Source: OJ L 333, 27.12.2022, pp. 164–198Current language: EN
- Resilience of critical entities
Basic legislative acts
- CER directive
Article 14 Background checks
Summary What does Article 14 of the CER directive say?
This article establishes the framework for background checks on personnel connected to critical entities, sitting alongside the broader resilience obligations set out in Article 13.
It gives Member States the responsibility to define the conditions under which critical entities may request background checks, covering people in sensitive roles, those with access to premises or control systems, and candidates being considered for such positions.
The article sets clear boundaries on how these checks must be conducted, requiring them to be proportionate, strictly limited to what is necessary, and processed in line with EU data protection law.
It also mandates a minimum standard for what a background check must include, and requires Member States to use the European Criminal Records Information System to obtain criminal record information from other Member States.
Important points:
- Member States are required to define the conditions under which critical entities may submit background check requests, which must be duly reasoned and take into account the Member State risk assessment.
- Background checks must be proportionate, strictly limited to what is necessary, and carried out solely to evaluate a potential security risk to the critical entity concerned.
- Member States must use the European Criminal Records Information System when obtaining criminal record information from other Member States, with central authorities required to respond within 10 working days.
Springlex's summary of the article, a reading aid, not a substitute for the legal text.
Member States shall specify the conditions under which a critical entity is permitted, in duly reasoned cases and taking into account the Member State risk assessment, to submit requests for background checks on persons who:
hold sensitive roles in or for the benefit of the critical entity, in particular in relation to the resilience of the critical entity;
are authorised to directly or remotely access its premises, information or control systems, including in connection with the security of the critical entity;
Requests as referred to in paragraph 1 of this Article shall be assessed within a reasonable timeframe and processed in accordance with national law and procedures and relevant and applicable Union law, including Regulation (EU) 2016/679 and Directive (EU) 2016/680 of the European Parliament and of the Council(37). Background checks shall be proportionate and strictly limited to what is necessary. They shall be carried out for the sole purpose of evaluating a potential security risk to the critical entity concerned.
A background check as referred to in paragraph 1 shall, at least:
corroborate the identity of the person who is the subject of the background check;
check the criminal records of that person with regards to offences which would be relevant for a specific position.
When carrying out background checks, Member States shall use the European Criminal Records Information System in accordance with the procedures set out in Framework Decision 2009/315/JHA and, where relevant and applicable, Regulation (EU) 2019/816 for the purpose of obtaining information from criminal records held by other Member States. The central authorities referred to in Article 3(1) of Framework Decision 2009/315/JHA and in Article 3, point (5), of Regulation (EU) 2019/816 shall provide replies to requests for such information within 10 working days from the date on which the request was received in accordance with Article 8(1) of Framework Decision 2009/315/JHA.
Relevant recitals
Recital 32 Background checks to mitigate insider threats
The risk of employees of critical entities or their contractors misusing, for instance, their access rights within the critical entity’s organisation to harm and cause damage is of increasing concern. Member States should therefore specify the conditions under which critical entities are permitted, in duly reasoned cases and taking into account Member State risk assessments, to submit requests for background checks on persons falling within specific categories of its personnel. It should be ensured that the relevant authorities assess such requests within a reasonable timeframe and process them in accordance with national law and procedures and relevant and applicable Union law, including on the protection of personal data. In order to corroborate the identity of a person who is the subject of a background check, it is appropriate for Member States to require proof of identity, such as a passport, a national identity card or a digital form of identification, in accordance with applicable law.
Background checks should include a check of the criminal records of the person concerned. Member States should use the European Criminal Records Information System in accordance with the procedures set out in Council Framework Decision 2009/315/JHA(19) and, where relevant and applicable, Regulation (EU) 2019/816 of the European Parliament and of the Council(20) for the purpose of obtaining information from criminal records held by other Member States. Member States might also, where relevant and applicable, draw on the Second Generation Schengen Information System (SIS II) established by Regulation (EU) 2018/1862 of the European Parliament and of the Council(21), intelligence and any other objective information available that might be necessary to determine the suitability of the person concerned to work in the position in relation to which the critical entity has requested a background check.
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.
Definition
incident
Definition
risk
Definition
essential service
Definition
critical entity
Definition
risk assessment
Definition
resilience
Footnote 19
Footnote 37
Footnote 20
Footnote 21