Explanatory Memorandum to COM(2023)526 - Blueprint to coordinate a Union-level response to disruptions of critical infrastructure of significant cross-border relevance


1. CONTEXT OF THE PROPOSAL

• Reasons for and objectives of the proposal

In the current geopolitical context, characterised by growing instability, notably due to Russia’s war of aggression against Ukraine and increasing complexity of security threats, as well as by climate change effects such as an increase in unusual climate events or water scarcity, the Union must remain vigilant and adapt constantly. Citizens, companies and authorities in the Union rely on critical infrastructure 1 because of the essential services that the entities operating such infrastructure provide. Such services are crucial for the maintenance of vital societal functions, economic activities, public health and safety or the environment and must be provided in an unobstructed manner in the internal market. Therefore, due to the importance of these essential services for the internal market and, consequently, the need to make critical infrastructure more resilient and, more broadly, to ensure the resilience of critical entities providing these services, the Union must take measures to enhance such resilience and mitigate any disruptions in the provision of such essential services. Such disruptions may otherwise have serious consequences for citizens in the Union, our economies and trust in our democratic systems and may affect the smooth functioning of the internal market, in particular in a context of growing interdependencies between sectors and across borders.

The Union has already taken a number of measures to enhance the protection of critical infrastructure, notably as regards cross-border infrastructure, and the resilience of critical entities, in order to avoid or mitigate the effects of disruptions in the essential services that they provide in the internal market.

Directive 2008/114/EC on the identification and designation of European critical infrastructures 2 (‘ECI Directive’) was the first legal instrument to establish an EU-wide procedure for identifying and designating European critical infrastructures and a common Union approach to assessing the need to improve the protection of such infrastructure against man-made threats – both intentional and accidental – as well as natural disasters. However, it focused only on the energy and transport sectors and on the protection of critical infrastructure, and did not provide for wider measures to enhance the resilience of the entities operating such infrastructure.

Due to the increasingly interconnected and cross-border nature of operations in the internal market, there was a need to cover more than two sectors and to go beyond protective measures for individual assets. That is why Directive (EU) 2022/2557 on the resilience of critical entities 3 (‘CER Directive’) was adopted in 2022, together with Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union 4 (‘NIS 2 Directive’). The aim is to ensure a comprehensive level of physical and digital resilience of critical entities. The CER Directive entered into force on 16 January 2023 and aims at helping Member States to enhance the overall resilience of critical entities, while reinforcing coordination at Union level. It will replace the ECI Directive as of 18 October 2024, by which date Member States will have to take the necessary measures to comply with the CER Directive. The CER Directive applies to 11 sectors 5. It shifts the focus from the protection of critical infrastructure to the wider concept of resilience of critical entities operating such critical infrastructure, covering the before, during and after of an incident. The NIS 2 Directive also entered into force on 16 January 2023 and modernises the existing legal framework to adapt to increased digitisation and an evolving cybersecurity threat landscape. The NIS 2 Directive also expands the scope of the cybersecurity rules to new sectors and entities and improves the resilience and incident response capacities of public and private entities, competent authorities and the Union as a whole.

The CER Directive comprises provisions regarding incident notification by the critical entity to the national competent authority, notification of other (potentially) affected Member States by the national competent authority, and notification of the Commission if the incident affects six Member States or more. The CER Directive stipulates certain incident notification obligations where the incident has or might have a significant impact on critical entities and on the continuity of the provision of essential services to or in one or more other Member States 6.

As illustrated by the sabotage of the Nord Stream gas pipelines in September 2022, the security context in which critical infrastructure operates has changed significantly and additional urgent action is needed at Union level in order to enhance the resilience of critical infrastructure, not only as regards preparedness but also as regards a coordinated response.

In this context, a Council Recommendation on a Union-wide coordinated approach to strengthen the resilience of critical infrastructure 7 (“the Critical Infrastructure Resilience Recommendation”) was adopted on 8 December 2022 following a Commission proposal. That Recommendation highlights, among other things, the need to ensure at Union level a coordinated and effective response to current and future risks to the provision of essential services. More specifically, the Council invited the Commission “to draft a Blueprint on a coordinated response to disruptions of critical infrastructure with significant cross-border relevance”. The Recommendation mentions that the Blueprint should be coherent with the EU Protocol for countering hybrid threats 8, take into account Commission Recommendation 2017/1584 on coordinated response to large-scale cybersecurity incidents and crises 9 (‘Cyber Blueprint’) and respect the Integrated Political Crisis Response 10 (‘IPCR’) arrangements.

