CER directive

While certain sectors of the economy, such as the energy and transport sectors, are already regulated by sector-specific Union legal acts, those legal acts contain provisions which relate only to certain aspects of resilience means a critical entity’s ability to prevent, protect against, respond to, resist, mitigate, absorb, accommodate and recover from an incident; of entities operating in those sectors. In order to address in a comprehensive manner the resilience means a critical entity’s ability to prevent, protect against, respond to, resist, mitigate, absorb, accommodate and recover from an incident; of those entities that are critical for the proper functioning of the internal market, this Directive creates an overarching framework that addresses the resilience means a critical entity’s ability to prevent, protect against, respond to, resist, mitigate, absorb, accommodate and recover from an incident; of critical entities means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; in respect of all hazards, whether natural or man-made, accidental or intentional.

The growing interdependencies between infrastructure and sectors are the result of an increasingly cross-border and interdependent network of service provision using key infrastructure across the Union in the energy, transport, banking, drinking water, waste water, production, processing and distribution of food, health, space, financial market infrastructure and digital infrastructure sectors and in certain aspects of the public administration sector. The space sector falls within the scope of this Directive with respect to the provision of certain services that depend on ground-based infrastructure owned, managed and operated either by Member States or by private parties; consequently, infrastructure owned, managed or operated by or on behalf of the Union as part of its space programme does not fall within the scope of this Directive.

The entities involved in the provision of essential services means a service which is crucial for the maintenance of vital societal functions, economic activities, public health and safety, or the environment; are increasingly subject to diverging requirements imposed under national law. The fact that some Member States have less stringent security requirements on those entities not only leads to various levels of resilience means a critical entity’s ability to prevent, protect against, respond to, resist, mitigate, absorb, accommodate and recover from an incident; but also risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; negatively impacting the maintenance of vital societal functions or economic activities across the Union and leads to obstacles to the proper functioning of the internal market. Investors and companies can rely on and trust critical entities means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; that are resilient, and reliability and trust are the cornerstones of a well-functioning internal market. Similar types of entities are considered as critical in some Member States but not in others, and those which are identified as critical are subject to divergent requirements in different Member States. That results in an additional and unnecessary administrative burden for companies operating across borders, in particular for companies active in Member States with more stringent requirements. A Union framework would therefore also have the effect of levelling the playing field for critical entities means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; across the Union.

It is necessary to lay down harmonised minimum rules to ensure the provision of essential services means a service which is crucial for the maintenance of vital societal functions, economic activities, public health and safety, or the environment; in the internal market, to enhance the resilience means a critical entity’s ability to prevent, protect against, respond to, resist, mitigate, absorb, accommodate and recover from an incident; of critical entities means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; and to improve cross-border cooperation between competent authorities. It is important that those rules be future proof in terms of their design and implementation while allowing for necessary flexibility. It is also crucial to improve the capacity of critical entities means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; to provide essential services means a service which is crucial for the maintenance of vital societal functions, economic activities, public health and safety, or the environment; in the face of a diverse set of risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;.

In order to achieve a high level of resilience means a critical entity’s ability to prevent, protect against, respond to, resist, mitigate, absorb, accommodate and recover from an incident;, Member States should identify critical entities means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; that will be subject to specific requirements and supervision and that will be provided with particular support and guidance in the face of all relevant risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;.

Given the importance of cybersecurity for the resilience means a critical entity’s ability to prevent, protect against, respond to, resist, mitigate, absorb, accommodate and recover from an incident; of critical entities means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; and in the interests of consistency, a coherent approach should be ensured, wherever possible, between this Directive and Directive (EU) 2022/2555 of the European Parliament and of the Council(⁵)Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive) (see page 80 of this Official Journal).. In light of the higher frequency and particular characteristics of cyber risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;, Directive (EU) 2022/2555 imposes comprehensive requirements on a large set of entities to ensure their cybersecurity. Given that cybersecurity is addressed sufficiently in Directive (EU) 2022/2555, the matters covered by that Directive should be excluded from the scope of this Directive, without prejudice to the particular regime for entities in the digital infrastructure sector.

Where provisions of sector-specific Union legal acts require critical entities means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; to take measures to enhance their resilience means a critical entity’s ability to prevent, protect against, respond to, resist, mitigate, absorb, accommodate and recover from an incident;, and where those requirements are recognised by Member States as at least equivalent to the corresponding obligations laid down in this Directive, the relevant provisions of this Directive should not apply, so as to avoid duplication and unnecessary burden. In that case, the relevant provisions of such Union legal acts should apply. Where the relevant provisions of this Directive do not apply, the provisions on supervision and enforcement laid down in this Directive should not apply either.

