12 Apr 2021

Critical entities: ensuring coherence of non-cyber and cyber resilience

Executive summary

The changing nature of the threat landscape requires better protection and more investment in the EU’s resilience capacities to secure our critical infrastructure. DIGITALEUROPE welcomes the Commission’s effort to strengthen the resilience of critical entities across the EU by developing and updating relevant legislation.

The proposal for a Directive on the resilience of critical entities (RCE Directive)[1] expands both the scope and depth of the 2008 European Critical Infrastructure (ECI) Directive.[2]

The following elements should be addressed during the legislative process:

  • Requirements regarding physical non-cyber protection under the proposed RCE Directive should be more clearly separated from requirements regarding cyber protection under the revised Directive on Security of Network and Information Systems (NIS2);[3]

  • The RCE Directive should not introduce additional requirements or obligations on digital infrastructure, which is already covered exhaustively under the NIS2;

  • Clearer and more transparent supervision practices should be introduced; and

  • Better harmonisation can be achieved between the RCE proposal, the NIS2 and the proposed Regulation on digital operational resilience for the financial sector (DORA),[4] including in terms of regulatory cooperation, implementation timelines and reporting thresholds.

     


Scope

The RCE Directive is launched in parallel with the NIS2 review. As recognised in the proposal,[5] it is necessary to achieve a coherent approach between the two instruments. Overlaps should be avoided between the requirements regarding physical non-cyber protection under the proposed RCE Directive and requirements regarding cyber protection under the NIS2.

This distinction should be further clarified in the definition of ‘resilience’ in the RCE Directive.[6] It is unclear whether the current definition points specifically only to physical (non-cyber) aspects of resilience or not. Such unclarity may result in national authorities imposing overlapping rules that ultimately affect the overall resilience of the proposed system, causing counterproductive uncertainty and complexity for market players.

 


Specifying the scope

The RCE Directive states that Member States must, within three years from adoption, establish a list of essential services ‘in the sectors referred to in the Annex.’[7] This provision does not explain if Member States have a right to pick categories of services listed in the Annex or if they are obliged to identify entities within each category. As the Directive is focused on critical entities, using terms such as essential services can also add to unnecessary confusion. DIGITALEUROPE therefore recommends further clarification of these provisions.

 


Legal regime for digital infrastructure

DIGITALEUROPE understands that the RCE Directive aims to exempt digital infrastructure as well as banking and financial market infrastructure from the reporting and material obligations foreseen in Chapters III-IV.[8]

However, the RCE Directive itself remains vague and there is no clear description of what the identification as ‘equivalent to critical entities’ implies.[9] It must be ensured that the RCE Directive does not introduce resilience requirements or additional reporting obligations on digital infrastructure, which is already covered exhaustively under the NIS2.

 


Supervision and enforcement

Supervision practices should be clear and transparent.

Under the proposal, national authorities are granted generic powers and means to conduct on-site inspections.[10] Moreover, are subject to specific oversight where Member State authorities report to the European Commission and the Critical Entities Resilience Group on their compliance with requirements.[11] ‘Advisory missions’ for compliance monitoring of entities of particular ‘European significance’ are also granted generic access to ‘all information, systems and facilities relating to the provision of … essential services.’[12]

The final text should specify clearer procedural safeguards, including which categories of information can be accessed by the authorities and the proposed ‘advisory missions’ to ensure the Directive provides legal certainty for entities.

 


Harmonisation with other existing legislation

DIGITALEUROPE welcomes the proposal’s intention to harmonise the RCE requirements with existing and future EU legislation such as the NIS2 and the proposed DORA Regulation.

It is important to promote increased coordination among supervisory bodies under these legislative proposals. Notably, the RCE Directive sets out a Critical Entities Resilience Group that will cooperate with the NIS Cooperation Group. We note that the proposal envisages an annual cadence of meetings between the two groups, which may be insufficient to achieve meaningful progress in this direction.[13] We would also recommend that the DORA supervisory authorities be also included.

Since critical infrastructure is largely owned and managed by private entities, DIGITALEUROPE recommends more structural involvement of industry in these coordination efforts, for both better alignment and as resource for industry-specific knowledge.

Lastly, aligned timetables for the entry into force of the RCE Directive, the NIS2 and DORA would benefit the overall implementation process.

 


Reporting thresholds

The RCE Directive, comparable to the NIS2 proposal, calls for notifications of incidents having ‘the potential to significantly disrupt operations.’[14]

In most cases, such demands will lead to overinforming by the entity to the national authority, with massive amounts of data and information burdening their internal incident handling processes.

Sharing general cyber threats or near misses is not useful and would create unnecessary burden for organisations that would need to process and try to operationalise the information shared. By contrast, periodic updates or threat analysis reports from relevant entities, complemented by dialogue to provide context, are more relevant and useful.

 


References:

[1] COM(2020) 829 final.

[2] Council Directive 2008/114/EC.

[3] COM(2020) 823 final.

[4] COM(2020) 595 final.

[5] See Recital 8, COM(2020) 829 final.

[6] See Art. 2(2), ibid.

[7] See Art. 4(1), ibid.

[8] See Art. 7 and Recital 14, ibid.

[9] See Art. 7, ibid.

[10] See Art. 18(1), ibid.

[11] See Art. 15, ibid.

[12] See Art. 15(6), ibid.

[13] See Art. 16, ibid.

[14] See Art. 13, ibid.


For more information, please contact:
Alberto Di Felice
Policy and Legal Counsel
Back to Cybersecurity & Digital Resilience
View the complete Policy Paper
PDF
Our resources on Cybersecurity & Digital Resilience
14 Nov 2024 The Download
The Download - Taming the cyber storm whilst empowering European businesses to thrive
05 Sep 2024 Response to Public Consultation
The NIS2 Directive’s transposition: How do Member States make their critical infrastructure cybersecure?
04 Sep 2024 Policy Paper
Developing guidelines for the Cyber Resilience Act
Hit enter to search or ESC to close
This website uses cookies
We use cookies and similar techonologies to adjust your preferences, analyze traffic and measure the effectiveness of campaigns. You consent to the use of our cookies by continuing to browse this website.
Decline
Accept