For years, resilience1 has been a senior leadership priority for public and private sector organizations in the European Union (EU). Yet, the COVID pandemic, war in Ukraine, and climate-related events have revealed shortcomings in resilience planning. This has resulted in an urgent imperative to bolster resilience capabilities and the launch of the European Commission’s EU Critical Entities Resilience (CER) Directive which Member States will have to adhere to by 17th July 2026.
The CER Directive aims to improve and harmonise Member States’ and organizations’ resilience strategies and plans. The Directive sets requirements which Member States will need to transpose into national legislation. It also asks Member States to identify Critical Entities (i.e. those which provide essential services) by 17 July 2026 and to define national resilience strategies, risk assessment frameworks, and other elements of resilience within an ambitious 10 month timetable from that declaration. Critical Entities in the 11 sectors specified in the Directive (Exhibit 1) will have to move quickly to comply with the requirements set out by their respective Member States by the specified dates.
This article aims to help navigate the most critical elements of the Directive for a broad range of stakeholders: from senior executives and Board members in Critical Entities, and actual and potential Member States’ competent authorities, all the way to risk management, business continuity, crisis management, and resilience professionals. With just under a year to go until the Directive’s first critical milestone, its purpose is to encourage potentially affected organizations and stakeholders to begin to understand the requirements and proactively address them.
Exhibit 1: The eleven sectors covered by the CER Directive
* Risk assessments and resilience-based measures/plans for digital infrastructure, financial market infrastructure, and banking are covered by NIS2 and DORA accounting, respectively, for cyber and information and communications technology risks.
The CER Directive (EU Directive 2022/2557) aims to enhance resilience to risks that could impact the provision of essential services, indispensable to the proper functioning of society and the economic system. Doing this will reinforce trust in the public and private organizations’ ability to deliver those services during and after disruption.
Three drivers prompted the EU to issue this Directive now:
We have identified eight key provisions included in the CER Directive which private and public sector organization leaders need to know about and the actions needed to start addressing them.
1. Article 4: Strategy on the resilience of Critical Entities: Each Member State must adopt a strategy for reinforcing the resilience of Critical Entities. This must include: strategic objectives and priorities (taking into account cross-border and cross-sectoral dependencies); a governance framework to achieve the strategic objectives and priorities; a description of the measures necessary to enhance the overall resilience of Critical Entities; and a list of the main authorities and relevant stakeholders involved in the implementation of the strategy. Member States will need practical frameworks for developing harmonisation strategies as well as risk assessments. These frameworks may leverage existing frameworks, such as the Committee of Sponsoring Organizations of the Treadway Commission (COSO) ERM Framework and the International Consortium for Organizational Resilience (ICOR) Framework2.
Action required: Organizations should anticipate this ‘harmonisation’ and use existing frameworks as a starting point for identifying areas of focus and organizational needs to start enhancing resilience capabilities.
2. Article 5: Risk assessment by Member States: The competent authorities will need to assess all relevant natural and human-made risks that could impact the provision of essential services.
These include risks arising from interdependencies among sectors, including those in other Member States and third countries. The latter being of particular relevance for cross-border groups comprising affiliates in and outside the EU, and their actual or potential dependencies from a supply chain management standpoint. Relevant elements of the Member States’ risk assessments will be communicated to the Critical Entities and, within three months, data and relevant information on the risk assessment results will be communicated to the EC. Member States’ risk assessments will require a coherent framework and specific methodologies for determining impacts, likelihoods, and sectoral and supply chain dependencies. This assessment should serve as well as a foundational tool for enhancing resilience and reporting.
Action required: Organizations shouldn’t wait for this national-level communication to consider how they can better align their approach to enterprise risk and resilience initiatives. Action can be taken now to review methodologies and drive consistency.
3. Article 6: Identification of Critical Entities: The Directive includes dates and deadlines for significant milestones (Exhibit 2). Member States have until 17 July 2026 to identify Critical Entities in each of the 11 sectors. Once an entity has been designated “critical,” the competent authority will notify the entity within one month, and the resilience requirements will apply ten months after notification. In identifying Critical Entities, a Member State will account for its resilience strategy and the outcomes of its risk assessment. The Member State will also consider whether the entity provides one or more essential services, where the entity operates, and where its critical infrastructure is located. Member States will need a rigorous methodology and process – based on its resilience harmonisation strategy and risk assessment framework – for determining that an entity is critical. They will also need to establish clear and ongoing communication between their competent authorities and the Critical Entities.
Action required: Organizations likely to be deemed a ‘critical entity’ should consider now what the deadline and milestones will mean for them and take action proactively to anticipate the requirements. The requirements are challenging to meet within just ten months.
Exhibit 2: CER Directive milestones
4. Article 10: Members States’ support to Critical Entities: Member States are responsible for supporting Critical Entities in enhancing their resilience. This may include developing guidance materials, methodologies, and training, including organizing exercises to test resilience, and promoting mechanisms to support voluntary information-sharing among Critical Entities. Member States may also provide financial resources to Critical Entities, where justified by public interest objectives (and in compliance with State Aid rules in the EU).
Action required: Member States are unlikely to be able to provide comprehensive support across all identified critical entities at different levels of resilience maturity. Critical Entities must prioritise conducting a self-assessment on their level of maturity and coverage against the requirements contained in the Directive, the respective national laws under development in a Member State, and relevant international standards. This gap analysis should serve as the lynchpin for an ambitious roadmap of key milestones to complete will identify where more or less support will be required from Members States.
