Why Is The “114 Euro” Mentioned In Directive (EU) 2022/2557?

The “114 Euro” figure is significant because it references Article 114 of the Treaty on the Functioning of the European Union (TFEU), the legal basis for Directive (EU) 2022/2557. This directive focuses on enhancing the resilience of critical entities within the European Union, ensuring vital services are maintained within the internal market. Stay informed with euro2.net, providing comprehensive analysis of the Eurozone economy and its implications. We offer insights into EU directives and their impact on businesses and individuals.

1. Understanding Directive (EU) 2022/2557 & Its Foundation

1.1. What is the Core Objective of Directive (EU) 2022/2557?

Directive (EU) 2022/2557, known as the Critical Entities Resilience Directive (CER), aims to strengthen the ability of critical entities to withstand disruptions and maintain essential services across the European Union. It sets harmonized minimum rules to enhance the resilience of these entities and provides support and supervision measures. The directive acknowledges the interconnected nature of the internal market and the need for a unified approach to protect critical infrastructure and services.

1.2. How Does Article 114 of TFEU Relate to the Directive?

Article 114 of the Treaty on the Functioning of the European Union (TFEU) is the legal foundation upon which Directive (EU) 2022/2557 is built. Article 114 empowers the European Union to adopt measures aimed at establishing and functioning of the internal market. Since the resilience of critical entities directly impacts the stability and proper functioning of the internal market, the EU uses Article 114 as the basis for enacting legislation to ensure a consistent and high level of protection across all Member States. This article allows the EU to harmonize laws and regulations that address disparities among member states that could impede the free movement of goods, services, capital, and people.

1.3. What Does “Text With EEA Relevance” Signify?

“Text with EEA relevance” indicates that the directive also applies to the European Economic Area (EEA). The EEA includes EU member states and certain non-EU countries like Norway, Iceland, and Liechtenstein. These countries participate in the EU’s single market, and this notation confirms that the directive’s provisions extend to them, ensuring a broader scope of harmonized resilience measures.

2. Key Aspects of the Directive

2.1. What are Critical Entities & Essential Services?

Critical entities are organizations, both public and private, that provide essential services crucial for maintaining vital societal functions, economic activities, public health and safety, or the environment. These entities operate within sectors such as energy, transport, banking, healthcare, and digital infrastructure. Essential services are those indispensable for the day-to-day functioning of society and the economy, the disruption of which could have significant adverse effects.

2.2. Which Sectors are Covered Under the Directive?

The directive covers a wide array of sectors critical to the functioning of the EU internal market:

• Energy
• Transport
• Banking
• Financial market infrastructure
• Digital infrastructure
• Health
• Space
• Drinking water
• Waste water
• Production, processing and distribution of food
• Public administration

2.3. What are the Main Obligations for Member States?

Member States have several key obligations under the directive:

• Adopting a National Strategy: Each Member State must establish a strategy for enhancing the resilience of critical entities.
• Risk Assessments: Conducting regular risk assessments to identify relevant natural and man-made risks that could affect the provision of essential services.
• Identifying Critical Entities: Identifying entities that provide essential services and are vital for the functioning of the internal market.
• Supporting Critical Entities: Providing support and guidance to critical entities to help them meet their resilience requirements.
• Establishing Competent Authorities: Designating or establishing authorities responsible for supervising and enforcing the rules of the directive.
• Cross-border Cooperation: Cooperating with other Member States to ensure the consistent application of the directive, especially concerning entities operating across borders.

2.4. What Resilience Measures Are Critical Entities Expected To Implement?

Critical entities are required to implement technical, security, and organizational measures that are appropriate and proportional to the risks they face. These measures should aim to:

• Prevent Incidents: Implementing measures to prevent incidents from occurring, including disaster risk reduction and climate adaptation strategies.
• Protect Premises: Ensuring adequate physical protection of their premises and critical infrastructure through measures like fencing, surveillance, and access controls.
• Respond to Incidents: Establishing procedures and protocols to respond to, resist, and mitigate the consequences of incidents.
• Recover from Incidents: Implementing business continuity measures and identifying alternative supply chains to ensure the resumption of essential services.
• Ensure Employee Security: Managing employee security by establishing access rights, conducting background checks where appropriate, and providing relevant training.
• Raise Awareness: Increasing awareness among personnel about the measures in place through training, information materials, and exercises.

2.5. How Does the Directive Address Cross-Border Cooperation?

The directive emphasizes cross-border cooperation to address the interconnected nature of critical infrastructure and services. Member States are required to consult with each other regarding critical entities that:

• Use critical infrastructure physically connected between two or more Member States.
• Are part of corporate structures connected with critical entities in other Member States.
• Have been identified as critical entities in one Member State and provide essential services to or in other Member States.