This Directive does not affect the competence of Member States and their authorities in terms of administrative autonomy or their responsibility for safeguarding national security and defence or their power to safeguard other essential State functions, in particular concerning public security, territorial integrity and the maintenance of law and order. The exclusion of public administration entities means an entity recognised as such in a Member State in accordance with national law, not including the judiciary, parliaments or central banks, which complies with the following criteria: it is established for the purpose of meeting needs in the general interest and does not have an industrial or commercial character; it has legal personality or is entitled by law to act on behalf of another entity with legal personality; it is financed, for the most part, by the State authorities or by other central-level bodies governed by public law, is subject to management supervision by those authorities or bodies, or has an administrative, managerial or supervisory board, more than half of whose members are appointed by the State authorities or by other central-level bodies governed by public law; it has the power to address to natural or legal persons administrative or regulatory decisions affecting their rights in the cross-border movement of persons, goods, services or capital. from the scope of this Directive should apply to entities whose activities are predominantly carried out in the areas of national security, public security, defence or law enforcement, including the investigation, detection and prosecution of criminal offences. However, public administration entities means an entity recognised as such in a Member State in accordance with national law, not including the judiciary, parliaments or central banks, which complies with the following criteria: it is established for the purpose of meeting needs in the general interest and does not have an industrial or commercial character; it has legal personality or is entitled by law to act on behalf of another entity with legal personality; it is financed, for the most part, by the State authorities or by other central-level bodies governed by public law, is subject to management supervision by those authorities or bodies, or has an administrative, managerial or supervisory board, more than half of whose members are appointed by the State authorities or by other central-level bodies governed by public law; it has the power to address to natural or legal persons administrative or regulatory decisions affecting their rights in the cross-border movement of persons, goods, services or capital. whose activities are only marginally related to those areas should fall within the scope of this Directive. For the purposes of this Directive, entities with regulatory competences are not considered to be carrying out activities in the area of law enforcement and are therefore not excluded on that ground from the scope of this Directive. Public administration entities means an entity recognised as such in a Member State in accordance with national law, not including the judiciary, parliaments or central banks, which complies with the following criteria: it is established for the purpose of meeting needs in the general interest and does not have an industrial or commercial character; it has legal personality or is entitled by law to act on behalf of another entity with legal personality; it is financed, for the most part, by the State authorities or by other central-level bodies governed by public law, is subject to management supervision by those authorities or bodies, or has an administrative, managerial or supervisory board, more than half of whose members are appointed by the State authorities or by other central-level bodies governed by public law; it has the power to address to natural or legal persons administrative or regulatory decisions affecting their rights in the cross-border movement of persons, goods, services or capital. that are jointly established with a third country in accordance with an international agreement are excluded from the scope of this Directive. This Directive does not apply to Member States’ diplomatic and consular missions in third countries.

In order not to jeopardise national security or the security and commercial interests of critical entities means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex;, sensitive information should be accessed, exchanged and handled prudently and with particular attention to the transmission channels and storage capacities used.

With a view to ensuring a comprehensive approach to the resilience means a critical entity’s ability to prevent, protect against, respond to, resist, mitigate, absorb, accommodate and recover from an incident; of critical entities means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex;, each Member State should have in place a strategy for enhancing the resilience means a critical entity’s ability to prevent, protect against, respond to, resist, mitigate, absorb, accommodate and recover from an incident; of critical entities means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; (the ‘strategy’). The strategy should set out the strategic objectives and policy measures to be implemented. In the interests of coherence and efficiency, the strategy should be designed to seamlessly integrate existing policies, building, wherever possible, upon relevant existing national and sectoral strategies, plans or similar documents. In order to achieve a comprehensive approach, Member States should ensure that their strategies provide for a policy framework for enhanced coordination between the competent authorities under this Directive and the competent authorities under Directive (EU) 2022/2555 in the context of information sharing on cybersecurity risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;, cyber threats and cyber incidents means an event which has the potential to significantly disrupt, or that disrupts, the provision of an essential service, including when it affects the national systems that safeguard the rule of law; and non-cyber risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;, threats and incidents means an event which has the potential to significantly disrupt, or that disrupts, the provision of an essential service, including when it affects the national systems that safeguard the rule of law; and in the context of the exercise of supervisory tasks. When putting in place their strategies, Member States should take due account of the hybrid nature of threats to critical entities means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex;.

Member States should communicate their strategies and substantial updates thereto to the Commission, in particular to enable the Commission to assess the correct application of this Directive as regards policy approaches to the resilience means a critical entity’s ability to prevent, protect against, respond to, resist, mitigate, absorb, accommodate and recover from an incident; of critical entities means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; at national level. Where necessary, the strategies could be communicated as classified information. The Commission should draw up a summary report of the strategies communicated by Member States to serve as a basis for exchanges to identify best practices and issues of common interest in the framework of a Critical Entities means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; Resilience means a critical entity’s ability to prevent, protect against, respond to, resist, mitigate, absorb, accommodate and recover from an incident; Group. Due to the sensitive nature of the aggregated information included in the summary report, whether classified or not, the Commission should manage the summary report with the appropriate level of awareness with respect for the security of critical entities means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex;, Member States and the Union. The summary report and the strategies should be safeguarded against unlawful or malicious action and should be accessible only to authorised persons in order to fulfil the objectives of this Directive. The communication of the strategies and substantial updates thereto should also help the Commission to understand developments in approaches to the resilience means a critical entity’s ability to prevent, protect against, respond to, resist, mitigate, absorb, accommodate and recover from an incident; of critical entities means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; and feed into the monitoring of the impact and added value of this Directive, which the Commission is to review periodically.

