
In Detail Discussion of Selected Articles from the EU Commission’s Proposal for a Critical Entities Directive
Ensuring a high degree of resilience across the European Union is of outstanding importance considering the increasing interlinkages between sectors and actors, and along supply chains. Therefore, German industry regards the EU Commission’s proposal for repealing Directive 2008/114/EC and proposing a Directive on the resilience of critical entities (CER Directive) as an important step.
German industry welcomes the European Commission’s approach of addressing both cyber-related and non-cyber-related concerns surrounding essential entities by simultaneously proposing the CER Directive and the NIS 2 Directive. However, it must be ensured that the scope of both directives as well as the respective definitions are congruent. Therefore, German industry calls on the European legislator to ensure a parallel discussion of both proposed directives.
On the following pages, German industry discusses several important parts of the EU Commission’s proposal for a CER Directive and calls on the European Commission, the European Parliament and the Member States to consider these remarks during the legislative process.
Strategy for reinforcing the resilience of critical entities (Article 3)
Summary of legislative proposal: Member States must adopt a national strategy for reinforcing the resilience of critical entities, containing (a) strategic objectives and priorities, (b) a governance framework, (c) a description of measures necessary to enhance the overall resilience of critical entities, and (d) a policy framework for enhanced coordination between the competent authorities of CER and NIS 2.
BDI’s position: German industry welcomes the EU Commission’s proposal that each Member State must adopt a strategy for reinforcing the resilience of critical entities. Before revising these strategies, Member States should be required to consult critical entities, as these companies provide vital services for the smooth running of daily life.
Identification of critical entities (Article 5)
Summary of legislative proposal: Member States must identify critical entities in specific sectors and sub-sectors defined in the Annex. The identification process should account for the outcomes of the risk assessment and apply specific criteria. Member States shall establish a list of critical entities, which shall be updated regularly and where necessary. Critical entities shall be duly notified of their identification and the obligations that this entails. Competent authorities responsible for the implementation of the directive shall notify the competent authorities responsible for the implementation of the NIS 2 Directive of the identification of critical entities. Where an entity has been identified as critical by two or more Member States, the Member States shall engage in consultation with each other with a view to reducing the burden on the critical entity. Where critical entities provide services to or in more than one third of Member States, the Member State concerned shall notify the Commission of the identities of those critical entities.
BDI’s position: Given that the sectors concerned are partly identical in CER and NIS 2, the completely separate identification of critical entities and essential entities is inconclusive. The former are identified by the Member States, the latter uniformly throughout Europe by NIS 2. While it may make sense in certain cases that a critical entity is not exposed to cyber risks, any essential entity must also take care of its physical protection. Therefore, physical protection of digital infrastructure must follow for any entity classified as essential under NIS 2 if the EU Commission is serious about protecting it. Therefore, German industry recommends a closer interlocking of the proposed scope of the CER Directive and the NIS 2 Directive in terms of critical and essential entities. We would appreciate it if a coherent terminology and scope were established, as this would streamline the implementation by entities. However, we appreciate the exclusion of important entities, as defined by the NIS 2 Directive, from the scope of the CER Directive, as these entities do not provide services that are essential for the proper functioning of society, but rather are of importance due to their contribution to the European economy.
Competent authorities and single point of contact (Article 8)
Summary of legislative proposal: Each Member State must designate one or more competent authorities responsible for the correct application, and where necessary enforcement, of the rules of this Directive at national level (‘competent authority’). Within the competent authority each Member State shall designate a single point of contact to exercise a liaison function to ensure cross-border cooperation with competent authorities of other Member States and with the Critical Entities Resilience Group referred to in Article 16 (‘single point of contact’). The single point of contact shall provide a summary report on incident notifications to the Commission on a regular basis. The Article requires that competent authorities responsible for the application of the directive cooperate with other relevant national authorities, including competent authorities designated under the NIS 2 Directive.
BDI’s position: There are already numerous sets of regulations in Germany with corresponding reporting provisions in individual sectors. Examples include the Telecommunications Act (TKG) and the Energy Industry Act (EnWG). Under these laws, companies already report security incidents to various authorities, such as the Federal Network Agency (Bundesnetzagentur), the Federal Office for Information Security (BSI), the Federal Aviation Office (LBA), and the Federal Criminal Police Office (BKA), among others. The proposed CER Directive carries the risk that companies will have to report additionally to another authority. This would lead to unnecessary bureaucracy and duplication of effort, because each authority has different requirements and regulations for reporting. Therefore, a single point of contact should be established not only to exercise a liaison function to ensure cross-border cooperation and cooperation with the Critical Entities Resilience Group but also to simplify and harmonise reporting channels (one-stop-shop principle). The EU Commission must also ensure that the reporting obligations arising from the CER Directive are consistent with already existing reporting obligations. In the case of Germany, for example, it would make sense to have a point of contact at the BSI that covers both NIS 2 and CER reporting.