Each Member State must also designate a single point of contact to facilitate cross-border cooperation and communication.

3. Relationship With Other EU Legislation

3.1. How Does This Directive Relate To Directive (EU) 2022/2555 (NIS2 Directive)?

Directive (EU) 2022/2555, known as the NIS2 Directive, focuses on cybersecurity measures across the European Union. Recognizing the close relationship between physical and cybersecurity, the CER Directive and the NIS2 Directive are designed to be implemented in a coordinated manner. The NIS2 Directive imposes comprehensive requirements on a broad range of entities to ensure their cybersecurity, including the resilience of network and information systems.

3.2. How Are Potential Overlaps Between the CER & NIS2 Directives Addressed?

To avoid duplication and unnecessary burden, the CER Directive excludes matters sufficiently covered by the NIS2 Directive. Specifically, critical entities in the digital infrastructure sector are exempt from certain obligations under the CER Directive (Article 11 and Chapters III, IV, and VI) because they are already subject to the cybersecurity requirements of the NIS2 Directive. However, Member States must still identify entities in the digital infrastructure sector as critical entities under the CER Directive, ensuring they benefit from the strategies, risk assessments, and support measures outlined in Chapter II of the CER Directive.

3.3. How Does the Directive Interact With Sector-Specific EU Laws?

The CER Directive acknowledges that certain sectors, such as energy and transport, are already regulated by sector-specific EU laws that contain provisions related to resilience. Where these sector-specific laws require critical entities to take measures to enhance their resilience, and where these requirements are recognized by Member States as equivalent to the corresponding obligations in the CER Directive, the relevant provisions of the CER Directive do not apply. This ensures that critical entities are not subject to duplicative requirements and that existing regulatory frameworks are respected.

4. Implementation & Enforcement

4.1. What is the Role of Competent Authorities?

Competent authorities are designated or established by each Member State to supervise the application and enforce the rules of the CER Directive. These authorities are responsible for:

• Ensuring the correct application of the directive at the national level.
• Supervising critical entities.
• Requiring critical entities to provide information and evidence of their compliance.
• Issuing orders to remedy identified infringements.
• Cooperating with other relevant authorities, both at the Union and national levels.

4.2. What Powers Do Competent Authorities Have?

To effectively supervise and enforce the directive, competent authorities have specific powers, including the power to:

• Conduct on-site inspections of critical infrastructure and premises.
• Conduct or order audits of critical entities.
• Require critical entities to provide information and evidence relating to compliance measures.
• Issue orders to remedy identified infringements.

These powers are subject to appropriate safeguards to ensure they are exercised objectively, transparently, and proportionately, protecting the rights and legitimate interests of critical entities.

4.3. What Are the Penalties for Non-Compliance?

Member States are required to lay down rules on penalties applicable to infringements of national measures adopted pursuant to the CER Directive. These penalties must be effective, proportionate, and dissuasive. By October 17, 2024, Member States must notify the Commission of these rules and any subsequent amendments.

5. Critical Entities of Particular European Significance

5.1. How Are These Entities Identified?

An entity is considered a critical entity of particular European significance if it:

• Has been identified as a critical entity under Article 6(1) of the CER Directive.
• Provides the same or similar essential services to or in six or more Member States.

The Commission identifies these entities through consultations with Member States and the critical entities themselves.

5.2. What Are Advisory Missions & How Do They Work?

Advisory missions are organized by the Commission to assess the measures that critical entities of particular European significance have put in place to meet their obligations under Chapter III of the CER Directive. These missions consist of experts from the Member State in which the critical entity is located, experts from the Member States to or in which the essential service is provided, and Commission representatives.

The advisory missions provide advice to the critical entity and report their findings to the Commission, the relevant Member States, and the critical entity concerned. The Commission then communicates its opinion on whether the critical entity complies with its obligations and what measures could be taken to improve resilience.

5.3. What Is The Role Of The Critical Entities Resilience Group?

The Critical Entities Resilience Group supports the Commission and facilitates cooperation among Member States and the exchange of information on issues related to the CER Directive. The group is composed of representatives of the Member States and the Commission, and it may invite relevant stakeholders to participate in its work.

The Critical Entities Resilience Group:

• Supports the Commission in assisting Member States in reinforcing their capacity to ensure the resilience of critical entities.
• Analyzes national strategies to identify best practices.
• Facilitates the exchange of best practices regarding the identification of critical entities and the management of risks and incidents.
• Contributes to the preparation of guidelines and delegated or implementing acts adopted pursuant to the directive.
• Discusses the summary reports of advisory missions and the lessons learned.