The actions of Member States to identify and help ensure the resilience means a critical entity’s ability to prevent, protect against, respond to, resist, mitigate, absorb, accommodate and recover from an incident; of critical entities means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; should follow a risk-based approach that focuses on the entities most relevant for the performance of vital societal functions or economic activities. In order to ensure such a targeted approach, each Member State should carry out, within a harmonised framework, an assessment of the relevant natural and man-made risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;, including those of a cross-sectoral or cross-border nature, that could affect the provision of essential services means a service which is crucial for the maintenance of vital societal functions, economic activities, public health and safety, or the environment;, including accidents, natural disasters, public health emergencies such as pandemics and hybrid threats or other antagonistic threats, including terrorist offences, criminal infiltration and sabotage (‘Member State risk assessment means the overall process for determining the nature and extent of a risk by identifying and analysing potential relevant threats, vulnerabilities and hazards which could lead to an incident and by evaluating the potential loss or disruption of the provision of an essential service caused by that incident;’). When carrying out Member State risk assessments means the overall process for determining the nature and extent of a risk by identifying and analysing potential relevant threats, vulnerabilities and hazards which could lead to an incident and by evaluating the potential loss or disruption of the provision of an essential service caused by that incident;, Member States should take into account other general or sector-specific risk assessments means the overall process for determining the nature and extent of a risk by identifying and analysing potential relevant threats, vulnerabilities and hazards which could lead to an incident and by evaluating the potential loss or disruption of the provision of an essential service caused by that incident; carried out pursuant to other Union legal acts and should consider the extent to which sectors depend on one another, including on sectors in other Member States and third countries. The outcome of Member State risk assessments means the overall process for determining the nature and extent of a risk by identifying and analysing potential relevant threats, vulnerabilities and hazards which could lead to an incident and by evaluating the potential loss or disruption of the provision of an essential service caused by that incident; should be used for the purposes of identifying critical entities means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; and assisting those entities in meeting their resilience means a critical entity’s ability to prevent, protect against, respond to, resist, mitigate, absorb, accommodate and recover from an incident; requirements. This Directive applies only to Member States and critical entities means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; that operate within the Union. Nevertheless, the expertise and knowledge generated by competent authorities, in particular through risk assessments means the overall process for determining the nature and extent of a risk by identifying and analysing potential relevant threats, vulnerabilities and hazards which could lead to an incident and by evaluating the potential loss or disruption of the provision of an essential service caused by that incident;, and by the Commission, in particular through various forms of support and cooperation, could be used, where appropriate and in accordance with the applicable legal instruments, for the benefit of third countries, in particular those in the direct neighbourhood of the Union, by feeding into existing cooperation on resilience means a critical entity’s ability to prevent, protect against, respond to, resist, mitigate, absorb, accommodate and recover from an incident;.

In order to ensure that all relevant entities are subject to the resilience means a critical entity’s ability to prevent, protect against, respond to, resist, mitigate, absorb, accommodate and recover from an incident; requirements of this Directive and to reduce divergences in that respect, it is important to lay down harmonised rules allowing for a consistent identification of critical entities means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; across the Union, while also allowing Member States to adequately reflect the role and importance of those entities at national level. When applying the criteria laid down in this Directive, each Member State should identify entities that provide one or more essential services means a service which is crucial for the maintenance of vital societal functions, economic activities, public health and safety, or the environment; and that operate and have critical infrastructure means an asset, a facility, equipment, a network or a system, or a part of an asset, a facility, equipment, a network or a system, which is necessary for the provision of an essential service; located on its territory. An entity should be considered to operate on the territory of a Member State in which it carries out activities necessary for the essential service means a service which is crucial for the maintenance of vital societal functions, economic activities, public health and safety, or the environment; or services in question and in which that entity’s critical infrastructure means an asset, a facility, equipment, a network or a system, or a part of an asset, a facility, equipment, a network or a system, which is necessary for the provision of an essential service;, which is used to provide that service or those services, is located. Where no entity meets those criteria in a Member State, that Member State should be under no obligation to identify a critical entity means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; in the corresponding sector or subsector. In the interests of effectiveness, efficiency, consistency and legal certainty, appropriate rules should be established as regards notifying entities that they have been identified as critical entities means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex;.

Member States should submit to the Commission, in a manner that fulfils the objectives of this Directive, a list of essential services means a service which is crucial for the maintenance of vital societal functions, economic activities, public health and safety, or the environment;, the number of critical entities means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; identified for each of the sectors and subsectors set out in the Annex and for the essential service means a service which is crucial for the maintenance of vital societal functions, economic activities, public health and safety, or the environment; or services that each entity provides and, if applied, thresholds. It should be possible to present thresholds as such or in aggregated form, meaning that the information can be averaged by geographic area, by year, by sector, by subsector or by other means, and can include information on the range of the indicators provided.

Criteria should be established to determine the significance of a disruptive effect produced by an incident means an event which has the potential to significantly disrupt, or that disrupts, the provision of an essential service, including when it affects the national systems that safeguard the rule of law;. Those criteria should build on the criteria set out in Directive (EU) 2016/1148 of the European Parliament and of the Council(⁶)Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (OJ L 194, 19.7.2016, p. 1). in order to capitalise on the efforts carried out by Member States to identify operators of essential services means a service which is crucial for the maintenance of vital societal functions, economic activities, public health and safety, or the environment; as defined in that Directive and the experience gained in that regard. Major crises, such as the COVID-19 pandemic, have shown the importance of ensuring the security of the supply chain and have demonstrated how its disruption can have a negative economic and societal impact across a large number of sectors and across borders. Therefore, Member States should also consider effects on the supply chain, to the extent possible, when determining the extent to which other sectors and subsectors depend on the essential service means a service which is crucial for the maintenance of vital societal functions, economic activities, public health and safety, or the environment; provided by a critical entity means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex;.

