January 16, 2023 - the NIS 2 Directive and the CER Directive entered into force.
Until October 17, 2024, Member States must transpose the requirements of the CER Directive into national law.
December 14, 2022, we have the final text - the Critical Entities Resilience Directive (CER) was published in the Official Journal of the European Union as Directive (EU) 2022/2557
Full name: The full name is "DIRECTIVE (EU) 2022/2557 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on the resilience of critical entities and repealing Council Directive 2008/114/EC (Text with EEA relevance)"
Deadlines: By 17 October 2024, Member States shall adopt and publish the measures necessary to comply with this Directive. They shall immediately inform the Commission thereof.
They shall apply those measures from 18 October 2024.
Each Member State shall adopt by 17 January 2026 a strategy for enhancing the resilience of critical entities (the ‘strategy’).
By 17 July 2027, the Commission shall submit to the European Parliament and to the Council a report assessing the extent to which each Member State has taken the necessary measures to comply with this Directive.
Note: The new CER Directive replaces the European Critical Infrastructure Directive of 2008. The new rules will strengthen the resilience of critical infrastructure to a range of threats, including natural hazards, terrorist attacks, insider threats, or sabotage.
11 sectors will be covered: energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, public administration, space and food. Member States will need to adopt a national strategy and carry out regular risk assessments to identify entities that are considered critical or vital for the society and the economy.
The EU established the European Programme for Critical Infrastructure Protection (EPCIP) in 2006, and adopted the European Critical Infrastructure (ECI) Directive in 2008. The EU Security Union Strategy for 2020-2025 and the recently adopted Counter-Terrorism Agenda for the EU, both stress the importance of ensuring the resilience of critical infrastructure in the face of physical and digital risks.
As the 2019 evaluation of the ECI Directive has found, existing European and national measures do not ensure sufficiently that operators are able to confront the increasingly complex operational challenges that they face today. The new CER Directive reflects these findings, but also recent calls by the Council and the Parliament on the Commission to revise the current approach to critical infrastructure protection.
8 December 2022 - The Council approved the Critical Entities Resilience Directive (CER) and a recommendation which aim to reduce the vulnerabilities and strengthen the resilience of critical entities.
To respond to the recent acts of sabotage against the Nord Stream pipeline and the new risks brought by Russia’s aggression against Ukraine, the recommendation adopted focuses on strengthening the resilience of critical infrastructure.
This recommendation aims to accelerate the preparatory work for the implementation of the objectives set out in the critical entities and NIS 2 directives and step up the EU’s capacity to protect its critical infrastructure. It includes series of targeted actions covering key sectors such as energy, digital infrastructure, transport and space.
The recommendation covers three priority areas: preparedness, response and international cooperation. It invites member states to update their risk assessments to reflect current threats and encourages them to conduct stress tests of entities operating critical infrastructure, with the energy sector as a priority.
It also calls on member states to develop, in cooperation with the Commission, a blueprint for a coordinated response to disruptions of critical infrastructure with significant cross-border relevance. The EU will support partner countries in enhancing their resilience and strengthen cooperation with NATO in this area.
22 November 2022 - The European Parliament approved the Critical Entities Resilience Directive (CER).
With 595 votes in favour and only 17 against, the European Parliament approved the Critical Entities Resilience Directive (CER), that dramatically improves the security of the physical and the digital infrastructure in the European Union.
The sabotage of the Nord Stream pipelines in the Baltic Sea is the first major attack on European maritime infrastructure. According to the president of the European Commission, Ursula von der Leyen, "Any deliberate disruption of active European energy infrastructure is unacceptable and will lead to the strongest possible response".
28 June 2022 - Council and European Parliament reach political agreement for the Critical Entities Resilience Directive (CER).
The Council and the European Parliament reached a political agreement on the directive on the resilience of critical entities (CER).
Next step: Work will now continue at technical level to finalise the provisional agreement on the full legal text. This agreement is subject to approval by the Council and the European Parliament before going through the formal adoption procedure.
