Executive Summary

Introduction

On December 16, the European Union released two proposals: one – the NIS 2-Directive [1] – to address cyber-related risks, and another – the Critical Entities Resilience Directive (hereafter CER Directive) – to address non-cyber-related risks such as natural hazards, hybrid threats, terrorism, insider incidents, public health emergencies or accidents. The proposed CER Directive expands both the scope and depth of the 2008 European Critical Infrastructure (ECI) Directive, which is to be replaced by the new directive. The proposal extends the scope to ten sectors, i.e. energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, public administration and space.

Need for a revision of current regulations

Both the 2019 evaluation of the ECI Directive and the impact assessment supporting the proposed CER Directive have found that existing EU-level measures aimed at protecting key services and infrastructures from both cyber and physical risks need to be updated. German industry agrees with this finding and welcomes the Commission's aim of establishing an all-hazards framework that addresses physical and cyber-related risks comprehensively and jointly, in particular by intertwining the proposal for the CER Directive with the proposal for a Directive on measures for a high common level of cybersecurity across the Union (hereafter NIS 2-Directive).

Cybersecurity risks continue to evolve with increasing digitalisation and connectivity. Physical risks have also become more complex since the adoption of the 2008 EU rules on critical infrastructure, which currently cover only the energy and transport sectors. The two proposals aim at updating the regulatory framework in line with the logic of the EU’s Security Union Strategy, overcoming the false dichotomy between online and offline, and breaking up the previous silo approach.

A holistic approach to critical infrastructure

The strengthening of cyber-resilience in Europe can only succeed if legislators agree on a regulatory framework that provides companies with clear and unambiguous, mutually complementary, and overlap-free requirements. Only legislative acts that adhere to these characteristics will enable companies to organise their internal processes in such a way as to ensure compliance with the respective regulatory framework(s). In particular, the EU Commission should strive for a holistic approach when addressing physical and cyber risks. Hence, regulatory acts addressing critical infrastructures and essential entities, i.e. both the CER Directive and the NIS 2-Directive, should be compatible with product-related regulatory acts, such as the EU Cybersecurity Act and potential future NLF-based regulatory requirements introducing horizontal cybersecurity requirements. A high degree of compatibility between the various legislative acts will be crucial for a holistic strengthening of Europe’s resilience both online and offline.

This proposal creates close synergies with the NIS 2-Directive, which will replace the NIS Directive. Thereby, the legislative framework addresses the increasing interconnectedness between the physical and digital sphere. We welcome that the EU aligns both cyber and physical resilience measures, as set out in the Security Union Strategy and in the EU’s Cybersecurity Strategy 2020, and thereby adopts the necessary holistic approach. Importantly, the proposed comprehensive approach, the dovetailing with existing regulations, and the further harmonisation at European level reduce bureaucratic burdens and implementation costs for companies on the Internal Market.

[1] The Directive COM(2020) 823 on measures for a high common level of cybersecurity across the Union, repealing Directive (EU) 2016/1148.

Cooperation and information exchange

Overall, German industry is also satisfied with the proposed legislation because a focus is placed on support for Critical Entities – including through EU-financed advisory missions and national risk assessments – and on European cooperation – including in the form of the Critical Entities Resilience Group. For greater security, government and industry must rely on more team play. The CER Directive is well suited to solving the current and future challenges in the area of security for critical infrastructures. Instead of creating excessive new obligations for companies, clear framework conditions are set throughout Europe, which should provide more reliability, more planning security and a more harmonised Single Market. The necessary close and targeted cooperation between the state and companies – both threatened by attacks and natural disasters alike – has been considered and anchored at various points in the directive. German industry therefore welcomes the fact that the CER Directive focuses on support and improved information exchange – even if further optimisation is needed here in particular – instead of petty overregulation.

Background checks

The CER Directive requires companies to implement organisational and technical security measures to ensure their resilience. For these measures to be effective, companies need to be able to have the trustworthiness of employees working in areas classified as particularly security-critical checked. Only if technical measures are implemented by trustworthy employees will they be effective in the fight against criminals. In this sense, German industry expressly welcomes the possibility of applying for background checks provided for in Article 12. Responsible national government agencies must receive the necessary funding and personnel to carry out such background checks.