Strengthening Enterprise Resilience

Critical Entities Resilience Directive: Why it is relevant to you

  • Blog
  • 5 minute read
  • February 29, 2024

What is the ‘Critical Entities Resilience Directive’? (CER Directive)

The Critical Entities Resilience Directive (CER Directive) is a European Union (EU) directive that recognises the increasingly disrupted nature of our polycrisis world. It aims to strengthen the resilience of critical entities against a wide range of threats and hazards, including natural disasters, terrorist and cyber attacks, and sabotage.

EU Member States will use a risk-based approach to designate critical entities: the organisations most relevant for vital economic or societal functions across eleven sectors as follows:

Real estate

These entities will be required to evaluate the risks that may disrupt their provision of essential services and adopt relevant resilience measures. These measures will include resilience plans and stringent processes for incident notification. 

Competent authorities in each Member State will be responsible for the correct application and enforcement of the Directive and determining penalties for non-compliances.

Why does the CER Directive matter? 

  • Resilience is here to stay. The CER Directive is the latest iteration of a rapidly expanding regulatory push towards resilience within the EU and beyond. Recent regulation (e.g. the NIS 2 Directive) has largely been driven by the cyber threat. However, the CER Directive acknowledges that the types of threats and hazards we face are more diverse, frequent and complex than ever before. That creates an obligation on business, industry and society to develop the ability to respond and adapt in the face of disruption.
  • The growing breadth of sector coverage. The breadth of sector coverage is another factor that sets this directive apart from other recent regulations (e.g. the Digital Operational Resilience Act (DORA)). Where the financial and digital sectors will likely benefit from having laid the groundwork to meet previous regulatory timelines, other sectors may have had limited exposure to resilience requirements. The Directive also does not establish limits on the size of entities, and acknowledges that measures may impact neighbouring Member States and third countries.
  • The timelines are tight. The Directive imposes significant requirements for risk and resilience. While critical entities may not be designated until July 2026, they will then have only ten months to demonstrate compliance. If you are likely to be a critical entity, you must start planning now.
  • The opportunity for a strategic approach. The Directive provides the opportunity for designated critical entities to take a strategic approach to resilience that not only protects value but also generates a competitive advantage by identifying operational efficiencies and capitalising on disruption. A tried and tested operational resilience methodology will act as a critical handrail as the Directive brings new sectors into the resilience fold.

When will the CER Directive be enforced?

In November 2020, the CER Directive was adopted by the European Parliament and the Council of the European Union, and subsequently entered into force in January 2023. There are several key dates in the coming months and years that are essential for organisations to keep in mind:

  • Member States transpose the CER Directive into national law.
  • Member States adopt a strategy for enhancing the resilience of critical entities.
  • Member States identify critical entities and notify the corresponding entities within one month of identification.
  • Critical entities conduct their risk assessment within nine months of designation and demonstrate compliance with Directive requirements within ten months of designation.
  • The European Commission submits a report to the Parliament and Council assessing compliance with the Directive.

What actions should you take now? 

Determine if your organisation is likely to be recognised as a critical entity under the Directive based on your sector and the potential impact of disruptive events. (Directive (EU) of the European Parliament and of the Council [2022] OJ L333/164 Art. 6; Art. 17)¹

Familiarise yourself with the CER Directive's specific requirements, including risk assessments, resilience plans, incident notification and mitigation measures.

  • Identify and assess your risks: Conduct thorough assessments to understand your exposure to plausible risks, the likely impacts and how that aligns to your risk appetite. (Article 12)²
  • Review your target operating model for risk and resilience: Consider aligning your governance structures to oversee an integrated, data-driven target operating model, one that can develop your Enterprise Resilience capability in line with the specific risks you face. Explore how you can implement technology to use data analytics and automation to drive your resilience transformation.
  • Build your resilience capability around what matters most to you: Identify your minimum viable organisation and focus your energy and investment on making it resilient. This involves defining what really matters to you and your customers, and then mapping those Critical Business Services and the dependencies which enable you to deliver those services. Next, align your resilience disciplines - business continuity, IT disaster recovery, cyber and physical security, and supply chain resilience - to the continuity of those services. Develop targeted response structures, frameworks and plans. (Article 13)³
  • Build your crisis management capability to manage unplanned or unprecedented scenarios: Review and refresh your incident and crisis management structures and plans to enable rapid containment, triage and response. Consider whether your structures enable you to meet the 24-hour notification requirement and whether you have a clear crisis communications strategy to navigate the complexities of stakeholder management during disruption. (Article 13 and 15)⁴
  • Conduct regular training and exercises: Devise a programme of training, exercising and testing for incident and crisis response using scenarios aligned to the risks identified in the risk assessment. Use real-time data to test your ability to manage disruption within your impact appetite. Identify opportunities to continue maturing your risk, resilience and crisis capabilities. (Article 13)⁵

Monitor CER Directive developments to anticipate and prepare for relevant requirements and deadlines. If you are not immediately identified as a critical entity, consider whether you might be a supplier for a critical entity.

Get in touch to discuss how we’re helping organisations to rethink their approach to resilience.


Footnote:
¹ Directive (EU) of the European Parliament and of the Council [2022] OJ L333/164

Authors

Bobbie Ramsden-Knowles
Global Crisis & Resilience Co-Leader, PwC United Kingdom; Co-leader, PwC’s Global Centre for Crisis and Resilience, Partner, PwC UK

Bram van Tiel
Partner Cybersecurity & Privacy, PwC Netherlands

Ana Cendón Cubero
Director, PwC Spain

Jens Greiner
Director, PwC Germany

Eric Timon
Senior Manager, PwC Ireland (Republic of)

Alex Johnson
Senior Manager, PwC Belgium

Contact us

Dave Stainback
Global Crisis & Resilience Co-Leader, PwC United States
Tel: +1 678 419 1355

Bobbie Ramsden-Knowles
Global Crisis & Resilience Co-Leader, PwC United Kingdom
Tel: +44 (0)7483 422701