Proposed changes to the legislative text:
1. Each Member State shall designate one or more competent authorities responsible for the correct application, and where necessary enforcement, of the rules of this Directive at national level (‘competent authority’). Member States may designate an existing authority or authorities.
Where they designate more than one authority, they shall clearly set out the respective tasks of the authorities concerned and ensure that they cooperate effectively to fulfil their tasks under this Directive, including with regard to the designation and activities of the single point of contact referred to in paragraph 2.
Where they designate more than one authority, each Member State shall also designate a single point of contact in order to handle all communication between Member State and critical entities under this directive through an efficient and harmonised reporting channel.
Accordingly, the following changes to Article 4 are proposed:
3. Member States shall make the relevant elements of the risk assessment referred to in paragraph 1 available via their single point of contact to the critical entities that they identified in accordance with Article 5 in order to assist those critical entities in carrying out their risk assessment, pursuant to Article 10, and in taking measures to ensure their resilience pursuant to Article 11.
Accordingly, the following changes to Article 5 are proposed:
3. Each Member State shall establish a list of the critical entities identified and ensure that those critical entities are notified of their identification as critical entities via the Member State’s single point of contact within one month of that identification, informing them of their obligations pursuant to Chapters II and III and the date from which the provisions of those Chapters apply to them.
Accordingly, the following changes to Article 7 are proposed:
3. Member States shall ensure that the entities referred to in paragraph 1 are, without undue delay, notified of their identification as entities referred to in this Article via the Member State’s single point of contact.
Risk assessment by critical entities (Article 10)
Summary of legislative proposal: Within six months after being notified of their status as a critical entity and subsequently where necessary and at least every four years, critical entities must assess all relevant risks based on national risk assessments and other relevant sources of information.
BDI’s position: It should be ensured that the risk assessment remains with the respective critical entity and is not subject to control by national authorities. However, we would welcome the establishment of a common, Union-wide uniform methodology for proper risk assessments. Furthermore, a holistic assessment – across borders and sectors – is not possible within six months. In this sense, the planned period for the assessment must be extended to one year.
Proposed changes to the legislative text:
Member States shall ensure that critical entities assess within twelve months [Commission proposal: six months] after receiving the notification referred to in Article 5(3), and subsequently where necessary and at least every four years, on the basis of Member States’ risk assessments and other relevant sources of information, all relevant risks that may disrupt their operations.
Resilience measures of critical entities (Article 11)
Summary of legislative proposal: Critical entities must take appropriate and proportionate technical and organisational measures to ensure their resilience and must ensure that these measures are described in a resilience plan or equivalent document. Member States can request the Commission to organise advisory missions to provide advice to critical entities in meeting their obligations. Where necessary, the Commission can adopt delegated and implementing acts.
BDI’s position: When the European Commission adopts delegated or implementing acts under Article 11, it must ensure coherence between already existing national requirements and the requirements to be adopted by the EU Commission. In Germany, for example, the national legislator has introduced or is in the process of introducing the measures to be taken by companies. These are laid down in the IT Security Act 2.0 and, for the telecommunications sector, additionally in § 109 of the Telecommunications Act (§ 164 new) and the corresponding security catalogue. This increases the probability that the delegated or implementing acts of the European Commission will deviate from the German regulatory framework in the future and that German companies will be confronted with contradictory requirements. This must be avoided.
Reporting obligations (Article 13)
Summary of legislative proposal: Critical entities must notify the competent authority without undue delay of incidents that significantly disrupt or have the potential to significantly disrupt their operations. Notifications shall include any available information necessary to enable the competent authority to understand the nature, cause and possible consequences of the incident, and to determine any cross-border impact of the incident. Such notification shall not make the critical entities subject to increased liability. Competent authorities in turn shall provide the notifying critical entity with relevant follow-up information. Via the single point of contact, competent authorities shall also inform the single points of contact in other affected Member States if the incident has, or may have, cross-border impacts in one or more other Member States.