In accordance with applicable Union and national law, including Regulation (EU) 2019/452 of the European Parliament and of the Council(⁷)Regulation (EU) 2019/452 of the European Parliament and of the Council of 19 March 2019 establishing a framework for the screening of foreign direct investments into the Union (OJ L 79 I, 21.3.2019, p. 1)., which establishes a framework for the screening of foreign direct investments in the Union, the potential threat posed by foreign ownership of critical infrastructure means an asset, a facility, equipment, a network or a system, or a part of an asset, a facility, equipment, a network or a system, which is necessary for the provision of an essential service; within the Union is to be acknowledged because services, the economy and the free movement and safety of Union citizens depend on the proper functioning of critical infrastructure means an asset, a facility, equipment, a network or a system, or a part of an asset, a facility, equipment, a network or a system, which is necessary for the provision of an essential service;.

Directive (EU) 2022/2555 requires entities belonging to the digital infrastructure sector, which might be identified as critical entities means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; under this Directive, to take appropriate and proportionate technical, operational and organisational measures to manage the risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; posed to the security of network and information systems and to notify significant incidents means an event which has the potential to significantly disrupt, or that disrupts, the provision of an essential service, including when it affects the national systems that safeguard the rule of law; and cyber threats. Since threats to the security of network and information systems can have different origins, Directive (EU) 2022/2555 applies an all-hazards approach that includes the resilience means a critical entity’s ability to prevent, protect against, respond to, resist, mitigate, absorb, accommodate and recover from an incident; of network and information systems, as well as the physical components and environment of those systems.

Union financial services law establishes comprehensive requirements on financial entities to manage all risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; they face, including operational risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;, and to ensure business continuity. Such law includes Regulations (EU) No 648/2012(⁸)Regulation (EU) No 648/2012 of the European Parliament and of the Council of 4 July 2012 on OTC derivatives, central counterparties and trade repositories (OJ L 201, 27.7.2012, p. 1)., (EU) No 575/2013(⁹)Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and amending Regulation (EU) No 648/2012 (OJ L 176, 27.6.2013, p. 1). and (EU) No 600/2014(¹⁰)Regulation (EU) No 600/2014 of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Regulation (EU) No 648/2012 (OJ L 173, 12.6.2014, p. 84). of the European Parliament and of the Council and Directives 2013/36/EU(¹¹)Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC (OJ L 176, 27.6.2013, p. 338). and 2014/65/EU(¹²)Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Directive 2002/92/EC and Directive 2011/61/EU (OJ L 173, 12.6.2014, p. 349). of the European Parliament and of the Council. That legal framework is complemented by Regulation (EU) 2022/2554 of the European Parliament and of the Council(¹³)Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (see page 1 of this Official Journal)., which lays down requirements applicable to financial entities to manage Information and Communication Technology (ICT) risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;, including concerning the protection of physical ICT infrastructure. Since the resilience means a critical entity’s ability to prevent, protect against, respond to, resist, mitigate, absorb, accommodate and recover from an incident; of those entities is therefore comprehensively covered, Article 11 and Chapters III, IV and VI of this Directive should not apply to those entities in order to avoid duplication and unnecessary administrative burden.

Member States should designate or establish authorities competent to supervise the application of and, where necessary, enforce the rules of this Directive and ensure that those authorities are adequately empowered and resourced. In light of the differences in national governance structures, in order to safeguard existing sectoral arrangements or Union supervisory and regulatory bodies, and in order to avoid duplication, Member States should be able to designate or establish more than one competent authority. Where Member States designate or establish more than one competent authority, they should clearly delineate the respective tasks of the authorities concerned and ensure that they cooperate smoothly and effectively. All competent authorities should also cooperate more generally with other relevant authorities, at both Union and national level.

In order to facilitate cross-border cooperation and communication and to enable the effective implementation of this Directive, each Member State should, without prejudice to the requirements of sector-specific Union legal acts, designate one single point of contact responsible for coordinating issues related to the resilience means a critical entity’s ability to prevent, protect against, respond to, resist, mitigate, absorb, accommodate and recover from an incident; of critical entities means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; and cross-border cooperation at Union level (‘single point of contact’), where relevant within a competent authority. Each single point of contact should liaise and coordinate communication, where relevant, with the competent authorities of its Member State, with the single points of contact of other Member States and with the Critical Entities means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; Resilience means a critical entity’s ability to prevent, protect against, respond to, resist, mitigate, absorb, accommodate and recover from an incident; Group.

The competent authorities under this Directive and the competent authorities under Directive (EU) 2022/2555 should cooperate and exchange information in relation to cybersecurity risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;, cyber threats and cyber incidents means an event which has the potential to significantly disrupt, or that disrupts, the provision of an essential service, including when it affects the national systems that safeguard the rule of law; and non-cyber risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;, threats and incidents means an event which has the potential to significantly disrupt, or that disrupts, the provision of an essential service, including when it affects the national systems that safeguard the rule of law; affecting critical entities means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; as well as in relation to relevant measures taken by competent authorities under this Directive and competent authorities under Directive (EU) 2022/2555. It is important that Member States ensure that the requirements provided for in this Directive and in Directive (EU) 2022/2555 are implemented in a complementary manner and that critical entities means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; are not subject to an administrative burden beyond that which is necessary to achieve the objectives of this Directive and that Directive.

Member States should support critical entities means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex;, including those that qualify as small or medium-sized enterprises, in strengthening their resilience means a critical entity’s ability to prevent, protect against, respond to, resist, mitigate, absorb, accommodate and recover from an incident;, in compliance with Member State obligations laid down in this Directive, without prejudice to the critical entities means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex;’ own legal responsibility to ensure such compliance and, in so doing, prevent excessive administrative burden. Member States could, in particular, develop guidance materials and methodologies, support the organisation of exercises to test the resilience means a critical entity’s ability to prevent, protect against, respond to, resist, mitigate, absorb, accommodate and recover from an incident; of critical entities means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; and provide advice and training to the personnel of critical entities means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex;. Where necessary and justified by public interest objectives, Member States could provide financial resources and should facilitate voluntary information sharing and the exchange of good practices between critical entities means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex;, without prejudice to the application of competition rules laid down in the Treaty on the Functioning of the European Union (TFEU).