The Critical Entities Resilience Directive (CER) aims to reduce the vulnerabilities and strengthen the physical resilience of critical entities. These are entities providing vital services on which the livelihoods of EU citizens and the proper functioning of the internal market depend. They need to be able to prepare for, cope with, protect against, respond to and recover from natural disasters, terrorist threats, health emergencies or hybrid attacks.
The text agreed covers critical entities in a number of sectors, such as energy, transport, health, drinking water, waste water and space. Central public administrations will also be covered by some of the provisions of the draft directive.
Member states will need to have a national strategy to enhance the resilience of critical entities, carry out a risk assessment at least every four years and identify the critical entities that provide essential services. Critical entities will need to identify the relevant risks that may significantly disrupt the provision of essential services, take appropriate measures to ensure their resilience and notify disruptive incidents to the competent authorities.
The proposal for a directive also establishes rules for the identification of critical entities of particular European significance. A critical entity is considered of particular European significance if it provides an essential service to six or more member states. In this case, the Commission may be requested by the member states to organise an advisory mission or it may itself propose, with the agreement of the member state concerned, to assess the measures the entity concerned has put in place to meet the obligations related to the directive.
16 December 2020 - The European Commission presented a proposal for a directive on the resilience of critical entities.
The proposal is based on Article 114 of the Treaty on the Functioning of the European Union (TFEU). It aims to enhance the resilience of critical entities that provide services essential for vital societal functions or economic activities in the internal market. Once adopted, the proposed directive will replace the current directive on the identification and designation of European critical infrastructure, adopted in 2008.
A 2019 evaluation of that directive highlighted the need to update and further strengthen the existing rules in light of the new challenges facing the EU, such as the rise of the digital economy, the growing impacts of climate change, and terrorist threats. The current COVID-19 pandemic has shown in particular how exposed critical infrastructures and societies can be to a pandemic and the high level of interdependence that exists among EU member states as well as globally.
Together with the proposed directive on critical entities, the Commission also presented a proposal for a directive on measures for a high common level of cybersecurity across the EU (NIS 2), which aims to respond to the same concerns for the cyber dimension. The Council and the Parliament reached an agreement on this proposal in May 2022.
In September 2020, the Commission presented a proposal for a Digital Operational Resilience Act (DORA), which will strengthen the IT security of financial entities such as banks, insurance companies and investment firms. It aims to make sure the financial sector in Europe is able to maintain resilient operations through a severe operational disruption. The Council and the Parliament reached an agreement on this proposal in May 2022.
Member states will need to ensure a coordinated implementation of all three legislative texts.
Before the Critical Entities Resilience Directive (CER).
Council Directive 2008/114/EC provides for a procedure for designating European critical infrastructure in the energy and transport sectors the disruption or destruction of which would have a significant cross-border impact on at least two Member States. That Directive focuses exclusively on the protection of such infrastructure.
However, the evaluation of Directive 2008/114/EC conducted in 2019 found that, due to the increasingly interconnected and cross-border nature of operations using critical infrastructure, protective measures relating to individual assets alone are insufficient to prevent all disruptions from taking place. Therefore, it is necessary to shift the approach towards ensuring that risks are better accounted for, that the role and duties of critical entities as providers of services essential to the functioning of the internal market are better defined and coherent, and that Union rules are adopted to enhance the resilience of critical entities.
Critical entities should be in a position to reinforce their ability to prevent, protect against, respond to, resist, mitigate, absorb, accommodate and recover from incidents that have the potential to disrupt the provision of essential services.
While a number of measures at Union level, such as the European Programme for Critical Infrastructure Protection, and at national level aim to support the protection of critical infrastructure in the Union, more should be done to better equip the entities operating such infrastructure to address the risks to their operations that could result in the disruption of the provision of essential services.
More should also be done to better equip such entities because there is a dynamic threat landscape, which includes evolving hybrid and terrorist threats, and growing interdependencies between infrastructure and sectors.
