CER Directive for Critical Entities Resilience

The European Council has embarked on a new chapter in protecting critical infrastructure with the approval of the CER (Critical Entities Resilience) directive, replacing Directive 114/08 on the identification and designation of European critical infrastructures. This step forward reflects a necessary evolution in addressing the growing, often cross-border threats that endanger both the physical and cyber security of the Union.

The CER moves in tandem with the NIS2 directive, merging physical security with logical or cyber security. While NIS2 focuses on the cyber security of critical entities, CER deals with their resilience against physical, natural, or man-made threats, including those of a terrorist nature.

Sectors Involved and Identification of Critical Entities

The sectors covered by the CER directive include energy, transportation, finance, health, water, digital infrastructures, public administration, and space. The CER adopts a risk-based approach to identify critical entities at the European level, establishing common procedures for reporting and cooperation among Member States.

Each Member State will develop a resilience strategy that includes a framework for activities and responsibilities, as well as a chain of command and control. Furthermore, the Commission may outline essential services in various sectors, upon which Member States will base their national risk assessments.

Critical entities will be identified based on the impact of potential incidents, considering factors such as the number of users affected, the economic and environmental consequences, and the availability of alternative ways to obtain the service.

Cooperation and Cyber Security

Member States will collaborate with each other and with critical entities to develop adequate countermeasures and reduce risks. In the event of incidents, critical entities must notify the national competent authority. If a critical entity operates in six or more Member States, it will be considered critical at the European level, subject to stricter controls.

In parallel, the Council has also proposed recommendations on cyber security, aiming for a coordinated response at the European level and the adoption of an all-hazard approach to risk management.

Conclusions: A Step Forward for Europe

The new CER directive represents a significant advancement in protecting European critical infrastructure. Fourteen years after the first directive, it demonstrates Europe’s maturity in addressing the challenges of protecting critical infrastructure, integrating cyber and physical security and adopting an approach that is risk-based and accounts for interdependencies. With these new measures, Europe is at the forefront of continental security, prepared to tackle the challenges of the present and future.