With the aim of enhancing the resilience means a critical entity’s ability to prevent, protect against, respond to, resist, mitigate, absorb, accommodate and recover from an incident; of critical entities means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; identified by Member States and in order to reduce the administrative burden on those critical entities means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex;, the competent authorities should consult one another, whenever appropriate, for the purpose of ensuring that this Directive is applied in a consistent manner. Those consultations should be entered into at the request of any interested competent authority and should focus on ensuring a convergent approach regarding interlinked critical entities means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; that use critical infrastructure means an asset, a facility, equipment, a network or a system, or a part of an asset, a facility, equipment, a network or a system, which is necessary for the provision of an essential service; which is physically connected between two or more Member States, that belong to the same groups or corporate structures, or that have been identified in one Member State and that provide essential services means a service which is crucial for the maintenance of vital societal functions, economic activities, public health and safety, or the environment; to or in other Member States.

Where provisions of Union or national law require critical entities means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; to assess risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; relevant for the purposes of this Directive and to take measures to ensure their own resilience means a critical entity’s ability to prevent, protect against, respond to, resist, mitigate, absorb, accommodate and recover from an incident;, those requirements should be adequately considered for the purpose of supervising the compliance of critical entities means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; with this Directive.

Critical entities means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; should have a comprehensive understanding of the relevant risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; to which they are exposed and a duty to analyse those risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident;. To that end, they should carry out risk assessments means the overall process for determining the nature and extent of a risk by identifying and analysing potential relevant threats, vulnerabilities and hazards which could lead to an incident and by evaluating the potential loss or disruption of the provision of an essential service caused by that incident; whenever necessary in view of their particular circumstances and the evolution of those risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; and, in any event, every four years, in order to assess all relevant risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; that could disrupt the provision of their essential services means a service which is crucial for the maintenance of vital societal functions, economic activities, public health and safety, or the environment; (‘critical entity means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; risk assessment means the overall process for determining the nature and extent of a risk by identifying and analysing potential relevant threats, vulnerabilities and hazards which could lead to an incident and by evaluating the potential loss or disruption of the provision of an essential service caused by that incident;’). Where critical entities means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; have carried out other risk assessments means the overall process for determining the nature and extent of a risk by identifying and analysing potential relevant threats, vulnerabilities and hazards which could lead to an incident and by evaluating the potential loss or disruption of the provision of an essential service caused by that incident; or drawn up documents pursuant to obligations laid down in other legal acts that are relevant for their critical entity means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; risk assessment means the overall process for determining the nature and extent of a risk by identifying and analysing potential relevant threats, vulnerabilities and hazards which could lead to an incident and by evaluating the potential loss or disruption of the provision of an essential service caused by that incident;, they should be able to use those assessments and documents to meet the requirements set out in this Directive concerning critical entity means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; risk assessments means the overall process for determining the nature and extent of a risk by identifying and analysing potential relevant threats, vulnerabilities and hazards which could lead to an incident and by evaluating the potential loss or disruption of the provision of an essential service caused by that incident;. A competent authority should be able to declare that an existing risk assessment means the overall process for determining the nature and extent of a risk by identifying and analysing potential relevant threats, vulnerabilities and hazards which could lead to an incident and by evaluating the potential loss or disruption of the provision of an essential service caused by that incident; carried out by a critical entity means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; that addresses the relevant risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; and the relevant extent of dependence is compliant, in whole or in part, with the obligations laid down in this Directive.

Critical entities means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; should take technical, security and organisational measures that are appropriate and proportionate to the risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; they face so as to prevent, protect against, respond to, resist, mitigate, absorb, accommodate and recover from an incident means an event which has the potential to significantly disrupt, or that disrupts, the provision of an essential service, including when it affects the national systems that safeguard the rule of law;. While critical entities means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; should take those measures in accordance with this Directive, the details and extent of such measures should reflect the different risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; that each critical entity means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; has identified as part of its critical entity means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; risk assessment means the overall process for determining the nature and extent of a risk by identifying and analysing potential relevant threats, vulnerabilities and hazards which could lead to an incident and by evaluating the potential loss or disruption of the provision of an essential service caused by that incident; and the specificities of such entity in an appropriate and proportionate way. To promote a coherent Union approach, the Commission should, after consulting the Critical Entities means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; Resilience means a critical entity’s ability to prevent, protect against, respond to, resist, mitigate, absorb, accommodate and recover from an incident; Group, adopt non-binding guidelines to further specify those technical, security and organisational measures. Member States should ensure that each critical entity means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; designate a liaison officer or equivalent as point of contact with the competent authorities.

