Critical Entities Resilience Directive

Directive (EU) 2022/2557 on the resilience of critical entities

Category: Status
EU: Date of application is 18 October 2024.
EEA: Pending.
Norway: Pending.

Scope

The Resilience of Critical Entities Directive (CER) applies to critical entities identified by member states within the following sectors: energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, public administration, space, and the production, processing and distribution of food.

The Directive aims to harmonize cyber resilience requirements in the EEA by ensuring that risks are more comprehensively accounted for. This includes addressing the dynamic threat landscape, such as hybrid and terrorist threats, and the physical risks from natural disasters and climate change.

While the CER Directive to some extent overlaps with the NIS2 Directive, the former focuses on the broader concept of resilience across critical entities, including physical security, risk management, and recovery from a wide range of threats. The CER Directive does not apply to matters covered by the NIS2 Directive (i.e., cybersecurity matters).

On 19 November 2023, Commission Delegated Regulation (EU) 2023/2450 became applicable in the EU. The Regulation establishes a comprehensive, non-exhaustive list of essential services across several critical sectors, such as public transport, electricity providers, cloud services and data centers, and large-scale production, processing, and distribution of food.

Relevance

The CER Directive is expected to strengthen the risk awareness and contingency planning of critical entities in the EEA, in particular by shifting attention from infrastructure and individual objects to services and deliveries, in contrast to its predecessor, the EPCIC Directive (2008/114/EC). The EPCIC Directive is currently implemented in the Norwegian Civil Protection Act chapter VI A, but the CER Directive will likely be implemented in another act, and its relationship to the Norwegian Security Act (which has a partially overlapping scope) must be examined further.

Key obligations

Member States must identify critical entities by 17 July 2026, based on their provision of essential services and the significant impact that any disruption could have. These entities must be notified of their status and obligations.

Critical entities are required to conduct risk assessments and implement appropriate and proportionate measures to ensure their resilience. This includes measures to prevent, protect against, respond to, resist, mitigate, absorb, accommodate, and recover from incidents. Entities in scope will be required to demonstrate adequate employee security management, access rights and procedures for background checks, and to ensure adequate awareness training of their personnel.

Member states must define a regime for conducting background checks for personnel with sensitive roles or access to critical premises and systems, including criminal records. For Norway, this will likely require a supplementary legal basis for obtaining a police certificate of conduct.

Entities must notify competent authorities of incidents that significantly disrupt the provision of essential services within 24 hours, followed by a detailed report no later than one month thereafter.