Source: OJ L 333, 27.12.2022, pp. 164–198
CER Directive (resilience of critical entities)
Article 1 Subject matter and scope
1. This Directive:
(a) lays down obligations on Member States to take specific measures aimed at ensuring that services which are essential for the maintenance of vital societal functions or economic activities within the scope of Article 114 TFEU are provided in an unobstructed manner in the internal market, in particular obligations to identify critical entities and to support critical entities in meeting the obligations imposed on them;
(b) lays down obligations for critical entities aimed at enhancing their resilience and ability to provide services as referred to in point (a) in the internal market;
(c) establishes rules:
(i) on the supervision of critical entities;
(ii) on enforcement;
(iii) for the identification of critical entities of particular European significance and on advisory missions to assess the measures that such entities have put in place to meet their obligations under Chapter III;
(d) establishes common procedures for cooperation and reporting on the application of this Directive;
(e) lays down measures with a view to achieving a high level of resilience of critical entities in order to ensure the provision of essential services within the Union and to improve the functioning of the internal market.
2. This Directive shall not apply to matters covered by Directive (EU) 2022/2555, without prejudice to Article 8 of this Directive. In light of the relationship between the physical security and cybersecurity of critical entities, Member States shall ensure that this Directive and Directive (EU) 2022/2555 are implemented in a coordinated manner.
3. Where provisions of sector-specific Union legal acts require critical entities to take measures to enhance their resilience and where those requirements are recognised by Member States as at least equivalent to the corresponding obligations laid down in this Directive, the relevant provisions of this Directive, including the provisions on supervision and enforcement laid down in Chapter VI, shall not apply.
4. Without prejudice to Article 346 TFEU, information that is confidential pursuant to Union or national rules, such as rules on business confidentiality, shall be exchanged with the Commission and other relevant authorities in accordance with this Directive only where that exchange is necessary for the application of this Directive. The information exchanged shall be limited to that which is relevant and proportionate to the purpose of that exchange. The exchange of information shall preserve the confidentiality of that information and the security and commercial interests of critical entities, while respecting the security of Member States.
5. This Directive is without prejudice to the Member States’ responsibility for safeguarding national security and defence and their power to safeguard other essential State functions, including ensuring the territorial integrity of the State and maintaining law and order.
6. This Directive does not apply to public administration entities that carry out their activities in the areas of national security, public security, defence or law enforcement, including the investigation, detection and prosecution of criminal offences.
7. Member States may decide that Article 11 and Chapters III, IV and VI, in whole or in part, do not apply to specific critical entities which carry out activities in the areas of national security, public security, defence or law enforcement, including the investigation, detection and prosecution of criminal offences, or which provide services exclusively to the public administration entities referred to in paragraph 6 of this Article.
8. The obligations laid down in this Directive shall not entail the supply of information the disclosure of which would be contrary to the essential interests of Member States’ national security, public security or defence.
9. This Directive is without prejudice to Union law on the protection of personal data, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council (28) and Directive 2002/58/EC of the European Parliament and of the Council (29).
(28) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).
(29) Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.7.2002, p. 37).
Relevant recitals
Recital 2 Shift to horizontal rules on resilience
Council Directive 2008/114/EC (4) provides for a procedure for designating European critical infrastructure in the energy and transport sectors the disruption or destruction of which would have a significant cross-border impact on at least two Member States. That Directive focuses exclusively on the protection of such infrastructure. However, the evaluation of Directive 2008/114/EC conducted in 2019 found that, due to the increasingly interconnected and cross-border nature of operations using critical infrastructure, protective measures relating to individual assets alone are insufficient to prevent all disruptions from taking place. Therefore, it is necessary to shift the approach towards ensuring that risks are better accounted for, that the role and duties of critical entities as providers of services essential to the functioning of the internal market are better defined and coherent, and that Union rules are adopted to enhance the resilience of critical entities. Critical entities should be in a position to reinforce their ability to prevent, protect against, respond to, resist, mitigate, absorb, accommodate and recover from incidents that have the potential to disrupt the provision of essential services.
(4) Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection (OJ L 345, 23.12.2008, p. 75).
