
Critical Entities Resilience Directive – What It Brings And How To Prepare For It?

The Critical Entities Resilience (CER) Directive (EU) 2022/2557 is a binding piece of EU legislation aimed at reducing the vulnerabilities of critical entities and strengthening their resilience against a wide range of threats. Adopted on December 14, 2022, and in force since January 16, 2023, it replaced the European Critical Infrastructure Directive 2008/114/EC, which had been limited to the energy and transport sectors and covered only the physical protection of designated infrastructure. The updated rules in CER aim to strengthen the resilience of critical entities across multiple sectors against a broad spectrum of threats, including natural disasters, terrorism, hybrid threats, insider threats, and sabotage.

Who Does CER Apply To?

CER defines critical entities as public or private entities that provide one or more essential services, i.e., services crucial for maintaining vital societal functions, economic activities, public health and safety, or the environment, and that operate in one of the 11 sectors listed in the directive. Each Member State identifies the critical entities on its territory. An entity is further classified as a critical entity of particular European significance if it provides the same or similar essential services to or in six or more Member States. The 11 sectors are:

  • Energy (generation, storage, and distribution) 
  • Transport (air, rail, water, road, and related infrastructure management) 
  • Banking 
  • Financial market infrastructure 
  • Digital infrastructure 
  • Public administration 
  • Food production, processing, and distribution 
  • Health 
  • Drinking water 
  • Wastewater 
  • Space 

Critical entities face risks not only from natural disasters but also from targeted attacks by hackers or terrorist groups, highlighting the need for comprehensive protection and resilience-building measures. Under the CER Directive, EU Member States are required to identify critical entities by July 17, 2026, and support them in fulfilling their obligations stemming from CER. 

Key Focus Areas of CER

The CER Directive is built around three key areas: 

  1. Obligations on Member States: each must adopt a national strategy for the resilience of critical entities, carry out a national risk assessment, and identify the critical entities operating on its territory. 
  2. Obligations on identified critical entities: they must assess the risks to their essential services, implement technical, security, and organisational measures to ensure their resilience (including background checks on certain personnel), and notify significant incidents to the competent authority. 
  3. Cooperation and oversight at EU level: the Critical Entities Resilience Group supports cooperation among Member States and the Commission, and critical entities of particular European significance are subject to additional oversight, including advisory missions. 

To meet these objectives, each EU Member State must adopt a national strategy for enhancing the resilience of critical entities by January 17, 2026. Identified critical entities must conduct a risk assessment within nine months of being notified of their identification and at least once every four years thereafter, identify risks that could significantly disrupt the provision of their essential services, implement appropriate measures to strengthen their resilience, and notify the competent authority, without undue delay and no later than 24 hours after becoming aware of it, of any incident that significantly disrupts or could significantly disrupt the provision of essential services. 

Why Is CER Important?

Alongside the DORA Regulation and the NIS2 Directive, CER represents another key legislative instrument requiring careful preparation. CER does not itself impose directly applicable obligations on individual entities; its provisions must be transposed into national legislation by each Member State, which defines the specific enforceable requirements and identifies the entities subject to them. Overall, CER sets a common framework of minimum obligations designed to ensure the high resilience of identified critical entities, safeguarding essential services across the EU and improving the functioning of the internal market. Meeting these requirements is essential for enhancing security, building trust, ensuring regulatory compliance, and maintaining a strong reputation and competitiveness. 

Failure to prepare adequately or to comply with the national rules transposing CER could lead to penalties or operational restrictions. Specific sanctions are determined by national legislation: Member States had to adopt the transposing measures by October 17, 2024, and apply them from October 18, 2024, and must identify the critical entities subject to them by July 17, 2026. 

How Can Deloitte Help?

Our team of experienced professionals is ready to provide a comprehensive range of services to address your needs, from initial gap analysis to strategic advisory and implementation support.

We help organizations conduct thorough assessments of their current resilience levels, identify gaps in existing measures, and propose targeted improvements. 

We assist in preparing and executing a detailed analysis of your resilience against risks, pinpoint deficiencies, and recommend specific steps to enhance protection. 

We help develop policies and control frameworks to ensure compliance with regulatory requirements, rules, and standards, ensuring that your procedures align with relevant legal and security obligations. 

We offer training programs and workshops to enhance staff awareness of risks and resilience-building measures. Our educational sessions provide practical skills for responding effectively to crisis situations. 

At Deloitte, we actively help with preparation for compliance with all relevant rules arising from the legislation, whether it is the DORA Regulation, the NIS2 Directive and the related Cyber Security Act, or the CER Directive.