The Critical Entities Resilience Directive (‘CER’) entered into force on 16 January 2023, replacing the 2008 European Critical Infrastructure Directive. The new rules are aiming to strengthen the resilience of critical infrastructure to a range of threats, including natural hazards, terrorist attacks, insider threats, or sabotage. The CER Directive introduces new obligations on entities providing essential services and extends to more sectors compared to its predecessor, meaning more companies will fall within the scope of the new rules.
Which sectors does CER cover?
Whilst the 2008 Directive covered only energy and transport, CER extends to nine new sectors: banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, public administration, space, and food. This means that companies operating within those sectors need to stay alert and assess whether the new rules apply to them.
Who does CER apply to?
CER applies when:
- The entity provides one or more essential services;
- The entity operates and has its critical infrastructure located in the EU;
- Incident would have a significant disruptive effect on the provision of essential services.
It is important to note that essential entities that fall under the EU’s Second Network and Information Systems Directive (“NIS2”) scope are within the scope of CER as entities providing essential services.
Who will identify critical entities?
The Member States will identify the relevant critical entities and notify them within one month of identification. The identification will be based on a risk assessment carried out by the Member States. The assessment must be completed by 17 January 2026.
The assessment will take various factors into account such as natural and man-made risks, public health emergencies, and terrorist threats. Member States will consider various criteria to determine what constitutes a significant disruptive effect including the number of users of the service, market share, cross-border impact, and the impact of potential incidents.
In relation to the identified critical entities, Member States will also be able to conduct on-site inspections, audits, and issue penalties, which are to be determined by 17 October 2024.
What obligations will critical entities have?
Once identified, the critical entity must review its business and identify the relevant risks and measures to ensure resilience within nine months of notification and then update every four years. The risk assessment should account for all the relevant natural and man-made risks, which could lead to an incident, including those of a cross-sectoral or cross-border nature.
The critical entities will be under an obligation to implement appropriate and proportionate technical, security and organisational measures to ensure their resilience in, amongst all, preventing incidents, ensuring adequate physical protection of premises or responding and mitigating the consequences of incidents. The measures also include training personnel. Finally, the critical entities will also have to notify the competent authority of incidents that significantly disrupt (or have a potential to disrupt) the provision of an essential service, taking into consideration various factors. The notification will have to be made without undue delay and no later than 24 hours after becoming aware.