EU doubles down on national resilience with the Critical Entities Resilience Directive (CER)

The global risk landscape has changed dramatically over the past few years. The COVID-19 pandemic, the Russian invasion of Ukraine, and catastrophic climate events are just a few examples of the highly impactful, disruptive events we were and still are faced with. We live in an increasingly volatile, uncertain, complex and ambiguous (VUCA) environment, which has important ramifications for the way we deal with risks. Tail risks in particular pose a challenge: they have a low likelihood of occurring, but when they do occur, the impact is (very) high. To navigate these stormy waters, resilience is now, more than in past decades, crucially important at the societal, organizational and individual level. The ability to adequately deal with and recover from such events will be a determining factor for countries’ and their citizens’ security, prosperity and wellbeing.

Acknowledging this, the European Commission has made strengthening resilience a top priority. One of its initiatives is the adoption of new legislation to strengthen the resilience of critical entities in its Member States that provide essential services. These are services that are crucial for the maintenance of vital societal functions, economic activities, public health and safety, or the environment. The EU Critical Entities Resilience Directive (EU Directive 2022/2557) entered into force in January 2023 and obliges Member States to identify critical entities within specified sectors and to ensure that these entities take appropriate and proportionate technical, security, and organizational measures to ensure their resilience. CER describes critical entities as “entities that provide an essential service and where an incident would have a significant disruptive effect on the provision by the entity of one or more essential services or on the provision of other essential services in the sectors (as defined by CER) that depend on that or those essential services.” This broad definition means that a considerable number of entities will be subject to the new legislation, including critical infrastructure that is currently covered by the European Programme for Critical Infrastructure Protection (EPCIP).

The goal of CER is to ensure that critical entities:

  • Prevent incidents from occurring, taking into account disaster risk reduction and climate adaptation measures;
  • Ensure adequate physical protection of their premises and critical infrastructure;
  • Respond to, resist, and mitigate the consequences of incidents, taking into account the implementation of risk and crisis management procedures and protocols and alert routines;
  • Recover from incidents, taking into account business continuity measures and the identification of alternative supply chains, in order to resume the provision of essential services;
  • Ensure adequate employee security management, taking into account measures such as setting out categories of personnel who exercise critical functions and establishing access rights to premises, critical infrastructure and sensitive information;
  • Raise awareness about these measures, taking into account training courses, information materials and exercises.

In addition to the obligation to perform risk assessments and develop resilience strategies themselves, Member States will have the task of supporting critical entities in enhancing their resilience. This may include developing guidance materials and methodologies, supporting the organization of exercises to test their resilience, and providing advice and training to the personnel of critical entities.

Additionally, an incident notification mechanism needs to be put in place, enabling entities to quickly report incidents that could significantly disrupt the provision of essential services to the competent authorities.

The Directive sets out clear supervision and enforcement rules. Member States must give their competent authorities the authority to conduct on-site inspections and to conduct or order audits. Penalties for non-compliance must be adopted in national legislation as well. Member States themselves will have to report periodically to the Commission.

Transposition of the CER Directive into national legislation should be completed by 17 October 2024, and identification of critical entities by Member States should be completed by 17 July 2026.

Given the pending transposition and the need for further guidelines from the EU, it is already clear that both the scope and the timing of CER might pose a compliance challenge for Member States and critical entities. Defining and implementing appropriate and proportionate measures, reporting, performing inspections and audits, carrying out background checks, enforcing requirements: these new responsibilities will require adequate investments and capabilities to be put in place in the coming months and years.

If you would like to know more about what CER means for you and how Deloitte can help, don’t hesitate to reach out to Koen Magnus, Stijn De Win or Nicolas Bas.