Parliament and EU member states’ negotiators have agreed on new rules to make the EU’s essential infrastructure more resilient.
Negotiating teams from the European Parliament and the Council of the EU reached a deal on the resilience of essential infrastructure. The new rules would establish harmonised minimum rules to ensure that different member states classify the same providers as essential, and risk assessments for essential infrastructure to boost its resilience in the face of disruptions and hazards. The scope would be expanded to eleven sectors in total, including energy, transport, banking, financial market infrastructures, health, drinking water, waste water, food, digital infrastructure and space. At Parliament’s request, public administration was also included in the scope of the rules.
Under the new rules, critical service-providers would have to carry out risk assessments of their own and report disruptive incidents. Also, Member States would be required to adopt national strategies for boosting resilience and carry out regular risk assessments. National authorities should have the possibility to conduct on-site inspections of critical infrastructure, and introduce penalties in case of non-compliance.
To harmonise communication, each member state should designate a single point of contact to act as liaison and ensure functioning cross-border cooperation.
MEPs pushed for broader scope
In the negotiations, MEPs wished to widen the definition of essential services to also include the environment and public health and safety, which were adopted. They also managed to include consideration of rule of law in the context of resilience against threats and risks. The directive will therefore also address possible threats affecting the functioning of national systems that safeguard the rule of law.
To smoothen cross-border co-operation, MEPs wanted to lower the threshold of recognising service providers as having “European significance”. In the end, it was agreed that the threshold be lowered from ten or more member states (in the Commission proposal) to six or more, which will cover several hundreds of critical entities of the European significance across the Union. At the same time, MEPs wanted to ensure coherence between the present directive and the NIS2 directive on cybersecurity.
After the vote, rapporteur Michal Šimečka (Renew, SK) said: “Against the backdrop of the pandemic and Russia’s war in Ukraine, securing Europe’s critical infrastructure has become a top priority. Today’s agreement will boost the resilience of critical entities, and as the Parliament’s lead negotiator, I pushed to include in the scope of the regulation new and vital sectors, including food production and distribution and public administration. I’m also satisfied that we retained a key provision that will allow Member States to develop a common understanding of what services are essential in any crisis scenario. We, as the Parliament, must not let fragmentation and divergence in national rules stand to weaken the resilience of European societies from increasingly frequent physical and hybrid threats.”
In the previous directive on critical infrastructures, only energy and transport were within the scope of common rules. The European Parliament called for the revision of previous directive in a resolution on the findings of the Special Committee on Terrorism in 2018. On 16 December 2020, the European Commission published its proposal for a new directive on the resilience of critical entities.