What is the Critical Entities Resilience (CER) Directive?

The Critical Entities Resilience (CER) Directive is a new initiative in the EU that aims to ensure that critical entities providing essential services are effectively managing their network and information security. The CER Directive is part of the EU’s latest effort to build stronger cyber resilience across Europe, alongside NIS2 and the EU Cyber Resilience Act.

This article provides an overview of the CER Directive, its key objectives, who it applies to, and how organizations can achieve compliance with it.


CER Directive overview

The Critical Entities Resilience Directive was first proposed by the European Commission in 2020. The proposal highlighted the need for EU nations to significantly upgrade the cyber resilience of their network and information systems, especially in critical infrastructure sectors.

The CER Directive entered into force on 16 January 2023 and effectively replaces the 2008 ECI Directive (European Critical Infrastructure Directive), one of the key initiatives in the European Programme for Critical Infrastructure Protection (EPCIP). The Directive aims to build upon the foundations set by its predecessor, which originally addressed protection only for the transportation and energy sectors.

The CER Directive represents a significant step in the European Union's efforts to enhance the security and resilience of entities that are important for maintaining the provision of essential services. The Directive acknowledges that the previously existing measures were insufficient to prevent disruptions because they protected only individual assets rather than the service providers as a whole.

Part of the initial proposal for the CER Directive identified the growing rate of vulnerabilities that critical infrastructures face, ranging from natural disasters to cyber attacks, and the growing need for cross-border collaboration and information sharing. The EU Cyber Solidarity Act addresses this and aims to increase cross-border information sharing between Member States.

Key objectives of the CER Directive

The primary objectives of the CER Directive are centered around three key areas:

  1. Building stronger cyber resilience: To build an overarching framework that assesses resilience and risk mitigation strategies to prepare critical entities against potential hazards.
  2. Improving risk assessment capabilities: Improving how critical entities assess and analyze their relevant risks, and requiring a risk assessment at least every four years, as part of the risk management process, to identify new risks and the evolution of previously identified ones.
  3. Addressing cross-border impact: With growing cross-sector and cross-border interdependencies, it is more necessary than ever to improve cooperation and communication between critical entities as part of the CER Directive.

CER Directive obligations

The CER Directive outlines key obligations that each critical entity must meet to ensure cyber resiliency and a high level of cybersecurity across all sectors. Here are some of the main obligations that require action from each Member State:

Article 4 - Strategy on the resilience of Critical Entities

Each Member State must adopt a strategy or resilience plan to enhance cyber resilience, which must include the following elements:

  • A governance framework to achieve objectives and priorities
  • A description of necessary measures taken to enhance resilience
  • A description of the process used to identify critical entities
  • A list of main authorities and stakeholders
  • A policy for coordination between competent authorities
  • A plan to update the strategy every four years

Article 5 - Risk assessment by Member States

Risk assessments must cover all relevant risks, whether inherent or residual, natural or man-made, that could cause security incidents and operational disruptions. Risk assessments must be performed at least every four years, and Member States must report all findings to the Commission.

Article 6 - Identification of Critical Entities

Identification of critical entities must follow these criteria:

  • The critical entity provides one or more essential services
  • The critical entity operates or has critical infrastructure in that Member State’s territory
  • Disruption to this entity would impact one or more essential services

Member States must also update their list of critical entities at least once every four years.

Article 10 - Member States’ support to Critical Entities

Member States are required to support the critical entities in their territory, which includes providing guidance materials and methodology, assistance in strategy implementation, supporting testing of resiliency, and training for all critical entity personnel. Additionally, Member States must maintain good communication with representatives of each critical entity to exchange information and share good practices.

Article 11 - Cooperation between Member States

To carry out the objectives of the Directive, Member States must consult with other Member States, whenever appropriate, regarding critical entities, especially when:

  • The critical entity is linked to two or more Member States
  • The corporate structure of the critical entity is connected between two or more Member States
  • The critical entity provides essential services in another Member State

Article 12 - Risk assessment by Critical Entities

In addition to Article 5, under which risk assessments are carried out by Member States, Article 12 mandates that critical entities carry out their own risk assessments with regard to all relevant risks. Risk assessment findings must be reviewed by a competent authority, which can then declare compliance with the relevant obligations in the Directive.

Article 15 - Incident notification

Critical entities that suffer a security incident must notify the competent authorities of the Member State within 24 hours after becoming aware of the incident. Details surrounding the incident that must be included are:

  • Number and proportion of users impacted by the incident
  • Length of the disruption
  • The geographical area that is affected by the disruption

Article 18 - Advisory missions

If a Member State requests an advisory mission from the Commission, the Commission must organize a team of experts from the Member State to assess the measures put forth by the critical entity. The advisory mission is tasked with providing guidance to the critical entity for improving resilience and assessing the success of established measures. The Commission bears all the costs for organizing the advisory mission, as part of the CER Directive.

