Critical Entities Resilience Directive: Why it is relevant to you

What is the ‘Critical Entities Resilience Directive’? (CER Directive)

The Critical Entities Resilience Directive (CER Directive) is a European Union (EU) directive that recognises the increasingly disrupted nature of our polycrisis world. It aims to strengthen the resilience of critical entities against a wide range of threats and hazards, including natural disasters, terrorist and cyber attacks and sabotage.

EU Member States will use a risk-based approach to designate critical entities: the organisations most relevant for vital economic or societal functions across eleven sectors as follows:

These entities will be required to evaluate the risks that may disrupt their provision of essential services and adopt relevant resilience measures. These measures will include resilience plans and stringent processes for incident notification.

Competent authorities in each Member State will be responsible for the correct application and enforcement of the Directive and determining penalties for non-compliances.

Why does the CER Directive matter?

Resilience is here to stay. The CER Directive is the latest iteration of a rapidly expanding regulatory push towards resilience within the EU and beyond. Recent regulation (e.g. the NIS 2 Directive) has largely been driven by the cyber threat. However, the CER Directive acknowledges that the types of threats and hazards we face are more diverse, frequent and complex than ever before. That creates an obligation on business, industry and society to develop the ability to respond and adapt in the face of disruption.
The growing breadth of sector coverage. The breadth of sector coverage is another factor that sets this directive apart from other recent regulations (e.g. the Digital Operational Resilience Act (DORA)). Where financial and digital sectors will likely benefit from having laid the groundwork to meet previous regulatory timelines, other sectors may have had limited exposure to resilience requirements. The Directive also does not establish limits on the size of entities and acknowledges that measures may impact neighbouring Member States and third countries
The timelines are tight. The Directive imposes significant requirements for risk and resilience. While critical entities may not be designated until July 2026, they will then have only ten months to demonstrate compliance. If you are likely to be a critical entity, you must start planning now
The opportunity for a strategic approach. The Directive provides the opportunity for designated critical entities to take a strategic approach to resilience that not only protects value but also generates a competitive advantage by identifying operational efficiencies and capitalising on disruption. A tried and tested operational resilience methodology will act as a critical handrail as the Directive brings new sectors into the resilience fold.

When will the CER Directive be enforced?

In November 2020, the CER Directive was adopted by the European Parliament and the Council of the European Union, and subsequently entered into force in January 2023. There are several key dates in the coming months and years that are essential for organisations to keep in mind:

What actions should you take now?

Identify and assess your risks: Conduct thorough assessments to understand your exposure to plausible risks, the likely impacts and how that aligns to your risk appetite. (Article 12²)
Review your target operating model for risk and resilience: Consider aligning your governance structures to oversee an integrated data-driven target operating model–one that can develop your Enterprise Resilience capability in line with the specific risks you face. Explore how you can implement technology to use data analytics and automation to drive your resilience transformation.
Build your resilience capability around what matters most to you: Identify your minimum viable organisation and focus your energy and investment on making it resilient. This involves defining what really matters to you and your customers, and then mapping those Critical Business Services and the dependencies which enable you to deliver those services. Next, align your resilience disciplines - business continuity, IT disaster recovery, cyber and physical security, and supply chain resilience - to the continuity of those services. Develop targeted response structures, frameworks and plans. (Article 13³)
Build your crisis management capability to manage unplanned or unprecedented scenarios: Review and refresh your incident and crisis management structures and plans to enable rapid containment, triage and response. Consider whether your structures enable you to meet the 24-hour notification requirement and whether you have a clear crisis communications strategy to navigate the complexities of stakeholder management during disruption. (Article 13 and 15⁴)
Conduct regular training and exercises: Devise a programme of training, exercising and testing for incident and crisis response using scenarios aligned to the risks identified in the risk assessment. Use real-time data to test your ability to manage disruption within your impact appetite. Identify opportunities to continue maturing your risks, resilience and crisis capabilities. (Article 13⁵)

200+

The amendment to the Emergency Act will create 200+ providers of vital services in Estonia

In order to be ready in time, the necessary activities must be started today.

Get in touch if you:

Need help understanding what changes the CER Directive and the amendment to the Estonian Emergency Act will bring to you;
Want to understand what your operational maturity level is today and what your primary actions should be to improve operational continuity;
Want to rethink your approach to resilience.

Footnote:
_{¹Directive (EU) of the European Parliament and of the Council [2022] OJ L333/164}

Contact US

Crisis Management Services

Crisis Management Services

Organisations that are well prepared for crises emerge from the crisis situation stronger than before. We support our clients in preparing for crisis situations.

Take a look at our business continuity and crisis management services.