Directive on the Resilience of Critical Entities (CER)
Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 on the resilience of critical entities and repealing Council Directive 2008/114/EC (CER Directive)
The CER Directive is structured to provide a comprehensive framework for enhancing the resilience of critical entities within the EU. It is organized into several key sections that outline the directive’s objectives, the scope of application, specific obligations for member states and critical entities, and mechanisms for cooperation and enforcement. The structure includes:
Structure and Key Sections
- The CER Directive is structured to provide a comprehensive framework for enhancing the resilience of critical entities within the EU. It is organized into several key sections that outline the directive’s objectives, the scope of application, specific obligations for member states and critical entities, and the mechanisms for cooperation and enforcement.
- General Provisions and Objectives: This section defines the directive’s objectives, which include strengthening the resilience of critical entities against various risks, including natural disasters, terrorism, and cyberattacks. It also establishes the scope of the directive, identifying the sectors and types of entities covered.
- Obligations for Member States: The directive mandates that each EU member state is responsible for identifying critical entities within its jurisdiction. Member states are required to ensure that these entities implement robust resilience measures. This section also details the national frameworks that member states must establish, including the designation of competent authorities and the creation of national strategies for the protection of critical infrastructure.
- Obligations for Critical Entities: Critical entities identified by member states must comply with specific requirements under the CER Directive. These include conducting riskRisk Means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident. - Definition according Article 6 Directive (EU) 2022/2555 (NIS2 Directive) assessments, implementing security measures, and reporting incidents that could impact their operations. The directive also emphasizes the importance of resilience planning and preparedness, requiring entities to develop and maintain resilience plans.
- Cooperation and Information Sharing: The directive promotes cooperation between member states and critical entities. It outlines mechanisms for information sharing, both at the national and EU levels, to enhance collective resilience. This section also introduces the role of the European Commission in facilitating cooperation and ensuring consistency in the implementation of the directive across the EU.
- Supervision and Enforcement: The CER Directive includes provisions for the supervision of critical entities and the enforcement of compliance. Member states are required to establish monitoring and enforcement mechanisms to ensure that critical entities adhere to the directive’s requirements. This section also outlines the penalties for non-compliance.
- Final Provisions: This section includes transitional measures, timelines for implementation, and provisions for the review and amendment of the directive.
- Key Sections of the CER Directive
Key Sections of the CER Directive
- Scope and Definitions: Defines the critical sectors covered, such as energy, transport, health, finance, and digital infrastructure.
- Risk Management and Resilience Requirements: Specifies that critical entities must conduct regular risk assessments and implement measures to ensure resilience.
- IncidentIncident Means an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems. - Definition according Article 6 Directive (EU) 2022/2555 (NIS2 Directive) Reporting and Response: Outlines the requirements for critical entities to report incidents and maintain operations during disruptions.
- National Strategies and Competent Authorities: Mandates member states to develop national strategies and designate authorities responsible for overseeing the directive’s implementation.
- Cooperation and Coordination: Encourages cross-border collaboration and information sharing to enhance the overall resilience of critical infrastructure across the EU.
The CER Directive represents a significant step forward in the EU’s efforts to safeguard critical infrastructure from a wide range of threats. By establishing clear obligations for both member states and critical entities, the directive aims to create a more resilient and secure environment across the Union.
Get NIS 2 Supply Chain Risk Checklist
Download our free NIS2 Supply Chain Risk Checklist to ensure your organization meets the latest cybersecurityCybersecurity ‘cybersecurity’ means cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881;
- Definition according Article 6 Directive (EU) 2022/2555 (NIS2 Directive)
'cybersecurity’ means the activities necessary to protect network and information systems, the users of such systems,
and other persons affected by cyber threats;
- Definition according Article 2, point (1), of Regulation (EU) 2019/881; compliance standards effortlessly.