Why the CER Directive matters for organisations

What is the ‘Critical Entities Resilience Directive’? (CER Directive)

The Critical Entities Resilience Directive (CER Directive) is a European Union (EU) directive that recognises the increasingly disrupted nature of our polycrisis world. It aims to strengthen the resilience of critical entities against a wide range of threats and hazards, including natural disasters, terrorist and cyber attacks and sabotage.

EU Member States will use a risk-based approach to designate critical entities: the organisations most relevant for vital economic or societal functions across eleven sectors as follows:

These entities will be required to evaluate the risks that may disrupt their provision of essential services and adopt relevant resilience measures. These measures will include resilience plans and stringent processes for incident notification.

Competent authorities in each Member State will be responsible for the correct application and enforcement of the Directive and determining penalties for non-compliances.

Why does the CER Directive matter?

Resilience is here to stay. The CER Directive is the latest iteration of a rapidly expanding regulatory push towards resilience within the EU and beyond. Recent regulation (e.g. the NIS 2 Directive) has largely been driven by the cyber threat. However, the CER Directive acknowledges that the types of threats and hazards we face are more diverse, frequent and complex than ever before. That creates an obligation on business, industry and society to develop the ability to respond and adapt in the face of disruption.
The growing breadth of sector coverage. The breadth of sector coverage is another factor that sets this directive apart from other recent regulations (e.g. the Digital Operational Resilience Act (DORA)). Where financial and digital sectors will likely benefit from having laid the groundwork to meet previous regulatory timelines, other sectors may have had limited exposure to resilience requirements. The Directive also does not establish limits on the size of entities and acknowledges that measures may impact neighbouring Member States and third countries
The timelines are tight. The Directive imposes significant requirements for risk and resilience. While critical entities may not be designated until July 2026, they will then have only ten months to demonstrate compliance. If you are likely to be a critical entity, you must start planning now
The opportunity for a strategic approach. The Directive provides the opportunity for designated critical entities to take a strategic approach to resilience that not only protects value but also generates a competitive advantage by identifying operational efficiencies and capitalising on disruption. A tried and tested operational resilience methodology will act as a critical handrail as the Directive brings new sectors into the resilience fold.

When will the CER Directive be enforced?

In November 2020, the CER Directive was adopted by the European Parliament and the Council of the European Union, and subsequently entered into force in January 2023. There are several key dates in the coming months and years that are essential for organisations to keep in mind:

Member States transpose the CER Directive into national law.

Member States adopt a strategy for enhancing the resilience of critical entities.

Member States identify critical entities and notify the corresponding entities within one month of identification.

Critical entities conduct this risk assessment within nine months of designation and demonstrate compliance with Directive requirements within ten months of designation.

The European Commission submits a report to the Parliament and Council assessing compliance with the Directive.

What actions should you take now?

Identify and assess your risks: Conduct thorough assessments to understand your exposure to plausible risks, the likely impacts and how that aligns to your risk appetite. (Article 12²)
Review your target operating model for risk and resilience: Consider aligning your governance structures to oversee an integrated data-driven target operating model–one that can develop your Enterprise Resilience capability in line with the specific risks you face. Explore how you can implement technology to use data analytics and automation to drive your resilience transformation.
Build your resilience capability around what matters most to you: Identify your minimum viable organisation and focus your energy and investment on making it resilient. This involves defining what really matters to you and your customers, and then mapping those Critical Business Services and the dependencies which enable you to deliver those services. Next, align your resilience disciplines - business continuity, IT disaster recovery, cyber and physical security, and supply chain resilience - to the continuity of those services. Develop targeted response structures, frameworks and plans. (Article 13³)
Build your crisis management capability to manage unplanned or unprecedented scenarios: Review and refresh your incident and crisis management structures and plans to enable rapid containment, triage and response. Consider whether your structures enable you to meet the 24-hour notification requirement and whether you have a clear crisis communications strategy to navigate the complexities of stakeholder management during disruption. (Article 13 and 15⁴)
Conduct regular training and exercises: Devise a programme of training, exercising and testing for incident and crisis response using scenarios aligned to the risks identified in the risk assessment. Use real-time data to test your ability to manage disruption within your impact appetite. Identify opportunities to continue maturing your risks, resilience and crisis capabilities. (Article 13⁵)

Get in touch to discuss how we’re helping organisations to rethink their approach to resilience.

Footnote:
_{¹Directive (EU) of the European Parliament and of the Council [2022] OJ L333/164}

Authors

Bobbie Ramsden-Knowles

Global Crisis & Resilience Co-Leader, PwC United Kingdom

Co-leader, PwC’s Global Centre for Crisis and Resilience, Partner, PwC UK

Email

Bram van Tiel

Partner Cybersecurity & Privacy, PwC Netherlands

Partner, PwC Netherlands

Email

Ana Cendón Cubero

Director, PwC Spain

Email

Jens Greiner

Director, PwC Germany

Email

Eric Timon

Senior Manager, PwC Ireland (Republic of)

Email

Alex Johnson

Senior Manager, PwC Belgium

Email

Critical Entities Resilience Directive: Why it is relevant to you

What is the ‘Critical Entities Resilience Directive’? (CER Directive)

Why does the CER Directive matter?

When will the CER Directive be enforced?

What actions should you take now?

Authors

Bobbie Ramsden-Knowles

Ana Cendón Cubero

Jens Greiner

Eric Timon

Alex Johnson

Related Content

Rethink resilience: Four ways organisations can evolve for disruption

Global Crisis and Resilience Survey 2023

Podcast: Emerge stronger through disruption

PwC's Global Centre for Crisis and Resilience

Contact us

Strategy + business, a PwC publication

Be a better decider