|Council of the European Union, European Parliament
|Official Journal of the European Union
|L 333, Pages 164-198
|Blog & Commentary, Legislation, News, Policy-making
Directive (EU) 2022/2557 was formally adopted by the co-legislators on 14 December 2022. It introduces a number of additional critical infrastructure protection (CIP) measures and replaces Council Directive 2008/114/EC, also known as the ECI Directive. The Act is known as the Critical Entities Resilience (CER) Directive. This is a text with EEA relevance.
This Directive lays down obligations on Member States to take specific measures aimed at ensuring the services which are essential for the maintenance of vital societal functions or economic activities within the scope of Article 114 TFEU are provided in an unobstructed manner in the internal market, in particular obligations to identify critical entities and to support critical entities in meeting the obligations imposed on them. It also lays down obligations aimed at enhancing their resilience and ability to provide services in the internal market. It establishes rules on the supervision of critical entities and enforcement, for the identification of critical entities of particular significance and on advisory missions to assess the measures that such entities have put in place to meet their obligations. Finally, it establishes common procedures for cooperation and reporting on the application of this Directive, and it lays down measures with a view to achieving a high level of resilience of critical entities in order to ensure the provision of essential services within the European Union (EU) and to improve the functioning of the internal market.
The Act repeals Council Directive 2008/114/EC, which established an EU-wide process for identifying and designating European Critical Infrastructures (ECIs), and set out an approach for improving their protection.
The draft law was tabled by the European Commission on 16 December 2020, as part of a package which also includes a new EU Cybersecurity Strategy. It sought to address calls from the co-legislators concerning the revision of the existing approach in order to better reflect the increased challenges to critical entities, and to ensure closer alignment with Directive (EU) 2016/1148 (also known as the NIS Directive). It also responded to an assessment of the ECI Directive. It reflected national approaches in an increasing number of Member States, which tend to emphasise cross-sectoral and cross-border interdependencies and are increasingly informed by resilience thinking, in which protection is but one element alongside risk prevention and mitigation, business continuity and recovery.
The plenary of the European Parliament adopted a negotiating position on 20 October 2021. The Council of the European Union adopted its general approach on 21 December. An informal agreement between the co-legislators on a compromise text was reached on 28 June 2022. This was formally endorsed by Parliament on 22 November and by the Council on 8 December. The Act was signed by the co-legislators on 14 December 2022 and published in the Official Journal on 27 December 2022.
The Act entered into force on 16 January 2023. On 25 July, the Commission adopted a Delegated Act comprising a list of essential services in the eleven sectors covered by the Directive.
|Justice and Home Affairs, Security and Defence
|Cybersecurity | Cyber-security, Risk | Crisis Management, Security Union
|European Union [EU]