5. Article 13: Resilience measures of Critical Entities: Member States must ensure that Critical Entities implement appropriate measures contained in a resilience plan or equivalent document to prevent incidents from occurring, ensure adequate protection of critical infrastructure, address the impact of and recovery from incidents, and guarantee adequate employment security management. Critical Entities will need to formulate initiatives to meet new resilience mandates. For example, they may need to adapt their own risk management and resilience frameworks to harmonise with those emanating from the Directive and adjust related roles, responsibilities, and reporting processes to fulfil their Member State’s regulatory mandates.
Action required: Critical Entities must consider dedicating personnel to addressing the expected requirements from the mandate. This might extend to creating a senior position, in the form of a Chief Resilience Officer or equivalent, to steer and oversee the organization’s overall approach.
6. Article 15: Incident notification: Within 24 hours of detecting an incident that disrupts or could disrupt the provision of essential services, the Critical Entity will be required to give an initial notification to the competent authority (unless operationally unable to do so). Notifications will include information on the nature, root cause, and possible consequences of the incident and potential cross-border impacts. Within one month after detection, the Critical Entity will submit a detailed report that includes the number and percentage of affected users, the duration of the disruption, and the affected geographic area.
Action required: Critical Entities need to review and revamp their incident detection, impact measurement, and reporting methods and tools to enable them to meet these reporting deadlines and requirements. It is likely that this requirement will need to be technology enabled, making it imperative that this is considered well in advance of the July 2026 deadline.
7. Article 20: Commission support: To support Member States and Critical Entities, the EC will prepare a Union-level overview of cross-border and cross-sectoral risks, organize advisory missions, and facilitate information exchange. In addition, the EC, in consultation with the Critical Entities Resilience Group, will develop best practices, guidance materials and methodologies, and cross-border training exercises to support and test the resilience of Critical Entities.
Action required: Critical Entities should not wait for guidance to start to build or enhance their relationships with stakeholders within their sector and cross-border. This could be done through cross-sector exercising, cross-border collaboration, forums, and information sharing.
8. Article 21: Supervision and enforcement: Member States will ensure that the competent authorities can conduct on-site inspections of the Critical Entity’s relevant infrastructure and premises, perform or order relevant audits, and gather other information needed to verify that measures have been implemented in compliance with national legislation derived from this Directive. In addition, Article 22 empowers Member States to provide for “effective, proportionate and dissuasive” penalties for infringements of national provisions adopted under the Directive. While the CER Directive lacks the binding nature that an EU Regulation would have, it sets goals that Member States must achieve while leaving them to devise their own laws regarding the manner by which to achieve those goals. Member States will therefore need to develop their own policies (aligned with any guidelines and implementing acts issued by the EC) and formulate national laws that internalize and build on the minimum requirements laid out at EU level.
Action required: Critical Entities must review their compliance and reporting capabilities in anticipation of greater expectations that will come with the supervision and enforcement element of the CER Directive.
In addition to the specific Articles and the actions organizations should be considering, this endeavour will require the support of all the senior executives and Board members in the Critical Entities. This will ensure the initiatives are fully brought to bear with no vulnerabilities that could evidence non-compliance. Getting this engagement now will be critical for delivering overall success.
Member States and Critical Entities face an ambitious timeframe for implementing the provisions of the CER Directive. It will also require significant resources from many Member States and Critical Entities. We believe all organizations impacted or potentially impacted by the Directive should immediately start to determine what the specific impact will be, what resources will be needed, and how best to proceed to comply against the requirements laid out in the Directive.
Deloitte has a Global Crisis & Resilience community of over 1000 practitioners internationally, and over 300 in Europe alone. We work across industries to identify and establish good practice and new approaches to crisis and resilience. We have designed, implemented, embedded and supported resilience programmes for a wide range of global clients, many on a journey to comply with regulation and legislative direction. We help them to be prepared for disruption, but we also assist them when major disruptions occur. We know what works and what doesn’t, and how to efficiently bring success through designing approaches and building capabilities that are appropriate and proportionate for our clients, the industry and ecosystem within which they operate, and the risks they face. Our specific services include:
If you would like more information or to speak to a Crisis & Resilience Lead in your local market, please see the contacts below
Jose Maria Fernandez | Spain | firstname.lastname@example.org | Tel: +34 912926914
Tim Johnson | UK | email@example.com | Tel: +44 2073030746
Koen Magnus | Belgium | firstname.lastname@example.org | Tel: +32 485466590
Abigail Worsfold | UK | email@example.com | Tel: +44 2070074663
Michael Mueller | Germany | firstname.lastname@example.org | Tel: +49 89290368428
Stefanie Ruys | Nordics & Denmark | email@example.com | Tel: +45 30935287
Tariq Ajmal | Middle East | firstname.lastname@example.org | Tel: +971 24082424
Stefano Buschi | Italy | email@example.com | Tel: +39 0283322993
Florian Widmer | Switzerland | firstname.lastname@example.org | Tel: +41 582796910
Colm McDonnell | Ireland | email@example.com | Tel: +353 14172348
Frédérique Demenint | Netherlands | firstname.lastname@example.org | Tel: +31 882887874
Sonia Cabanis | France | email@example.com | Tel: +33 158370304