Against this background, the current proposal for an additional Council Recommendation contains such a Blueprint. The proposal aims at complementing the current legal framework by describing the coordinated response at Union level when it comes to disruptions of critical infrastructure with significant cross-border relevance while making use of existing Union-level arrangements. Concretely, the proposal describes the scope and the objectives of the Blueprint and the actors, the processes and existing tools that could be used in order to respond, in a coordinated way at Union level, to a disruptive critical infrastructure incident with significant cross-border effect and describes the modes of cooperation between the Member States, Union institutions, bodies, offices and agencies in such situations.

• Consistency with existing policy provisions in the policy area

This proposal for a Council Recommendation is in line with and complements the current legal framework on the protection of critical infrastructure and the resilience of critical entities - the ECI Directive and the CER Directive respectively, as well as the Critical Infrastructure Resilience Recommendation - since it aims at ensuring, in a complementary way, the coordination between Member States, and between them and the Union institutions, bodies, offices and agencies when it comes to responding to incidents that cause disruptions of critical infrastructure with significant cross-border relevance and the provision of essential services. The proposal makes use of existing structures and mechanisms at Union level, including those established by the CER Directive, namely the cooperation between competent authorities and the Critical Entities Resilience Group, which is a group established by the CER Directive to support the Commission and facilitate cooperation among Member States and the exchange of information on issues relating to the CER Directive.

This proposal for a Council Recommendation is also in line with and complementary to the Union framework on cybersecurity as laid down by NIS 2 Directive.

The current proposal aims at putting forward, in the area of resilience of critical entities and protection of critical infrastructure, a Critical Infrastructure Blueprint similar to the Cyber Blueprint.

Point 4(b) of Part I of the Annex also explains the interlinkages with the Cyber Blueprint, which applies to large-scale cybersecurity incidents that cause disruption too extensive for a concerned Member State to handle on its own, or which affect two or more Member States or Union institutions with such a wide-ranging and significant impact of technical or political significance that they require timely policy coordination and response at Union political level. An incident is defined in the NIS 2 Directive as ‘an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems’ (‘cyber incident’).

Competent authorities under the CER Directive and under the NIS 2 Directive have the obligation to cooperate and exchange information on cybersecurity incidents and incidents affecting critical entities, including with regard to relevant measures taken. In a situation where a significant critical infrastructure incident and a large-scale cybersecurity incident affect the same entity, there should be coordination on possible responses between the relevant actors.

The proposal is consistent with the EU Protocol for countering hybrid threats, the latter being applicable in the case of hybrid incidents. Point 4(a) of Part I of the Annex explains the interlinkages with the EU Protocol, including which instrument applies in the case of a significant critical infrastructure incident with a hybrid dimension.

The proposal is also coherent with other existing crisis management mechanisms at Union level, such as the Council’s IPCR arrangements, the Commission’s internal crisis coordination process, ARGUS 11, and the Union Civil Protection Mechanism 12 (‘UCPM’) supported by its Emergency Response Coordination Centre (‘ERCC’), and the European External Action Service Crisis Response Mechanism.

The proposal is also consistent with other relevant sectoral legislation, and notably with specific measures therein that regulate certain aspects of response to disruptions by entities operating in concerned sectors.

2. LEGAL BASIS, SUBSIDIARITY AND PROPORTIONALITY

• Legal basis

The proposal is based on Article 114 of the Treaty on the Functioning of the European Union (‘TFEU’), which involves the approximation of laws for the improvement of the internal market, together with Article 292 TFEU, which lays down the relevant rules regarding the adoption of Recommendations.

The choice of Article 114 TFEU as the substantive legal basis is justified by the fact that the proposed Council Recommendation aims at ensuring a coordinated response in case of disruptions of critical infrastructure with significant cross-border relevance. Such disruptions affect several Member States and risk impacting the functioning of the internal market because of the growing interdependencies between infrastructure and sectors in an increasingly interdependent Union economy. An improved response to disruptions will in turn avoid disruptions in the functioning of the internal market, since that critical infrastructure and the essential services it provides are crucial for the maintenance of vital societal functions, economic activities, public health and safety, or the environment.

The proposal would complement the ECI and CER Directives, which are also based on Article 114 TFEU. The Critical Infrastructure Resilience Recommendation is, like the Recommendation now proposed, also based on Articles 114 and 292 TFEU.

• Subsidiarity (for non-exclusive competence)

Whereas responding to disruptions of critical infrastructure, or of the services provided by the critical entities operating that critical infrastructure, is first and foremost the responsibility of Member States, the Union has an important role in case of a disruption of critical infrastructure with significant cross-border relevance, since such a disruption may impact several or even all sections of economic activity within the single market, as well as the security and international relations of the Union. With the aim of securing the functioning of the internal market, coordination at Union level in case of disruptions of critical infrastructure with significant cross-border effect is not only appropriate but also necessary, since such a coordinated response at Union level will support Member States’ response to the disruption by way of shared situational awareness, coordinated public communication and mitigation of the consequences of the disruption for the internal market.

