstanding importance considering the increasing interlinkages between sectors and actors, and along supply-chains. Therefore, German industry regards the EU Commission’s proposal for repealing Directive 2008/114/EC and proposing a Directive on the resilience of critical entities (CER Directive) as an important step. German industry welcomes the European Commission’s approach to address cyber- and non-cyberrelated concerns surrounding essential entities by simultaneously proposing the CER Directive and the NIS 2-Directive. However, it must be ensured that the scope of both directives as well as the respective definitions are congruent. Therefore, German industry calls onto the European legislator to ensure a parallel discussion of both proposed directives. On the following pages, German industry discusses several important parts of the EU Commission’s proposal for a CER Directive and calls on the European Commission, the European Parliament and the Member States to consider these remarks during the legislative process. Strategy for reinforcing the resilience of critical entities (Article 3) Summary of legislative proposal: Member States must adopt a national strategy for reinforcing the resilience of critical entities, containing (a) strategic objectives and priorities, (b) a governance framework, (c) a description of measures necessary to enhance the overall resilience of critical entities, and (d) a policy framework for enhanced coordination between the competent authorities of CER and NIS 2. BDI’s position: German industry welcomes the EU Commission’s proposal that each Member State must adopt a strategy for reinforcing the resilience of critical entities. Before revising these strategies, Member States should be required to consult critical entities, as these companies provide vital services for the smooth running of daily life. Identification of critical entities (Article 5) Summary of legislative proposal: Member States must identify critical entities in specific sectors and sub-sectors defined in the Annex. The identification process should account for the outcomes of the risk assessment and apply specific criteria. Member States shall establish a list of critical entities, which shall be updated where necessary and regularly. Critical entities shall be duly notified of their identification and the obligations that this entails. Competent authorities responsible for the implementation of the directive shall notify the competent authorities responsible for the implementation of the NIS 2 Directive of the identification of critical entities. Where an entity has been identified as critical by two or more Member States, the Member States shall engage in consultation with each other with a view to reduce the burden on the critical entity. Where critical entities provide services to or in more than one third of Member States, the Member State concerned shall notify to the Commission the identities of those critical entities. BDI’s position: Given that the sectors concerned are partly identical in CER and NIS 2, the completely separate identification of critical entities and essential entities is inconclusive. The former are identified by the member states, the latter uniformly throughout Europe by NIS 2. While it may make sense in certain cases that a critical entity is not exposed to cyber risks, any essential entity must also take care of its physical protection. Therefore, physical protection of digital infrastructure must follow for any
7
