Chapter III – Resilience of critical entities (Art. 12-16)

Critical entities should take technical, security and organisational measures that are appropriate and proportionate to the risks they face so as to prevent, protect against, respond to, resist, mitigate, absorb, accommodate and recover from an incident. While critical entities should take those measures in accordance with this Directive, the details and extent of such measures should reflect the different risks that each critical entity has identified as part of its critical entity risk assessment and the specificities of such entity in an appropriate and proportionate way. To promote a coherent Union approach, the Commission should, after consulting the Critical Entities Resilience Group, adopt non-binding guidelines to further specify those technical, security and organisational measures. Member States should ensure that each critical entity designate a liaison officer or equivalent as point of contact with the competent authorities.

In the interests of effectiveness and accountability, critical entities should describe the measures they take, with a level of detail that sufficiently achieves the aims of effectiveness and accountability, having regard to the risks identified, in a resilience plan or in a document or documents that are equivalent to a resilience plan, and apply that plan in practice. Where a critical entity has already taken technical, security and organisational measures and drawn up documents pursuant to other legal acts that are relevant for resilience-enhancing measures under this Directive, it should be able, in order to avoid duplication, to use those measures and documents to meet the requirements as regards resilience measures under this Directive. In order to avoid duplication, a competent authority should be able to declare existing resilience measures taken by a critical entity that address its obligation to take technical, security and organisational measures pursuant to this Directive as compliant, in whole or in part, with the requirements of this Directive.

Regulations (EC) No 725/2004⁽¹⁴⁾ and (EC) No 300/2008⁽¹⁵⁾ of the European Parliament and of the Council and Directive 2005/65/EC of the European Parliament and of the Council⁽¹⁶⁾ establish requirements applicable to entities in the aviation and maritime transport sectors to prevent incidents caused by unlawful acts and to resist and mitigate the consequences of such incidents. While the measures required under this Directive are broader in terms of risks addressed and types of measures to be taken, critical entities in those sectors should reflect in their resilience plan or equivalent documents the measures taken pursuant to those other Union legal acts. Critical entities are also to take into consideration Directive 2008/96/EC of the European Parliament and of the Council⁽¹⁷⁾, which introduces a network-wide road assessment to map the risk of accidents and a targeted road safety inspection to identify hazardous conditions, defects and problems that increase the risk of accidents and injuries, based on site visits of existing roads or sections of roads. Ensuring the protection and resilience of critical entities is of the utmost importance for the railway sector and, when implementing resilience measures under this Directive, critical entities are encouraged to refer to non-binding guidelines and good practices documents developed under sectorial workstreams, such as the EU Rail Passenger Security Platform set up by Commission Decision 2018/C 232/03⁽¹⁸⁾.

^{(14) Regulation (EC) No 725/2004 of the European Parliament and of the Council of 31 March 2004 on enhancing ship and port facility security (OJ L 129, 29.4.2004, p. 6).
(15) Regulation (EC) No 300/2008 of the European Parliament and of the Council of 11 March 2008 on common rules in the field of civil aviation security and repealing Regulation (EC) No 2320/2002 (OJ L 97, 9.4.2008, p. 72).
(16) Directive 2005/65/EC of the European Parliament and of the Council of 26 October 2005 on enhancing port security (OJ L 310, 25.11.2005, p. 28).
(17) Directive 2008/96/EC of the European Parliament and of the Council of 19 November 2008 on road infrastructure safety management (OJ L 319, 29.11.2008, p. 59).
(18) Commission Decision of 29 June 2018 setting up the EU Rail Passenger Security Platform 2018/C 232/03 (OJ C 232, 3.7.2018, p. 10).}

In accordance with applicable Union and national law, including Regulation (EU) 2019/452 of the European Parliament and of the Council⁽⁷⁾, which establishes a framework for the screening of foreign direct investments in the Union, the potential threat posed by foreign ownership of critical infrastructure within the Union is to be acknowledged because services, the economy and the free movement and safety of Union citizens depend on the proper functioning of critical infrastructure.