In the interests of effectiveness and accountability, critical entities means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; should describe the measures they take, with a level of detail that sufficiently achieves the aims of effectiveness and accountability, having regard to the risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; identified, in a resilience means a critical entity’s ability to prevent, protect against, respond to, resist, mitigate, absorb, accommodate and recover from an incident; plan or in a document or documents that are equivalent to a resilience means a critical entity’s ability to prevent, protect against, respond to, resist, mitigate, absorb, accommodate and recover from an incident; plan, and apply that plan in practice. Where a critical entity means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; has already taken technical, security and organisational measures and drawn up documents pursuant to other legal acts that are relevant for resilience-enhancing measures under this Directive, it should be able, in order to avoid duplication, to use those measures and documents to meet the requirements as regards resilience means a critical entity’s ability to prevent, protect against, respond to, resist, mitigate, absorb, accommodate and recover from an incident; measures under this Directive. In order to avoid duplication, a competent authority should be able to declare existing resilience means a critical entity’s ability to prevent, protect against, respond to, resist, mitigate, absorb, accommodate and recover from an incident; measures taken by a critical entity means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; that address its obligation to take technical, security and organisational measures pursuant to this Directive as compliant, in whole or in part, with the requirements of this Directive.

Regulations (EC) No 725/2004(¹⁴)Regulation (EC) No 725/2004 of the European Parliament and of the Council of 31 March 2004 on enhancing ship and port facility security (OJ L 129, 29.4.2004, p. 6). and (EC) No 300/2008(¹⁵)Regulation (EC) No 300/2008 of the European Parliament and of the Council of 11 March 2008 on common rules in the field of civil aviation security and repealing Regulation (EC) No 2320/2002 (OJ L 97, 9.4.2008, p. 72). of the European Parliament and of the Council and Directive 2005/65/EC of the European Parliament and of the Council(¹⁶)Directive 2005/65/EC of the European Parliament and of the Council of 26 October 2005 on enhancing port security (OJ L 310, 25.11.2005, p. 28). establish requirements applicable to entities in the aviation and maritime transport sectors to prevent incidents means an event which has the potential to significantly disrupt, or that disrupts, the provision of an essential service, including when it affects the national systems that safeguard the rule of law; caused by unlawful acts and to resist and mitigate the consequences of such incidents means an event which has the potential to significantly disrupt, or that disrupts, the provision of an essential service, including when it affects the national systems that safeguard the rule of law;. While the measures required under this Directive are broader in terms of risks means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; addressed and types of measures to be taken, critical entities means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; in those sectors should reflect in their resilience means a critical entity’s ability to prevent, protect against, respond to, resist, mitigate, absorb, accommodate and recover from an incident; plan or equivalent documents the measures taken pursuant to those other Union legal acts. Critical entities means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; are also to take into consideration Directive 2008/96/EC of the European Parliament and of the Council(¹⁷)Directive 2008/96/EC of the European Parliament and of the Council of 19 November 2008 on road infrastructure safety management (OJ L 319, 29.11.2008, p. 59)., which introduces a network-wide road assessment to map the risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; of accidents and a targeted road safety inspection to identify hazardous conditions, defects and problems that increase the risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; of accidents and injuries, based on site visits of existing roads or sections of roads. Ensuring the protection and resilience means a critical entity’s ability to prevent, protect against, respond to, resist, mitigate, absorb, accommodate and recover from an incident; of critical entities means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; is of the utmost importance for the railway sector and, when implementing resilience means a critical entity’s ability to prevent, protect against, respond to, resist, mitigate, absorb, accommodate and recover from an incident; measures under this Directive, critical entities means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; are encouraged to refer to non-binding guidelines and good practices documents developed under sectorial workstreams, such as the EU Rail Passenger Security Platform set up by Commission Decision 2018/C 232/03(¹⁸)Commission Decision of 29 June 2018 setting up the EU Rail Passenger Security Platform 2018/C 232/03 (OJ C 232, 3.7.2018, p. 10)..

The risk means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident; of employees of critical entities means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; or their contractors misusing, for instance, their access rights within the critical entity means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex;’s organisation to harm and cause damage is of increasing concern. Member States should therefore specify the conditions under which critical entities means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; are permitted, in duly reasoned cases and taking into account Member State risk assessments means the overall process for determining the nature and extent of a risk by identifying and analysing potential relevant threats, vulnerabilities and hazards which could lead to an incident and by evaluating the potential loss or disruption of the provision of an essential service caused by that incident;, to submit requests for background checks on persons falling within specific categories of its personnel. It should be ensured that the relevant authorities assess such requests within a reasonable timeframe and process them in accordance with national law and procedures and relevant and applicable Union law, including on the protection of personal data. In order to corroborate the identity of a person who is the subject of a background check, it is appropriate for Member States to require proof of identity, such as a passport, a national identity card or a digital form of identification, in accordance with applicable law.