• Proportionality

The present proposal is in conformity with the principle of proportionality as provided for in Article 5 of the Treaty on European Union.

Neither the content nor the form of this proposed Council Recommendation exceeds what is necessary to achieve its objectives. The actions proposed are proportionate to the pursued objectives, which focus on ensuring a coordinated response at Union level in case of disruptions of critical infrastructure, or of the services provided by the critical entities operating that critical infrastructure, which have a significant cross-border relevance. This proposed coordinated response is proportionate to Member States’ prerogatives and obligations under national law. Incidents that disrupt critical infrastructure or the provision of essential services by critical entities often fall below the threshold of a significant critical infrastructure incident and may be addressed effectively at national level. Therefore, the use of the mechanism provided for in this proposal is limited to major disruptions that have a significant cross-border relevance affecting several Member States.

• Choice of the instrument

To achieve the objectives referred to above, the TFEU provides for the adoption of Recommendations by the Council, notably in its Article 292, on the basis of a proposal from the Commission. In accordance with Article 288 TFEU, Recommendations do not have binding force. A Council Recommendation is an appropriate instrument in this case since it signals the commitment of Member States to the measures included therein and provides a strong basis for cooperation in the area of coordinated response in case of significant disruptions of critical infrastructure. In this manner, the proposed Recommendation would complement the binding legal framework (in particular, the CER Directive) and also the earlier adopted Critical Infrastructure Resilience Recommendation, which calls for such complementary measures, while fully respecting Member States’ responsibilities in the area at issue.

3. RESULTS OF EX-POST EVALUATIONS, STAKEHOLDER CONSULTATIONS AND IMPACT ASSESSMENTS

• Stakeholder consultations

In developing this proposal, Member States, Union institutions and agencies were consulted. The views of the Member State experts, both as expressed at the workshop of 24 April 2023 and as sent in writing after that workshop, were also taken into consideration.

There was overall consensus on the usefulness of more coordination in the response at Union level to disruptions of critical infrastructure with significant cross-border relevance in the current threat context, while respecting the competence of Member States in this area and the confidentiality of sensitive information. There was also consensus on the need to avoid duplication of instruments and to make good use of existing Union-level mechanisms for coordination, information-sharing and response.

While certain Member States had a positive view of the wider scope of the Critical Infrastructure Blueprint, others considered that the threshold of six or more Member States provided in the CER Directive for the identification of critical entities of particular European significance was sufficient, and that it was not necessary to include a second type of incident in the scope. A few Member States remarked on the importance of involving, where appropriate, operators of critical infrastructure providing essential services, due to their expertise, and on the importance of taking into account the cyber dimension.

• Detailed explanation of the specific provisions of the proposal

The proposal for a Council Recommendation consists of a main part and an annex.

The main part consists of 11 points as follows:

Point (1) sets out the need for enhanced cooperation as regards the response to significant critical infrastructure incidents in accordance with the Critical Infrastructure Blueprint contained in the present proposed Recommendation, including the relevant parts of its Annex.

Point (2) specifies the scope of the Critical Infrastructure Blueprint, which covers two types of disruptive incident that would trigger its application: the incident either has a significant disruptive effect on the provision of essential services to or in six or more Member States; or it has a significant disruptive effect in two or more Member States and the relevant actors mentioned therein agree on the need for Union-level coordination due to the significant impact of the incident.

Point (3) refers to the identification of the relevant actors to be involved in the Critical Infrastructure Blueprint and the levels at which the Critical Infrastructure Blueprint will operate (operational, strategic/political). This is further explained in the Annex to the Recommendation.

Point (4) recommends the application of the Critical Infrastructure Blueprint in coherence with other relevant instruments, as described in the Annex.

Point (5) recommends that Member States respond effectively, at national level, to significant disruptions of critical infrastructure.

Point (6) recommends that the relevant actors establish or designate points of contact to support the use of the Critical Infrastructure Blueprint. Where possible, these points of contact should be the same as the single points of contact under the CER Directive.

Point (7) refers to the flow of information in case of a significant critical infrastructure incident.

Point (8) expands on how the exchange of information should take place.

Point (9) recommends testing the functioning of the Critical Infrastructure Blueprint through exercises.

Point (10) recommends that lessons identified should be discussed in the Critical Entities Resilience Group, which should prepare a report, including recommendations. The report should be adopted by the Commission.

Point (11) recommends that Member States discuss the report in the Council.

The Annex describes the objectives, principles and main actors, the interplay with existing crisis response mechanisms, and the functioning of the Critical Infrastructure Blueprint with its two modes of cooperation: information exchange and response.