Moreover, there is an increased physical risk due to natural disasters and climate change, which intensifies the frequency and scale of extreme weather events and brings long-term changes in average climate conditions that can reduce the capacity, efficiency and lifespan of certain infrastructure types if climate adaptation measures are not in place.
In addition, the internal market is characterised by fragmentation in respect of the identification of critical entities because relevant sectors and categories of entities are not recognised consistently as critical in all Member States. This Directive should therefore achieve a solid level of harmonisation in terms of the sectors and categories of entities falling within its scope.
While certain sectors of the economy, such as the energy and transport sectors, are already regulated by sector-specific Union legal acts, those legal acts contain provisions which relate only to certain aspects of resilience of entities operating in those sectors. In order to address in a comprehensive manner the resilience of those entities that are critical for the proper functioning of the internal market, this Directive creates an overarching framework that addresses the resilience of critical entities in respect of all hazards, whether natural or man-made, accidental or intentional.
The growing interdependencies between infrastructure and sectors are the result of an increasingly cross-border and interdependent network of service provision using key infrastructure across the Union in the energy, transport, banking, drinking water, waste water, production, processing and distribution of food, health, space, financial market infrastructure and digital infrastructure sectors and in certain aspects of the public administration sector.
The space sector falls within the scope of this Directive with respect to the provision of certain services that depend on ground-based infrastructure owned, managed and operated either by Member States or by private parties; consequently, infrastructure owned, managed or operated by or on behalf of the Union as part of its space programme does not fall within the scope of this Directive.
In order to ensure that all relevant entities are subject to the resilience requirements of this Directive and to reduce divergences in that respect, it is important to lay down harmonised rules allowing for a consistent identification of critical entities across the Union, while also allowing Member States to adequately reflect the role and importance of those entities at national level.
When applying the criteria laid down in this Directive, each Member State should identify entities that provide one or more essential services and that operate and have critical infrastructure located on its territory.
An entity should be considered to operate on the territory of a Member State in which it carries out activities necessary for the essential service or services in question and in which that entity’s critical infrastructure, which is used to provide that service or those services, is located.
Critical entities should take technical, security and organisational measures that are appropriate and proportionate to the risks they face so as to prevent, protect against, respond to, resist, mitigate, absorb, accommodate and recover from an incident.
While critical entities should take those measures in accordance with this Directive, the details and extent of such measures should reflect the different risks that each critical entity has identified as part of its critical entity risk assessment and the specificities of such entity in an appropriate and proportionate way.
To promote a coherent Union approach, the Commission should, after consulting the Critical Entities Resilience Group, adopt nonbinding guidelines to further specify those technical, security and organisational measures. Member States should ensure that each critical entity designate a liaison officer or equivalent as point of contact with the competent authorities.
Understanding the Critical Entities Resilience Directive (CER), from the proposal of 16.12.2020
Subject matter, scope and definitions (Articles 1-2).
Article 1 sets out the subject matter and scope of the directive, which lays down obligations for Member States to take certain measures aimed at ensuring the provision in the internal market of services essential for the maintenance of vital societal functions or economic activities, in particular to identify critical entities and to enable them to meet specific obligations aimed at enhancing their resilience and improving their ability to provide those services in the internal market. The directive also establishes rules on supervision and enforcement of critical entities and the specific oversight of critical entities considered to be of particular European significance.
Article 1 also explains the relationship between the directive and other relevant acts of Union law, and the conditions under which information that is confidential pursuant to Union and national rules shall be exchanged with the Commission and other relevant authorities.
Article 2 provides a list of definitions that apply.
National frameworks on the resilience of critical entities (Articles 3-9).
Article 3 states that Member States shall adopt a strategy for reinforcing the resilience of critical entities, describes the elements that it should contain, explains that it should be updated regularly and where necessary, and stipulates that Member States shall communicate their strategies and any updates of their strategies to the Commission.
