Directive sur la résilience des entités critiques (CER)
Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 on the resilience of critical entities and repealing Council Directive 2008/114/EC (CER Directive)
The CER Directive is structured to provide a comprehensive framework for enhancing the resilience of critical entities within the EU. It is organized into several key sections that outline the directive’s objectives, the scope of application, specific obligations for member states and critical entities, and mechanisms for cooperation and enforcement. The structure includes:
Structure et sections clés
- The CER Directive is structured to provide a comprehensive framework for enhancing the resilience of critical entities within the EU. It is organized into several key sections that outline the directive’s objectives, the scope of application, specific obligations for member states and critical entities, and the mechanisms for cooperation and enforcement.
- General Provisions and Objectives: This section defines the directive’s objectives, which include strengthening the resilience of critical entities against various risks, including natural disasters, terrorism, and cyberattacks. It also establishes the scope of the directive, identifying the sectors and types of entities covered.
- Obligations for Member States: The directive mandates that each EU member state is responsible for identifying critical entities within its jurisdiction. Member states are required to ensure that these entities implement robust resilience measures. This section also details the national frameworks that member states must establish, including the designation of competent authorities and the creation of national strategies for the protection of critical infrastructure.
- Obligations for Critical Entities: Critical entities identified by member states must comply with specific requirements under the CER Directive. These include conducting risqueRisque désigne le potentiel de perte ou de perturbation causé par un incident et doit être exprimé comme une combinaison de l'ampleur de cette perte ou de cette perturbation et de la probabilité d'occurrence de l'incident. Définition selon l'article 6 de la directive (UE) 2022/2555 (directive NIS2) assessments, implementing security measures, and reporting incidents that could impact their operations. The directive also emphasizes the importance of resilience planning and preparedness, requiring entities to develop and maintain resilience plans.
- Cooperation and Information Sharing: The directive promotes cooperation between member states and critical entities. It outlines mechanisms for information sharing, both at the national and EU levels, to enhance collective resilience. This section also introduces the role of the European Commission in facilitating cooperation and ensuring consistency in the implementation of the directive across the EU.
- Supervision et application: The CER Directive includes provisions for the supervision of critical entities and the enforcement of compliance. Member states are required to establish monitoring and enforcement mechanisms to ensure that critical entities adhere to the directive’s requirements. This section also outlines the penalties for non-compliance.
- Final Provisions: This section includes transitional measures, timelines for implementation, and provisions for the review and amendment of the directive.
- Key Sections of the CER Directive
Key Sections of the CER Directive
- Scope and Definitions: Defines the critical sectors covered, such as energy, transport, health, finance, and digital infrastructure.
- Risk Management and Resilience Requirements: Specifies that critical entities must conduct regular risk assessments and implement measures to ensure resilience.
- IncidentIncident Un événement compromettant la disponibilité, l'authenticité, l'intégrité ou la confidentialité des données stockées, transmises ou traitées ou des services offerts par les réseaux et les systèmes d'information ou accessibles par leur intermédiaire. Définition selon l'article 6 de la directive (UE) 2022/2555 (directive NIS2) Reporting and Response: Outlines the requirements for critical entities to report incidents and maintain operations during disruptions.
- National Strategies and Competent Authorities: Mandates member states to develop national strategies and designate authorities responsible for overseeing the directive’s implementation.
- Cooperation and Coordination: Encourages cross-border collaboration and information sharing to enhance the overall resilience of critical infrastructure across the EU.
The CER Directive represents a significant step forward in the EU’s efforts to safeguard critical infrastructure from a wide range of threats. By establishing clear obligations for both member states and critical entities, the directive aims to create a more resilient and secure environment across the Union.
Obtenir la liste de contrôle des risques de la chaîne d'approvisionnement du NIS 2
Download our free NIS2 Supply Chain Risk Checklist to ensure your organization meets the latest cybersécuritéCybersécurité "cybersécurité", la cybersécurité telle que définie à l'article 2, point 1), du règlement (UE) 2019/881 ; - Définition selon l'article 6 de la directive (UE) 2022/2555 (directive NIS2)
"cybersécurité" : les activités nécessaires pour protéger les réseaux et les systèmes d'information, les utilisateurs de ces systèmes et les autres personnes concernées par les cybermenaces ; - Définition selon l'article 2, point 1), du règlement (UE) 2019/881 ; compliance standards effortlessly.