Recital 3 Enhanced and harmonised rules
While a number of measures at Union level, such as the European Programme for Critical Infrastructure Protection, and at national level aim to support the protection of critical infrastructure in the Union, more should be done to better equip the entities operating such infrastructure to address the risks to their operations that could result in the disruption of the provision of essential services. More should also be done to better equip such entities because there is a dynamic threat landscape, which includes evolving hybrid and terrorist threats, and growing interdependencies between infrastructure and sectors. Moreover, there is an increased physical risk due to natural disasters and climate change, which intensifies the frequency and scale of extreme weather events and brings long-term changes in average climate conditions that can reduce the capacity, efficiency and lifespan of certain infrastructure types if climate adaptation measures are not in place. In addition, the internal market is characterised by fragmentation in respect of the identification of critical entities because relevant sectors and categories of entities are not recognised consistently as critical in all Member States. This Directive should therefore achieve a solid level of harmonisation in terms of the sectors and categories of entities falling within its scope.
Recital 4 All-hazards approach
While certain sectors of the economy, such as the energy and transport sectors, are already regulated by sector-specific Union legal acts, those legal acts contain provisions which relate only to certain aspects of resilience of entities operating in those sectors. In order to address in a comprehensive manner the resilience of those entities that are critical for the proper functioning of the internal market, this Directive creates an overarching framework that addresses the resilience of critical entities in respect of all hazards, whether natural or man-made, accidental or intentional.
Recital 5 Scope of critical infrastructure
The growing interdependencies between infrastructure and sectors are the result of an increasingly cross-border and interdependent network of service provision using key infrastructure across the Union in the energy, transport, banking, drinking water, waste water, production, processing and distribution of food, health, space, financial market infrastructure and digital infrastructure sectors and in certain aspects of the public administration sector. The space sector falls within the scope of this Directive with respect to the provision of certain services that depend on ground-based infrastructure owned, managed and operated either by Member States or by private parties; consequently, infrastructure owned, managed or operated by or on behalf of the Union as part of its space programme does not fall within the scope of this Directive.
In terms of the energy sector and in particular the methods of electricity generation and transmission (in respect of supply of electricity), it is understood that, where deemed appropriate, electricity generation can include electricity transmission parts of nuclear power plants but excludes the specifically nuclear elements covered by treaties and Union law, including relevant legal acts of the Union concerning nuclear power. The process for identifying critical entities in the food sector should adequately reflect the nature of the internal market in that sector and the extensive Union rules relating to the general principles and requirements of food law and food safety. Therefore, in order to ensure that there is a proportionate approach and to adequately reflect the role and importance of those entities at national level, critical entities should only be identified among food businesses, whether for profit or not and whether public or private, that are engaged exclusively in logistics and wholesale distribution and large-scale industrial production and processing with a significant market share as observed at national level. Those interdependencies mean that any disruption of essential services, even one which is initially confined to one entity or one sector, can have cascading effects more broadly, potentially resulting in a far-reaching and long-term negative impact on the delivery of services across the internal market. Major crises, such as the COVID-19 pandemic, have shown the vulnerability of our increasingly interdependent societies in the face of high-impact low-probability risks.
Recital 6 Level playing field in the EU
The entities involved in the provision of essential services are increasingly subject to diverging requirements imposed under national law. The fact that some Member States have less stringent security requirements on those entities not only leads to various levels of resilience but also risks negatively impacting the maintenance of vital societal functions or economic activities across the Union and leads to obstacles to the proper functioning of the internal market. Investors and companies can rely on and trust critical entities that are resilient, and reliability and trust are the cornerstones of a well-functioning internal market. Similar types of entities are considered as critical in some Member States but not in others, and those which are identified as critical are subject to divergent requirements in different Member States. That results in an additional and unnecessary administrative burden for companies operating across borders, in particular for companies active in Member States with more stringent requirements. A Union framework would therefore also have the effect of levelling the playing field for critical entities across the Union.