Article 4 states that competent authorities shall establish a list of essential services and carry out regularly an assessment of all relevant risks that may affect the provision of those essential services with a view to identifying critical entities. This assessment shall account for the risk assessments carried out in accordance with other relevant acts of Union law, the risks arising from the dependencies between specific sectors, and available information on incidents.
Member States shall ensure that relevant elements of the risk assessment are made available to critical entities, and that data on the types of risks identified and the outcomes of their risk assessments is made regularly available to the Commission.
Article 5 states that Member States shall identify critical entities in specific sectors and sub-sectors. The identification process should account for the outcomes of the risk assessment and apply specific criteria. Member States shall establish a list of critical entities, which shall be updated where necessary and regularly. Critical entities shall be duly notified of their identification and the obligations that this entails.
Competent authorities responsible for the implementation of the directive shall notify the competent authorities responsible for the implementation of the NIS 2 Directive of the identification of critical entities. Where an entity has been identified as critical by two or more Member States, the Member States shall engage in consultation with each other with a view to reduce the burden on the critical entity. Where critical entities provide services to or in more than one third of Member States, the Member State concerned shall notify to the Commission the identities of those critical entities.
Article 6 defines the term ‘significant disruptive effect’ as referred to in Article 5(2), and requires that Member States submit to the Commission certain forms of information pertaining to the critical entities that they identify and how they were identified. Article 6 also empowers the Commission, after consultation of the Critical Entities Resilience Group, to adopt relevant guidelines.
Article 7 establishes that Member States should identify entities in the banking, financial market infrastructure and digital infrastructure sectors that are to be treated as equivalent to critical entities for the purposes of chapter II only. These entities should be notified of their identification.
Article 8 stipulates that each Member State shall designate and ensure that adequate resources are provided to one or more competent authorities responsible for the correct application of the directive at national level as well as a single point of contact tasked with ensuring cross-border cooperation. The single point of contact shall provide a summary report on incident notifications to the Commission on a regular basis.
Article 8 requires that competent authorities responsible for the application of the directive cooperate with other relevant national authorities, including competent authorities designated under the NIS 2 Directive.
Article 9 stipulates that Member States shall provide support to critical entities in ensuring their resilience, and shall facilitiate cooperation and the voluntary exchange of information and good practices between competent authorities and critical entities.
Resilience of critical entities (Articles 10-13)
Article 10 states that critical entities shall regularly assess all relevant risks on the basis of national risk assessments and other relevant sources of information.
Article 11 stipulates that critical entities shall take appropriate and proportionate technical and organisational measures to ensure their resilience, and shall ensure that these measures are described in a resilience plan or equivalent document or documents. Member States may request that the Commission organise advisory missions to provide advice to critical entities in meeting their obligations. Article 11 also empowers the Commission, where necessary, to adopt delegated and implementing acts.
Article 12 states that Member States shall ensure that critical entities may submit requests for background checks for persons who fall or might come to fall within certain specific categories of personnel, and that these requests are assessed expeditiously by the authorities responsible for carrying out such background checks. The article describes the purpose, scope and contents of the background checks, all of which shall comply with the General Data Protection Regulation.
Article 13 states that Member States shall ensure that critical entities notify the competent authority of incidents that significantly disrupt or have the potential to significantly disrupt their operations.
Competent authorities in turn shall provide the notifying critical entity with relevant follow-up information. Via the single point of contact, competent authorities shall also inform the single points of contact in other affected Member States in the event that the incident has, or may have, cross-border impacts in one or more other Member States.
Specific oversight over critical entities of particular European significance (Articles 14-15)
Article 14 defines critical entities of particular European significance as entities that have been identifed as critical entities and that provide essential services to or in more than one third of Member States. Upon receiving notification pursuant to Article 5(6), the Commission shall inform the entity concerned that it is considered a critical entity of particular European signficance, the obligations that this entails and the date from which those obligations begin to apply.
