Critical Entities Resilience Directive
The CER (Critical Entities Resilience) Directive aims to reduce vulnerabilities and strengthen the physical resilience of critical entities in the European Union (EU), to ensure the uninterrupted provision of services that are essential for the economy and society, and to increase the resilience of the critical entities that provide these services. Entities in the energy sector, including electricity, district heating, oil, gas and hydrogen operators, are included in the scope of this directive.
Each Member State must:
- Adopt a national strategy and carry out regular risk assessments.
- Considering the outcome of the risk assessments, identify entities that provide essential services to society, the economy, public health and safety or the environment.
- Support the identified critical entities in enhancing their resilience with, for instance, guidance material, exercises, advice and training.
- Ensure that national authorities have powers, resources and means to carry out their supervisory tasks, including conducting on-site inspections of critical entities and introducing penalties for non-compliance as part of an enforcement mechanism.
- Specify the conditions under which a critical entity can submit requests for background checks on personnel holding sensitive roles.
Critical entities must:
- Carry out risk assessments of their own to identify risks that could disrupt their ability to provide essential services.
- Take technical, security and organizational measures to enhance their resilience.
- Notify significant disruptive incidents to the national authorities.
This directive is part of a package of legislative measures to improve the resilience and incident-response capacities of public and private entities in the EU in the field of cybersecurity and critical infrastructure protection.
This Directive shall not apply to matters covered by Directive (EU) 2022/2555 (NIS2), without prejudice to Article 8 of this Directive. Considering the relationship between the physical security and cybersecurity of critical entities, Member States shall ensure that this Directive and Directive (EU) 2022/2555 (NIS2) are implemented in a coordinated manner.
The critical entities identified by Member States (in accordance with Article 5) under this Directive should be aligned with the operators, whether essential or important entities, identified under the NIS2 Directive. Secondly, operators that fall under both Directives (CER and NIS2) should have one reporting line. In this respect, the Commission as well as the Member States should provide the above-mentioned entities with one single point of contact where these entities are supposed to register, and where they can notify both cyber incidents and incidents according to Article 13(1) of the CER Directive. Multiple lines of reporting should therefore be avoided.
The Critical Entities Resilience Group, when organizing meetings with the NIS Directive Cooperation Group, shall inform and invite sectoral ISACs to attend those meetings to promote strategic exchange of information.
Latest updates on CER Directive
Important milestones for the CER (Critical Entities Resilience) Directive are coming soon.
By October 17, 2024, Member States must transpose the requirements of the CER Directive into national law. They shall apply those measures from October 18, 2024.
Member States will have until July 17, 2026, at the latest to identify critical entities.
ECCC provides support activities related to cybersecurity, also in cooperation with ENISA, for innovation and industrial policy in cybersecurity.
https://www.critical-entities-resilience-directive.com/
https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32022L2557&from=EN