The Critical Entities Resilience (CER) Directive 2022/2557, forming a set of European Union guidelines and recommendations aimed at reducing vulnerabilities and enhancing the resilience of critical entities against various threats, came into effect last year. Adopted on December 14, 2022, it replaced the European Critical Infrastructure Directive 2008/114/EC which had been limited to selected sectors and covered only specific aspects of resilience. The updated rules in CER aim to strengthen the resilience of critical entities against a broad spectrum of threats, including natural disasters, terrorism, hybrid threats, insider threats, and sabotage across multiple industries.
CER defines critical entities as those essential for maintaining the continuity of societal and economic functions in the EU. An entity is classified as a critical entity of European significance if it provides fundamental services in at least six EU member states and operates within one of the 11 designated sectors deemed essential for maintaining key societal functions, economic activities, public health and safety, or environmental security, including:
Critical entities face risks not only from natural disasters but also from targeted attacks by hackers or terrorist groups, highlighting the need for comprehensive protection and resilience-building measures. Under the CER Directive, EU Member States are required to identify critical entities by July 17, 2026, and support them in fulfilling their obligations stemming from CER.
The CER Directive prioritizes three key areas:
To meet these objectives, EU Member States must develop and implement a national strategy to enhance the resilience of critical entities. Entities covered by the strategy will be required to conduct risk assessments at least once every four years, identify risks that could significantly disrupt service delivery, implement appropriate measures to strengthen their resilience, and report incidents that impact their resilience to the relevant authorities.
Alongside the DORA Regulation and the NIS2 Directive, CER represents another key legislative instrument requiring careful preparation. CER does not automatically impose direct obligations on individual entities; instead, individual EU Member States must transpose its provisions into national legislation and define specific enforceable requirements. Overall, CER serves as a framework of recommendations and measures designed to ensure the high resilience of identified critical entities, safeguarding essential services across the EU, and improving the functioning of the internal market. Adhering to the guidelines set forth by the European institutions is essential for enhancing security, building trust, ensuring regulatory compliance, and maintaining a strong reputation and competitiveness.
Failure to prepare adequately or comply with CER requirements could lead to penalties or operational restrictions. Specific sanctions will be determined by national legislation, which must be implemented within two years of the directive’s entry into force, i.e., by 2026.
Our team of experienced professionals is ready to provide a comprehensive range of services to address your needs, from initial gap analysis to strategic advisory and implementation support.