Source: OJ L 333, 27.12.2022, pp. 164–198Current language: EN
- Resilience of critical entities
Basic legislative acts
- CER directive
Article 5 Risk assessment by Member States
The Commission is empowered to adopt a delegated act, in accordance with Article 23, by 17 November 2023 to supplement this Directive by establishing a non-exhaustive list of essential services in the sectors and subsectors set out in the Annex. The competent authorities shall use that list of essential services for the purpose of carrying out a risk assessment (‘Member State risk assessment’) by 17 January 2026, whenever necessary subsequently, and at least every four years. The competent authorities shall use Member State risk assessments for the purpose of identifying critical entities in accordance with Article 6 and assisting those critical entities to take measures pursuant to Article 13.
Member State risk assessments shall account for the relevant natural and man-made risks, including those of a cross-sectoral or cross-border nature, accidents, natural disasters, public health emergencies and hybrid threats or other antagonistic threats, including terrorist offences as provided for in Directive (EU) 2017/541 of the European Parliament and of the Council(32)Directive (EU) 2017/541 of the European Parliament and of the Council of 15 March 2017 on combating terrorism and replacing Council Framework Decision 2002/475/JHA and amending Council Decision 2005/671/JHA (OJ L 88, 31.3.2017, p. 6)..
In carrying out Member State risk assessments, Member States shall take into account at least the following:
the general risk assessment carried out pursuant to Article 6(1) of Decision No 1313/2013/EU;
other relevant risk assessments, carried out in accordance with the requirements of the relevant sector-specific Union legal acts, including Regulations (EU) 2017/1938(33)Regulation (EU) 2017/1938 of the European Parliament and of the Council of 25 October 2017 concerning measures to safeguard the security of gas supply and repealing Regulation (EU) No 994/2010 (OJ L 280, 28.10.2017, p. 1). and (EU) 2019/941(34)Regulation (EU) 2019/941 of the European Parliament and of the Council of 5 June 2019 on risk-preparedness in the electricity sector and repealing Directive 2005/89/EC (OJ L 158, 14.6.2019, p. 1). of the European Parliament and of the Council and Directives 2007/60/EC(35)Directive 2007/60/EC of the European Parliament and of the Council of 23 October 2007 on the assessment and management of flood risks (OJ L 288, 6.11.2007, p. 27). and 2012/18/EU(36)Directive 2012/18/EU of the European Parliament and of the Council of 4 July 2012 on the control of major-accident hazards involving dangerous substances, amending and subsequently repealing Council Directive 96/82/EC (OJ L 197, 24.7.2012, p. 1). of the European Parliament and of the Council;
the relevant risks arising from the extent to which the sectors set out in the Annex depend on one another, including from the extent to which they depend on entities located within other Member States and third countries, and the impact that a significant disruption in one sector may have on other sectors, including any significant risks to citizens and the internal market;
any information on incidents notified in accordance with Article 15.
For the purposes of the first subparagraph, point (c), Member States shall cooperate with the competent authorities of other Member States and the competent authorities of third countries, as appropriate.
Member States shall make the relevant elements of Member State risk assessments available, where relevant through their single points of contact, to the critical entities that they have identified in accordance with Article 6. Member States shall ensure that the information provided to critical entities assists them in carrying out their risk assessments pursuant to Article 12 and in taking measures to ensure their resilience pursuant to Article 13.
Within three months of carrying out a Member State risk assessment, a Member State shall provide the Commission with relevant information on the types of risks identified following, and the outcomes of, that Member State risk assessment, per sector and subsector set out in the Annex.
The Commission shall, in cooperation with the Member States, develop a voluntary common reporting template for the purpose of complying with paragraph 4.
Relevant recitals
Recital 15 Member State risk assessments
The actions of Member States to identify and help ensure the resilience of critical entities should follow a risk-based approach that focuses on the entities most relevant for the performance of vital societal functions or economic activities. In order to ensure such a targeted approach, each Member State should carry out, within a harmonised framework, an assessment of the relevant natural and man-made risks, including those of a cross-sectoral or cross-border nature, that could affect the provision of essential services, including accidents, natural disasters, public health emergencies such as pandemics and hybrid threats or other antagonistic threats, including terrorist offences, criminal infiltration and sabotage (‘Member State risk assessment’). When carrying out Member State risk assessments, Member States should take into account other general or sector-specific risk assessments carried out pursuant to other Union legal acts and should consider the extent to which sectors depend on one another, including on sectors in other Member States and third countries. The outcome of Member State risk assessments should be used for the purposes of identifying critical entities and assisting those entities in meeting their resilience requirements. This Directive applies only to Member States and critical entities that operate within the Union. Nevertheless, the expertise and knowledge generated by competent authorities, in particular through risk assessments, and by the Commission, in particular through various forms of support and cooperation, could be used, where appropriate and in accordance with the applicable legal instruments, for the benefit of third countries, in particular those in the direct neighbourhood of the Union, by feeding into existing cooperation on resilience.
Recital 17 List of essential services
Member States should submit to the Commission, in a manner that fulfils the objectives of this Directive, a list of essential services, the number of critical entities identified for each of the sectors and subsectors set out in the Annex and for the essential service or services that each entity provides and, if applied, thresholds. It should be possible to present thresholds as such or in aggregated form, meaning that the information can be averaged by geographic area, by year, by sector, by subsector or by other means, and can include information on the range of the indicators provided.
Recital 19 Foreign ownership of critical infrastructure
In accordance with applicable Union and national law, including Regulation (EU) 2019/452 of the European Parliament and of the Council(7)Regulation (EU) 2019/452 of the European Parliament and of the Council of 19 March 2019 establishing a framework for the screening of foreign direct investments into the Union (OJ L 79 I, 21.3.2019, p. 1)., which establishes a framework for the screening of foreign direct investments in the Union, the potential threat posed by foreign ownership of critical infrastructure within the Union is to be acknowledged because services, the economy and the free movement and safety of Union citizens depend on the proper functioning of critical infrastructure.
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.