A mechanism for the notification of certain incidents means an event which has the potential to significantly disrupt, or that disrupts, the provision of an essential service, including when it affects the national systems that safeguard the rule of law; should be established to allow the competent authorities to respond to incidents means an event which has the potential to significantly disrupt, or that disrupts, the provision of an essential service, including when it affects the national systems that safeguard the rule of law; rapidly and adequately and to have a comprehensive overview of the impact, nature, cause and possible consequences of incidents means an event which has the potential to significantly disrupt, or that disrupts, the provision of an essential service, including when it affects the national systems that safeguard the rule of law; with which the critical entities means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; deal. Critical entities means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; should notify, without undue delay, the competent authorities of incidents means an event which has the potential to significantly disrupt, or that disrupts, the provision of an essential service, including when it affects the national systems that safeguard the rule of law; that significantly disrupt or have the potential to significantly disrupt the provision of essential services means a service which is crucial for the maintenance of vital societal functions, economic activities, public health and safety, or the environment;. Unless operationally unable to do so, critical entities means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; should submit an initial notification no later than 24 hours after becoming aware of an incident means an event which has the potential to significantly disrupt, or that disrupts, the provision of an essential service, including when it affects the national systems that safeguard the rule of law;. The initial notification should only include the information strictly necessary to make the competent authority aware of the incident means an event which has the potential to significantly disrupt, or that disrupts, the provision of an essential service, including when it affects the national systems that safeguard the rule of law; and allow the critical entity means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; to seek assistance, if required. Such a notification should indicate, where possible, the presumed cause of the incident means an event which has the potential to significantly disrupt, or that disrupts, the provision of an essential service, including when it affects the national systems that safeguard the rule of law;. Member States should ensure that the requirement to submit that initial notification does not divert the critical entity means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex;’s resources from activities related to incident means an event which has the potential to significantly disrupt, or that disrupts, the provision of an essential service, including when it affects the national systems that safeguard the rule of law; handling, which should be prioritised. The initial notification should be followed, where relevant, by a detailed report no later than one month after the incident means an event which has the potential to significantly disrupt, or that disrupts, the provision of an essential service, including when it affects the national systems that safeguard the rule of law;. The detailed report should complement the initial notification and provide a more complete overview of the incident means an event which has the potential to significantly disrupt, or that disrupts, the provision of an essential service, including when it affects the national systems that safeguard the rule of law;.

Standardisation should remain primarily a market-driven process. However, there might still be situations in which it is appropriate to require compliance with specific standards means a standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council(^30^); Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council Decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12).. Member States should, where useful, encourage the use of European and international standards means a standard as defined in Article 2, point (1), of Regulation (EU) No 1025/2012 of the European Parliament and of the Council(^30^); Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council Decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12). and technical specifications means a technical specification as defined in Article 2, point (4), of Regulation (EU) No 1025/2012; relevant to the security and resilience means a critical entity’s ability to prevent, protect against, respond to, resist, mitigate, absorb, accommodate and recover from an incident; measures applicable to critical entities means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex;.

While critical entities means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; generally operate as part of an increasingly interconnected network of service provision and infrastructure and often provide essential services means a service which is crucial for the maintenance of vital societal functions, economic activities, public health and safety, or the environment; in more than one Member State, some of those critical entities means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; are of particular significance for the Union and its internal market because they provide essential services means a service which is crucial for the maintenance of vital societal functions, economic activities, public health and safety, or the environment; to or in six or more Member States and, therefore, could benefit from specific support at Union level. Rules on advisory missions in respect of such critical entities means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; of particular European significance should therefore be established. Those rules are without prejudice to the rules on supervision and enforcement set out in this Directive.

On a reasoned request from the Commission or from one or more Member States to or in which the essential service means a service which is crucial for the maintenance of vital societal functions, economic activities, public health and safety, or the environment; is provided, where additional information is necessary to be able to advise a critical entity means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; in meeting its obligations under this Directive or to assess the compliance of a critical entity means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; of particular European significance with those obligations, the Member State that has identified a critical entity means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; of particular European significance as a critical entity means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; should provide the Commission with certain information as set out in this Directive. In agreement with the Member State that has identified the critical entity means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; of particular European significance as a critical entity means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex;, the Commission should be able to organise an advisory mission to assess the measures put in place by that entity. In order to ensure that such advisory missions are carried out properly, complementary rules should be established, in particular on the organisation and conduct of the advisory missions, the follow-up actions to be taken and the obligations for the critical entities means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; of particular European significance concerned. The advisory mission should, without prejudice to the need for the Member State in which the advisory mission is conducted and the critical entity means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; concerned to comply with the rules laid down in this Directive, be conducted subject to the detailed rules of the law of that Member State, for instance on the precise conditions to be fulfilled in order to obtain access to relevant premises or documents and on judicial redress. Specific expertise required for such advisory missions could, where relevant, be requested through the Emergency Response Coordination Centre established by Decision No 1313/2013/EU of the European Parliament and of the Council(²²)Decision No 1313/2013/EU of the European Parliament and of the Council of 17 December 2013 on a Union Civil Protection Mechanism (OJ L 347, 20.12.2013, p. 924)..

In order to support the Commission and facilitate cooperation among Member States and the exchange of information, including best practices, on issues relating to this Directive, a Critical Entities means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; Resilience means a critical entity’s ability to prevent, protect against, respond to, resist, mitigate, absorb, accommodate and recover from an incident; Group should be established as a Commission expert group. Member States should endeavour to ensure that the designated representatives of their competent authorities in the Critical Entities means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; Resilience means a critical entity’s ability to prevent, protect against, respond to, resist, mitigate, absorb, accommodate and recover from an incident; Group effectively and efficiently cooperate, including by designating representatives who hold security clearance, where appropriate. The Critical Entities means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; Resilience means a critical entity’s ability to prevent, protect against, respond to, resist, mitigate, absorb, accommodate and recover from an incident; Group should begin to perform its tasks as soon as possible, so as to provide additional means for appropriate cooperation during the transposition period of this Directive. The Critical Entities means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; Resilience means a critical entity’s ability to prevent, protect against, respond to, resist, mitigate, absorb, accommodate and recover from an incident; Group should interact with other relevant sector-specific expert working groups.

