
The EU Critical Entities Resilience Directive: The Time to Act is Now

The global pandemic caused many organizations to take a second look at what it means to be resilient. Beyond the office disruptions, there were profound supply chain, customer, and general economic upheavals that challenged many organizations. People also learned what "critical infrastructure" means: the systems that provide the necessities of human life and the economy. So, in addition to obvious critical infrastructure such as public utilities, people saw how organizations that provide food, healthcare, and more fall into that category.

Recognizing how vital critical infrastructure is to society's welfare, and how events such as the pandemic, the war in Ukraine, and other geopolitical events can cause major disruptions to society and business, the European Commission (EC) has introduced the European Union (EU) Critical Entities Resilience (CER) Directive. Deloitte addresses the CER Directive in full in the article linked at the end of this page.

An Ambitious Timeline


Under the CER Directive, EU member states have until July 17, 2026, to identify the critical entities within their respective jurisdictions. Once an entity has been notified that it has been identified as critical, it has 10 months to comply with the Directive's new resilience requirements.

The CER Directive is designed to improve and harmonize resilience strategies across EU member states and the organizations within them. Each state must transpose the CER Directive's requirements into national legislation (the transposition deadline is October 17, 2024), and identified critical entities will then have to move quickly to comply with those laws. Because of this, any entity that might be deemed critical would be well served to start a review of its resilience capabilities now.

What You Need to Know About the CER Directive – and Actions to Take Now


The following are key requirements of the CER Directive, and the reasons entities should start making the necessary resilience changes now, so that the 10-month compliance window does not become an "all-hands-on-deck" situation when it opens.

  • Each member state must adopt a strategy for reinforcing the resilience of critical entities. Organizations should anticipate this requirement and use existing frameworks as a starting point for identifying areas of focus and organizational needs, so they can begin enhancing resilience capabilities.
  • The competent authorities will need to assess all relevant natural and human-made risks that could affect the provision of essential services within the member state. Organizations should not wait for national-level communication and direction before considering how to better align their enterprise risk and resilience initiatives. Action can be taken now to review methodologies and drive consistency.
  • The CER Directive defines resilience as a critical entity's "ability to prevent, protect against, respond to, resist, mitigate, absorb, accommodate and recover from an incident." Organizations likely to be deemed critical entities should consider now what the deadlines and milestones will mean for them, and act to anticipate and address the requirements. Early preparation is in organizations' best interest; otherwise it will be extremely difficult to meet the requirements within the CER Directive's 10-month window.
  • Because each member state must draft and apply its own national strategy, member states are unlikely to be able to provide comprehensive support across all identified critical entities at their differing levels of resilience maturity. Critical entities must prioritize a self-assessment of their maturity and coverage against the requirements of the CER Directive, the national laws under development in their member state, and relevant international standards.
  • Member states must ensure that critical entities implement appropriate measures contained in a resilience plan or equivalent document. Critical entities should consider dedicating personnel to addressing the expected requirements of the mandate. This might extend to creating a senior position, such as a Chief Resilience Officer or equivalent, to steer and oversee the organization's overall approach.
  • Although a directive binds member states as to the result to be achieved rather than applying directly like an EU regulation, the CER Directive does require critical entities to allow inspections and audits to demonstrate compliance with the national legislation derived from it. Critical entities must review their compliance and reporting capabilities in anticipation of the greater expectations that will come with the Directive's supervision and enforcement element.
  • Critical entities will be required to notify the competent authority of any incident that significantly disrupts, or has the potential to significantly disrupt, the provision of essential services, with an initial notification due within 24 hours of the entity becoming aware of the incident. Critical entities need to review and revamp their incident detection, impact measurement, and reporting methods and tools so they can meet these reporting deadlines and requirements. This requirement will almost certainly need to be technology-enabled, so the relevant processes and technologies must be considered well in advance of the July 2026 identification deadline.
  • The EC will support member states and critical entities by preparing an overview of cross-border and cross-sectoral risks, organizing advisory missions, and facilitating information exchange. Critical entities should not wait for that guidance before building or enhancing relationships with stakeholders within their sector and across borders.

The CER Directive sets an ambitious timeline for both EU member states and critical entities. Both would therefore be well served to start reviewing resilience plans and capabilities now, so they do not find themselves "playing catch-up" later.

Download Deloitte’s article about the CER Directive