Recital 7 Comprehensive and future-proof minimum rules
It is necessary to lay down harmonised minimum rules to ensure the provision of essential services in the internal market, to enhance the resilience of critical entities and to improve cross-border cooperation between competent authorities. It is important that those rules be future proof in terms of their design and implementation while allowing for necessary flexibility. It is also crucial to improve the capacity of critical entities to provide essential services in the face of a diverse set of risks.
Recital 8 Member States to identify critical entities
In order to achieve a high level of resilience, Member States should identify critical entities that will be subject to specific requirements and supervision and that will be provided with particular support and guidance in the face of all relevant risks.
Recital 9 Relation to the NIS 2 directive
Given the importance of cybersecurity for the resilience of critical entities and in the interests of consistency, a coherent approach should be ensured, wherever possible, between this Directive and Directive (EU) 2022/2555 of the European Parliament and of the Council (5). In light of the higher frequency and particular characteristics of cyber risks, Directive (EU) 2022/2555 imposes comprehensive requirements on a large set of entities to ensure their cybersecurity. Given that cybersecurity is addressed sufficiently in Directive (EU) 2022/2555, the matters covered by that Directive should be excluded from the scope of this Directive, without prejudice to the particular regime for entities in the digital infrastructure sector.
(5) Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive) (see page 80 of this Official Journal).
Recital 10 Relation to overlapping sector-specific EU acts
Where provisions of sector-specific Union legal acts require critical entities to take measures to enhance their resilience, and where those requirements are recognised by Member States as at least equivalent to the corresponding obligations laid down in this Directive, the relevant provisions of this Directive should not apply, so as to avoid duplication and unnecessary burden. In that case, the relevant provisions of such Union legal acts should apply. Where the relevant provisions of this Directive do not apply, the provisions on supervision and enforcement laid down in this Directive should not apply either.
Recital 11 Applicability for Member States’ authorities
This Directive does not affect the competence of Member States and their authorities in terms of administrative autonomy or their responsibility for safeguarding national security and defence or their power to safeguard other essential State functions, in particular concerning public security, territorial integrity and the maintenance of law and order. The exclusion of public administration entities from the scope of this Directive should apply to entities whose activities are predominantly carried out in the areas of national security, public security, defence or law enforcement, including the investigation, detection and prosecution of criminal offences. However, public administration entities whose activities are only marginally related to those areas should fall within the scope of this Directive. For the purposes of this Directive, entities with regulatory competences are not considered to be carrying out activities in the area of law enforcement and are therefore not excluded on that ground from the scope of this Directive. Public administration entities that are jointly established with a third country in accordance with an international agreement are excluded from the scope of this Directive. This Directive does not apply to Member States’ diplomatic and consular missions in third countries.
Certain critical entities carry out activities in the areas of national security, public security, defence or law enforcement, including the investigation, detection and prosecution of criminal offences, or provide services exclusively to public administration entities that carry out activities predominantly in those areas. In light of the Member States’ responsibility for safeguarding national security and defence, Member States should be able to decide that the obligations on critical entities laid down in this Directive do not apply, in whole or in part, to those critical entities if the services they provide or the activities they perform are predominantly related to the areas of national security, public security, defence or law enforcement, including the investigation, detection and prosecution of criminal offences. Critical entities whose services or activities are only marginally related to those areas should fall within the scope of this Directive. No Member State should be required to supply information the disclosure of which would be contrary to the essential interests of its national security. Union or national rules for the protection of classified information and non-disclosure agreements are of relevance.
Recital 21 Exemptions for financial entities under the DORA regulation
Union financial services law establishes comprehensive requirements on financial entities to manage all risks they face, including operational risks, and to ensure business continuity. Such law includes Regulations (EU) No 648/2012 (8), (EU) No 575/2013 (9) and (EU) No 600/2014 (10) of the European Parliament and of the Council and Directives 2013/36/EU (11) and 2014/65/EU (12) of the European Parliament and of the Council.
That legal framework is complemented by Regulation (EU) 2022/2554 of the European Parliament and of the Council (13), which lays down requirements applicable to financial entities to manage Information and Communication Technology (ICT) risks, including concerning the protection of physical ICT infrastructure. Since the resilience of those entities is therefore comprehensively covered, Article 11 and Chapters III, IV and VI of this Directive should not apply to those entities in order to avoid duplication and unnecessary administrative burden.