The Critical Entities means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; Resilience means a critical entity’s ability to prevent, protect against, respond to, resist, mitigate, absorb, accommodate and recover from an incident; Group should cooperate with the Cooperation Group established under Directive (EU) 2022/2555 with a view to supporting a comprehensive framework for cyber and non-cyber resilience means a critical entity’s ability to prevent, protect against, respond to, resist, mitigate, absorb, accommodate and recover from an incident; of critical entities means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex;. The Critical Entities means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; Resilience means a critical entity’s ability to prevent, protect against, respond to, resist, mitigate, absorb, accommodate and recover from an incident; Group and the Cooperation Group established under Directive (EU) 2022/2555 should engage in a regular dialogue to promote cooperation between the competent authorities under this Directive and the competent authorities under Directive (EU) 2022/2555 and to facilitate the exchange of information, in particular on topics of relevance to both groups.

In order to achieve the objectives of this Directive and without prejudice to the legal responsibility of Member States and critical entities means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; to ensure compliance with their respective obligations laid down therein, the Commission should, where it considers it appropriate, support competent authorities and critical entities means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; with the aim of facilitating their compliance with their respective obligations. When providing support to Member States and critical entities means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; in the implementation of obligations under this Directive, the Commission should build on existing structures and tools, such as those under the Union Civil Protection Mechanism, established by Decision No 1313/2013/EU, and the European Reference Network for Critical Infrastructure means an asset, a facility, equipment, a network or a system, or a part of an asset, a facility, equipment, a network or a system, which is necessary for the provision of an essential service; Protection. In addition, it should inform Member States about resources available at Union level, such as within the Internal Security Fund, established by Regulation (EU) 2021/1149 of the European Parliament and of the Council(²³)Regulation (EU) 2021/1149 of the European Parliament and of the Council of 7 July 2021 establishing the Internal Security Fund (OJ L 251, 15.7.2021, p. 94)., Horizon Europe, established by Regulation (EU) 2021/695 of the European Parliament and of the Council(²⁴)Regulation (EU) 2021/695 of the European Parliament and of the Council of 28 April 2021 establishing Horizon Europe – the Framework Programme for Research and Innovation, laying down its rules for participation and dissemination, and repealing Regulations (EU) No 1290/2013 and (EU) No 1291/2013 (OJ L 170, 12.5.2021, p. 1)., or other instruments relevant for the resilience means a critical entity’s ability to prevent, protect against, respond to, resist, mitigate, absorb, accommodate and recover from an incident; of critical entities means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex;.

Member States should ensure that their competent authorities have certain specific powers for the proper application and enforcement of this Directive in relation to critical entities means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex;, where those entities fall under their jurisdiction as specified in this Directive. Those powers should include, in particular, the power to conduct inspections and audits, the power to supervise, the power to require critical entities means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; to provide information and evidence relating to the measures they have taken to comply with their obligations and, where necessary, the power to issue orders to remedy identified infringements. When issuing such orders, Member States should not require measures which go beyond what is necessary and proportionate to ensure the compliance of the critical entity means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; concerned, taking account of, in particular, the seriousness of the infringement and the economic capacity of the critical entity means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; concerned. More generally, those powers should be accompanied by appropriate and effective safeguards to be specified in national law in accordance with the Charter of Fundamental Rights of the European Union. When assessing the compliance of a critical entity means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; with its obligations as laid down in this Directive, the competent authorities under this Directive should be able to request the competent authorities under Directive (EU) 2022/2555 to exercise their supervisory and enforcement powers in relation to an entity under that Directive that has been identified as a critical entity means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; under this Directive. The competent authorities under this Directive and the competent authorities under Directive (EU) 2022/2555 should cooperate and exchange information for that purpose.

In order to apply this Directive in an effective and consistent manner, the power to adopt acts in accordance with Article 290 TFEU should be delegated to the Commission to supplement this Directive by drawing up a list of essential services means a service which is crucial for the maintenance of vital societal functions, economic activities, public health and safety, or the environment;. That list should be used by competent authorities for the purpose of conducting Member State risk assessments means the overall process for determining the nature and extent of a risk by identifying and analysing potential relevant threats, vulnerabilities and hazards which could lead to an incident and by evaluating the potential loss or disruption of the provision of an essential service caused by that incident; and identifying critical entities means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; pursuant to this Directive. In light of the minimum harmonisation approach of this Directive, that list is non-exhaustive, and Member States could complement it with additional essential services means a service which is crucial for the maintenance of vital societal functions, economic activities, public health and safety, or the environment; at national level in order to take into account national specificities in the provision of essential services means a service which is crucial for the maintenance of vital societal functions, economic activities, public health and safety, or the environment;. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level, and that those consultations be conducted in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making(²⁵)OJ L 123, 12.5.2016, p. 1.. In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council receive all documents at the same time as Member States’ experts, and their experts systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts.

In order to ensure uniform conditions for the implementation of this Directive, implementing powers should be conferred on the Commission. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council(²⁶)Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by the Member States of the Commission’s exercise of implementing powers (OJ L 55, 28.2.2011, p. 13)..

Since the objectives of this Directive, namely to ensure that services essential for the maintenance of vital societal functions or economic activities are provided in an unobstructed manner in the internal market and to enhance the resilience means a critical entity’s ability to prevent, protect against, respond to, resist, mitigate, absorb, accommodate and recover from an incident; of critical entities means a public or private entity which has been identified by a Member State in accordance with Article 6 as belonging to one of the categories set out in the third column of the table in the Annex; providing such services, cannot be sufficiently achieved by the Member States, but can rather, by reason of the effects of the action, be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on the European Union. In accordance with the principle of proportionality as set out in that Article 5, this Directive does not go beyond what is necessary in order to achieve those objectives.

The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council(²⁷)Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39). and delivered an opinion on 11 August 2021.

Directive 2008/114/EC should therefore be repealed,