Article 21 - Supervision and enforcement

Competent authorities established by each Member State must maintain the authority and responsibility to:

  • Conduct on-site inspections of the critical infrastructure and the premises the critical entity uses to provide essential services
  • Conduct audits of critical entities
  • Gather evidence and information that necessary measures have been implemented in compliance with the Directive
  • Impose penalties, where appropriate and without bias or prejudice, for failure to implement measures, and order corrective actions requiring the critical entity to take the necessary steps to improve resilience

When will the CER Directive come into effect?

The power for the Commission to adopt delegated acts begins on 16 January 2023, for a period of five years. Delegated acts are actions taken upon consultation with experts in each Member State, which can vary with each state. However, delegated acts cannot change the nature of the Directive and must include the objectives laid out by the Directive. Delegated acts must also be submitted and approved by the Commission and Council before they can come into force.

The CER Directive requires each EU Member State to publish measures that comply with the CER Directive in their respective national laws by 17 October 2024. Those measures must be applied and enforced beginning 18 October 2024.

Additionally, all Member States must adopt a full strategy for enhancing the cyber resilience of critical entities, as laid out by the CER Directive, by 17 January 2026. Member States must also establish a non-exhaustive list of critical entities by 23 November 2023 and perform a risk assessment, which must be completed by 17 January 2026. Identification of critical entities across all critical sectors and subsectors must be completed by each Member State by 17 July 2026.

By 17 January 2027, the Commission must submit a summary of actions taken by each Member State to the Critical Entities Resilience Group (CERG), and must repeat this every four years thereafter. By 17 July 2027, the European Commission must also submit an evaluation and report to the European Parliament and European Council detailing the extent to which each Member State has implemented the measures that comply with the CER Directive.

Who enforces the CER Directive?

Regulatory enforcement of the CER Directive will be the responsibility of competent authorities designated by each Member State. These authorities will oversee the implementation of measures and compliance with the CER Directive, and determine the penalties for non-compliance.

The CER Directive also establishes the Critical Entities Resilience Group (CERG), which will assist in facilitating cooperation between Member States and the Commission. The Commission will be in charge of CERG and establishing best practices for information sharing in relation to critical infrastructure entities.

Article 18 also requires designated competent authorities to inform the competent authorities under the NIS2 Directive of each critical entity’s CER Directive compliance, and they may request a cybersecurity evaluation of the critical entity under NIS2 obligations.

Who does the CER Directive apply to?

The CER Directive covers all critical entities that provide services deemed essential for societal and economic well-being. Article 14 of the Directive states that critical entities are identified as “entities that provide critical services to or in more than one-third of Member States.” These entities operate across eleven main sectors, including:

  1. Energy: Electricity, oil, heating, hydrogen, and gas subsectors
  2. Transport: Air, rail, water, road, and public transport subsectors
  3. Banking: Credit institutions
  4. Financial market infrastructure: Trading venues, central counterparties subsectors
  5. Health: Healthcare providers, research labs, pharmaceutical operations and manufacturing, medical device manufacturing, and medicinal product distribution
  6. Drinking water: Drinking water supply and distribution
  7. Waste water: Sewage treatment and disposal, waste water collection
  8. Digital infrastructure: IXP, DNS service providers, TLD name registries, cloud computing services, data center service providers, content delivery networks, trust service providers, electronic communications networks
  9. Public administration: Government services, public administration of central governments
  10. Space: Ground-based infrastructures that support space-based service providers
  11. Food: Production, processing, distribution, supply chain, and wholesale distribution

How can critical entities comply with the CER Directive?

To comply with the CER Directive, critical entities can take several key steps:

  1. Determine the likelihood of being a critical entity
  2. Become familiar with CER Directive requirements
  3. Review existing resilience policies and update them as necessary
  4. Review existing crisis management policies, including incident response and business continuity plans
  5. Conduct personnel training and education exercises

How does the CER Directive impact NIS2?

Both the CER Directive and NIS2 are major initiatives that aim to improve the overall cybersecurity posture in the EU. The CER Directive directly complements NIS2 objectives by aiming to enhance the security and resilience of critical infrastructures and essential services by establishing an operational framework for critical entities to adhere to.

The CER Directive also extends the scope of resilience measures to include a broader range of entities. This comprehensive approach builds upon a unified resilience strategy across the EU while future-proofing against emerging threats and a changing threat landscape.
