Information & infrastructure security
The Critical Entities Resilience Directive (CER)
What is the purpose of the CER?
The CER (referred to in some countries as the RCE) is Directive (EU) 2022/2557, which seeks to reduce the vulnerabilities and strengthen the physical resilience of critical entities in the EU. It requires Member States to take measures ensuring that services essential for the maintenance of vital societal functions or economic activities are provided in an unobstructed manner in the internal market.
The CER operates alongside NIS2 to enhance the resilience of critical entities in the EU. The CER takes a broader approach than NIS2 in creating a framework that addresses the resilience of critical entities in respect of all hazards, going beyond cyber security to anticipate other natural, man-made, accidental, or intentional risks. The CER does not differentiate between 'essential' and 'important' entities, using instead the general terminology of 'critical entities' for providers of essential services.
Key provisions
- The CER creates a framework that addresses the resilience of critical entities in respect of all hazards.
- The new rules strengthen security measures against a range of threats and introduce a scope covering 11 sectors: energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, public administration, space, and the production, processing and distribution of food.
- The CER introduces a risk-based methodology to enable Member States to identify critical entities and to develop resilience to prevent incidents.
Where will the CER apply?
The CER applies to critical entities that provide essential services within the EU across the 11 sectors listed above. An entity is only subject to the obligations once the Member State in which it operates has identified it as a critical entity and notified it of that identification.
Who will have obligations under the CER?
- Member States must identify the critical entities operating within their borders and designate one or more competent authorities responsible for enforcing the CER, together with a single point of contact for cross-border cooperation.
- Each Member State must adopt a strategy for reinforcing the resilience of critical entities. The strategy should include proactive support to critical entities, such as guidance materials, methodologies and training, exercises to test resilience, and mechanisms that promote voluntary information sharing among critical entities.
- Competent authorities within the Member States will need to assess all risks that could impact the provision of essential services.
- Member States must carry out a risk assessment of all relevant natural and man-made risks at least every four years. Critical entities must conduct their own risk assessment within nine months of being notified of their identification and at least every four years thereafter, and take appropriate technical, security and organisational measures based on it.
- Without undue delay, and no later than 24 hours after becoming aware of an incident that significantly disrupts or has the potential to significantly disrupt the provision of essential services, a critical entity must give an initial notification to the competent authority (unless operationally unable to do so). A detailed report follows within one month.
Are there sanctions for non-compliance?
Yes. Penalties are not fixed across the EU. Article 22 of the CER states that Member States shall lay down the rules on penalties applicable to infringements while ensuring they are implemented. The penalties must be effective, proportionate, and dissuasive.
Key dates and deadlines
- 16 January 2023 – the CER entered into force (twenty days after its publication in the Official Journal on 27 December 2022).
- 17 October 2024 – Member States to adopt and publish the measures necessary to transpose the Directive into national law.
- 18 October 2024 – Member States to apply the transposed measures.
- 17 January 2026 – Member States must adopt their strategy for enhancing the resilience of critical entities.
- 17 July 2026 – Member States must identify critical entities and notify them of their identification.
- 17 July 2027 – the Commission reports to the European Parliament and the Council on the extent to which Member States have complied with the Directive.