Article 15 describes the specific oversight arrangements applicable to critical entities of particular European significance, which include, upon request, that host Member States provide the Commission and Critical Entities Resilience Group with information concerning the risk assessment pursuant to Article 10 and the measures taken in accordance with Article 11, as well as any supervisory or enforcement actions.
Article 15 also stipulates that the Commission may organise advisory missions to assess the measures put in place by specific critical entities of particular European significance.
On the basis of an analysis of the advisory mission’s findings by the Critical Entities Resilience Group, the Commission shall communicate its views to the Member State where the infrastructure of the entity is located on whether that entity complies with its obligations and, where appropriate, which measures could be taken to improve the resilience of the entity. The article describes the composition, organisation and funding of the advisory missions. It also stipulates that the Commission shall adopt an implementing act laying down rules on the procedural arrangements for the conduct and reports of advisory missions.
Cooperation and reporting (Articles 16-17).
Article 16 describes the role and tasks of the Critical Entities Resilience Group, which shall be composed of representatives of the Member States and the Commission. It shall support the Commission and facilitate strategic cooperation and the exchance of information. The article explains that the Commission may adopt implementing acts laying down procedural arrangements necessary for the functioning of the Critical Entities Resilience Group.
Article 17 stipulates that the Commission shall, where appropriate, support Member States and critical entities in complying with their obligations under the directive, and complement Member State activities referred to in Article 9.
Supervision and enforcement (Articles 18-19).
Article 18 states that Member States have certain powers, means and responsibilities in ensuring the implementation and enforcement of the directive. Member States shall ensure that, when a competent authority assesses the compliance of a critical entity, it shall inform the competent authorities of the Member State concerned designated under the NIS 2 Directive and may request these authorities to assess the cybersecurity of such entity, and should cooperate and exchange information for this purpose.
Article 19 states that, in accordance with long-standing practice, Member States are to lay down the rules on penalties applicable to infringements and to take all measures necessary to ensure that they are implemented.
Final provisions (Articles 20-26).
Article 20 states that the Commission shall be assisted by a committee within the meaning of Regulation (EU) 182/2011. This is a standard article.
Article 21 confers to the Commission the power to adopt delegated acts subject to conditions laid down in the article. This, too, is a standard article.
Article 22 states that the Commission shall submit a report to the European Parliament and to the Council assessing the extent to which the Member States have taken the necessary measures to comply with the directive. A report assessing the impact and added value of the directive and whether the scope of the directive should be extended to other sectors or subsectors, including the food production, processing and distribution sector, must be submitted regularly to the European Parliament and to the Council.
Article 23 states that Directive 2008/114/EC is repealed with effect from the date of entry into application of the directive.
Article 24 states that Member States shall adopt and publish, within the set time period, the laws, regulations and administrative provisions necessary to comply with the directive, and inform the Commission thereof. The text of the main provisions of national law which they adopt in the field covered by this directive shall be communicated to the Commission.
Article 25 states that the directive shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union. Article 26 states that the directive is addressed to the Member States.
The Critical Entities Resilience Directive (CER), news and alerts
This website belongs to Cyber Risk GmbH (established in Horgen, Switzerland, Handelsregister des Kantons Zürich, Firmennummer: CHE-244.099.341). We are carefully monitoring the new legal and regulatory obligations that follow the Critical Entities Resilience Directive (CER). We learn the requirements for EU and non-EU firms and entities, update our training programs accordingly, and inform our clients and recipients of our monthly newsletter. For news and developments about the Critical Entities Resilience Directive (CER), you can read our monthly newsletter at no cost (you may visit Cyber Risk GmbH, Reading Room, links at the top of the page). You may also visit this web site.
Cyber Risk GmbH
Tel: +41 79 505 89 60
We process and store data in compliance with both, the Swiss Federal Act on Data Protection (FADP) and the EU General Data Protection Regulation (GDPR). The service provider is Hostpoint. The servers are located in the Interxion data center in Zürich, the data is saved exclusively in Switzerland, and the support, development and administration activities are also based entirely in Switzerland.
Understanding Cybersecurity in the European Union.