BDI’s position: In Germany, critical infrastructures have had to report cyber security incidents to the national competent authority, the BSI, since the first IT Security Law came into effect in 2016. Nonetheless, German industry does not see any significant improvement in the cybersecurity threat reporting made available by the BSI. Therefore, German industry is hesitant when it comes to the extension of reporting obligations to more areas and entities. If the European Commission seeks to introduce the reporting obligations summarised above, it has to ensure that reporting disruptive and potentially disruptive incidents is efficient and effective: one efficient, harmonised reporting channel to a competent authority (one-stop-shop principle) must be created, instead of reporting obligations to various authorities, in accordance with the changes already proposed. It should also be made clear that the incident information to be transmitted in the digital age can only be estimates.
Proposed changes to the legislative text:
1. Member States shall ensure that critical entities notify without undue delay the competent authority via the Member State’s single point of contact of incidents that significantly disrupt or have the potential to significantly disrupt their operations. Notifications shall include any essential and available information necessary to enable the competent authority to understand the nature, cause and possible consequences of the incident, including so as to determine any cross-border impact of the incident. Such notification shall not make the critical entities subject to increased liability.
2. In order to determine the significance of the disruption or the potential disruption to the critical entity’s operations resulting from an incident, the following parameters shall, in particular, be taken into account:
a) The estimated number of users affected by the disruption or potential disruption;
b) the estimated duration of the disruption or anticipated duration of a potential disruption;
c) the estimated geographical area affected by the disruption or potential disruption.
4. As soon as possible upon having been notified in accordance with paragraph 1, the competent authority shall provide the critical entity that notified it via the Member State’s single point of contact with relevant information regarding the follow-up of its notification, including information that could support the critical entity’s effective response to the incident.
Critical entities of particular European significance (Articles 14 and 15)
Summary of legislative proposal: Article 14 introduces a new category for companies. Critical entities of particular European significance are companies that provide essential services to or in more than one third of Member States. Upon receiving notification pursuant to Article 5(6), the Commission shall inform the entity concerned that it is considered a critical entity of particular European significance, the obligations that this entails and the date from which those obligations begin to apply.
Specific oversight arrangements apply to critical entities of particular European significance, including that the host Member State shall provide the Commission and the Critical Entities Resilience Group, upon request, with information on the risk assessment carried out pursuant to Article 10 and the measures taken pursuant to Article 11, as well as any supervisory or enforcement action. Article 15 also stipulates that the Commission may organise advisory missions to assess the measures put in place by specific critical entities of particular European significance. On the basis of an analysis of the advisory mission’s findings by the Critical Entities Resilience Group, the Commission shall communicate its views to the Member State where the infrastructure of the entity is located on whether that entity complies with its obligations and, where appropriate, which measures could be taken to improve the resilience of the entity. The article describes the composition, organisation and funding of the advisory missions. It also stipulates that the Commission shall adopt an implementing act laying down rules on the procedural arrangements for the conduct and reports of advisory missions.
BDI’s position: The European Commission must ensure that critical entities of particular European significance are not subject to double reporting requirements under any circumstances. Advisory missions should furthermore only have access to the relevant documents and/or locations needed to fulfil the mission; all information obtained during advisory missions concerning business interests and/or secrets should be kept confidential.
Supervision and enforcement (Articles 18 and 19)
Summary of legislative proposal: The supervision of critical entities will be based on ex ante and ex post supervisory measures. Competent national authorities shall have the following powers: (i) on-site inspections of the premises that the critical entity uses to provide its essential services, (ii) off-site supervision of critical entities’ measures pursuant to Article 11, (iii) conducting or ordering targeted audits, (iv) requesting information necessary to assess whether the measures taken by the critical entity to ensure its resilience meet the requirements of Article 11, and (v) requesting evidence of the effective implementation of those measures. Competent authorities can order the critical entity concerned to take the necessary and proportionate measures to remedy any identified infringement of this Directive. Member States shall ensure that, when a competent authority assesses the compliance of a critical entity, it informs the competent authorities of the Member State concerned designated under the NIS 2 Directive and may request these authorities to assess the cybersecurity of such an entity, and that the authorities cooperate and exchange information for this purpose. Member States are to lay down the rules on penalties applicable to infringements and to take all measures necessary to ensure that they are implemented.
BDI’s position: In order to ensure that all companies implement the resilience measures to be determined by the Member States under Article 11 and comply with their reporting obligations under Article 13, the introduction of fines seems justified. However, German industry calls for a Union-wide cap on such fines, as these can vary widely between Member States. The maximum level of fines should not exceed two million euros, without reference to annual turnover. Such a level would strike an acceptable balance between the intention to penalise companies that violate the requirements set out in the Critical Entities Resilience Directive and the interest of German industry in not being subjected to excessive fines.