^{(7) Regulation (EU) 2019/452 of the European Parliament and of the Council of 19 March 2019 establishing a framework for the screening of foreign direct investments into the Union (OJ L 79 I, 21.3.2019, p. 1).}

The risk of employees of critical entities or their contractors misusing, for instance, their access rights within the critical entity’s organisation to harm and cause damage is of increasing concern. Member States should therefore specify the conditions under which critical entities are permitted, in duly reasoned cases and taking into account Member State risk assessments, to submit requests for background checks on persons falling within specific categories of its personnel. It should be ensured that the relevant authorities assess such requests within a reasonable timeframe and process them in accordance with national law and procedures and relevant and applicable Union law, including on the protection of personal data. In order to corroborate the identity of a person who is the subject of a background check, it is appropriate for Member States to require proof of identity, such as a passport, a national identity card or a digital form of identification, in accordance with applicable law.

Background checks should include a check of the criminal records of the person concerned. Member States should use the European Criminal Records Information System in accordance with the procedures set out in Council Framework Decision 2009/315/JHA⁽¹⁹⁾ and, where relevant and applicable, Regulation (EU) 2019/816 of the European Parliament and of the Council⁽²⁰⁾ for the purpose of obtaining information from criminal records held by other Member States. Member States might also, where relevant and applicable, draw on the Second Generation Schengen Information System (SIS II) established by Regulation (EU) 2018/1862 of the European Parliament and of the Council⁽²¹⁾, intelligence and any other objective information available that might be necessary to determine the suitability of the person concerned to work in the position in relation to which the critical entity has requested a background check.

^{(19) Council Framework Decision 2009/315/JHA of 26 February 2009 on the organisation and content of the exchange of information extracted from the criminal record between Member States (OJ L 93, 7.4.2009, p. 23).
(20) Regulation (EU) 2019/816 of the European Parliament and of the Council of 17 April 2019 establishing a centralised system for the identification of Member States holding conviction information on third-country nationals and stateless persons (ECRIS-TCN) to supplement the European Criminal Records Information System and amending Regulation (EU) 2018/1726 (OJ L 135, 22.5.2019, p. 1).
(21) Regulation (EU) 2018/1862 of the European Parliament and of the Council of 28 November 2018 on the establishment, operation and use of the Schengen Information System (SIS) in the field of police cooperation and judicial cooperation in criminal matters, amending and repealing Council Decision 2007/533/JHA, and repealing Regulation (EC) No 1986/2006 of the European Parliament and of the Council and Commission Decision 2010/261/EU (OJ L 312, 7.12.2018, p. 56).}

A mechanism for the notification of certain incidents should be established to allow the competent authorities to respond to incidents rapidly and adequately and to have a comprehensive overview of the impact, nature, cause and possible consequences of incidents with which the critical entities deal. Critical entities should notify, without undue delay, the competent authorities of incidents that significantly disrupt or have the potential to significantly disrupt the provision of essential services. Unless operationally unable to do so, critical entities should submit an initial notification no later than 24 hours after becoming aware of an incident. The initial notification should only include the information strictly necessary to make the competent authority aware of the incident and allow the critical entity to seek assistance, if required. Such a notification should indicate, where possible, the presumed cause of the incident. Member States should ensure that the requirement to submit that initial notification does not divert the critical entity’s resources from activities related to incident handling, which should be prioritised. The initial notification should be followed, where relevant, by a detailed report no later than one month after the incident. The detailed report should complement the initial notification and provide a more complete overview of the incident.

Standardisation should remain primarily a market-driven process. However, there might still be situations in which it is appropriate to require compliance with specific standards. Member States should, where useful, encourage the use of European and international standards and technical specifications relevant to the security and resilience measures applicable to critical entities.