EU Parliament approves new rules to protect essential infrastructure, bring about consistency among member states

The European Union (EU) Parliament has given its final approval to rules on improving the protection of the EU’s essential infrastructure. These rules will harmonize the definition of critical infrastructure so that it is consistent across the member states. Protecting critical infrastructure against physical and digital threats is higher than ever on the EU agenda, not least in light of the recent Nord Stream gas pipeline sabotage.

Covering the sectors of energy, transport, banking, financial market infrastructure, digital infrastructure, drinking and wastewater, food (including production, processing and delivery), health, public administration, and space, the legislation tightens the requirements for risk assessments and reporting for actors considered critical.

The approval coincides with the European Commission’s announcement last week that it has launched a call for expressions of interest to select entities in member states that will host and operate cross-border cyber threat detection platforms, each bringing together relevant public entities from several member states and private entities.

According to the new rules, member states should adopt national resilience strategies, and cross-border communication should happen through designated single points of contact in each member state. At the same time, they should avoid double reporting between this and other resilience-boosting initiatives, so that critical actors do not face an unnecessary administrative burden. To ensure transparency, critical actors should inform national authorities of any incidents or disturbances, and the authorities should inform the public when this is in the public interest.

With 595 votes in favor, 17 against, and 24 abstaining, MEPs (Members of the European Parliament) voted to confirm an agreement from negotiations with the Council on boosting critical infrastructure protection in the EU. 

“To deliver a Europe that protects, we must also bolster the collective resilience of the critical systems underpinning our way of life,” rapporteur Michal Šimečka (Renew, SK) said in a media statement after the vote. “With 11 crucial sectors covered, this legislation will respond to both the challenges of the climate crisis and the increasing occurrence of sabotage in the European Union because of Russia’s war of aggression against Ukraine. The EU’s critical infrastructure must remain resilient against these threats.”

The European Commission proposal seeks to establish an all-hazards framework to support member states in ensuring that critical entities are able to prevent, resist, absorb and recover from disruptive incidents, be they caused by natural disasters, accidents, terrorism, insider threats, or public health emergencies such as pandemics. Additionally, member states would have to identify and list critical entities, adopt a national strategy, and carry out regular risk assessments, while the entities would have to conduct their own risk assessments, take resilience measures, and report disruptive incidents. 

The proposal also envisages on-site inspections and penalties for non-compliance. Entities of particular European significance – those providing essential services to, or in, more than one-third of member states (i.e. nine) – would be subject to specific oversight. The resilience of critical entities (CER) proposal, focused on resilience against physical risks, was presented together with the review of the Network and Information Security Directive (NIS2), which aims to enhance cyber resilience. To ensure alignment, NIS2 provisions would apply to all critical entities identified under the CER.

In the European Parliament, five committees have been working on the proposal, with the Committee on Civil Liberties, Justice and Home Affairs (LIBE) taking the lead. The LIBE committee adopted its report on 15 October 2021. The Council agreed to its general approach on 20 December 2021. The political agreement reached by the co-legislators on 28 June 2022, in the end, covers 11 sectors (with the addition of the food sector) and includes public administration entities, except for the judiciary, parliaments, and central banks.

As wished for by the Council, a clause allows member states to exclude entities active in defense, national security, public security, and law enforcement from obligations. Parliament negotiators ensured that the scope covers systems safeguarding the rule of law and that the thresholds for entities to qualify as being of particular European significance are lowered to six or more member states, instead of nine. Member states will need to transpose the new rules into national law within 21 months.

While certain sectors of the economy, such as the energy and transport sectors, are already regulated by sector-specific Union legal acts, those legal acts contain provisions that relate only to certain aspects of the resilience of entities operating in those sectors. In order to address comprehensively the resilience of those entities that are critical for the proper functioning of the internal market, the latest rules create an overarching framework that addresses the resilience of critical entities in respect of all hazards, whether natural or man-made, accidental or intentional.

The growing interdependencies between infrastructure and sectors are the result of an increasingly cross-border and interdependent network of service provision using key infrastructure across the Union in the energy, transport, banking, drinking water, waste water, production, processing and distribution of food, health, space, financial market infrastructure, and digital infrastructure sectors and in certain aspects of the public administration sector.

The space sector falls within the scope of the latest rules with respect to the provision of certain services that depend on ground-based infrastructure owned, managed and operated either by member states or by private parties. Consequently, infrastructure owned, managed or operated by or on behalf of the Union as part of its space program does not fall within the scope of these rules.

In terms of the energy sector, and in particular the methods of electricity generation and transmission (in respect of the supply of electricity), it is understood that, where deemed appropriate, electricity generation can include the electricity transmission parts of nuclear power plants but excludes the specifically nuclear elements covered by treaties and Union law, including relevant legal acts of the Union concerning nuclear power. The process for identifying critical entities in the food sector should adequately reflect the nature of the internal market in that sector and the extensive Union rules relating to the general principles and requirements of food law and food safety.

Therefore, to ensure a proportionate approach and to adequately reflect the role and importance of those entities at the national level, critical entities should only be identified among food businesses, whether for profit or not and whether public or private, that are engaged exclusively in logistics and wholesale distribution and large-scale industrial production and processing with a significant market share as observed at the national level.

Those interdependencies mean that any disruption of essential services, even one which is initially confined to one entity or one sector, can have cascading effects more broadly, potentially resulting in a far-reaching and long-term negative impact on the delivery of services across the internal market. Major crises, such as the COVID-19 pandemic, have shown the vulnerability of increasingly interdependent societies in the face of high-impact low-probability risks.

Earlier this month, the EU Parliament and the Council approved legislation that sets tighter requirements for businesses, administrations, and infrastructure, with measures that work towards a high common level of cybersecurity across the Union. By updating the NIS directive, the EU Parliament expands the scope covered by the proposed NIS2 directive, which repeals the 2016 directive.
