Source: OJ L 333, 27.12.2022, pp. 164–198
CER directive
Article 13 Resilience measures of critical entities
1. Member States shall ensure that critical entities take appropriate and proportionate technical, security and organisational measures to ensure their resilience, based on the relevant information provided by Member States on the Member State risk assessment and on the outcomes of the critical entity risk assessment, including measures necessary to:
(a) prevent incidents from occurring, duly considering disaster risk reduction and climate adaptation measures;
(b) ensure adequate physical protection of their premises and critical infrastructure, duly considering, for example, fencing, barriers, perimeter monitoring tools and routines, detection equipment and access controls;
(c) respond to, resist and mitigate the consequences of incidents, duly considering the implementation of risk and crisis management procedures and protocols and alert routines;
(d) recover from incidents, duly considering business continuity measures and the identification of alternative supply chains, in order to resume the provision of the essential service;
(e) ensure adequate employee security management, duly considering measures such as setting out categories of personnel who exercise critical functions, establishing access rights to premises, critical infrastructure and sensitive information, setting up procedures for background checks in accordance with Article 14 and designating the categories of persons who are required to undergo such background checks, and laying down appropriate training requirements and qualifications;
(f) raise awareness about the measures referred to in points (a) to (e) among relevant personnel, duly considering training courses, information materials and exercises.
For the purposes of the first subparagraph, point (e), Member States shall ensure that critical entities take into account the personnel of external service providers when setting out categories of personnel who exercise critical functions.
2. Member States shall ensure that critical entities have in place and apply a resilience plan or equivalent document or documents which describe the measures taken pursuant to paragraph 1. Where critical entities have drawn up documents or taken measures pursuant to obligations laid down in other legal acts that are relevant for the measures referred to in paragraph 1, they may use those documents and measures to meet the requirements set out in this Article. When exercising its supervisory functions, the competent authority may declare existing resilience-enhancing measures taken by a critical entity that address, in an appropriate and proportionate manner, the technical, security and organisational measures referred to in paragraph 1 as compliant, in whole or in part, with the obligations under this Article.
3. Member States shall ensure that each critical entity designates a liaison officer or equivalent as the point of contact with the competent authorities.
4. At the request of the Member State that has identified the critical entity and with the agreement of the critical entity concerned, the Commission shall organise advisory missions, in accordance with the arrangements set out in Article 18(6), (8) and (9), to provide advice to the critical entity concerned in meeting its obligations under Chapter III. The advisory mission shall report its findings to the Commission, that Member State and the critical entity concerned.
5. The Commission shall, after consulting the Critical Entities Resilience Group referred to in Article 19, adopt non-binding guidelines to further specify the technical, security and organisational measures that may be taken pursuant to paragraph 1 of this Article.
6. The Commission shall adopt implementing acts in order to set out the necessary technical and methodological specifications relating to the application of the measures referred to in paragraph 1 of this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 24(2).
Relevant recitals
Recital 4 All-hazards approach
While certain sectors of the economy, such as the energy and transport sectors, are already regulated by sector-specific Union legal acts, those legal acts contain provisions which relate only to certain aspects of resilience of entities operating in those sectors. In order to address in a comprehensive manner the resilience of those entities that are critical for the proper functioning of the internal market, this Directive creates an overarching framework that addresses the resilience of critical entities in respect of all hazards, whether natural or man-made, accidental or intentional.
Recital 7 Comprehensive and future-proof minimum rules
It is necessary to lay down harmonised minimum rules to ensure the provision of essential services in the internal market, to enhance the resilience of critical entities and to improve cross-border cooperation between competent authorities. It is important that those rules be future proof in terms of their design and implementation while allowing for necessary flexibility. It is also crucial to improve the capacity of critical entities to provide essential services in the face of a diverse set of risks.
Recital 29 Liaison officer and guidelines on common measures
Critical entities should take technical, security and organisational measures that are appropriate and proportionate to the risks they face so as to prevent, protect against, respond to, resist, mitigate, absorb, accommodate and recover from an incident. While critical entities should take those measures in accordance with this Directive, the details and extent of such measures should reflect the different risks that each critical entity has identified as part of its critical entity risk assessment and the specificities of such entity in an appropriate and proportionate way. To promote a coherent Union approach, the Commission should, after consulting the Critical Entities Resilience Group, adopt non-binding guidelines to further specify those technical, security and organisational measures. Member States should ensure that each critical entity designate a liaison officer or equivalent as point of contact with the competent authorities.
Recital 30 Resilience plan
In the interests of effectiveness and accountability, critical entities should describe the measures they take, with a level of detail that sufficiently achieves the aims of effectiveness and accountability, having regard to the risks identified, in a resilience plan or in a document or documents that are equivalent to a resilience plan, and apply that plan in practice. Where a critical entity has already taken technical, security and organisational measures and drawn up documents pursuant to other legal acts that are relevant for resilience-enhancing measures under this Directive, it should be able, in order to avoid duplication, to use those measures and documents to meet the requirements as regards resilience measures under this Directive. In order to avoid duplication, a competent authority should be able to declare existing resilience measures taken by a critical entity that address its obligation to take technical, security and organisational measures pursuant to this Directive as compliant, in whole or in part, with the requirements of this Directive.
Recital 36 Advisory missions
On a reasoned request from the Commission or from one or more Member States to or in which the essential service is provided, where additional information is necessary to be able to advise a critical entity in meeting its obligations under this Directive or to assess the compliance of a critical entity of particular European significance with those obligations, the Member State that has identified a critical entity of particular European significance as a critical entity should provide the Commission with certain information as set out in this Directive. In agreement with the Member State that has identified the critical entity of particular European significance as a critical entity, the Commission should be able to organise an advisory mission to assess the measures put in place by that entity. In order to ensure that such advisory missions are carried out properly, complementary rules should be established, in particular on the organisation and conduct of the advisory missions, the follow-up actions to be taken and the obligations for the critical entities of particular European significance concerned. The advisory mission should, without prejudice to the need for the Member State in which the advisory mission is conducted and the critical entity concerned to comply with the rules laid down in this Directive, be conducted subject to the detailed rules of the law of that Member State, for instance on the precise conditions to be fulfilled in order to obtain access to relevant premises or documents and on judicial redress. Specific expertise required for such advisory missions could, where relevant, be requested through the Emergency Response Coordination Centre established by Decision No 1313/2013/EU of the European Parliament and of the Council (22).
(22) Decision No 1313/2013/EU of the European Parliament and of the Council of 17 December 2013 on a Union Civil Protection Mechanism (OJ L 347, 20.12.2013, p. 924).
Recital 42 Implementing powers of the European Commission
In order to ensure uniform conditions for the implementation of this Directive, implementing powers should be conferred on the Commission. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council (26).
(26) Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by the Member States of the Commission’s exercise of implementing powers (OJ L 55, 28.2.2011, p. 13).