Critical entities: ensuring coherence of non-cyber and cyber resilience
The changing nature of the threat landscape requires better protection and more investment in the EU’s resilience capacities to secure our critical infrastructure. DIGITALEUROPE welcomes the Commission’s effort to strengthen the resilience of critical entities across the EU by developing and updating relevant legislation.
The proposal for a Directive on the resilience of critical entities (RCE Directive) expands both the scope and depth of the 2008 European Critical Infrastructure (ECI) Directive.
The following elements should be addressed during the legislative process:
Requirements regarding physical non-cyber protection under the proposed RCE Directive should be more clearly separated from requirements regarding cyber protection under the revised Directive on Security of Network and Information Systems (NIS2);
The RCE Directive should not introduce additional requirements or obligations on digital infrastructure, which is already covered exhaustively under the NIS2;
Clearer and more transparent supervision practices should be introduced; and
Better harmonisation can be achieved between the RCE proposal, the NIS2 and the proposed Regulation on digital operational resilience for the financial sector (DORA), including in terms of regulatory cooperation, implementation timelines and reporting thresholds.
The RCE Directive is launched in parallel with the NIS2 review. As recognised in the proposal, it is necessary to achieve a coherent approach between the two instruments. Overlaps should be avoided between the requirements regarding physical non-cyber protection under the proposed RCE Directive and requirements regarding cyber protection under the NIS2.
This distinction should be further clarified in the definition of ‘resilience’ in the RCE Directive. It is unclear whether the current definition refers only to physical (non-cyber) aspects of resilience. This lack of clarity may result in national authorities imposing overlapping rules that ultimately affect the overall resilience of the proposed system, causing counterproductive uncertainty and complexity for market players.
Specifying the scope
The RCE Directive states that Member States must, within three years from adoption, establish a list of essential services ‘in the sectors referred to in the Annex.’ This provision does not explain whether Member States may choose among the categories of services listed in the Annex or whether they are obliged to identify entities within each category. As the Directive is focused on critical entities, using terms such as ‘essential services’ can also add unnecessary confusion. DIGITALEUROPE therefore recommends further clarification of these provisions.
Legal regime for digital infrastructure
DIGITALEUROPE understands that the RCE Directive aims to exempt digital infrastructure as well as banking and financial market infrastructure from the reporting and material obligations foreseen in Chapters III-IV.
However, the RCE Directive itself remains vague and there is no clear description of what the identification as ‘equivalent to critical entities’ implies. It must be ensured that the RCE Directive does not introduce resilience requirements or additional reporting obligations on digital infrastructure, which is already covered exhaustively under the NIS2.
Supervision and enforcement
Supervision practices should be clear and transparent.
Under the proposal, national authorities are granted generic powers and means to conduct on-site inspections. Moreover, critical entities are subject to specific oversight under which Member State authorities report to the European Commission and the Critical Entities Resilience Group on those entities’ compliance with requirements. ‘Advisory missions’ for compliance monitoring of entities of particular ‘European significance’ are also granted generic access to ‘all information, systems and facilities relating to the provision of … essential services.’
The final text should specify clearer procedural safeguards, including which categories of information can be accessed by the authorities and the proposed ‘advisory missions’ to ensure the Directive provides legal certainty for entities.
Harmonisation with other existing legislation
DIGITALEUROPE welcomes the proposal’s intention to harmonise the RCE requirements with existing and future EU legislation such as the NIS2 and the proposed DORA Regulation.
It is important to promote increased coordination among the supervisory bodies established under these legislative proposals. Notably, the RCE Directive sets out a Critical Entities Resilience Group that will cooperate with the NIS Cooperation Group. We note that the proposal envisages an annual cadence of meetings between the two groups, which may be insufficient to achieve meaningful progress in this direction. We would also recommend that the DORA supervisory authorities be included.
Since critical infrastructure is largely owned and managed by private entities, DIGITALEUROPE recommends more structural involvement of industry in these coordination efforts, both for better alignment and as a resource for industry-specific knowledge.
Lastly, aligned timetables for the entry into force of the RCE Directive, the NIS2 and DORA would benefit the overall implementation process.
The RCE Directive, comparable to the NIS2 proposal, calls for notifications of incidents having ‘the potential to significantly disrupt operations.’
In most cases, such demands will lead to over-reporting by entities to national authorities, with massive amounts of data and information burdening their internal incident handling processes.
Sharing general cyber threats or near misses is not useful and would create an unnecessary burden for organisations, which would need to process and attempt to operationalise the information shared. By contrast, periodic updates or threat analysis reports from relevant entities, complemented by dialogue to provide context, are more relevant and useful.