Critical Entities Resilience (CER) Directive

The purpose of the Critical Entities Resilience Directive (Directive EU 2022/2557; “CER Directive“) is to ensure that services which are essential for the maintenance of vital societal functions or economic activities in the EU are provided in an unobstructed manner. According to the CER Directive, Member States must identify critical entities that provide such essential services, and the critical entities must comply with specific obligations aimed at enhancing their resilience against natural and man-made risks, such as natural disasters, public health emergencies, hybrid threats, terrorist offences, criminal infiltration, and sabotage. In addition, Member States must support and supervise the critical entities in meeting their obligations. The new CER Directive replaces the European Critical Infrastructure Directive from 2008.

What does this mean?

  • Each Member State must adopt a strategy for enhancing the resilience of critical entities, carry out risk assessments relating to essential services, and designate one or more competent authorities to ensure the correct application and enforcement of the Directive within its territory. If a Member State designates multiple authorities, it must select one single point of contact for cross-border cooperation.
  • The Member States shall draw up a list of critical entities and support such critical entities in their efforts to enhance resilience, e.g., by developing guidance, supporting resilience testing, and providing training.
  • Entities identified as critical by a Member State must carry out a critical entity risk assessment at least every four years (and within nine months following designation as a critical entity) to assess all relevant risks that could disrupt the provision of the essential services. The critical entities must also take appropriate and proportionate technical, security, and organizational measures to ensure resilience, and notify the authorities without undue delay of incidents that significantly disrupt or have the potential to significantly disrupt the provision of the essential services.
  • While the NIS II Directive focuses on cyber resilience of essential and important entities, the CER Directive takes a more holistic approach to enhance the overall resilience of critical entities. Thus, as the main rule, the CER Directive does not apply to matters covered by the NIS II Directive. However, the Member States must ensure that the CER Directive and the NIS II Directive are implemented in a coordinated manner.

Who?

  • The rules set forth in the CER Directive are applicable across a non-exhaustive list of 11 sectors: energy, transport, banking, financial market infrastructure, health, drinking and waste water, digital infrastructure, public administration, space, and food.

Consequences

  • Member States shall adopt rules on effective, proportionate, and dissuasive penalties for infringements of national measures adopted based on the CER Directive.
  • Monitoring and enforcement are the responsibility of the national CER authorities in each Member State.

Timeline

  • The CER Directive entered into force on 16 January 2023. Member States have until 17 October 2024 to transpose the Directive into national law and must identify the critical entities within their territory by 17 July 2026.