
POSITION | CRITICAL INFRASTRUCTURE | CER DIRECTIVE
Critical Entities Resilience Directive
German industry’s position on the EU Commission’s proposal for a Directive on the Resilience of Critical Entities COM(2020) 829, repealing Directive 2008/114/EC.
April 2021
Executive Summary
As the voice of German industry, BDI highly appreciates the opportunity to provide feedback on the European Commission’s proposal for a Directive on the Resilience of Critical Entities (COM(2020) 829) (hereafter Critical Entities Resilience – CER – Directive). German industry welcomes the European Commission’s aim to strengthen the resilience of critical entities in the Member States and to further level the playing field for critical entities across the European Union.
While this legislative proposal is overall a successful step forward, German industry is proposing the following adjustments to the proposal for a Directive on the Resilience of Critical Entities:
Strategy for reinforcing the resilience of critical entities (Article 3)
German industry welcomes the EU Commission’s proposal that each Member State must adopt a strategy for reinforcing the resilience of critical entities. Before revising these strategies, Member States should be required to consult critical entities, as these companies provide vital services for the smooth running of daily life.
Identification of critical entities (Article 5)
Given that the sectors concerned are the same in CER and NIS 2, the completely separate identification of critical entities and essential entities is not coherent. The former are identified by the Member States, the latter uniformly throughout Europe under NIS 2. While it may make sense in certain cases that a critical entity is not exposed to cyber risks, any essential entity must also take care of its physical protection. Therefore, physical protection of digital infrastructure must also be required of any entity classified as essential under NIS 2 if the EU Commission is serious about protecting it. From the perspective of German industry, a closer interlocking of CER and NIS 2 makes sense at this point.
Competent authorities and single point of contact (Article 8)
There are already numerous sets of regulations in Germany with corresponding reporting provisions in individual sectors. Examples include the Telecommunications Act (TKG) and the Energy Industry Act (EnWG). Under these laws, companies already report security incidents to various authorities, such as the Federal Network Agency (Bundesnetzagentur), the Federal Office for Information Security (BSI), the Federal Aviation Office (LBA), and the Federal Criminal Police Office (BKA), among others. The proposed CER Directive carries the risk that companies will have to report additionally to yet another authority. This would lead to unnecessary bureaucracy and duplication of effort, because each authority has different requirements and regulations for reporting. Therefore, a single point of contact should be established not only to exercise a liaison function to ensure cross-border cooperation and cooperation with the Critical Entities Resilience Group, but also to simplify and harmonise reporting channels (one-stop-shop principle). The EU Commission must also ensure that the reporting obligations arising from the CER Directive are consistent with already existing reporting obligations. In the case of Germany, for example, it would make sense to have a point of contact at the BSI that covers both NIS 2 and CER reporting.
Risk assessment by critical entities (Article 10)
It should be ensured that the risk assessment remains with the respective critical entity and is not subject to control by national authorities. However, we would welcome the establishment of a common, Union-wide uniform methodology for proper risk assessments. Furthermore, a holistic assessment – across borders and sectors – is not possible within six months. Accordingly, the planned period for the assessment must be extended to one year.
Resilience measures of critical entities (Article 11)
When the European Commission adopts delegated or implementing acts under Article 11, it must ensure coherence between already existing national requirements and the requirements to be adopted by the EU Commission. In Germany, for example, the national legislator has introduced or is in the process of introducing the measures to be taken by companies. These are laid down in the IT Security Act 2.0 and, for the telecommunications sector, additionally in § 109 of the Telecommunications Act (§164 new) and the corresponding security catalogue. This increases the probability that the delegated acts or implementing acts of the European Commission will deviate from the German regulatory framework in the future and that German companies will be confronted with contradictory requirements. This must be avoided.
Incident notification (Article 13)
In Germany, critical infrastructures have had to report cyber security incidents to the national competent authority, the BSI, since the first IT Security Act came into effect in 2016. Nonetheless, German industry does not see any significant improvement in the cybersecurity threat reporting made available by the BSI. Therefore, German industry is hesitant when it comes to the extension of reporting obligations to more areas and entities. If the European Commission seeks to introduce the above-summarised reporting obligations, it has to ensure that reporting disruptive and potentially disruptive incidents is efficient and effective: one efficient, harmonised reporting channel to a competent authority (one-stop-shop principle) must be created, instead of reporting obligations to various authorities, in accordance with the changes already proposed. It should also be made clear that the incident information to be transmitted in the digital age can only be estimates.
Critical entities of particular European significance and specific oversight (Articles 14 and 15)
The European Commission must ensure that critical entities of particular European significance are not subject to double reporting requirements under any circumstances. Advisory missions should furthermore only have access to the relevant documents and/or locations needed to fulfil the mission; all information obtained during advisory missions concerning business interests and/or business secrets should be kept confidential.
Supervision and enforcement (Articles 18 and 19)
In order to ensure that all companies implement the resilience measures to be determined by the Member States under Article 11 and comply with their reporting obligations under Article 13, the introduction of fines seems justified. However, German industry calls for a Union-wide cap on such fines, as these can vary widely between Member States. The maximum level of fines should not exceed two million euros, without reference to annual turnover. Such a level would strike an acceptable balance between the intention to penalise companies that violate the requirements set out in the Critical Entities Resilience Directive and the request of German industry that excessive fines not be imposed.
Contents
Executive Summary (p. 1)
Introduction (p. 5)
  Need for a revision of current regulations (p. 5)
  A holistic approach to critical infrastructure (p. 5)
  Cooperation and information exchange (p. 6)
  Background checks (p. 6)
In-Detail Discussion of Selected Articles from the EU Commission’s Proposal for a Critical Entities Directive (p. 7)
  Strategy for reinforcing the resilience of critical entities (Article 3) (p. 7)
  Identification of critical entities (Article 5) (p. 7)
  Competent authorities and single point of contact (Article 8) (p. 8)
  Risk assessment by critical entities (Article 10) (p. 9)
  Resilience measures of critical entities (Article 11) (p. 9)
  Reporting obligations (Article 13) (p. 10)
  Critical entities of particular European significance (Articles 14 and 15) (p. 11)
  Supervision and enforcement (Articles 18 and 19) (p. 11)