(8) Regulation (EU) No 648/2012 of the European Parliament and of the Council of 4 July 2012 on OTC derivatives, central counterparties and trade repositories (OJ L 201, 27.7.2012, p. 1).
(9) Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and amending Regulation (EU) No 648/2012 (OJ L 176, 27.6.2013, p. 1).
(10) Regulation (EU) No 600/2014 of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Regulation (EU) No 648/2012 (OJ L 173, 12.6.2014, p. 84).
(11) Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC (OJ L 176, 27.6.2013, p. 338).
(12) Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Directive 2002/92/EC and Directive 2011/61/EU (OJ L 173, 12.6.2014, p. 349).
(13) Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (see page 1 of this Official Journal).
However, considering the importance of the services provided by entities in the financial sector to critical entities belonging to all other sectors, Member States should identify, based on the criteria and using the procedure provided for in this Directive, entities in the financial sector as critical entities. Consequently, the strategies, the Member State risk assessments and the support measures set out in Chapter II of this Directive should apply. Member States should be able to adopt or maintain provisions of national law to achieve a higher level of resilience for those critical entities provided that those provisions are consistent with applicable Union law.
Recital 31 Requirements regarding aviation, maritime and railway transport
Regulations (EC) No 725/2004 (14) and (EC) No 300/2008 (15) of the European Parliament and of the Council and Directive 2005/65/EC of the European Parliament and of the Council (16) establish requirements applicable to entities in the aviation and maritime transport sectors to prevent incidents caused by unlawful acts and to resist and mitigate the consequences of such incidents. While the measures required under this Directive are broader in terms of risks addressed and types of measures to be taken, critical entities in those sectors should reflect in their resilience plan or equivalent documents the measures taken pursuant to those other Union legal acts. Critical entities are also to take into consideration Directive 2008/96/EC of the European Parliament and of the Council (17), which introduces a network-wide road assessment to map the risk of accidents and a targeted road safety inspection to identify hazardous conditions, defects and problems that increase the risk of accidents and injuries, based on site visits of existing roads or sections of roads.
Ensuring the protection and resilience of critical entities is of the utmost importance for the railway sector and, when implementing resilience measures under this Directive, critical entities are encouraged to refer to non-binding guidelines and good practices documents developed under sectorial workstreams, such as the EU Rail Passenger Security Platform set up by Commission Decision 2018/C 232/03 (18).
(14) Regulation (EC) No 725/2004 of the European Parliament and of the Council of 31 March 2004 on enhancing ship and port facility security (OJ L 129, 29.4.2004, p. 6).
(15) Regulation (EC) No 300/2008 of the European Parliament and of the Council of 11 March 2008 on common rules in the field of civil aviation security and repealing Regulation (EC) No 2320/2002 (OJ L 97, 9.4.2008, p. 72).
(16) Directive 2005/65/EC of the European Parliament and of the Council of 26 October 2005 on enhancing port security (OJ L 310, 25.11.2005, p. 28).
(17) Directive 2008/96/EC of the European Parliament and of the Council of 19 November 2008 on road infrastructure safety management (OJ L 319, 29.11.2008, p. 59).
(18) Commission Decision of 29 June 2018 setting up the EU Rail Passenger Security Platform 2018/C 232/03 (OJ C 232, 3.7.2018, p. 10).
Criteria in the definition of a public administration entity (Article 2 of this Directive):
- it is established for the purpose of meeting needs in the general interest and does not have an industrial or commercial character;
- it has legal personality or is entitled by law to act on behalf of another entity with legal personality;
- it is financed, for the most part, by the State authorities or by other central-level bodies governed by public law, is subject to management supervision by those authorities or bodies, or has an administrative, managerial or supervisory board, more than half of whose members are appointed by the State authorities or by other central-level bodies governed by public law;
- it has the power to address to natural or legal persons administrative or regulatory decisions affecting their rights in the cross-border movement of persons, goods, services or capital.