Negotiators from the European Parliament and the French Presidency of the Council of the European Union agreed on Tuesday 28 June on new rules to strengthen the resilience of critical entities (see EUROPE 12857/5).
The new directive establishes harmonised minimum rules to ensure that Member States classify the same suppliers as critical and that risk assessments are carried out for these critical infrastructures, in order to prepare them for disasters that are no longer solely related to terrorism, as was the case under the directive adopted in 2008.
The scope of the directive will be extended to 11 sectors: energy, transport, banking, financial market infrastructure, health, drinking water, waste water, food, digital infrastructure and space. The Council’s mandate, agreed in December 2021, covered nine sectors (see EUROPE 12857/5).
The central public administration of a Member State has also been included in the scope of the rules and will be covered by certain provisions.
Critical service providers will have to carry out their own risk assessment and report disruptive incidents. Member States will also be required to adopt national strategies and to carry out regular evaluations, for example through field inspections and by imposing penalties for infringements.
To facilitate cross-border cooperation, it was agreed to lower the threshold for recognition of service providers with a European dimension. The threshold has been reduced from ten or more Member States (in the Commission’s proposal, see EUROPE 12624/2) to at least six countries.
This will cover “several hundred critical entities of European importance across the Union”, the European Parliament said. (Original version in French by Solenn Paulic)