CoESS welcomes in a position paper published today the European Commission's proposal for a Directive on the Resilience of Critical Entities (CER Directive) - repealing Directive 2008/114 on the Identification of European Critical Infrastructures. Still, CoESS believes that the European Commission’s proposal for a CER Directive needs to go further to reach its objective to reduce vulnerabilities and enhance the resilience of critical entities, and provides recommendations to European Council and Parliament for concrete amendments in the text.
Notably, the position paper calls on policymakers in European Council and Parliament to take on board key recommendations of the European Parliament’s Report of the Special Committee on Terrorism concerning the protection of Critical Infrastructure. Also, CoESS sees a lot of opportunities in further aligning the European Commission’s proposal with the proposal for a NIS Directive 2 on important matters where, without objective justifications, this is currently not the case - namely on supply chain security, quality control and the use of European and International Standards that can enhance resilience of Critical Infrastructures.
Unfortunately, CoESS notes that the proposal still makes unjustified differences between physical security and cybersecurity provisions. Notably, Article 11 of the CER Directive on "Resilience measures of Critical Entities" falls short of the provisions made in Article 18 of the proposal for a NIS Directive 2 on "Cybersecurity Risk Management Measures".
In contrast to the NIS Directive 2, the CER Directive does not include provisions on supply chain security and quality control of suppliers and service providers. CoESS does not see any objective justification why such provisions should apply for cybersecurity risk management measures and not physical resilience measures of critical entities.
Robust physical and cybersecurity cannot be envisaged separately from each other without the risk of compromising them both. Security professionals even go further and argue that this silo reasoning in itself is a source of vulnerabilities. It is well known that most cyberattacks can only happen with human intervention, voluntary or involuntary. A breach in physical protection can lead to a serious cybersecurity incident – for example in access control to IT equipment and control rooms at critical entities. Conversely, a cyberattack can compromise or destroy physical assets. Neither can be effective without the other.
Due to this interdependence between physical protection and cybersecurity, also the European Parliament’s Report of the Special Committee on Terrorism “calls for Directive 2008/114 to be revised in order to provide similar rules and procedures for ‘operators of essential services’ as in the NIS Directive”. It continues that “whereas private security services play a role in ensuring resilient security chains, public procurement of their services should therefore be subject to specific quality criteria, with regard to aspects such as the training, vetting and screening of personnel, quality control and compliance assurance, and the implementation of technological developments and contract management”.
CoESS strongly calls on the European Parliament and Council to follow this recommendation and add the provisions on risk management measures in supply chain security and quality control, which are already included in Article 18 of the NIS Directive 2, to Article 11 of the CER Directive.
In line with the abovementioned Report of the European Parliament’s Special Committee on Terrorism and as part of necessary quality control, CoESS also recommends to include additional provisions for operators of critical entities to ensure:
Proposals for concrete amendments in the text are outlined in the Annex of the position paper, which can be found here.