Consultation on the proposed Directive to enhance the resilience of critical entities providing essential services in the European Union

The Department of Defence invites written submissions from interested individuals or groups on the proposed EU Directive to enhance the resilience of critical entities.

Closing date

The closing date for receipt of submissions is 5 pm on Wednesday, 14th July 2021.

How to send your submission

Please email an electronic document (searchable PDF/MS Word or equivalent) to OEPConsultation@defence.ie

What to include in your submission

Your submission should comprise the submission document and a separate covering letter. This allows for the publishing of your submission without your contact details.

In the covering letter, please include:

• Your name, postal address, email address and contact telephone number.

• If the submission is on behalf of an organisation, your position in the organisation

• A brief outline of why you are making the submission

In the submission document, please include:

• A brief introduction, for example, explaining your area of expertise

• Any factual information that you have to offer which could be put to other stakeholders for their reactions

• Links to any publications you refer to - there is no need to send such publications as attachments

• Any recommendations to the Department of Defence - be as specific as possible and summarise your recommendations at the end of the document

• If your document is more than five pages long, an executive summary of the main points made in the submission

Important information

• Submissions sent to any other email address will not be accepted.

• Anonymous submissions cannot be accepted and will be rejected.

• Making a submission is a public process and information received may in part or full be subject to the provisions of the Freedom of Information Act 2014 (FOI), Access to Information on the Environment Regulations 2007-2014 (AIE) and the Data Protection Act 2018.

• The Department of Defence intends to publish the contents of all submissions received to this consultation on its website. The Department will redact personal data prior to publication. In responding to this consultation, parties should clearly indicate where their responses contain personal information, commercially sensitive information or confidential information which they would not wish to be released under FOI, AIE or otherwise published.

Privacy

Before making your submission, please read our privacy statement.

Background Information

On 16 December 2020, the European Commission proposed a new Directive to enhance the resilience of critical entities providing essential services in the EU. The purpose of this proposed Directive, which is known as the CER Directive, is to ensure the continuous provision of essential services to citizens by enhancing the resilience of critical entities.

The Directive proposes the use of a risk based methodology to identify Critical Entities and to develop resilience so that critical entities are able to prevent, resist, absorb and recover from disruptive incidents, which may be caused by natural hazards, accidents, terrorism, insider threats, or public health emergencies.

The environment in which critical entities operate has changed significantly in recent years. The risk landscape is more complex. The increased interconnectivity of critical entities, both cross sectoral and cross-border, through integrated supply lines, technology and service provision brings additional challenges to business continuity and crisis management. This proposed new legislation on critical entity resilience requires increased capabilities in areas of national risk assessment and mitigation, emergency planning, improved EU level cross border coordination and cooperation arrangements and enhanced regulation of industry and public sector interests.

Besides damaging the smooth functioning of the internal market, disruptions, especially those with cross-border and potentially pan-European implications, have possibly serious negative implications for citizens, business, governments and the environment.

An earlier Directive 2008/114/EC17 provided for a procedure for designating European critical infrastructures only in the energy and transport sectors, the disruption or destruction of which would have significant cross-border impact on at least two Member States. This proposed CER Directive replaces it as well as accounts for and builds on other existing and envisaged instruments.

The CER Directive constitutes a considerable change as compared to the earlier Directive. The proposed CER Directive has a much wider sectoral scope, covering ten sectors, namely:

• Energy, such as – electricity producers, nominated electricity market operators, electricity market participants, district heating and cooling, central oil stockholding, hydrogen

• Transport

• Banking

• Financial Market Infrastructure

• Health, such as – reference laboratories, research and development of medicinal products, manufacturing of pharmaceuticals and medical devices

• Drinking Water

• Wastewater management

• Digital infrastructure such as – data centres, content delivery network providers, telecoms and trust service providers

• Public administration

• Space

Entities in these sectors and services, which meet laid down criteria, will be within scope of the governance, risk management, security and reporting obligations of this Directive. However, it is important to note where provisions of sector-specific acts of Union law require critical entities to take measures relating to Risk Assessment, Resilience, Background Checks and Notifications, at least equivalent to the obligations laid down in the proposed Directive, the relevant provisions of this proposed Directive shall not apply.

The proposed CER Directive is consistent and establishes close synergies with the proposed Directive on measures for a high common level of cybersecurity across the Union (NIS 2) and the proposed Regulation on digital operational resilience for the financial sector (DORA).

This proposal is the basis for negotiations with Ireland and other Member States on new resilience based legislation via the CER Directive that is now underway in Brussels. All relevant documentation, including the European Commission’s proposed new Directive, Annexes and accompanying impact assessment is available online at the Commission’s CER Directive webpage.